(Part 3) Top products from r/netsecstudents

Here is a "curriculum" of sorts I would suggest, as it's fairly close to how I learned:

1. Programming. Definitely learn "C" first as all of the Exploitation and Assembly courses below assume you know C: The bible is pretty much Dennis Richie and Kernighan's "The C Programming Language", and here is the .pdf (this book is from 1988, I don't think anyone would mind). I actually prefer Kochan's book "Programming in C" which is very beginner freindly and was written in 2004 rather than 1988 making the language a little more "up to date" and accessible. There are plenty of "C Programming" tutorials on YouTube that you can use in conjunction with either of the aforementioned books as well. After learning C than you can try out some other languages. I personally suggest Python as it is very beginner friendly and is well documented. Ruby isn't a bad choice either.
   
   
2. Architecture and Computer basics:
   Generally you'll probably want to look into IA-32 and the best starting point is the Intel Architecture manual itself, the .pdf can be found here (pdf link).
   Because of the depth of that .pdf I would suggest using it mainly as a reference guide while studying "Computer Systems: A Programmers Perspective" and "Secrets of Reverse Engineering".
   
   
3. Operating Systems: Choose which you want to dig into: Linux or Windows, and put the effort into one of them, you can come back to the other later. I would probably suggest Linux unless you are planning on specializing in Malware Analysis, in which case I would suggest Windows. Linux: No Starch's "How Linux Works" is a great beginner resource as is their "Linux Command Line" book. I would also check out "Understanding the Linux Kernel" (that's a .pdf link). For Windows you can follow the Windows Programming wiki here or you can buy the book "Windows System Programming". The Windows Internals books are generally highly regarded, I didn't learn from them I use them more as a reference so I an't really speak to how well they would teach a "beginner".
   
   
4. Assembly: You can't do much better than OpenSecurityTraining's "Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration" class lectures from Xeno Kovah, found here. The book "Secrets of Reverse Engineering" has a very beginner friendly introduction to Assembly as does "Hacking: The Art of Exploitation".
   
   
5. Exploitation: OpenSecurityTraining also has a great video series for Introduction to Exploits. "Hacking: The Art of Exploitation" is a really, really good book that is completely self-contained and will walk you through the basics of assembly. The author does introduce you to C and some basic principles of Linux but I would definitely suggest learning the basics of C and Linux command line first as his teaching style is pretty "hard and fast".
   
   
6. Specialized fields such as Cryptology and Malware Analysis.
   
   
   Of course if you just want to do "pentesting/vuln assessment" in which you rely more on toolsets (for example, Nmap>Nessus>Metasploit) structured around a methodology/framework than you may want to look into one of the PACKT books on Kali or backtrack, get familiar with the tools you will use such as Nmap and Wireshark, and learn basic Networking (a simple CompTIA Networking+ book will be a good enough start). I personally did not go this route nor would I recommend it as it generally shys away from the foundations and seems to me to be settling for becoming comfortable with tools that abstract you from the real "meat" of exploitation and all the things that make NetSec great, fun and challenging in the first place. But everyone is different and it's really more of a personal choice. (By the way, I'm not suggesting this is "lame" or anything, it was just not for me.)
   
   *edited a name out
   
   
   
   
   
   

In my opinion; every book in this bundle is a bag of shit.

Here's a list of reputable books, again in my opinion (All links are Non-Affiliate Links):

Web Hacking:

The Web Hackers Handbook (Link)

Infrastructure:

Network Security Assessment (Link)

Please Note: The examples in the book are dated (even though it's been updated to v3), but this book is the best for learning Infrastructure Testing Methodology.

General:

Hacking: The Art of Exploitation (Link)

Grey Hat Hacking (Link)

Linux:

Hacking Exposed: Linux (I don't have a link to a specific book as there are many editions / revisions for this book. Please read the reviews for the edition you want to purchase)

Metasploit:

I recommend the online course "Metaspliot Unleashed" (Link) as opposed to buying the book (Link).

Nmap:

The man pages. The book (Link) is a great reference and looks great on the bookshelf. The reality is, using Nmap is like baking a cake. There are too many variables involved in running the perfect portscan, every environment is different and as such will require tweaking to run efficiently.

Malware Analysis:

Practical Malware Analysis (Link)

The book is old, but the methodology is rock solid.

Programming / Scripting:

Python: Automate the Boring Stuff (Link)

Hope that helps.

You don't really need much to get started. If you have a beefy laptop or desktop you can virtualize yourself a nice lab. Download VirtualBox and get yourself a kali iso and some vulnerable machines from Vulnhub. Lots of good training is also available over at OverTheWire. I can't speak for Cybrary but I've heard good things about it. Youtube and SecurityTube have endless tutorials as well.

There are lots of good books out there too - almost too many to mention. If you're just starting, check this one out: https://www.amazon.com/Penetration-Testing-Essentials-Oriyano/dp/1119235308

EDIT: Oh, also - head over to /r/howtohack and join the IRC there. Lots of knowledgeable guys who can help point you in the right direction. You can only teach yourself so much, so find communities and bounce ideas off of other professionals' heads. Like some of the others here said, you really need to have a foundational understanding of what you're trying to hack. Most people start in tier 1/desktop support work and slowly, through time and experience, specialize in infosec. Don't every expect to just wake up and be a cyber security professional... it's going to take a long time.

I would like to post another review of a certification for CEH version 10. I would like to say I am not a fan of dumps as it does not teach you anything and devalues the certification. I try to put in the time to really understand the information and be technically capable of doing the job.
I started off my process of doing my studying by taking an online based class of 40 hours that was lecture and labs. It was through the Army on something called Skill Port. It was fairly average and I would say that it was not that great a training aid. On a scale of 1-10 it was about a 5.
So I purchased the Sybex book for CEH (https://www.amazon.com/Certified-Ethical-Hacker-Study-Guide/dp/1119533198/ref=dp_ob_title_bk ) . I find that the Sybex book are very easy to read, convey the concept well and don’t drown people in a lot of fluff but they need a spell checker some times. I read through the book and took the practice tests. Anything that I felt weak on I would reread and do a little googling so I could make better sense out of it. Then I retook the practice tests again with a much better outcome.
The material is not super deep and from a hacking perspective it was not what I was expecting. Some areas I would concentrate on were basic ports and protocols, know how to look at a packet capture, ping vs ping sweep, scans, nmap commands and be able to know what it going on to be able to answer the question.
I got a lot of attack type question from cross site scripting attack to Buffer overflow and anything in-between. Some come in the form of questions and some were screen shots. I like the screen captures as I am much better at these because all the pertinent information is there as opposed to questions that a specific to a vendor and can be subjective if you don’t do a lot with EC-Council.
One thing I like to do is ensure I read the answers first and then I read the question. This way I am processing what is possible in the question verse total crap. Usually there are 4 answers and 2 are way out there and one is possible but usually has something that will not comply with the question. One thing I was able to do because I have a good base was even if I did not know the answer I was able to use some critical thinking and get the right answer.
I took about 87 minutes to do the test (they give you 240 mins) and I feel that the test really feels like an entry level exam for people getting into hacking (pen testing). I did well and I put in about 60 to 70 hours total of study time but again I have a good base to work from.
Use this as an nmap command reference. https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf
This site has some good reference material also: https://www.danielowen.com/2017/01/01/sans-cheat-sheets/
Know some snort, ids and firewall rules\commands: be able to look at the command and tell what it does.

With money;

• Offensive Security offers some good courses on netsec - Kali.org - they offer Kali Linux (a derivative of Debian - a distribution of Linux) too tbh.
  
  
• College/University is a pretty decent source for info more often than not.
  
  
• Also, start either with code or physical things. Windows has a lot of things to poke at actually. Usually good starter references (the “for dummies” books); https://www.amazon.com/Network-Security-Dummies-Chey-Cobb/dp/0764516795
  
  
  Without money;
  
  
• Start learning python 3. Will significantly help the more serious you get.
  
  
• Start with Wireshark and nmap - both are free applications that support most operating systems.
  
  
• Also, look at penetration testing resources as a good “go-to”. Reddit, Hak5, and DEFCON are good places to look for information. Hak5 & Reddit first though, DEFCON the more you get into things. My Reddit reference:
  https://www.reddit.com/r/hacking/comments/1d9onz/how_do_i_start_getting_into_pentesting/

I made a similar jump, IT to Security Analyst.

I spun up a home lab in vmware with Kali, metasploitable, splunk, pfsense and security onion (for snorby).

I read a couple books:

Network Intrusion Detection:

https://www.amazon.com/gp/aw/d/0735712654

Applied Cryptography:

https://www.amazon.com/gp/aw/d/0471117099

Between this and diving into security centered news sites I went from 0 to (what felt like 60) in about 3 months. I was picked up as a security analyst for a pretty solid tech company.

Application Security:

• The Art of Software Security Assessment
  
• A Bug Hunter's Diary
  
  Web Security:
  
  
• The Tangled Web
  
  Secure Systems
  
  
• A Guide to Kernel Exploitation
  
• Rootkits
  

I recommend that you take a look at Programming Interviews Exposed. This book is a collection of quick/well written explanations of different Computer Science concepts (stacks, heaps, lists, and other data structures are covered). I read the first edition of this book years ago and I loved it for its brevity.

http://www.amazon.com/Programming-Interviews-Exposed-Secrets-Landing/dp/1118261364/ref=asap_bc?ie=UTF8

I'm assuming I can post links:
CompTIA Network+ Study Guide: Exam N10-006 (Comptia Network + Study Guide Authorized Courseware) https://www.amazon.com/dp/1119021243/ref=cm_sw_r_cp_api_457Fzb6X87J8P

I like the way that these guides are laid out. They have plenty of practice problems and I believe network+ has interactive labs. I am currently studying for CompTIA CASP from this publisher and it is very informative. This is just my reccomendation, I'm sure someone else will have a better recommendation.

Computer Security: Art & Science by Matt Bishop.

Covers security models, formal proofs of correctness, evaluations, etc.

I would second Ghost in the wire, though that is more of a autobiography. Still goes over some interesting stuff he did back in the day. He also helped write The Art of Deception and the Art of Intrusion

>That sounds really quick. Though I can try to achieve it.
>
>I'm not really good at interviewing though. Just another skill I need to learn.

I was just throwing out a somewhat aggressive, yet realistic timeframe, though it really depends on how much time you can devote outside of work, which is another part of security work. If you're not spending several hours per week outside of work reading news and studying the latest attacks or certing up, you are falling behind.

If you have 6 hours a week you can put into reading the cert guide, watching YouTube videos in more depth and then playing around in a lab or Wargames then it's a very realistic goal I believe. Consider scheduling the 1st of the 2 exams around March 1st

Here is the official cert guide for the first test

CCNA Cyber Ops SECFND #210-250 Official Cert Guide (Certification Guide) https://www.amazon.com/dp/1587147025/ref=cm_sw_r_cp_apa_o7D5Bb6X0ER30

Here's the cert blueprint
https://learningcontent.cisco.com/cln_storage/text/cln/marketing/exam-topics/210-250-secfnd.pdf

I think you really need to learn how to program windows in C, not this new .net or sharp stuff.

https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250

https://www.amazon.com/Programming-Windows%C2%AE-Fifth-Developer-Reference/dp/157231995X

edit: oops, you wanted courses, not books.

My school program uses the Cisco CCNA curriculum and we're currently on Routing and Switching (I).

I used this book and the CompTia Certmaster. I got the certmaster because I think I bought a second shot for exam retakes. I read the book and then did the certmaster for a month until I took the exam.

https://www.amazon.com/gp/product/1118875079/ref=oh_aui_detailpage_o05_s00?ie=UTF8&psc=1

http://www.amazon.com/Principles-Computer-Security-CompTIA-Official/dp/0071786198

Computer Networking: A Top-Down Approach (7th Edition)
https://www.amazon.com/Computer-Networking-Top-Down-Approach-7th/dp/0133594149

CS144 Introduction to Computer Networking Stanford University
https://suclass.stanford.edu/courses/course-v1:Engineering+CS144+Fall2016/courseware/ac9d1eef5aaa4bb5bcfe4d42f51f0f5b/c5c384e648cf404c837d05497c6e36b0

High Performance Browser Networking
https://hpbn.co

Beej's Guide to Network Programming
http://beej.us/guide/bgnet

Unix Network Programming, Volume 1: The Sockets Networking API (3rd Edition)
https://www.amazon.com/Unix-Network-Programming-Sockets-Networking/dp/0131411551

Eli The Computer Guy Youtube
https://www.youtube.com/playlist?list=PLF360ED1082F6F2A5

Load Balancing Servers, Firewalls, and Caches
http://www.amazon.com/Load-Balancing-Servers-Firewalls-Caches/dp/0471415502

More at http://Learn.SharjeelSayed.com

Learn Python The Hard Way