Preface
Web penetration is an entry-level field in the network security industry. Just like software ten years ago, the prospects are very promising and the salary is also very attractive. Unlike software testing and front-end development, which only require certain programming skills, penetration requires more knowledge and takes a longer time. Mastering code is the foundation for penetration testing. Secondly, you also need to learn knowledge about server operating systems and databases. Web security basics, penetration testing basics, vulnerability principles and mining and reproducibility capabilities, code auditing, attack and defense and other related technologies.
Regarding the prospects of network security, let me start with two points of view. The era of script kiddies has passed, and knowledge will always keep pace with the times.
At present, the talent supply for penetration testing is limited. However, due to limited school education, many college graduates only know theory and are not well qualified for their jobs. However, off-campus training institutions, in view of the difficulty of learning network security, each training institution can The number of talents to be cultivated is also limited.
However, as the number of penetration testing practitioners increases and universities gradually develop professional disciplines, there will be more and more talents in the future and competition will become increasingly fierce. The "big bulls" who were able to simply inject black websites in the past will definitely lose their advantage in front of the regular army in the future. **So, the only way out is to give up the fear of difficulties, raise the requirements for yourself, and improve your abilities. **As for the future, if your skills and experience do not increase with age and you keep using the same old tools over and over again, then losing competitiveness is inevitable.
For example, the current employment requirements of enterprises for penetration are obviously much higher than those in previous years.
While the breadth is expanding, the depth requirements for each item are also gradually increasing. With a lot of policy support and a large number of jobs available, the demand for talents will increase in the future.
Before you start learning, you must first be mentally prepared, that is, the problem often faced by penetration testing is that it is too difficult, that is, you have to find problems that no one else has thought of, so if you are not particularly interested, it will be difficult to persist. Go down. Penetration is the most professional type of work in the information security field and has high technical requirements. In common penetration testing, tools are always just auxiliary. Whether they are old tools or the latest tools, they are only part of the penetration testing. It is difficult to use them to directly scan the injection point or backend. More often, we rely on our knowledge system, experience, proficiency, and the depth of our own research to discover vulnerabilities manually.
The price of offline courses at different institutions ranges from 20,000 to 30,000. Junior penetration positions are suitable for self-study, but most can only reach the level of "script kiddies". The possibility of self-taught hackers is extremely low, which can be said to be rare. Although the learning cycle of penetration is shorter than binary.
But nowadays, the entry threshold for penetration is getting higher and higher, and the requirements for mastering relevant technical capabilities are getting higher and higher. Penetration requires a lot of knowledge, so it takes more time. It is not like software testing and For front-end development, you only need to master certain programming skills. Mastering code is the foundation for penetration testing. Secondly, you need to learn Server operating system database related knowledge, web security basics, penetration testing basics, vulnerability principles and mining and reproduction capabilities, code auditing, attack and defense and other related technologies. Therefore, if you go in this direction, you need to spend more time studying the system.
Network security knowledge route
1. Basic stage
1. Cybersecurity Law of the People's Republic of China (including 18 knowledge points)
2. Linux operating system (including 16 knowledge points)
3. Computer Network (including 12 knowledge points)
4. SHELL (contains 14 knowledge points)
5. HTML/CSS (including 44 knowledge points)
6. JavaScript (including 41 knowledge points)
7. Introduction to PHP (including 12 knowledge points)
8. MySQL database (including 30 knowledge points)
9. Python (including 18 knowledge points)
The first step to get started is to systematically learn basic computer knowledge, that is, learn the following basic knowledge modules: operating system, protocol/network, database, development language, and common vulnerability principles. After learning the previous basic knowledge, it is time to practice.
Because of the popularity of the Internet and informatization, website systems have a lot of external business, and the level of programmers and the configuration of operation and maintenance personnel vary, so there is a lot of content that needs to be mastered.
2. Penetration stage
1. Penetration and defense of SQL injection (including 36 knowledge points)
2. XSS related penetration and defense (including 12 knowledge points)
3. Upload verification penetration and defense (including 16 knowledge points)
4. The document contains penetration and defense (including 12 knowledge points)
5. CSRF penetration and defense (including 7 knowledge points)
6. SSRF penetration and defense (including 6 knowledge points)
7. XXE penetration and defense (including 5 knowledge points)
8. Remote code execution penetration and defense (including 7 knowledge points)
9. Deserialization penetration and defense (including 12 knowledge points)
10. Logic loopholes (including 12 knowledge points)
11. Violent guessing and defense (including 11 knowledge points)
12. Redis unauthorized access vulnerability (including 9 knowledge points)
13. AWVS vulnerability scanning (including 7 knowledge points)
14. Appscan vulnerability scanning (including 10 knowledge points)
15. Nessus vulnerability scanning (including 5 knowledge points)
16. MSF-Metasploit Framework (including 26 knowledge points)
17. Social engineering (including 14 knowledge points)
18. ARP penetration and defense (including 36 knowledge points)
19. System privilege escalation, penetration and defense (including 5 knowledge points)
20. DOS and DDOS penetration and defense (including 8 knowledge points)
21. Intranet related penetration and defense (including 4 knowledge points)
22. Wireless security-related penetration and defense (including 63 knowledge points)
23. Trojan anti-kill issues and defense (including 6 knowledge points)
24. vulnhub shooting range practical series (including 50 knowledge points)
25. Kali advanced penetration testing (including 80 knowledge points)
Master the principles, uses, and defenses of common vulnerabilities. In the Web penetration stage, you still need to master some necessary tools.
The main tools and platforms to master: burp, AWVS, Appscan, Nessus, sqlmap, nmap, shodan, fofa, proxy tools ssrs, hydra, medusa, airspoof, etc. The above tools can be practiced using the open source shooting range above, which is enough Got it
3. Safety management (improvement)
1. Penetration report writing (including 21 knowledge points)
2. Level protection 2.0 (including 50 knowledge points)
3. Emergency response (including 5 knowledge points)
4. Code audit (including 8 knowledge points)
5. Risk assessment (including 11 knowledge points)
6. Safety inspection (including 12 knowledge points)
7. Data security (including 25 knowledge points)
Mainly includes penetration report preparation, network security level protection grading, emergency response, code audit, risk assessment, security inspection, data security, compilation of laws and regulations, etc.
This stage is mainly for those who are already engaged in network security related work and need to be promoted to management positions. If you are only studying to take up engineering positions, you may or may not study at this stage.
4. Upgrade stage (upgrade)
1. Cryptozoology (including 34 knowledge points)
2. Introduction to JavaSE (including 92 knowledge points)
3. C language (including 140 knowledge points)
4. C++ language (including 181 knowledge points)
5. Windows reverse engineering (including 46 knowledge points)
6. CTF Capture the Flag Competition (including 36 knowledge points)
7. Aandroid reverse engineering (including 40 knowledge points)
Mainly including cryptography, JavaSE, C language, C++, Windows reverse engineering, CTF capture the flag competition, Android reverse engineering, etc.
Mainly aimed at those who are already engaged in network security related work and need to improve their knowledge of advanced security architecture.
The learning framework has been sorted out, and now we are just missing materials and resources. I have compiled the materials and resources documents corresponding to all knowledge points here. Scan the QR code below to get them!
Full set total282G《Network security/hacking technology introductory learning gift package< a i=4>》, click the link below to get it
END
Special statement:
This tutorial is purely technical sharing! The purpose of this book is never to provide technical support to those with bad intentions! We also do not assume any joint liability arising from the misuse of technology! The purpose of this book is to awaken everyone's attention to network security to the greatest extent, and to take corresponding security measures, thereby reducing the economic losses caused by network security! ! !