Foreword
Personal information:
Sophomore in software engineering
an ordinary undergraduate student
Passionate about cybersecurity and programming
Currently undergoing cybersecurity training
Looking for like-minded friends to learn and improve together!!!
Today's post is my study notes for preview lessons 5-8; I will summarize them.
There are materials for the last four lessons at the bottom of the article.
Note content mind map
1. What can we do? (Part 1)
1.1 Position:
- Emergency response: the system cannot be accessed, has been hacked, or information has leaked because of improper operation ... (the blue team)
- Live lectures: customers need security training ... (be a lecturer)
- Code audit: a white-box code audit of the system is required ... (the source code is open and you need to find vulnerabilities in it, so you need to be very strong in programming). Programming language -> proficient in 0day
- Security research: vulnerability mining, various research ... You must have programming ability; leans towards research
- Tool writing: writing various EXP/POC automation code in Python ... You must be able to develop tools, write tools for discovered vulnerabilities, and detect them in batches
- Report writing: emergency reports, penetration reports, vulnerability verification reports ... -> on top of network security fundamentals, better writing skills, or vulnerability audit
- Penetration testing: web vulnerabilities, intranet penetration ... -> vulnerability mining and offensive and defensive drills mostly lean this way
- On-site service: working at the customer's site, dispatched to serve, for example network protection actions! The salary is higher, but the time will not be too long
- CTF competitions: Qiangwang Cup, XCTF, Wangding Cup, various CTFs ... Part-time; binary. If you are interested while at school, you can study, compete, and do part-time work
- New vulnerability follow-up: reproducing middleware vulnerabilities, CMS vulnerabilities, database vulnerabilities, operating system vulnerabilities ...
- In the end it mainly depends on: ... (your company, your department, your leadership ...)
1.2 Homework:
These are only a small number of the jobs related to network security. Take the time to collect other network security jobs, along with their salary and benefits, to make job hunting easier after you finish your studies. At the same time, this shows you what you need to understand and what knowledge to learn.
Here I made a simple example.
- Security operation and maintenance engineer
  - Job description:
    - Security reinforcement of servers and network infrastructure;
    - Investigate and analyze security incidents, cooperate with regular compilation of security analysis reports, and focus on security incidents in the industry;
    - Track the latest vulnerability information and conduct security checks on business products;
    - Responsible for the formulation of information security policies/processes, security training/publicity and promotion;
    - Responsible for the advancement of Web vulnerability and system vulnerability repair work, tracking the solution, and collecting problems.
  - Job requirements:
    - Familiar with mainstream web security technologies, including SQL injection, XSS, CSRF and other OWASP TOP 10 security risks;
    - Familiar with the security configuration and reinforcement of systems and software under Linux/Windows;
    - Familiar with common security products and principles, such as IDS, IPS, firewall, etc.;
    - Master the log analysis methods of common systems and applications;
    - Proficiency in one or more languages such as C/PHP/Perl/Python/Shell;
    - Have security incident mining, investigation and evidence collection experience;
    - Solid network foundation, familiar with TCP/IP protocol, principles of Layer 2 forwarding and Layer 3 routing, dynamic routing protocols, commonly used application layer protocols;
    - Good document writing ability, language expression and communication skills.
  - Salary:
    - 10k-20k
2. What can we do (part-time job)? (Part 2)
2.1 CTF -> part-time job
Here are some CTF platforms I know:
2.2 Bounty hunter -> digging vulnerabilities -> SRC platforms
Here are some of the mining platforms I collected:
2.3 Homework:
Learn about the SRCs of major manufacturers, and pay attention to some SRCs you are interested in, because some SRCs will hold activities from time to time, double the bounty, or have newcomer benefits.
3. What is penetration testing?
3.1 Definition of penetration testing
3.1.1 Contents of penetration testing
Penetration testing (Penetration Testing) is a testing and evaluation method that simulates the techniques and methods of a malicious attacker to defeat the target system's security control measures, obtain access control rights, and discover security risks with business impact.
3.1.2 Three types of penetration:
1. Black box: you are given a target directly, without any information, and attack it.
2. White box: you are given information such as source code and account passwords and test directly.
3. Gray box: a mix of the first two; you are given an environment or something similar.
3.2 Penetration process
1. Interaction: discuss remuneration and other matters with the customer.
2. Information collection: collect relevant asset information about the target.
3. Threat modeling: step away from the keyboard and consider what vulnerabilities may appear in the collected information and which means of attack is better.
4. Vulnerability analysis: what the vulnerabilities are, how they are exploited, and so on.
5. Penetration attack: attacking in a covert way.
6. Post-penetration attack (intranet penetration): obtain permissions on the target.
7. Write a report.
3.3 Penetration targets
1. Operating system: win, etc.
2. Database: various databases related to the web site.
3. Application system: applications that make up the web (some are used to build websites).
4. Network: network communication, network protocols, network equipment.
3.4 Homework:
Get familiar with the PTES standard for penetration testing. You can imagine going out on a trip for May Day: using the PTES standard, what does the process of your trip look like? This helps us understand and remember it better.
4. Penetration terms
4.1. Common Terminology for Penetration Testing
- Vulnerability: a defect in hardware, software, or a protocol -> unauthorized access to, or destruction of, the system
- Trojan horse: a program or code that obtains user permissions
- Backdoor: a hidden backdoor program left on the system for follow-up
- Virus: destruction -> automatic propagation
- shell: the command execution environment of the server
- webshell: website control
- poc: when a vulnerability occurs, a program or code that verifies the vulnerability by reproducing it
- exp: a program or code that exploits a vulnerability discovered through a poc to obtain permissions
- Broiler: ghost machine, controlled machine, can be used as a springboard
- Privilege escalation: privilege escalation, kali root ...
4.2. Homework
1. Collection of penetration testing terminology + noun explanation + self-understanding memory
2. Form a document
5. Summary
Through the study of these few lessons, I not only have a clearer understanding of network security-related positions, but also have a vague understanding of the content and process of penetration testing. After learning, I have a direction, a target, and an understanding of what I can do.
For me, I have encountered many problems in the learning process, one of which is the ability of information collection and summarization. I have a strong ability to collect information but my ability to summarize is too weak. And when understanding some infiltration terms, it is not easy to understand a lot of information that I have not been exposed to. I often need to find more relevant information to help me understand and learn it. In short, I have gained a lot.
Word of the day:
Life is very strange. Sometimes I feel that dazzling and incomparable things, things that I want to get even if I give up everything, after a period of time or look at it from a slightly different angle, I feel that they have completely lost their brilliance.
If my study notes are useful to you, please like and collect them.