How to become a network security expert

This is not because I am tired of answering the same question over and over again, but because it is indeed a meaningful question. In fact, many people (90%) you have never asked this question.

This document may be updated frequently.

I have been asked many times about many fields.

For example, what programming language do you recommend most? What books should I read as a start?

All in all, how to become an influential person in the security field.

Since my answer is different from the general answer, I intend to express my opinion.

　　
From where?
　　

My opinion may be very different from the general opinion. If you are just getting started, I suggest you --- * Don't * use

Parameter tronic, Bugtraq,

Packetstorm, Rootshell (do not know if this is still running ?), And so on.

That's right! * Do not * start from there. (Although they are good sites, and they do not say you do not want to visit their sites ). The reason is simple. If you think that "security" is the latest vulnerability, you will find that you have nothing to gain.
I agree that it is necessary to know what is good and what has vulnerabilities. However, these cannot lay a solid foundation for your masters. Well, you know that RDS is the latest vulnerability, and you know how to download and use the SCRIPT tool that exploits this vulnerability. You know how to fix this vulnerability (maybe. Many people only know how to attack, but do not know how to protect them. 3 months later, patches were flying. This vulnerability is no longer available. ------ what's your knowledge now? In addition, you may not understand the vulnerability analysis at all.

What is your knowledge? Analysis? Or attack methods?

This is what I want to emphasize again. People may not notice that many people think that as long as they know the latest vulnerabilities
Is a security expert. NO! NO! NO! All they know is "vulnerabilities", not "security ".

For example, you know the PHF vulnerability SHOWCODE. ASP vulnerabilities. COUNT. CGI and TEST-CGI vulnerabilities. But do you know why they become CGI vulnerabilities? Do you know how to compile a secure universal Gateway? Will you determine the possible vulnerabilities or vulnerabilities of a CGI based on its working status? Or do you only know that these CGI vulnerabilities exist?

Therefore, we recommend that you * Do not * start with a vulnerability. If they don't exist (You Know What I Mean ). What you really need to do is
Start with a normal user.

Be a user

I mean you should have at least a basic general knowledge. For example, if you want to engage in web hacking, may you not even use the browser? Will you open NETSCAPE and open IE? Good! You will enter the name. You know. HTML is a webpage. Very good... You must continue to become a skilled user. The difference between ASP and CGI is dynamic. What is PHP? What is turning? COOKIE? SSL? You need to know what a common user may be exposed to about the WEB. It is not an attack vulnerability, but an attack vulnerability. You cannot become a master with no basic (or perhaps boring) things. There are no shortcuts here.
Well, now you know everything here. You used it. You must at least know how to log in before you start hack unix. LOGOUT. Use shell command. Use common programs. (MAIL, FTP, WEB. LYNX. And so on ). To become an administrator, you need to know the basic operations.

　
Become an administrator

　　
Now you have exceeded the field of a common user. It entered a more complex field. You need to know more. For example, the type of the WEB server. What is the difference with others? How to configure it. The more you know about this knowledge, the more you know about how he works. What does he do. Do you understand HTTP? You know HTTP 1. 0 and HTTP1. What is the difference between 1? What is WEBDAV? HTTP1. 1. VM helps you build your WEB server .... In-depth and in-depth.

Operating system? If you have never configured NT, how can you attack an NT server? You have never used RDISK, User Manager, but want to CRACK an ADMIN password to get user permissions? You want to use RDS and all your operations under NT you have been using a graphical interface? Once again, you need to go from the Administrator to a "Super administrator". This does not mean that you have the permissions of a Super User. But your knowledge needs to run through all your fields. Good. You will add a user in the graphic interface. How is the command line method? And those in SYSTERM32. What are EXE files? Do you know why USERNETCTL must have Super User Permissions? Have you ever touched USERNETCTL? In-depth, in-depth ....

This is the key to becoming a "Bai Xiaosheng. Don't think you know how to do it. (You can lie to the boss, lie to the boss ??...) The more you know, the better. Become a technical leader. But ......

　

You cannot know everything.

　　

Ah! This is a miserable fact that we have to face in our lives. Don't think you can .... If you think you can. You are deceiving yourself. What you need to do is to select a field. A domain that you are most interested in. Learn more. Become a user, an administrator, and a leader. To be the best guy (guy, girl) in a field, don't just learn how to use a WEB browser or write CGI. Know HTTP, what the WEB server does, and how it works. I know where to find the answer. Know how to make the server work when it is not working properly.

When you have experience in your field, you naturally know how to attack.

This is actually a simple truth. If you know all the knowledge about this, then. You also know that security risks are there. Institute
Some vulnerabilities, new ones, old ones, and future ones, you will be able to discover unknown vulnerabilities by yourself (you are already a Network Expert). You can find vulnerabilities, yes, you can, but you must understand everything you are looking for first.

So, let go of the copy of the WHISKER in your hand. Learn exactly what CGI is. How do they make WEB servers vulnerable through HTTP? Soon you will know what the WHISKER is doing.

　　

Programming Language
　

Some of the most frequently asked questions recently are what programming languages I think should be learned: I think this depends on some specific situations. ---- In general, how much time are you going to spend on it and how useful the language is. How long does a program take to complete. And how complicated the program can accomplish. The following are several options (arrangement is meaningless ).

Visual Basic.

-Languages that are easy to learn. There are a lot of books in this area, and there are also a lot of free original code. You should be able to use it quickly. However, this language has a limit. He is not as powerful as c ++. You need to run it in WINDOWS. A vb programming environment is required (whether pirated or genuine, it is not free ). It is very difficult to compile attack code or patch with VB.

C ++

-Maybe the most powerful language. It is available in all operating systems. It is free to store tons of original code and books on the Internet. Including programming environment. It is a little more complex than VB. It may take a little more time to master than VB. Simple things are easy to learn, and complex things must be understood. By yourself.

Assembly

-The most complicated and difficult language to learn. If you think of him as the first language you want to learn, it will be difficult for you to crack your head. However, you first learned the compilation, and there are some books for the remaining dishes. The trend of teaching materials in this area is decreasing. However, assembly knowledge is critical to some aspects. For example, buffer escape. Attack. Many such free software. However, this language is very * difficult *.

Perl

-A good language. He is as easy as VB. He is easier to learn. He is also as limited as VB, but he is
Most operating platforms can run. (UNIX. and WIN ). so this is his advantage. many books in this regard. (O 'Reilly 'camel 'books), and the language is completely free of charge. you can use it for some common attack tools. he mainly acts on some text techniques. it is not suitable for Binary programs. I think this is all you want to know. c/C ++ is the best choice.

　

Recommended books

　　

Another question is what books I recommend to read:
　　

I personally have the following books for reference:

Applied Cryptography (Bruce Scheiner)

Linux Application Development (Mike Johnson and Erik Troan)

Windows Assembly Language and Systems Programming (Barry Kaiming)

Perl Cookbook (Tom Christiansen and Nathan Torkington) (O 'Reilly)

Linux Programmer's Reference (Richard Petersen) (Osborne)

All the O 'reill' Pocket Reference 'books, which include vi, emacs,

Python, perl, pl/SQL, NT, javascript, sendmail, tcl/tk, perl/tk

I always think about some basic rules of these books.

In my experience, most of O's Reilly books are easy to read. Find a field you are interested in and focus on.