
My penetration testing learning journey

Posted by herskovits at 2020-03-02

My public account has been publishing almost one article a day, and not all of them are written by me. Today the account passed five thousand followers, which is a milestone. That means the account can now carry real traffic: browsing and clicking the advertisements below adds a little to my income, and contributions (submissions) are welcome too. So today I am sharing with you a little learning experience that I shared earlier on my Knowledge Planet. To mark this moment, this article may not be reproduced without permission. Students on the Knowledge Planet can ask me questions; I answer what I can, and if I cannot answer something for the time being I find friends who can. Even when I cannot answer, you at least learn what kind of questions exist, and guiding learning through questions is a good thing, so why not do it. Our learning exchange group is also close to 500 members, which is an unexpectedly fast growth for me. Creating a good learning atmosphere for you is a real achievement. Thank you for your support.

Recently I have found that many friends are asking me the same thing: I want to learn penetration testing, but I don't know how to start or what to learn. So here I will share my own path to learning penetration testing and some suggestions for beginners.

My way of learning

In the blink of an eye I have been studying penetration testing for nearly six years. I remember that I first came into contact with security in early 2012. When I had just entered the experimental class, I borrowed a copy of Hacker's Notes from the library; back in the dormitory I read two pages, was totally confused, could not understand a word of it, and returned it. My university major was network engineering, which had nothing to do with security, and I had no classmates doing security either. Only because the whole school selected students for an experimental class did I get the chance to touch security, and after entering the experimental class I started on the security path.

Looking back at how I learned security then: I had already taken database, data structure, C language and other professional courses, but they were not very helpful for security, so I learned security from scratch. I hope my experience can shed some light on your own path into security.

The first security material I read at that time was the TXT version of the first edition of Hacker's Notes, shared by the study committee member of our class. With no foundation it had the same effect on me as when I was a freshman: I could not follow it. But since I had entered the experimental class I could no longer give up on this path the way I had as a freshman, so I had to push through it a little harder. Even if I could not understand it at the time, it did not matter; it was enough to leave a little impression in my mind. Later, our network attack and defense course gave us a hacking book, the Treasure Book of Hacker Attack and Defense Technology, Web Practice Chapter (the Chinese edition of The Web Application Hacker's Handbook), which I also ploughed through once. In terms of reading, those two books were basically it.

If it is just reading, it is very boring; everyone knows that feeling, especially when you cannot understand what you read. How did I solve this boring problem? My solution at the time was:

1. Keep enough interest to keep going

2. Find like-minded friends or organizations to learn and communicate with

3. Take part in CTF competitions: you will run into many interesting knowledge points, and can work through them one by one according to what you already know

4. While learning the technique, sort out what you have learned and then share it in the organizations you are part of

5. Look for vulnerable websites on the Internet and practise on them for real; gaining access boosts your sense of achievement (these days you can practise on foreign websites; remember not to choose sensitive targets)

The first organization I joined was the Ag security team. At that time we were still on YY, playing and learning together. Later, guided by old K, I joined 90sec, read the forum articles every day, basically read all the earlier posts in the forum, and posted everything I summarized from my own study back to the forum. With everyone's encouragement the passion for learning grows step by step; showing your ability and the technique you have learned is the sense of achievement of student days.

The security knowledge I learned before graduation was basically web security. After all, web security occupies the dominant position in the security field and covers a wide range. Intranet security and the security of peripheral services I only came into contact with after starting work, so I will not cover them here.

How to be a script kiddie

For students with no foundation who want to enter the field, the goal of a junior penetration testing engineer is this: given a target, use all the security tools at hand to test the website thoroughly. Learning the principles right at the start is a bit much, so the starting point can be a script kiddie.

Among web security tools, the injection tools I used to play with, such as Ah D, Mingxiao, Pangolin and Radish, are rarely seen now. They can basically all be replaced by sqlmap, so you must become proficient with sqlmap for injection. Once you can write the tamper scripts that sqlmap supports, you can solve most injection problems.

Back when playing upload truncation, wsockexpert was used to capture packets, WinHex to insert the truncation character, and finally nc to submit. It was troublesome, and it looks feeble next to Burp, which is the tool a beginner must master. Burp is not only used here: it can brute-force all kinds of web applications, such as admin backends, webshell passwords, directory enumeration, etc.; it has its own encoding and decoding functions and supports many custom plug-ins, so learning Burp is very important.

In those years, for scanning we usually used S scanner, SuperScan, X-Scan and so on. Now nmap can do every scanning operation and also supports custom scanning scripts; its power is widely recognized, so learning to use this tool is very necessary.

As a script kiddie you do not need to know many vulnerability principles or how to protect against them. You only need to be familiar with how to use all the security tools on the net, what each tool is for, which kinds of vulnerabilities it applies to, and under what circumstances. When you can do this, you already have the ability of a junior penetration testing engineer and can complete certain penetration testing work on your own.

How to improve your rank

Once you are a script kiddie you can do some penetration testing work, but when others put protection in place against the vulnerabilities, the automated tools cannot keep up, and at that point a script kiddie can do nothing. So we need to improve our own ability in order to complete the penetration testing task.

Driven by the business we have to level up, otherwise we will be eliminated. To become a mid-level penetration testing engineer we need to understand the principles behind all the tools and vulnerabilities we used before, so that even if a website has put some protection in place, we can work out the protection measures under test and then bypass them specifically. In this process your strength grows without you noticing, and by that step you no longer need my advice; you can study and improve on your own.

Develop the following habits:

1. Record your own learning results so that you can quickly pull them out and use them the next time you meet the same thing

2. Follow some good technology blogs, such as SecWiki, Changting wiki, Anquanke, FreeBuf, etc.

3. Follow foreign security sites, such as reddit

Penetration test process

Every penetration tester has their own penetration testing process, the ways and methods they have summarized from real engagements. Here I will talk about the basic process.

In practice, the smaller the company, the harder it is to penetrate successfully. Why? Because a small company has little business and only a few services exposed to the Internet; the fewer the services, the easier they are to manage and the fewer vulnerabilities they have. So the larger the attack surface, the higher our success rate. But how do we expand the attack surface?

1. Collect as many of the enterprise's domain names as possible (including all subdomains and the domain names of subsidiaries; the more complete the better)

2. Collect as far as possible the public IP ranges the enterprise has applied for

3. Port-scan all the collected domain names and IP addresses (since this may take a long time, you can choose to use platforms such as ZoomEye, Shodan and Censys)

4. Conduct penetration tests against the different services (especially middleware that may have vulnerabilities)

After these steps you will have collected a lot of data, and your success rate is closely tied to the quality of that data. The steps do not look complicated, but many areas of security knowledge are involved. How to collect enough, and how to test more accurately, is what we need to pay attention to.
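Step 3 above produces a port scan; what matters afterwards is turning it into an inventory of exposed services, which is exactly what the owner of those hosts should be reviewing as well. The following is an added example, not code from the post, that parses nmap's grepable (-oG) output and lists every open service outside an expected public set; the hosts, banners and the EXPECTED_PUBLIC set are constructed assumptions for the example.

```python
import re

# Constructed sample of nmap grepable (-oG) output for two hosts; the
# addresses, names and banners are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 203.0.113.11 (ci.example.test)\tStatus: Up
Host: 203.0.113.11 (ci.example.test)\tPorts: 8080/open/tcp//http//Jetty 9.4/, 8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
"""

# A "Host:" line that carries a Ports: field; the trailing Ignored State is dropped.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")

# Services a public web host is expected to expose (assumption for the example);
# anything else is extra attack surface that deserves a look.
EXPECTED_PUBLIC = {80, 443}

def parse_gnmap(text):
    """Map ip -> {'name': hostname, 'ports': [(port, proto, service, version)]},
    keeping only the ports nmap reports as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for spec in ports_field.split(", "):
            fields = spec.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 7:       # malformed entry: skip rather than crash
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                entry["ports"].append((int(port), proto, service, version))
    return hosts

def exposure_report(hosts):
    """Every open service outside EXPECTED_PUBLIC: the attack surface the text
    describes, seen from the owner's side."""
    findings = []
    for ip in sorted(hosts):
        for port, proto, service, version in hosts[ip]["ports"]:
            if port not in EXPECTED_PUBLIC:
                findings.append((ip, hosts[ip]["name"], port, service, version))
    return findings

if __name__ == "__main__":
    for ip, name, port, service, version in exposure_report(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip} ({name}) exposes {port}/{service} {version}")
```

Run it against a real `nmap -sV -oG` file of your own hosts to get the same list for your environment.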

Penetration testing for Web

Given a web site, first find out what server and scripting language the site uses. We can capture packets with software such as Burp and guess from the server's banner.

If you are not afraid of causing a denial of service on the server, you can also scan it directly with a large scanner, such as AWVS, Netsparker, w3af, etc.

We can also use some open-source crawler software to crawl all the dynamic pages and understand every function of the website. Anything the user can control is something we need to test; every function a user can reach is potentially unsafe, and this is not limited to web functions but also includes fields hidden in HTTP headers, such as Cookie, X-Forwarded-For, Referer, etc.
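The headers named above are request input like any other, and an application that treats one of them as trustworthy is exactly the kind of function that fails under test. As an added example, not code from the post, the snippet below shows a client-IP lookup that trusts X-Forwarded-For blindly next to one that only honours it behind a known proxy; the proxy address, the admin network and the header values are constructed assumptions.

```python
import ipaddress

# Reverse proxies we operate in front of the app (constructed for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.5")}
# Internal range allowed to reach the admin area (also constructed).
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")

def client_ip_naive(headers, peer_ip):
    """Weak: takes the first X-Forwarded-For hop as the client address.
    The header is user-controlled, so any caller can claim any address."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip

def client_ip_hardened(headers, peer_ip):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    then walk the chain from the right and stop at the first hop that is not
    a trusted proxy: that hop was appended by a proxy, not by the caller."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer_ip  # direct connection: the header means nothing
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # garbage in the header: fall back to the proxy itself
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer_ip

def is_admin_request(headers, peer_ip, resolver=client_ip_hardened):
    """Access decision for the admin area based on the resolved client IP."""
    return ipaddress.ip_address(resolver(headers, peer_ip)) in ADMIN_NET
```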

Pages that cannot be crawled can still be found: robots.txt may reveal hidden directories, search engines may have recorded earlier test pages, or a directory scanner such as wwwscan or Burp can enumerate the existing directories. The important thing is the dictionary.

You can also use tools that look for information disclosure, such as pig man's sensitive information disclosure tool, to find backup files and other usable points.

For open source projects, you can look up known vulnerabilities of the corresponding version online and test for them. If there are none and you have the strength, dig for them yourself.

In a word, there are many ways and methods, and they take time to accumulate. As long as you persist, I believe that in the near future you will grow into the person you want to be, and let us encourage each other.