BOOK THIS SPACE FOR AD
ARTICLE ADHello, my name is Niraj Wagh and this is my first blog.
I have spent the last 1-hour googling impressive ways to open a blog and found nothing impressive.
So let me get straight to the blog’s topic. And if you want a short and crisp version of this blog, you can scroll down to the section before the conclusion.
If you are a beginner on this journey, then let me tell you one thing:
It’s going to be a very frustrating and confusing journey. There is a lot to learn and many ways to learn each topic and subject. YouTube and Google are filled with a huge amount of stuff related to ethical hacking. You will need two things in this journey, one is patience(a lot of patience) and second is curiosity.
I am a beginner too, but I think I have learned a lot in the last 6–7 months. As a beginner, I was confused about how to start and what to learn. Here in this blog journey, I will share all the paths and resources that worked for me and that may be helpful for you.
But first, Who am I?
I am a final year undergraduate student in IT engineering. I have some basic knowledge about the C++ programming language and have developed some basic android apps using JAVA. Apart from this, I have no experience in programming or in ethical hacking stuff. I have started my journey of ethical hacking since march 2020( Coronavirus lockdown period ).
My learning strategy:
I usually watch a ton of youtube videos before starting learning anything. So I have done the same thing for learning about ethical hacking. I have watched videos on prerequisites, certificates, books, jobs, and paths for learning ethical hacking.
After watching videos, I go to google and do my research there. Then I moved to twitter and followed all the YouTubers and other infosec community people and turned on notification for their tweets.
Then I researched on what books I should read. Books can be boring for some people and might feel old fashioned. But for me, books are the only resources if I want to learn from scratch and learn basic concepts bit by bit.
Ok enough, let me share what I have for you. The resources that worked for me as a beginner and might help you.
One small advice: First learn Computer networking and operating system concepts before trying bug bounty. This does not mean that you cannot find bugs without learning these concepts. You can finds bugs without understanding TCP/IP. But if you want to stay in this field for a longer time. then you should learn from scratch.
Ok, so how to start?
Learn Computer Networking concepts.Learn operating system concepts. (boring stuff, but worth it).Leave Microsoft Windows and switch to Linux. Make Linux your primary OS.Don't focus on how much money bug hunters are making each day. Focus on your skill development.Make sure you make your basics clear because when your time will come to show the skills, you show them as a security expert and not as a script kiddie(a person who relies on other’s tools and scripts for hacking).
Now, while learning these subjects, you might get bored and want to get familiar with real-world bug hunting. You might want to explore how are bugs found and what types of bugs are found in the real world.
So side by side, you can create your accounts on bug bounty platforms like HackerOne, Bugcrowd, and Intigriti. Explore the programs listed on these platforms and what bugs are In-scope.
You should always visit Hackerone’s Hactivity section frequently. This section has all the reports for the bugs found by hackers on HackerOne. These reports have details about the bugs and how the hacker found them on the platform along with proof in the form of videos and images.
There are some other great resources like TryHackMe, Portswigger’s Web Application Security Academy, HackerOne’s Hacker101, Bugcrowd University(videos). I am using all of them.
What is TryHackMe?
TryHackMe is a website consisting of Ethical Hacking related Learning resources and challenges for beginners. It focuses on beginner ethical hackers. They provide learning material and practical challenges in the form of rooms.
I have tried TryHackMe for one month for $10 and it's one of the best resource at this price. As a student, I was worried about spending $10 dollars but I am happy that my money is not wasted. If you can spend $10 dollars then I would highly recommend TryHackMe one month subscription. To get more out of TryHackMe, subscribe to it after learning Networking and OS concepts so that you can solve more rooms in this one month subscription period.
Other resources mentioned above focus on web application security and are very useful for bug bounty hunters. Hacker101 has videos and a CTF(capture the flag) section for practicing your skills. Portswigger’s academy has a lot of learning material along with labs for practicing your skills.
Recommended websites:
Portswigger Web Security Academy
Recommended books:
Right now I can recommend only two books, one for computer networking and one for web application security.
For Computer Networking: “Computer Networking: A Top-Down Approach” — by James Kurose & Keith W. Ross. (Amazon US) (Amazon India)
For Web application security and bug hunting: “The Web Application Hacker’s Handbook” — by Stuttard Dafydd & Marcus Pinto. (Amazon US) (Amazon India)
Youtube channels to subscribe:
NetworkChuck (must watch CCNA videos for networking)
Twitter hashtags to follow:
(crisp version)
In short, as a beginner, start with computer networking and focus mostly on application layer protocols. Start using Linux as your daily OS. Learn Operating system concepts so that you can develop your own tool for attacking weak sections of an OS. Explore websites like Portswigger Web Security Academy, Hacker101, and TryHackMe. Subscribe and follow the youtube channels and twitter hashtags mentioned above. Focus on the basics of networking, because that’s how you become an expert. And now, read the conclusion.
Conclusion:
This journey is not simple at all. It will test your patience, your dedication, and your commitment. You will need to do your own research on every topic. You need to google every new term that you encounter in this journey. Don't panic, go slow.
The fun part is, you get to know how the internet works, how a bit of a WhatsApp message is transferred as soon as you send a “hi” to your friend. You will learn what other people don't know and still use the internet and web apps daily. You will know the vulnerabilities, the exploits, and the working of the most commonly used systems.
So relax, and go step by step. Every time you feel like “this is hard and not easy”, remind yourself that it's not easy but you can master it by going step by step, and most importantly, “it's worth it”.
Note: I love getting feedback to improve myself. You can contact me here:
Twitter: NiRajWAGHHH
Github: nirajwagh