Learning Ethical Hacking From Scratch. My Path

So, guys, I get so many requests for help and questions about how I started learning ethical hacking. I guess it is time to answer those questions once, in a single post. Then I will be able to simply share the link.

I am sure, the Internet is full of such posts with detailed explanations about how to start learning ethical hacking or pentesting, or any other cybersecurity niche. But this is how I did it, and I hope it will not only help with useful links but also will motivate you if you feel doubts about your own abilities (like I did).

These doubts are particularly common amongst girls since in the past society created lots of stigmas regarding women in tech and science. I hope my small input will help change the situation, get rid of stupid stigmas, and help many girls find themselves in tech, cybersecurity, and particularly pentesting/ethical hacking.

I am an IT noob. Still

Let's start with a disclaimer that I am a complete noob, and moved to IT with close to 0 knowledge about how computers actually work. Don't get me wrong, I was a good PC user, but I was only good at clicking icons and pressing Ctrl+C and Ctrl+V. And, as a gamer, I knew how to install mods.

When I just started, I didn't really know what I wanted. I only thought I wanted to try to learn cybersecurity. This field seemed exciting to me, but I had my doubts I would ever be able to comprehend the technical part.

And exactly this fear of failing to understand gave me the idea that before engaging in cybersecurity I had to learn some IT basics that would help me understand more complicated topics.

Learning IT Basics. Networking is my Scourge

There are plenty of free videos on Youtube that provide nice training in IT basics, there are even whole playlists of basic courses for beginners: Fundamentals of IT, Computer Networking, System Administration, Operating Systems, etc. Here is an example of such a playlist, which I used to watch and take notes.

The Networking part was the hardest for me to understand, and still is. While I comprehend the OSI Model, IP addressing is still hard for me because of that binary part and lots of math. And I am not even starting about IPv6!

What I do when I don't understand something technical: I read/watch the explanation of the particular topic on as many resources as possible. Some of them might not explain it any better than the previous ones, but some might give you that tiny bit of info that will make the whole chain finally lock, and it will click!

So, when I realized that I understand the IT fundamentals more or less, I guessed it will be easier for me to understand some basic cybersecurity concepts.

Learning Basic Cybersecurity Concepts

Same as before, Youtube was my best friend (still is). It is hard to underestimate the amount of absolutely free educational info that Youtube provides! One only has to learn to use the search bar.

Here I share with you the playlist I watched to learn the cybersecurity fundamentals: not all the videos are "must-watch", some of them provide the same info. But if you feel like you need to see another take on some topics to understand them better, you might want to watch all of them. I personally watched the first one in the list "Cyber Security Full Course for Beginner" and "CompTIA Security+ Full Course".

Learning the concepts not only helped me understand the field, it kinda shaped the whole idea of what I actually want to become in the cybersecurity field.

At this point when you have the opportunity to observe the whole field, it can be pivoting. If you haven't decided what you want to become yet, it may help you to figure it out. Or, if you already thought you wanted to do one job, it will maybe help to change your mind and adjust to the more interesting niche. It is not uncommon to adjust your learning or career path as you learn more and change your view of things.

As for me, I realized that I want to get engaged in the pentesting/red teaming activities. But this is something everyone has to decide for themselves, what are your best qualities and what do you enjoy doing?

I love the challenge and I am persistent, so being on the attacking side will be more interesting to me than stress over defending :D At least, at this point of my learning path. Remember? Everything can be changed and adjusted while you learn, and it is okay! We are humans and we search to find ourselves our whole lives!

I had a moment when it was not clear for me and I had my doubts, so I took some time to go through the CISSP training course that is available at Cybrary. The trainer is one of my fave cybersecurity people, Kelly Handerhan. She is funny and explains things very nicely.

I know, the CISSP course isn't something a simple pentesting noob has to divert their attention to, but I just wanted to see the "whole picture". To have the idea of where exactly I would fit in, and what are my growth options. So I passed that course, even got a certificate about passing this course.

This definitely helped me figure out I want, indeed, to be a pentester, or fight in a red team. But also gave me the idea I would feel "home" in a purple team as well.

That also gave me an idea that in order to use many hacking tools I will need to, at least, understand programming languages like Python and JavaScript.

Learning Programming. Python Course

I really was afraid to just dig into learning Python. So right before I started it, I decided to learn some ropes: coding fundamentals. There is a nice Code Foundations course on Codecademy, that I took for free.

Then I spent some time googling the best way to learn Python for free, since most of the educational courses, including Codecademy, tend to semi-force you to use their paid options. I detest extortion, so I moved to Freecodecamp to study Python.

Freecodecamp is absolutely free, but you can always support their effort with donations. I did. I love donating as the opposite of forcing people to subscribe.

Freecodecamp has a huge course of Scientific Computing with Python, which includes the important one Python For Everybody (in fact, it starts with this beginners course). This one is so nice and comprehensive, I recommend taking it.

This course gave me a fair understanding of Python and how programming languages actually work.

At this point, I felt confident to try to learn Ethical Hacker Fundamentals.

Ethical Hacking Fundamentals. Zero to Hero Course by TCM

Of course, I start with fundamentals! I always aim to at least understand the basic concepts before actually digging into the subject. Because I hate feeling lost!

Again, Youtube saved the day!

There is the whole playlist that includes useful courses and tutorials: Ethical Hacking 101: Web App Penetration Testing, Linux for Ethical Hackers, Web Pentesting for Beginners, and, the most important, famous Zero to Hero course made by The Cyber Mentor.

Heath, The Cyber Mentor, leads you, step by step, from the very very basics of penetration testing until the whole paperwork and legal part that you have to understand as a pentester or ethical hacker.

This course settled everything in my head nicely, and everything I learned started to make so much sense! But what next?

Of course, Heath didn't show all the tools and methods, but he taught the most important thing: be curious and persistent, learn to search, change tools and explore new options!

What Next? Practice. HTB/THM

At this point, I felt like I am ready to try something more. I need practice, after all!

A great help to practice, learn tools, explore new opportunities, and challenge yourself will be to join one or both of the major platforms for hacking black boxes: HackTheBox and TryHackMe.

I think I am going to make separate posts about those platforms since there is too much to tell about them in great detail.

But here I will make just a few points: if you feel like your knowledge and skill are still weak, I recommend starting with TryHackMe, since they are beginner-friendly and lead you through the beginning holding your hand, basically. They include tutorials for beginners and help them adjust to the whole CTF (Capture The Flag) concept.

If you feel more confident, you can start with HackTheBox. They also have Starting Point machines and a tutorial for beginners. But in order to actually get an invitation there, you have to "hack your way in". Which can be really challenging for a complete noob.

I tried both, and I love them both, but I find HTB harder. So, the choice is ultimately yours. Both have free and paid plans.

If you aim to have ethical hacking and pentesting as a hobby, that's enough: just keep practicing, do tutorials, learn more.

But if you aim to have Pentesting as your career, then you will have to think about real-life certifications.

Where My Path is Going? Certifications

So, I decided to become a pentester, and all I am doing now is practicing, and learning more tools, spending time googling a lot to learn even more.

But if I want more than simply having fun, if I want to use my newly acquired and developing skills to make a living, I have no other option but to study and spend money for certificates that prove my skills.

This is a very complicated topic for me to talk about, yet, since I am new and I still have my doubts about how I will fit in without having a decent CS degree.

Thanks to people like Neal Bridges from Cyber Insecurity, I came to realize that there are plenty of opportunities for everyone in this field, and having a degree in Computer Science isn't imperative to be able to succeed.

There are so many ways and options to land a job, we only have to keep trying and keep improving ourselves.

There are plenty of educational opportunities out there and many certificates to get. I personally decided to start with eJPT, and currently, I have been learning the course Penetration Testing Student on INE.COM to get ready to pass the test. It is free and I would recommend passing the course even to those who aren't going to get the eJPT certificate.

So this is where I am at, right now. I made a small pit stop to make this post to share my experience with you :3

This is Not the End! To be Continued...

Ethical hacking or pentesting, and the cybersecurity field in general, is an area of never-ending development. Progress doesn't stay still, technologies evolve, software and hacking tools become more sophisticated. We will never stop learning, either.

I am at the very very beginning of my path, there is so much to learn, to understand, to explore, and to challenge.

But as far as I go, I am going to share my journey with you and update this post. Thus, it will be more informative, helpful and, I hope, motivating.

Never give up, keep learning!

P.S. I welcome any questions! Let me know if there is a need to clarify something!
Don't hesitate to DM me on Instagram, I may be slow with replying, but I will give some of my time to everyone!