This is a question I get asked a lot and by a lot I mean a LOT, so I decided to write a blog post about it.
I will not describe how I started, as there were no good guidelines or tutorials at that time, this will be a topic for another post.
I would like to present tools and portals were basic and advanced knowledge can be acquired and tested without going straight to prison.
To to start learning about cybersecurity and start hacking things you don`t need to learn a programming language as many suggest or have worked in an IT job before.
The only thing you need to bring to start learning and possibly start a career in cybersecurity is the willingness to learn, determination and you must enjoy it.
If the only reason is a better paying job, then you will have a really hard time coming to a state where you will be able to get a job in cybersecurity.
Let`s get started!
As with most topics, there are different areas of cybersecurity, for example:
- Network security
- Application security
- Web security
The first task is to pick the area of cybersecurity you want to start in.
Since it is one of the most common and in my opinion the one with the easiest entry-level. Lets go with web security.
The field of web security deals with all topics related to the internet this can be on a computer, mobile device, or a remotely accessible control panel of a wind turbine.
The first portal I want to show is root-me.org.
This started as a French portal but now has a translation for multiple languages.
In my experience languages other than French or English do have some translation errors here and there. I would suggest that you use the English translation or even better the French one. Since my French is terrible I stuck to the English translation and it worked out pretty well.
After you created an account and logged in you have access to all sorts of learning and testing material.
The best way to start is to work your way along with the provided challenges.
Most of the challenges can be solved by using your browser, no special tools needed, at least most of the time.
The web - server challenges are a perfect start. Don´t be intimidated by the word challenge we will get to that shortly.
Once clicked you will see all available challenges for the selected category.
These challenges are ordered increasing difficulty and will get harder the further you go.
Let´s click on one of the available challenges and by the way, the green checkmark on the left means that I already solved these challenges, so you can keep track of your progress.
In this picture, you can see the first and easiest challenge HTML - Source code.
This brings me to the part I like the most about root-me and that is that to every challenge you are given a set of informative resources to teach you things about the topic of the challenge.
These resources won´t just straight up give you the solution for the challenge rather than teach you the technical background about the technologies used.
After understanding what is going on in the system it is your task to use your newly acquired knowledge to overcome security measurements or to find hidden data.
scientia potentia est
To start the challenge click on the Start the challenge button. After clicking the button you will get redirected to the actual challenge.
In most of the challenges, you will have to find some sort of a password or overcome other security mechanisms.
In some challenges, it can get a bit hard to find an initial starting point. So here is a little hint, most of the time the challenge title gives you a rough direction in which the challenge creator wants you to go.
Every solved challenge will give you a password or some other sort of verification key, which you can paste on the overview page of the challenge.
After entering the correct key the challenge will be marked as completed.
When completing a challenge you get access to the writeups of other people who solved the challenge, you can have a look at them to see how others have solved the challenge and learn from it. You can even create a writeup by yourself to share with other people.
The challenges will start pretty basic and build a solid foundation, but they will get more complex and harder quickly.
If you get stuck on a challenge read about the topic and don`t give up you will figure it out! And
if when you do you will not only get another solved challenge on your board, you will have learned something new and you are another step closer on your way of becoming a cybersecurity professional.
Since this post is getting rather long and there is still a lot of ground to cover I will split this into multiple posts, stay tuned for the next part.
But wait there´s more
Over the last years, there are a lot if professionals who shared their story about how they started, here are some really good examples and additional information that will help you along the way.
In my opinion one if not the best youtube channel about cybersecurity especially for beginners
If you are more into books than take a look at Web Hacking 101 by Peter Yaworsky
You can buy this book or you can get it for free over at Hackerone just sign up and you will get a free copy. For those who don´t already know Hackerone, it´s a bug bounty portal where you can find security vulnerabilities, report them, and get rewards. Hackerone and bug bounties definitely will become topics of further posts since I am a big fan of both.