This thread is for the discussion and support of those anons who have accepted the Quest to become remote pentesters. I am OP, my email is OSCPanon at protonmail. You may contact me via email with any questions related to hacking professionally, or learning to do so.
Link to the last General thread: So what are you doing to further your Quest this weekend user? Here are some good resources and things you could start working on:
Free ebook downloads for several of the books I cover: b-ok.org/
NOTE - ADD INFO FOR IRC AND FOR UPCOMING ONLINE CTF EVENTS AND HOW TO JOIN! ALSO ADD INFO FOR ANONYMITY WHEN USING IRC (DIG UP OLD ANONYMOUS GUIDES FOR THIS)
Thanks to everyone who replied to my email with the guide. My protonmail inbox is now a beacon of hope. I really appreciate your warm regards, and your positivity proves to me this is going to be a worthwhile venture.
Monetization section (updates soon):
Bug bounty site (hack large companies and websites for bounty rewards): hackerone.com
Hackerone also runs this site, which is for learning: hacker101.com/
If you are looking for the original PDF guide I posted / emailed, then please see the previous /RPG/ threads. As always any questions are welcome, and I will answer them as soon as I can throughout the day. If you want to discuss other remote work opportunities in tech, outside of hacking, that is fine too. And anyone who wants to chime in with advice on such a topic is welcome to join in.
You got this anons!
ps. Looking for IRC chat mods. Email me if you are interested. OSCPanon at protonmail dot com. Also, I added some stuff to the MISC section, couple links for online CTFs for beginners. Check em out.
Colton Young
Got the wrong link to last thread. Here you go:
John Hall
>NOTE - ADD INFO FOR IRC AND FOR UPCOMING ONLINE CTF EVENTS AND HOW TO JOIN! ALSO ADD INFO FOR ANONYMITY WHEN USING IRC (DIG UP OLD ANONYMOUS GUIDES FOR THIS)
damn I'm off today. left my own notes in there. anyway, you have a glance at what I'm working on for next week's /RPG/ thread.
Also apologies that I am just now getting caught up on emails. It's been a busy couple weeks.
Hudson Rogers
OP, would you say learning pentesting is the best way to build up 'blue-team' skillsets? Could use some advice on this approach.
Lincoln Martin
Tough question. I actually have done blue-team for the defense industry, and it is a lot different than penetration testing, of course. What I will say, is that if you were to be OSCP qualified, you would be the most qualified blue-teamer I know. As a red-team guy now, I always wish my blue-team understood more of what I am telling them from the offensive side. A blue-team member with this level of knowledge, would not just be a SME, they would be the absolute god-mode expert. Understanding the offense to that level, while practicing incident response, forensics, etc... You would be about as valuable as a blue-team as you could be. That's my opinion, having worked both blue and red team, as well as dedicated proactive defense.
Jonathan Rodriguez
Awesome thanks, always scratched my head at the degree of separation between the two. Would working on both facets in parallel (assume not a beginner) be inefficient?
Jaxon Campbell
In my opinion, the two SHOULD go hand in hand. It is unfortunate that they don't, but I think this is an issue, where if companies required blue-teams to have the level of knowledge of red-teams, they wouldn't have a blue-team. I think you can safely work on both in parallel. I don't have resources handy right this minute, but I've got some packed away. Let me get back to you with some book titles and resources that I think would help with this.
Adam Cook
Also, I caught up on the backlogged emails. If you haven't heard from me, check your inbox, and if you have questions send em, I'm all caught up.
Lincoln James
my parents missed woodstock I've been making up for it ever since
Aaron Walker
I have my doubts about how quickly I can get the OSCP cert, if at all, so I'm looking for an entry-level job that would take a more accessible cert in the meantime. What do you know about RHCSA/RHCE? Despite it being Red Hat specific, do you think it would provide a good foundational knowledge of Linux, Bash, etc., that would be applicable to the OSCP? If not, what other certs would require knowledge more pertinent to the OSCP?
Noah Nguyen
thinking about studying infosec which route is the best? undergraduate compsci, undergraduate IT/informatics or undergraduate cyber security?
Michael Gray
yeah did bandit otw not gonna lie I cheated on some of them been using linux since 2015, the only way I've ever been able to break into stuff is shodan tard servers where they have vlc open. Tried pivoting through tard server with metasploit and never hooked the ports up right. Was able to use eternalblue on a lan (practice) but the shit always felt like script kiddie bs. What do you hacker guys actually do, in a professional setting, just look for shit that isn't patched? Look for memory leaks? Try to talk Norman into reading you the number on the modem?
Justin Morris
a statement or was this supposed to be greentext? Either way, you are probably right.
Red Hat is hardcore linux. Just getting RHCSA/RHCE is enough to get you a good job, since it is niche and yet in demand. Those certs would give you a level of knowledge of linux beyond what is required for OSCP / penetration testing. Other certs that would require the same kind of knowledge? CEH, eJPT (eLearnSecurity), GWAPT (expensive, SANS). CompTIA Pentest+ is a good one too, and CompTIA CySA is a good blue-team cert.
Not sure user. I don't have a degree in this field. shooting from the hip I would say undergrad cyber security. But I will stress that as of right now, the industry is not degree focused outside of management. If you want to do cyber security or penetration testing, then the certs are what matter more. Employers just want proof you can do the job tasks. IMO, it won't matter too much which of those degrees you get, they are the foundation of knowledge that you will build upon with certifications and hands-on experience. Anything IT will be fine. But my guess is that cyber security will be considered more valuable in the near future, if it isn't already.
Gabriel Miller
Bump
Based OP
Xavier Jackson
thanks based user. your opinion coincides with the research ive done
Mason Robinson
>was this supposed to be greentext?
It's from the movie my man
Just popping in to say thanks again, based user. I'm still in the early stages of getting comfortable with python and Kali, hope to have more to contribute to this thread in the future.
Landon Kelly
>What do hacker guys actually do, in a professional setting?
All the things you mentioned and more. Being a hacker is less about being good at specific things, and more about being relentless and trying all the things, until something works. I am good at my job, not because I know everything, but because I refuse to NOT get into a system once I target it. The one thing I am sure of, is that every system is somehow vulnerable. It's just a matter of figuring out the weak spot. Here's a quick list of things I do regularly on tests:
password spraying (take a 'top 100' list, and work through it, automated password attempts for every validated user, 1-2 per hour, over the course of days, so you don't lock out accounts)
search dump databases for leaked passwords
Company123, Company2019, Summer2019, etc... try common passwords anywhere that login area is present.
Search for outdated and unpatched software.
Use Nessus to vuln scan infrastructure.
Use Burp Suite to scan webpages. You would be surprised how much shit is vulnerable out there that you can find with a scan.
Test for blind SQL injection.
Test for XSS.
Use OWASP top 10 tactics. Again, you would be surprised how much is vulnerable.
Dig through source code. Learn Javascript, and then pull the code from webpages and find the weak points.
Learn to use google very very well.
There's lots more, that's what I have off the top of my head that fits a broad area.
Damn! Can't believe I missed that haha. based. I better re-watch the movie for the 100th time now that I'm missing quotes.
awesome, thanks for stopping in with an update user. you got this
Hey man, thanks for doing this the past couple of weeks my sincere appreciation
Levi Mitchell
no problem. thanks for dropping in. my apologies the threads have been regular on saturday as planned. bunch of life stuff came up. I’m getting back to normal though and /RPG/ should be back on regular schedule next week.
Liam Moore
>threads *havent* been regular on saturday
Nathaniel Davis
Any cyberecurity Field is more important now than it's ever been. the biggest problem i See is if we engage in friendly fire, Complicate things more than they need to be and forget to Remember that what you're up against isn't tangible, although it will seem more and more tangible if we allow it access to our most sensitive knowledge. use 2fa, realize that 0 is much more valuable today than it ever has been, and never neglect the advice of the odd one out, like the 8-ball on a pool table. @ny single character can represent a value. Gmail and the like are obviously not the first choices when considering privacy. but in urgent circumstances you gotta work with what you got. play the platform, don't let it play you.
Andrew Long
Thanks, I'll be watching for those resources. Much appreciated
Jose Thompson
I run popular site with 10k daily users I literally just run default debian install and haven't been hacked yet in 5 years. Is security that easy?
Elijah Powell
Another user here that wants to thank you. I'm halfway through the Python/Hacking course on Udemy and have been working on learning more Linux. Your active encouragement in these threads has really helped me keep positive. I'm hoping we're all gonna make it.
Blue Team Field Manual (BTFM)
Blue Team Field Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder
Cybersecurity Blue Team Toolkit
Penetration Testing: A Hands-On Introduction to Hacking 1st Edition
Cybersecurity: Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics
LOL! I guarantee if you let me or someone else pentest your site, it would get completely pwnd. You should have a pentest done friend. You are not safe.
We're all gonna make it user. You got this
This. It's not the old days when someone would plant a virus on your server that results in frequent crashes and obvious signs. These days, if you are not actively monitoring for threats (and well) then you would have no clue that you have been compromised. Check the news. Of the major breaches in the last couple years, most of the companies did not realize for a year. You are probably already pwnd and mining shitcoins for someone in singapore.
mainly because user said default debian and blew off security as a focus. If you are not actively defending, as well as doing custom config with a security focus, and patching properly, then it would be trivial to pwn a basic webserver.
Levi Anderson
I gave up pentesting to understand markets and make a couple million in crypto, but I'll always have a deep love for net sec, DEF CON, Black Hat, BSides, etc... If I have more time I'll return.