| You have a long but very interesting road before you. Infosec is huge. Lesley “hacks4pancakes” Carhart has a great series which provides an overview of what you can choose from: https://tisiphone.net/2015/10/12/starting-an-infosec-career-... If you're serious about infosec and not just want to run tools and call it a day, I suggest covering the basics first: - programming: would be cool if you learn not only some language but programming “as art and mindset” in general. This includes your typical Computer Science courses, algorithms etc. Great if your school or university teaches those but you can always fall back to online education platforms. When it comes to language, I'd recommend Python over Ruby. Granted, the latter powers Metasploit, but a lot more tools and wrappers around tools are written in Python. Once you know Python, creating Metasploit modules won't be a problem because a lot of things are handled by the Metasploit Framework. Also, this comes from a highly subjective Python developer but suggest to learn Python 3, despite a lot of infosec tutorials and tools still using Python 2 (e.g. socket programming). It's easy to fall back to Py2 if you need but you'll have the power of latest and greatest if you go Py3 because not everything is backported. Most books contain a lot of useless material and are pretty slow-paced and I'm not a fan of “Learn Python The Hard Way” either. I personally started with “Learning Python” by Mark Lutz; after about a third into the book I ditched it and just went practicing and googling for answers. Cannot vouch for “Automate the boring stuff…”. You do you but in the end it all comes to practicing. - networks: almost as important, if not more important than programming. Web pentesting, internal network pentesting, malware reversing, DFIR, even some part of exploit writing constantly interact with networks and analyze traffic. - OS: for starters, tinkering will be enough. Familiarize yourself with Windows (console, registry) and some flavour of Linux (shell, permissions, important files etc.), preferably Debian-based because they are popular in CTFs and tutorials. Install and configure some software like web servers, databases, development environments to get the hang of it. Where to learn: Google, obviously. https://pentesterlab.com/ is great for web pentesting. They have free tier with pretty okayish explanations and exercises. They also have “Bootcamp” section which covers some network, programming and Linux stuff. LiveOverflow's Youtube channel has a playlist called “LiveOverflow Binary Hacking” which is a great primer into exploit development on Linux. For Windows, you should probably check Corelan series: https://www.corelan.be/index.php/articles/ https://www.vulnhub.com/ has machines for practice. Not all of them are great but you may learn a lot by reading writeups. When it comes to certifications, they all serve their purpose, even CISSP and CEH. I did OSCP and while I won't call it “10 out of 10”, it's decent and probably the best one when it comes to skill practice and cost. It targets internal network pentesting, though, which might not be that useful if you choose other field. Did I mention Google? |