“Do I really look like a guy with a plan?”
Originally posted on my first blog on 20/08/2020
I was asked the other day what my 6 to 12 month plan was and did that include working toward a certification. While I always had a rough plan in my head, I don’t think I answered the question particularly well. I think this is because the plan has never made it out of my head and been written down somewhere (also probably had a lot to do with nerves!).
This post will change that.
My rough plan was basically:
- Work through any courses I have outstanding on Udemy/Codecademy
- Start working my way through beginners boxes on Try Hack Me (THM) and Hack The Box (HTB)
- Work my way up to medium/hard boxes
- Blog the whole way through
- Then start to look at certifications
I think the general idea of this plan is about right, but it lacks specifics and it lacks goals. I think I need to get specific and get something I can hold myself accountable to, I am going to do this in three or four stages but I think this might be a bit of a work in progress as I evolve and develop.
Stage 1 - Studying the basics
I keep banging on about getting the foundations right but then I get distracted by the “bright lights and excitement” of hacking a box from scratch. I know my current skill level and I know where I need to be, getting there is going to start with good old fashioned studying. Up until now I have been watching courses on YouTube and Udemy to learn certain topics (like Networking) but I haven’t been taking particularly detailed notes or testing my knowledge. How am I going to know what I know if I don’t check what I know and don’t know, you know?
Computer Networking is very important to ethical hacking and pen testing (and Cyber Security in general tbh), yes there are loads of automated tools out there that will do various types of network scanning for you, but if you don’t know your TCP or TLS from your UDP or SSL then you’re gonna have a bad time. I don’t want to be a “script kiddie”, I want to know and understand what I am doing.
I am currently enrolled in “TOTAL: CompTIA Network+ Certification (N10-007)” by Mike Myers on Udemy and it is a really good course. Mike is very knowledgeable and definitely explains things in a way that is easy to understand. It might not seem like the most graphically advanced course (Mike uses foam blocks to explain some concepts), but it certainly provides all the right information in an easy to digest way.
I have around 14 hours of content left on this course and if I factor in another (generous?) 6 hours for taking notes, revising notes and testing my knowledge, let’s say I have 20 hours. I think I can find roughly anywhere from 7-15 hours a week (possibly more or less as life demands, I work full time and have a 9-month-old!) that would give me 2-3 weeks or so to learn and understand Computer Networking to a decent level.
Goal 1: Complete Network+ course and associated studying by 18th September 2020.
I think this is achievable but I also want to push myself. I don’t want to sacrifice quality for speed though; that won’t do anyone any favours. I may need to adjust this goal but I hope this will give me time to not only learn this topic but maybe see some of it in action by scanning some boxes etc.
Stage 2 - Boxes, Scripting & Coding
At this stage I would like to start working some boxes on Try Hack Me. Now I don’t want to jump straight into a CTF or something similar, I still won’t be at that level, but there are loads of different boxes designed to give you an introduction to all the different areas of ethical hacking. Hacking isn’t just about scanning networks, there is a lot more to it than that including OSINT (Open Source Intelligence Gathering), Google Dorking, Steganography, Cryptography etc.
Here are a few rooms I found that were rated easy that would give me a good start in various different areas of hacking. (At this stage I have already completed Learn Linux, Basic Pentesting, Network Services, Active Directory Basics, Web Fundamentals, Burp Suite, Nmap & Metasploit on THM, all rated as “easy”)
- Introductory Researching
- Google Dorking
- Networking
- Linux Challenges
- Ninja Skills (Basic Linux)
- Basic Steganography
- Intro to Web Scanning
- XXE
- Intro to SSRF
- Intro to XSS
- Basic SQL Injection
After this I think I would be in a position to start attempting the actual challenges on THM. The challenges are usually a Capture the Flag (CTF) where they simply give you an IP address of a target machine and tell you how many “flags” you need to obtain. A flag is usually just a text file with a code in it, something like {THM:02d20d50d8501f50df5f05_Captur3_th3_fl4g}, but the text file is hidden and usually you need root privileges to get to them. Again, I would be starting at the easy/beginner level and hopefully working my way up.
Alongside this stage I would like to look in more detail at scripting. I have a basic understanding of Python from a Codecademy course I did last year but I could definitely do with a refresher and the opportunity to build on the basics. Bash/Shell scripting is also used alongside hacking to automate a lot of processes, according to Null Byte:
“Any self-respecting hacker must be able to script... As a hacker, we often need to automate the use of multiple commands, sometimes from multiple tools. To become an elite hacker, you not only need to have advanced shell scripting skills, but also the ability to script in one of the widely-used scripting languages...”
The plan is to work at scripting alongside working on the rooms/boxes and CTF challenges. I think these work hand in hand as I may have opportunities to write some scripts to help me complete these challenges. I hope this is the right call but as always it will be subject to change, if anyone with knowledge of this wants to contact me to let me know if this is a good idea or not please feel free!
As for timescales for this part? I am really not sure and I can’t be as specific as the first goal however I am willing to put a ballpark figure of 3 to 6 months for this stage. As always I am happy to be corrected by someone more in the know.
Goal 2: Complete basic boxes on THM by end of 2020 and have completed several easy to medium CTF challenges by 31st March 2021.
Stage 3 & 4 and More?
We are getting further and further from my realm of knowledge and as such it may not be productive or realistic to set further specific goals at this stage? As I said before, I really don’t know what I don’t know. At these stages though I think I would be looking into more advanced hacking topics such as Buffer Overflows, SSH Tunneling, Advanced Crypto etc. (please take these topics with a pinch of salt as I have not fully researched what “advanced” means in terms of hacking concepts).
I do also want to get certified and have been looking into the various qualifications that are available (I am going to cover this in a future blog post). I know that certs vary from USA to UK and many people have an opinion as to whether certs are actually needed. For me personally, this is the route I want to take. I would like to set a longer term goal but I am struggling with wanting to make it specific and achievable but also not really knowing what the next 3, 6 or 9 months will bring in terms of my learning and progress. Let’s try this though:
Goal 3: Obtain a certification, like OSCP or equivalent, by December 31st 2021.
I reckon there will be some goals added in between goals 2 and 3 in terms of technical progression but I would like to think that I would be in a position to pass a certification exam within 12 to 18 months. I know this will be pretty tough, especially not being able to work at this full time, but I am committed to doing it. I can do it. I will do it.
Other goals?
I do have some other goals that are maybe not time specific, just things that I will be working on over the next year or two as I journey into Cyber Security. Again, it feels important to at least document them and make myself accountable.
Increase presence on Twitter, engaging in more conversations about the industry.
I don’t have a huge amount of confidence when it comes to social situations, and on social media I am definitely more of a lurker. I enjoy the Cyber Security conversations on Twitter and there are a ton of resources posted all the time. I need to get more involved in this though, networking will help my career and who knows, maybe I will even have something to offer too!
Continue to blog about my progress and increase viewership of my site.
I like this blog. It helps me organise my thoughts and get a bit more focused. I would like it, if in the future, people who were getting into the field were able to follow my journey and learn from my mistakes and take advantage of the resources I have found. Part of this will be getting the blog more well known, which will fall in line with the goal above.
Continually work on my soft skills such as communication, project management, writing and presenting.
Hacking isn’t just about technical skills, I will also need to be able to communicate effectively with people of all levels and technical ability. This could involve presenting complex findings in an easy way. If I was performing a full pen test for a company I will also need to be able to manage my time and be very organised. These are all skills I need to continually work on.
Take intro/refresher courses on Codecademy on HTML, CSS, PHP and JavaScript.
These languages will help with Web App testing. I did an intro course on HTML & CSS a few years ago and I worked through part of a JavaScript course but it was so long ago a lot of it has been forgotten. I like the Codecademy platform, I find it really easy to use and understand so I will definitely be picking up some intro courses on these languages. I need to be able to understand how a website functions and what various types of request mean to have a chance of exploiting any vulnerabilities.
Summary
So, to summarise, I have three main goals set that are SMART:
Complete Network+ course and associated studying by 18th September 2020.
Complete basic boxes on THM by end of 2020 and have completed several easy to medium CTF challenges by 31st March 2021.
Obtain a certification, like OSCP or equivalent, by December 31st 2021.
And four more additional goals:
- Increase presence on Twitter, engaging in more conversations about the industry.
- Continue to blog about my progress and increase viewership of my site.
- Continually work on my soft skills such as communication, project management, writing and presenting.
- Take intro/refresher courses on Codecademy on HTML, CSS, PHP and JavaScript.
These will of course be subject to change if necessary but it is definitely a good start for me to re-focus and get stuck in. There is currently a huge technical jump between goals two and three so this will be filled with more specific goals in the future. I in no way think that after managing a few boxes on THM I will be ready for certification! As I mentioned previously, if anyone out there has been through any of this or has any feedback on my goals and how realistic they are please let me know.
All the best,
Nelly