Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Also, you might want to move SQL to the top of your list. That's very important.
-
itsundef2596y18/37. [Android] - {GrapheneOS} & ΜΆiΜΆOΜΆSΜΆ(useless your are absolute mad lad, my friend) exploit/pentest
FIXED -
thoxx20876yI think metasploit basics is way too early and stuff like C/C++ programming should be above (esp. for understanding how payloads etc. work).
IMO: good pentesters are really good programmers -
99% of security work is "Can I inject database queries along with any HTTP request?", "Can I access REST resources a standard/guest user shouldn't have access to?" and of course "Can I trick a support desk employee to change another user's data?"
Pretty much all communication between devices happens through APIs these days, and the weakest ones are backend APIs written by sloppy companies (used by mobile apps, web frontends, other backends... doesn't matter). And people, of course, people are super weak.
There is a smaller area of research when it comes to hardware pentesting, trying to find vulnerabilities in bluetooth chips used by cars, USB/displayport firmware, etc -- but that requires a lot of low level knowledge, starting with mastery of assembly/C and electrical engineering. -
@thoxx if you look at the most famous hackers they don’t really have a technical background (Kevin Mitnick, Adrian Alamo, etc). But then again they are the ones that got caught. C++ would be useful for understanding hardware architecture, but it’s not really required for a professional pen tester. Professional pen testing is less glorious than you think: running vulnerability scans and writing lots and lots and lots of reports.
-
thoxx20876y@toriyuno
I don't know if you can compare famous hackers with building a successfull/solid pentesting career ;-)
Maybe it's not absolutely necessary, but it's definitely very helpful. The better pentesters I've met were at least really good programmers (who didn't just rely on tools like sqlmap, zap, burp suite, w3af etc). -
Starting with Linux basics is great, especially bash scripting, and understanding overall structure
Put metasploit in the middle if not the very end
Learning how things work is 90% of the work in pentesting, info gathering is the most amount of time you'd probably spend on. Once you know what it is and how it works you can manipulate it
Read these three books :
web application hacker's handbook,
hacking the art of exploitation, and
penetration testing a hands on introduction to hacking(video tutorials on cybrary.it)
All three of them are of novice to intermediate level, and it'll give you a good base with theory and tools
If you need any help, feel free to connect with me on Twitter (same username)
Also don't waste your money on CEH, do OSCP instead -
R-C-D160066y
Now that I have time to approach my ultimate dream ( being the pro penrester ) , asked a hacker for a road map and he gave me (U'll rarely see such open hackers that share knowledge :) )
Surprisingly I've been familiar with all the topics but being the most pro , requires u to be pro in every single topic .
Guess what ? I'm starting from basic linux commands all over again π
echo 'hello world :/'
rant
pro pentester