
/biz/ - Business & Finance



File: 996 KB, 500x280, 328579234758947.gif
No.14784856

This thread is for the discussion and support of those anons who have accepted the Quest to become remote pentesters. I am OP, my email is OSCPanon at protonmail. You may contact me via email with any questions related to hacking professionally, or learning to do so.

Link to original guide (Path to Pentest - Anon's Quest):
https://pastebin.com/e35Vr0LX

Link to the last General thread:
>>14460030

So what are you doing to further your Quest this weekend anon? Here are some good resources and things you could start working on:

Free ebook downloads for several of the books I cover:
https://b-ok.org/

-Noob-friendly complete guide to OSCP content (with very helpful links):
https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html?m=1

-Another book recommendation and guide to the PWK training:
https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

-IppSec (HtB walkthroughs):
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos

Learn Linux (free courses from Harvard, Dartmouth, Redhat):
https://www.edx.org/learn/linux

Learn Linux (Bandit - Over the Wire):
https://overthewire.org/wargames/bandit/

Learn Metasploit (free course from offensive security):
https://www.offensive-security.com/metasploit-unleashed/

Learn Python (free course & Codecademy. added youtube source):
https://www.learnpython.org/
https://www.codecademy.com/learn/learn-python
https://m.youtube.com/channel/UCCezIgC97PvUuR4_gbFUs5g (Corey Schafer channel)

Start creating your virtual lab with VirtualBox (Free):
https://www.virtualbox.org/

Free Windows VMs from Microsoft:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Build your hacking OS (Kali & Parrot):
https://www.kali.org/downloads/
https://www.parrotsec.org/download.php

Vulnerable VMs to practice against:
https://www.vulnhub.com/

Vulnerable lab & CTF community:
https://www.hackthebox.eu/

>> No.14784861

NOTE - ADD INFO FOR IRC AND FOR UPCOMING ONLINE CTF EVENTS AND HOW TO JOIN! ALSO ADD INFO FOR ANONYMITY WHEN USING IRC (DIG UP OLD ANONYMOUS GUIDES FOR THIS)

free Burp Suite course (Burp Suite is the no.1 tool for web app testing):
https://hackademy.aetherlab.net/p/burp-suite

Other Resources (podcasts, tech reading, misc):
https://darknetdiaries.com/episode/36/ (great podcast. Ep.36 is about a pentest)
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/ (collection of online CTF games)
http://ctf.infosecinstitute.com/ (CTFs for beginners)
more to come...

Link to Certification Info:
https://www.elearnsecurity.com/certification/ejpt/ (Junior Pentester Cert)
https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/ (OSCP - The ultimate goal of aspiring pentester)

Thanks to everyone who replied to my email with the guide. My protonmail inbox is now a beacon of hope. I really appreciate your warm regards, and your positivity proves to me this is going to be a worthwhile venture.

Monetization section (updates soon):

Bug bounty site (hack large companies and websites for bounty rewards):
https://www.hackerone.com

Hackerone also runs this site, which is for learning:
https://www.hacker101.com/

If you are looking for the original PDF guide I posted / emailed, then please see the previous /RPG/ threads. As always any questions are welcome, and I will answer them as soon as I can throughout the day. If you want to discuss other remote work opportunities in tech, outside of hacking, that is fine too. And anyone who wants to chime in with advice on such a topic is welcome to join in.

You got this anons!

ps. Looking for IRC chat mods. Email me if you are interested. OSCPanon at protonmail dot com. Also, I added some stuff to the MISC section, couple links for online CTFs for beginners. Check em out.

>> No.14784894

Got the wrong link to last thread. Here you go:
>>14685592

>> No.14784969

>NOTE - ADD INFO FOR IRC AND FOR UPCOMING ONLINE CTF EVENTS AND HOW TO JOIN! ALSO ADD INFO FOR ANONYMITY WHEN USING IRC (DIG UP OLD ANONYMOUS GUIDES FOR THIS)

damn I'm off today. left my own notes in there. anyway, you have a glance at what I'm working on for next week's /RPG/ thread.

Also apologies that I am just now getting caught up on emails. It's been a busy couple weeks.

>> No.14785034

>>14784856
OP, would you say learning pentesting is the best way to build up 'blue-team' skillsets? Could use some advice on this approach.

>> No.14785212

>>14785034
Tough question. I actually have done blue-team for the defense industry, and it is a lot different than penetration testing, of course. What I will say, is that if you were to be OSCP qualified, you would be the most qualified blue-teamer I know. As a red-team guy now, I always wish my blue-team understood more of what I am telling them from the offensive side. A blue-team member with this level of knowledge, would not just be a SME, they would be the absolute god-mode expert. Understanding the offense to that level, while practicing incident response, forensics, etc... You would be about as valuable as a blue-team as you could be. That's my opinion, having worked both blue and red team, as well as dedicated proactive defense.

>> No.14785420

>>14785212
Awesome thanks, always scratched my head at the degree of separation between the two. Would working on both facets in parallel (assume not a beginner) be inefficient?

>> No.14785683

>>14785420
In my opinion, the two SHOULD go hand in hand. It is unfortunate that they don't, but I think this is an issue, where if companies required blue-teams to have the level of knowledge of red-teams, they wouldn't have a blue-team. I think you can safely work on both in parallel. I don't have resources handy right this minute, but I've got some packed away. Let me get back to you with some book titles and resources that I think would help with this.

>> No.14785699

Also, I caught up on the backlogged emails. If you haven't heard from me, check your inbox, and if you have questions send em, I'm all caught up.

>> No.14785720

>>14784856
my parents missed woodstock I've been making up for it ever since

>> No.14785725

I have my doubts about how quickly I can get the OSCP cert, if at all, so I'm looking for an entry-level job that would take a more accessible cert in the meantime. What do you know about RHCSA/RHCE? Despite it being Red Hat specific, do you think it would provide a good foundational knowledge of Linux, Bash, etc., that would be applicable to the OSCP? If not, what other certs would require knowledge more pertinent to the OSCP?

>> No.14785761

thinking about studying infosec
which route is the best? undergraduate compsci, undergraduate IT/informatics or undergraduate cyber security?

>> No.14785818

>>14784856
yeah did bandit otw
not gonna lie I cheated on some of them
been using linux since 2015, the only way i've ever been able to break in to stuff is shodan tard servers where they have vlc open. Tried pivoting through tard server with metasploit and never hooked the ports up right.
Was able to use eternalblue on a lan (practice) but the shit always felt like script kiddie bs.
What do you hacker guys actually do, in a professional setting, just look for shit that isn't patched? Look for memory leaks? Try to talk Norman in to reading you the number on the modem?

>> No.14785836

>>14785720
a statement or was this supposed to be greentext? Either way, you are probably right.

>>14785725
Red Hat is hardcore linux. Just getting RHCSA/RHCE is enough to get you a good job, since it is niche and yet in demand. Those certs would give you a level of knowledge of linux beyond what is required for OSCP / penetration testing.
Other certs that would require the same kind of knowledge? CEH, eJPT (eLearnSecurity), GWAPT (expensive, SANS). CompTIA Pentest+ is a good one too, and CompTIA CySA is a good blue-team cert.

>>14785761
Not sure anon. I don't have a degree in this field. Shooting from the hip I would say undergrad cyber security. But I will stress that as of right now, the industry is not degree focused outside of management. If you want to do cyber security or penetration testing, then the certs are what matter more. Employers just want proof you can do the job tasks. IMO, it won't matter too much which of those degrees you get, they are the foundation of knowledge that you will build upon with certifications and hands-on experience. Anything IT will be fine. But my guess is that cyber security will be considered more valuable in the near future, if it isn't already.

>> No.14785857

Bump

Based OP

>> No.14785895

>>14785836
thanks based anon. your opinion coincides with the research I've done

>> No.14785900
File: 60 KB, 590x433, ggkM9QX.jpg

>>14785836
>was this supposed to be greentext?
It's from the movie my man

>> No.14785928

>>14784856
Just popping in to say thanks again, based anon. I'm still in the early stages of getting comfortable with python and Kali, hope to have more to contribute to this thread in the future.

>> No.14785956
File: 63 KB, 660x406, 23485723498759348.jpg

>>14785818
>What do hacker guys actually do, in a professional setting?
All the things you mentioned and more. Being a hacker is less about being good at specific things, and more about being relentless and trying all the things, until something works. I am good at my job, not because I know everything, but because I refuse to NOT get into a system once I target it. The one thing I am sure of, is that every system is somehow vulnerable. It's just a matter of figuring out the weak spot. Here's a quick list of things I do regularly on tests:
password spraying (take a 'top 100' list, and work through it, automated password attempts for every validated user, 1-2 per hour, over the course of days, so you don't lock out accounts)
search dump databases for leaked passwords
Company123, Company2019, Summer2019, etc... try common passwords anywhere that login area is present.
Search for outdated and unpatched software.
Use Nessus to vuln scan infrastructure. Use Burp Suite to scan webpages. You would be surprised how much shit is vulnerable out there that you can find with a scan.
Test for blind SQL injection. Test for XSS. Use OWASP top 10 tactics. Again, you would be surprised how much is vulnerable.
Dig through source code. Learn Javascript, and then pull the code from webpages and find the weak points.
Learn to use google very very well.
There's lots more, that's what I have off the top of my head that fits a broad area.

>>14785900
Damn! Can't believe I missed that haha. based. I better re-watch the movie for the 100th time now that I'm missing quotes.

>>14785928
awesome, thanks for stopping in with an update anon. you got this

>>14785857
thanks for the bump anon

>>14785895
np
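The password spraying pattern OP describes above (many accounts, one or two attempts each, spread over hours so no lockout trips) is also what a blue team should be hunting for. The following is an added example, not code from the thread or from OP: it runs the detection over a constructed auth log; the log format, addresses, account names and thresholds are all assumptions.

```python
# Added example, not code from the thread: flag the "low and slow" password
# spraying pattern described above (many accounts, 1-2 failures each, spread
# over hours). Log format, addresses and thresholds are constructed assumptions.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 fails once against five accounts over a
# workday (a spray) and then gets in as erin; 198.51.100.4 is one user
# mistyping their own password twice, which a per-account view also sees.
SAMPLE_LOG = """\
2019-07-06T09:00:00 auth=failure user=alice src=203.0.113.7
2019-07-06T10:05:00 auth=failure user=bob src=203.0.113.7
2019-07-06T11:10:00 auth=failure user=carol src=203.0.113.7
2019-07-06T12:15:00 auth=failure user=dave src=203.0.113.7
2019-07-06T13:20:00 auth=failure user=erin src=203.0.113.7
2019-07-06T13:21:00 auth=success user=erin src=203.0.113.7
2019-07-06T09:01:00 auth=failure user=frank src=198.51.100.4
2019-07-06T09:01:10 auth=failure user=frank src=198.51.100.4
2019-07-06T09:01:30 auth=success user=frank src=198.51.100.4
"""

def parse(line):
    ts, *pairs = line.split()
    return {"ts": datetime.fromisoformat(ts), **dict(p.split("=", 1) for p in pairs)}

def detect_spray(log_text, min_users=5, max_per_user=2):
    """Sources whose failures hit >= min_users distinct accounts with at most
    max_per_user failures each. A lockout policy counts per account, so a
    spray stays under it; counting per source across accounts exposes it.
    Feed one day's logs at a time. Returns {src: {"accounts", "hours"}}."""
    fails = defaultdict(list)  # src -> [(timestamp, user)]
    for rec in map(parse, log_text.splitlines()):
        if rec["auth"] == "failure":
            fails[rec["src"]].append((rec["ts"], rec["user"]))
    hits = {}
    for src, events in fails.items():
        counts = Counter(user for _, user in events)
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            span = max(t for t, _ in events) - min(t for t, _ in events)
            hits[src] = {"accounts": sorted(counts), "hours": span.total_seconds() / 3600}
    return hits

def compromised_candidates(log_text, hits):
    """Accounts that authenticated successfully from a flagged source: reset
    and investigate these first once a spray is detected."""
    out = defaultdict(list)
    for rec in map(parse, log_text.splitlines()):
        if rec["auth"] == "success" and rec["src"] in hits:
            out[rec["src"]].append(rec["user"])
    return dict(out)
```

Against the sample, only 203.0.113.7 is flagged (five accounts, one failure each, over about four hours), and erin is the account to reset first; frank's two failures on a single account never trip the per-source rule.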

>> No.14785983

>>14784856
Hey man, thanks for doing this the past couple of weeks my sincere appreciation

>> No.14786093

>>14785983
no problem. thanks for dropping in. my apologies the threads have been regular on saturday as planned. bunch of life stuff came up. I’m getting back to normal though and /RPG/ should be back on regular schedule next week.

>> No.14786110

>>14786093
>threads *havent* been regular on saturday

>> No.14786261

>>14785836
Any cybersecurity Field is more important now than it's ever been. the biggest problem i See is if we engage in friendly fire, Complicate things more than they need to be and forget to Remember that what you're up against isn't tangible, although it will seem more and more tangible if we allow it access to our most sensitive knowledge. use 2fa, realize that 0 is much more valuable today than it ever has been, and never neglect the advice of the odd one out, like the 8-ball on a pool table. @ny single character can represent a value.
Gmail and the like are obviously not the first choices when considering privacy. but in urgent circumstances you gotta work with what you got. play the platform, don't let it play you.

>> No.14786313

>>14785683
Thanks, I'll be watching for those resources. Much appreciated

>> No.14786338

I run a popular site with 10k daily users. I literally just run a default debian install and haven't been hacked yet in 5 years. Is security that easy?

>> No.14786361
File: 786 KB, 1920x1080, 1561770225491.png

>>14784856
Another anon here that wants to thank you.
I'm halfway through the Python/Hacking course on Udemy and have been working on learning more Linux. Your active encouragement in these threads has really helped me keep positive. I'm hoping we're all gonna make it.

>> No.14786371

>>14786338
How do you know you haven't been hacked?

>> No.14786463

>>14786313
Blue Team Field Manual (BTFM)
Blue Team Field Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder
Cybersecurity Blue Team Toolkit
Penetration Testing: A Hands-On Introduction to Hacking 1st Edition
Cybersecurity: Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics

>>14786338
LOL! I guarantee if you let me or someone else pentest your site, it would get completely pwnd. You should have a pentest done friend. You are not safe.

>>14786361
We're all gonna make it anon. You got this

>>14786371
This. It's not the old days when someone would plant a virus on your server that results in frequent crashes and obvious signs. These days, if you are not actively monitoring for threats (and well) then you would have no clue that you have been compromised. Check the news. Of the major breaches in the last couple years, most of the companies did not realize for a year. >>14786338 you are probably already pwnd and mining shitcoins for someone in singapore.

>> No.14786778
File: 235 KB, 800x800, 1561581645401.jpg

>>14786371
and you?
>>14786463
how can you be so sure?

>> No.14786968

>>14786778
mainly because anon said default debian and blew off security as a focus. If you are not actively defending, as well as doing custom config with a security focus, and patching properly, then it would be trivial to pwn a basic webserver.

>> No.14787048

>>14784856
I gave up pentesting to understand markets and make a couple million in crypto but I'll always have a deep love for net sec, DEF CON, Black Hat, BSides etc... if I have more time I'll return.