If you want to work in network information security, how should you learn by yourself?

Foreword

[Key points for getting into network security and levelling up]

Since I have written many articles on network security techniques before, many readers know that I work in network security, so I often get private messages asking:

  • I'm just getting started with network security; what should I learn?
  • What should I learn, and in what order?
  • What are the directions?
  • How do I choose one?
  • What are the career prospects in this line of work?

Without further ado, here is an overview diagram first, showing which directions network security has, how they relate to and differ from each other, and what each one requires you to learn.
[Image: overview of network security directions]

[Learning route]

Within the technical side of this field, jobs fall mainly into three directions:

Security R&D

Security research: binary direction

Security research: network penetration direction

Let's go through them one by one.

The first direction: security R&D

You can think of network security as an industry like e-commerce or education. Every industry has its own software development, and network security is no exception. The difference is that the development in this industry produces software related to the security business itself.

That being so, the security industry has the same general positions as any other industry, such as front-end, back-end and big-data analysis, but in addition to those general development roles there are R&D positions closely tied to the security business.

This category can be further divided into two subtypes:

  • security product development (the defensive side)
  • security tool development (the offensive side)

Typical products include:

  • Firewalls, IDS, IPS
  • WAF (Web Application Firewall)
  • Database gateways
  • NTA (Network Traffic Analysis)
  • SIEM (Security Information and Event Management; "situational awareness" platforms)
  • Big-data security analytics
  • EDR (Endpoint Detection and Response; security software on end devices)
  • DLP (Data Leakage Prevention)
  • Antivirus software
  • Detection sandboxes

To sum up, most security R&D products exist to detect and defend against attacks, and they involve the endpoint side (PCs, phones, network devices and so on).

The technology stacks used to build these products are mainly C/C++, Java and Python, with a smaller share of Go and Rust.

Compared with the other two directions, security R&D positions have lower requirements for security technique itself (only relatively: the development of some products demands a lot of security knowledge), and I have even met many developers at security companies who know nothing about security. Given that, if you bring an understanding of network security on top of solid development skills, it is naturally a bonus when interviewing for these positions.

The second direction: binary security

Binary security is one of the two major technical directions in the security field.

It mainly covers software vulnerability discovery, reverse engineering, and virus and Trojan analysis, and it involves operating system kernel analysis, debugging and anti-debugging, anti-virus techniques and more. Because the work constantly deals with binary data, "binary security" became the collective name for this direction over time.

The defining characteristic of this direction: you need to be able to endure loneliness.

Unlike security R&D, it does not produce a tangible product, and it is not as flashy as network penetration; most of the time is spent in quiet analysis and research.

Take vulnerability discovery as an example: just learning the various exploitation techniques takes a great deal of time, and in this field a single problem may take months or even years of study, which is not something most people can persist with. On top of that, success here comes less from hard work than from talent.

People such as the heads of Tencent's major security labs, the well-known TK, and Wu Shi have mastered the deeper art of vulnerability discovery and can come up with new tricks even in their dreams. But geniuses like that are rare and out of reach for most people.

If programmers work hard, binary security researchers work hard Plus.

The third direction: network penetration

This direction best matches most people's image of a "hacker": phones, computers, websites, servers, intranets, everything can be broken into.

Compared with binary security, this direction is easier to get into early on: after mastering some basic techniques you can already attack with various ready-made tools.

However, if you want to go from script kiddie to expert, the further you go in this direction the more you need to learn and master.

Network penetration leans towards "real combat", so it demands breadth: from network hardware and communication protocols, to network services (web, e-mail, file, database and so on), to operating systems and attack methods, you need to know all of it. It is closer to being an all-round computer generalist who can combine every technique for practical use.

Now let's get to the learning route. The content is long, so you may want to bookmark it first so you can find it again.
[Image: learning roadmap]

In this roadmap there are sixteen stages in total, but that does not mean you have to finish all of them before you can start working. For some junior positions, completing the sixth stage is enough.

[Image: stage one of the roadmap]

The first stage is aimed at complete beginners who have just entered the field. It is mainly about laying the foundation, and there are five parts to learn:

1. Windows
Some basic Windows commands, the use of PowerShell and simple scripting, and the use of several important components you will deal with often later: the registry, Group Policy, Task Manager, Event Viewer and so on.

In addition, learn to set up a virtual machine on Windows and install an operating system in it, in preparation for learning Linux next.

2. Linux
In network security you deal with Linux constantly. I have seen many newcomers follow a training course and jump straight into Kali before they have even established the basic Linux concepts. That is trying to run before you can walk; it puts the cart before the horse.

At the basic stage the focus is on usage: learn the commands for text editing, files, networking, permissions, disks, users and so on, and build a basic understanding of Linux.

3. Computer networks
Computer networking is obviously central to network security. As part of the basic stage, this section studies computer networks from a macro perspective rather than getting stuck on the meaning of a particular field of a particular protocol.

First, start from the local area network and understand the basic network that computers communicate over: Ethernet. How do hosts communicate within a LAN? What is the difference between a hub and a switch? What are MAC addresses, IP addresses, subnets and subnet masks for?

Then move on to the larger wide area network, the Internet: what a network communication protocol is, and how protocols are layered. Through the OSI seven-layer and TCP/IP four-layer models, quickly establish the basic concepts of computer networks: what each layer does, which protocols sit in it, and how those protocols are used on today's Internet.

4. Web basics
A very important part of network penetration is Web security, and to learn Web security you must first start with the basics of the Web front end.

This section is simple: learn the three original building blocks of the Web front end, HTML, CSS and JavaScript, and how to develop with them, as the foundation for the Web security knowledge later.

This part is practical and hands-on. You need to write some web pages yourself, get comfortable with JavaScript in particular, understand what Ajax is, and get to know the commonly used jQuery library.

5. Database basics
In the last part of the basic stage you can get in touch with some basic database knowledge.

At this stage it is mainly theory: focus on concepts such as databases, tables and indexes, then learn to write SQL and to insert, delete, update and query data. Leave operating the database from program code for later.

After the basic stage you have a reserve of fundamental computer knowledge: operating system usage, network protocols, front-end basics and an introduction to databases. That is still not enough to do network security. In the second stage (bronze) you need to build further on the basics; from here on the difficulty starts to rise gradually.

The knowledge to be learned at this stage is:

1. Advanced Web
In the previous stage we had a first contact with web programming and understood the basic principles of web pages. But that was pure front end, purely static pages, without touching the back end. In this advanced stage you start on the Web back end.

First, start from the two commonly used mainstream web servers, Apache and Nginx, and learn their basics. Then move on to the basic principles of dynamic web pages: the transition from CGI/FastCGI to later dynamic page technologies such as ASP/PHP/ASPX/JSP, and their history, evolution and basic working principles.

Finally, learn some web development basics: form handling, Session/Cookie, JWT, LocalStorage and so on, understanding what these terms mean, what they are used for and what problem each solves.

2. PHP programming
To learn Web back-end development you have to learn a back-end language, and in this section the choice is to start with PHP.

But keep in mind: choosing PHP here is not meant to steer you into PHP back-end development later, nor is it a statement about how popular PHP is now. Rather, for specific historical reasons, PHP-related website security issues are very representative, so this language makes it easier for us to study security problems.

Because the purpose is different, the way of learning also differs from ordinary back-end development. Here we learn the basic syntax, basic request handling on the back end, and database access, and then get to know the commonly used ThinkPHP framework. Of course, if you are interested, learning more is even better.

3. Computer networks, advanced
The second stage extends the study of computer networks, this time focusing on HTTP/HTTPS and packet capture analysis.

You must master tcpdump on Linux, including its common options. Then focus on Wireshark for analysing packets, and use Fiddler to capture and analyse encrypted HTTPS traffic (Fiddler can only decrypt HTTPS because it acts as a man-in-the-middle proxy and you install its root certificate in the client; without that trust, TLS does its job and the traffic stays opaque).

Looking at the communication flow in a packet capture tool turns your understanding of computer networks from abstract into concrete.

4. Encoding, encryption and decryption
Next, learn the encoding and encryption/decryption techniques that come up constantly in network security: Base64 encoding, symmetric encryption, asymmetric encryption, hashing and so on.

Understand the basic concepts, what each is for and what problem it solves, and finally how each works. Keep the distinction clear: Base64 is an encoding with no key, so anyone can reverse it; hashing is one-way; only encryption hides data from someone who does not hold the key.

Recommended book: "Encryption and Decryption"
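The following is an added example (not code from the original article) that makes the distinction in this section concrete with Python's standard library: Base64 is reversible without any key, SHA-256 is one-way and changes completely on a one-character edit, and an HMAC adds a secret key so that only a key holder can produce or check the tag. All sample values and the key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac


def base64_roundtrip(data: bytes) -> tuple[str, bytes]:
    """Base64 is an encoding, not encryption: anyone can reverse it with no key."""
    encoded = base64.b64encode(data).decode("ascii")
    decoded = base64.b64decode(encoded)
    return encoded, decoded


def sha256_hex(data: bytes) -> str:
    """A hash is one-way and deterministic: same input, same digest, no way back."""
    return hashlib.sha256(data).hexdigest()


def hamming_hex_distance(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two hex digests (shows the avalanche effect)."""
    diff = int(a_hex, 16) ^ int(b_hex, 16)
    return bin(diff).count("1")


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """HMAC mixes a secret key into the hash; without the key nobody can forge a tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


if __name__ == "__main__":
    # Constructed sample values; the key is illustrative only.
    secret = b"constructed-demo-key"
    token = b"user=alice;role=user"
    enc, dec = base64_roundtrip(token)
    print("base64:", enc, "-> recovered without a key:", dec)
    h1, h2 = sha256_hex(b"abc"), sha256_hex(b"abd")
    print("sha256(abc) =", h1)
    print("bits changed by a one-character edit:", hamming_hex_distance(h1, h2), "of 256")
    tag = hmac_sha256_hex(secret, token)
    print("tag valid   :", verify_tag(secret, token, tag))
    print("tampered    :", verify_tag(secret, b"user=alice;role=admin", tag))
```

A "token" that is merely Base64-encoded, as in the first print line, is readable and forgeable by anyone; the HMAC tag is what actually binds it to the secret.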

Now we enter the third stage, where we start learning real network security techniques in earnest; the foundation laid in the first two stages comes into play here.

The knowledge to be learned at this stage is:

1. Introduction to Web security
With the Web front-end and PHP foundation in place, you can formally start on Web security. Study each of the classic attack classes in this field in detail, theory and hands-on practice side by side: SQL injection, XSS, CSRF, command injection and other injection vulnerabilities, SSRF, file upload vulnerabilities and so on.

Be careful not to practise against websites on the Internet; that is illegal. Build some deliberately vulnerable web applications in a virtual machine (many are available for download) and practise against those.

2. Network scanning and probing
We have learned some Web attack techniques, but that is not enough. When facing a target, finding the attack surface and gathering information about the target is critical.

That information includes: which operating system the target runs, which ports are open, which services are running, what kind of back end it has and which versions, and, from that, which vulnerabilities might be exploitable. Only with this information can you plan an attack in a targeted way and take the target down.

Common network scanning includes port scanning, website directory scanning, vulnerability scanning and so on. You need to learn the common scanning tools and how they work.
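To show what a port scanner actually does under the hood, here is an added example (not from the original article) of a TCP connect scan with banner grabbing in Python. It starts its own constructed listener on a free loopback port, so it runs offline against nothing but itself; the "SSH" banner it returns is made up for the demonstration and the host, port range and worker count are assumptions.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_constructed_listener() -> tuple[socket.socket, int]:
    """Local stand-in for a target service: listens on a free loopback port and
    greets each client with a constructed SSH-style banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listener closed
                return
            with client:
                client.sendall(b"SSH-2.0-ConstructedBanner_1.0\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port: complete the 3-way handshake, then read whatever
    the service says first. Returns the banner ('' if silent) or None if closed/filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:              # refused (closed) or timed out (filtered)
            return None
        try:
            return s.recv(256).decode("ascii", errors="replace").strip()
        except OSError:              # open, but no banner within the timeout
            return ""


def scan(host: str, ports, workers: int = 32) -> dict[int, str]:
    """Probe ports concurrently; returns {open_port: banner}."""
    ports = list(ports)
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, banner in zip(ports, pool.map(lambda p: probe(host, p), ports)):
            if banner is not None:
                found[port] = banner
    return found


if __name__ == "__main__":
    listener, open_port = start_constructed_listener()
    for port, banner in sorted(scan("127.0.0.1", range(open_port - 10, open_port + 10)).items()):
        print(f"{port}/tcp open  banner={banner!r}")
    listener.close()
```

A connect scan completes the handshake, so it shows up in the target's logs; tools such as nmap default to a half-open SYN scan for that reason, which needs raw sockets and root. Service identification from the banner is the same idea the version-detection modes of those tools build on.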

3. Information gathering & social engineering
Beyond what scanning gives you, security work often requires digging up a lot of other information, such as domain registration details, associated people, and content indexed within a site. For this you need to learn the related techniques of information gathering and social engineering.

Whois lookups give domain registration information; cyberspace search engines such as Shodan, ZoomEye and FOFA retrieve what sits behind an IP, domain or URL; Google hacking uses search engines to find information inside a website. These are the everyday tools of information gathering.

4. Brute-force cracking
Once the target's open services have been scanned, the most direct thing is to log in. Common services include SSH, RDP, MySQL, Redis, web login forms and more.

This is where brute-force cracking usually comes in: using a dictionary of common usernames and passwords for each service, a program tries them automatically.

Common brute-force tools include hydra and the "Super Weak Password" checker; mimikatz is often mentioned alongside them for obtaining Windows passwords, but note that it does not guess anything: it extracts credentials and hashes from the memory of an already compromised Windows host.
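The offline counterpart of the online guessing described above is a dictionary attack against leaked password hashes. The following is an added example (not from the original article) in Python that runs the same constructed wordlist against two constructed user stores, one with unsalted SHA-256 and one with per-user salted PBKDF2, and counts the work each requires. The users, passwords and wordlist are made up; the iteration count is kept small so the demo runs fast.

```python
import hashlib
import os


# Constructed wordlist; real ones have millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]

# Constructed "leaked database": two users chose dictionary words, one did not.
USERS = {"alice": "qwerty", "bob": "hunter2", "carol": "correct horse battery staple"}


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 2_000) -> bytes:
    # PBKDF2-HMAC-SHA256; real deployments use far more iterations (or Argon2/bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_unsalted(stored: dict[str, str]) -> tuple[dict[str, str], int]:
    """One precomputed table cracks every user at once: work = len(WORDLIST)."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(stored: dict[str, tuple[bytes, bytes]]) -> tuple[dict[str, str], int]:
    """A per-user salt forces a full dictionary pass per user (work = users x words),
    and every guess costs `iterations` HMAC rounds instead of a single SHA-256."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in WORDLIST:
            work += 1
            if salted_hash(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, work


def build_stores():
    """Build the two constructed credential stores from USERS."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_hash(p, salt))
    return unsalted, salted


if __name__ == "__main__":
    unsalted_store, salted_store = build_stores()
    print("unsalted SHA-256 :", crack_unsalted(unsalted_store))
    print("salted PBKDF2    :", crack_salted(salted_store))
```

Both stores give up the weak passwords, which is the real lesson: salting and slow hashing raise the cost per guess, but nothing saves a password that is in the wordlist. Carol's passphrase survives both runs.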

Advancement stage

In the previous stage you learned some attack techniques. In this stage you need to learn security defence and detection techniques: security has both offensive and defensive sides, and neither can be skipped.

1. WAF technology
The first thing to learn is the WAF, the Web Application Firewall.

Web security is about attacking computer systems through Web technology, and the WAF's job is to detect and block those attacks. As the saying goes, know yourself and know your enemy. As an attacker, you need to understand how a WAF works in order to find weaknesses and bypass its detection; as a defender, you need to keep strengthening detection and defence so that Web attacks are actually discovered and stopped.

You need to learn the architecture of the current mainstream WAF software, such as OpenResty and ModSecurity, and the main detection approaches: signature-based, behaviour-based, machine-learning-based and so on.
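The signature-based approach, and the bypass-versus-normalisation game it leads to, can be shown in a few lines. This is an added example (not from the original article, and not ModSecurity's rule language): a constructed signature list in Python applied first to the raw parameter and then after normalisation, with payloads that split keywords with SQL comments or double-URL-encode them. The signatures and payloads are constructed for the demonstration.

```python
import re
import urllib.parse


# Constructed signature set in the style of a feature-based WAF rule list.
SIGNATURES = [
    r"\bunion\b\s+(?:all\s+)?select\b",   # UNION-based SQL injection
    r"\bor\b\s+\d+\s*=\s*\d+",             # tautology such as OR 1=1
    r"<script\b",                          # reflected/stored XSS
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in SIGNATURES]


def naive_match(payload: str) -> bool:
    """Rules applied to the raw request parameter."""
    return any(rx.search(payload) for rx in COMPILED)


def normalize(payload: str) -> str:
    """Undo the transformations attackers use to slip past raw-string rules."""
    for _ in range(2):                                # double URL-encoding
        payload = urllib.parse.unquote_plus(payload)
    payload = re.sub(r"/\*.*?\*/", " ", payload)      # inline SQL comments become whitespace
    payload = re.sub(r"\s+", " ", payload)            # tabs/newlines collapse to one space
    return payload


def waf_match(payload: str) -> bool:
    """Rules applied after normalisation."""
    return naive_match(normalize(payload))


if __name__ == "__main__":
    samples = [
        "1 UNION SELECT user,pass FROM users",     # caught either way
        "1 UNION/**/SELECT user,pass FROM users",  # comment replaces the whitespace the rule expects
        "1%2520UNION%2520SELECT%25201",            # double-encoded spaces
        "%253Cscript%253Ealert(1)",                # double-encoded '<'
        "I like union select committees",          # false positive either way
    ]
    for s in samples:
        print(f"{s!r:45} raw={naive_match(s)!s:5} normalised={waf_match(s)}")
```

The last sample is the other half of the trade-off: every signature that catches `UNION SELECT` also blocks a harmless sentence containing those words, which is why real WAFs score and combine rules rather than block on a single regex, and why behaviour- and ML-based detection exist at all.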

2. Network protocol attacks & intrusion detection
The WAF targets Web attacks specifically. In this section the field of view widens to the whole network protocol stack: TCP hijacking, DNS hijacking, DDoS, DNS tunnelling, ARP spoofing, ARP flooding and so on. You need to understand the principles of these classic attacks, build a lab environment to practise them, and lay the foundation for intranet penetration later.

In addition, on the defensive side you need to learn detection through network traffic analysis: the common analysis techniques, detection frameworks and their rule syntax, in preparation for later security development or defensive work.
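As one concrete instance of detection through traffic analysis, here is an added example (not from the original article) that looks for DNS tunnelling, one of the attacks listed above, in a constructed DNS query log. A tunnel smuggles data out in the leftmost label of the query name, so a client that keeps resolving long, high-entropy, never-repeated subdomains under one domain stands out. The log format, the clients, the domains and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Base32-style alphabet, as a tunnel encoder would use for its data labels.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def constructed_query_log() -> str:
    """Constructed DNS query records in the form '<epoch> <client> <qname>'."""
    lines = [f"1700000000 10.0.0.5 {n}" for n in ("www.example.com", "mail.example.com", "cdn.example.com")]
    for i in range(8):                               # tunnel client: payload in the first label
        label = ALPHABET[i:] + ALPHABET[:i]          # rotation: 32 distinct chars, entropy 5.0 bits
        lines.append(f"17000001{i:02d} 10.0.0.7 {label}.t.example.net")
    return "\n".join(lines)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking encoded data scores high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log: str):
    for line in log.splitlines():
        ts, client, qname = line.split()
        yield ts, client, qname.rstrip(".").split(".")


def find_tunnel_candidates(log: str, min_len: int = 20, min_entropy: float = 3.5, min_queries: int = 5):
    """Flag (client, registered domain) pairs that keep asking for long, high-entropy,
    never-repeated subdomains: the signature of data being pushed out through DNS."""
    stats = defaultdict(lambda: {"suspicious": 0, "unique": set()})
    for _, client, labels in parse(log):
        if len(labels) < 3:                          # no subdomain to carry data
            continue
        first, domain = labels[0], ".".join(labels[-2:])
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            st = stats[(client, domain)]
            st["suspicious"] += 1
            st["unique"].add(first)
    return sorted(key for key, st in stats.items()
                  if st["suspicious"] >= min_queries and len(st["unique"]) == st["suspicious"])


if __name__ == "__main__":
    for client, domain in find_tunnel_candidates(constructed_query_log()):
        print(f"possible DNS tunnel: {client} -> *.{domain}")
```

Legitimate CDNs and some anti-virus update services also use long hashed labels, so in practice this heuristic is a starting point for an analyst, not a blocking rule; the registered-domain grouping is what separates "many random names under one attacker domain" from ordinary browsing.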

3. Log analysis
Finding attack behaviour through logs is the most common detection method. An attacker's web requests, system logins, brute-force attempts and so on are recorded by various components of the system, and attackers in turn often wipe the relevant log entries. Knowing these logs well is therefore a skill both the offensive and the defensive side need.

Common logs include system login logs (Windows, Linux), web server logs, database logs and so on.
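Here is an added example (not from the original article) of the kind of check this section is about: Python parsing constructed sshd lines in syslog format, counting failed logins per source address, and flagging the most telling pattern, a successful login from an address that had just been guessing. The log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges) and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd lines in syslog format; the addresses are documentation ranges.
AUTH_LOG = """\
Jan 10 09:12:01 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jan 10 09:12:03 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Jan 10 09:12:04 web1 sshd[2114]: Failed password for root from 203.0.113.9 port 51138 ssh2
Jan 10 09:12:06 web1 sshd[2116]: Failed password for root from 203.0.113.9 port 51141 ssh2
Jan 10 09:12:07 web1 sshd[2118]: Failed password for deploy from 203.0.113.9 port 51147 ssh2
Jan 10 09:12:09 web1 sshd[2120]: Failed password for deploy from 203.0.113.9 port 51150 ssh2
Jan 10 09:12:11 web1 sshd[2122]: Accepted password for deploy from 203.0.113.9 port 51155 ssh2
Jan 10 09:30:44 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Jan 10 09:30:50 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text: str) -> list[dict]:
    """Extract result, method, user and source IP from each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(text: str, threshold: int = 5) -> dict:
    """Per source IP: failure count, usernames tried, and whether a login was
    accepted after a burst of failures (the strongest sign that guessing worked)."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after": False})
    for ev in parse_auth_log(text):
        st = state[ev["ip"]]
        if ev["result"] == "Failed":
            st["failures"] += 1
            st["users"].add(ev["user"])
        elif st["failures"] >= threshold:         # Accepted, and guessing preceded it
            st["accepted_after"] = True
    return {
        ip: {
            "failures": st["failures"],
            "users": sorted(st["users"]),
            "brute_force": st["failures"] >= threshold,
            "likely_compromise": st["accepted_after"],
        }
        for ip, st in state.items()
    }


if __name__ == "__main__":
    for ip, r in analyze(AUTH_LOG).items():
        print(ip, r)
```

The same loop, fed from `journalctl -u ssh` or `/var/log/auth.log` instead of the constructed string, is the core of tools like fail2ban; the "accepted after failures" flag is the one line an incident responder wants to see first.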

4. Python programming
At this stage it is time to learn some Python programming. Network security does not often require heavy engineering work, but basic programming skill is extremely useful: writing crawlers, processing data, building network scanners, writing vulnerability PoCs and so on. Among the many languages, Python is without doubt the best fit.

5. Browser security
The last part of this stage is browser-side security, which consolidates the browser-related attacks from Web security.

Focus on the two mainstream browsers, IE and Chrome: the browser sandbox mechanism, the same-origin policy and cross-origin techniques, and so on.

1. Vulnerabilities in third-party components
The Web attacks covered so far are classic techniques that have matured over many years. Studying the vulnerabilities of common third-party components, on the one hand, gives you attack techniques you can use in practice, and on the other hand, by analogy, helps a great deal with vulnerability research.

The research targets are mainly the engineering components actually used in today's Internet services: the Java stack (the Spring ecosystem, SSM), Redis, MySQL, Nginx, Tomcat, Docker and so on.

2. Intranet penetration
In network penetration, compromising one host is only the beginning. How to pivot from it and take control of more nodes is the subject of intranet penetration. A classic example is the WannaCry outbreak (known in Chinese coverage as the "EternalBlue virus"), which spread rapidly through the EternalBlue SMB vulnerability and infected machines on a massive scale.

There is a great deal to learn in intranet penetration and the difficulty rises sharply, but it is a very important part of network penetration and worth chewing on. This part is light on theory and heavy on practice; you need to build plenty of lab environments to simulate and learn.

3. Operating system security & privilege escalation & virtualisation
After getting into a machine through the Web or other means, you are usually restricted in some way, so privilege escalation is a frequent need, and that touches many topics closely tied to the operating system's security mechanisms. Learning some operating system security is therefore essential.

For example, the permission models of Windows and Linux respectively, privilege escalation methods, and the commonly used vulnerabilities and tools.

Finally, learn some virtualisation technology for scenarios where you may need to escape from a virtual machine.

1. Cobalt Strike & Metasploit
Learning to use these two powerhouse tools greatly improves attack efficiency; they are essential kit for any penetration tester.

2. Expanding into other security technologies
In the late stage of network penetration, if you want to become a security expert you cannot stay within your own specialty; you need to learn more about other areas of network security to broaden your knowledge.

For example: binary vulnerability exploitation, reverse engineering, Trojan techniques, kernel security, mobile security, side-channel attacks and so on. You do not need to go as deep as people who specialise in those areas, but you do need to dabble and understand them, enrich your knowledge, and build a comprehensive stack of network security knowledge and skills.

Epilogue

The above is my network security learning route. I hope it gives you some inspiration and help for self-study. I have also compiled a set of cyber security self-study materials; let me know if you need them.


Reposted from: blog.csdn.net/kali_Ma/article/details/128579563