
/biz/ - Business & Finance


>> No.14908749

This thread is for the discussion and support of those anons who have accepted the Quest to become remote pentesters. I am OP, my email is OSCPanon at protonmail. You may contact me via email with any questions related to hacking professionally, or learning to do so.

Link to original guide (Path to Pentest - Anon's Quest):
https://pastebin.com/e35Vr0LX

Link to the last General thread:
>>14784856

So what are you doing to further your Quest this weekend anon? Here are some good resources and things you could start working on:

Free ebook downloads for several of the books I cover:
https://b-ok.org/

-Noob-friendly complete guide to OSCP content (with very helpful links):
https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html?m=1

-Another book recommendation and guide to the PWK training:
https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

-IppSec (HtB walkthroughs):
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos

Learn Linux (free courses from Harvard, Dartmouth, Redhat):
https://www.edx.org/learn/linux

Learn Linux (Bandit - Over the Wire):
https://overthewire.org/wargames/bandit/

Learn Metasploit (free course from offensive security):
https://www.offensive-security.com/metasploit-unleashed/

Learn Python (free course & Codecademy. added youtube source):
https://www.learnpython.org/
https://www.codecademy.com/learn/learn-python
https://m.youtube.com/channel/UCCezIgC97PvUuR4_gbFUs5g (Corey Schafer channel)

Start creating your virtual lab with VirtualBox (Free):
https://www.virtualbox.org/

Free Windows VMs from Microsoft:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Build your hacking OS (Kali & Parrot):
https://www.kali.org/downloads/
https://www.parrotsec.org/download.php

Vulnerable VMs to practice against:
https://www.vulnhub.com/

Vulnerable lab & CTF community:
https://www.hackthebox.eu/

>> No.14908756

free Burp Suite course (Burp Suite is the no.1 tool for web app testing):
https://hackademy.aetherlab.net/p/burp-suite

Other Resources (podcasts, tech reading, misc):
https://darknetdiaries.com/episode/36/ (great podcast. Ep.36 is about a pentest)
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/ (collection of online CTF games)
http://ctf.infosecinstitute.com/ (CTFs for beginners)
more to come...

Link to Certification Info:
https://www.elearnsecurity.com/certification/ejpt/ (Junior Pentester Cert)
https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/ (OSCP - The ultimate goal of aspiring pentester)

Thanks to everyone who replied to my email with the guide. My protonmail inbox is now a beacon of hope. I really appreciate your warm regards, and your positivity proves to me this is going to be a worthwhile venture.

Monetization section (updates soon):

Bug bounty site (hack large companies and websites for bounty rewards):
https://www.hackerone.com

Hackerone also runs this site, which is for learning:
https://www.hacker101.com/

If you are looking for the original PDF guide I posted / emailed, then please see the previous /RPG/ threads. As always any questions are welcome, and I will answer them as soon as I can throughout the day. If you want to discuss other remote work opportunities in tech, outside of hacking, that is fine too. And anyone who wants to chime in with advice on such a topic is welcome to join in.

You got this anons!

ps. Looking for IRC chat mods. Email me if you are interested. OSCPanon at protonmail dot com. Also, I added some stuff to the MISC section, couple links for online CTFs for beginners. Check em out.

>> No.14908798

Also, I am likely moving the General thread to Sundays instead of Saturdays. An update on the IRC: I have decided we will run our own secure server. I promised to make sure any chat setup would be secure, and this is the only way I can make sure of that. It is taking some extra time (mostly because I'm very busy outside of this project), but in the end, it will be the most secure method of comms. Hopefully I'll have it up and running soon for those interested. We will also do CTFs and regular training from the channel. For info or updates, email me. I'll put you on the email list I'm putting together.

>> No.14908956

>>14908749
Hello man, I'm following your threads. I finished the zaids course on udemy but it seems so far away from what oscp test asks. I couldn't register on htb... halp i need a remote job. 3rd world shithole

>> No.14909047

>>14908749
You inspired me to look into pentesting! The past couple of weeks I've been watching a ton of Youtube vids, it's so much to wrap my head around but I'm starting to see the bigger picture. There is so much to learn, and it's pretty confusing, but I have a lot of free time and I'm determined to learn. Will definitely join the IRC when it's up. Thanks OP, you've given me a new challenge to strive towards.

>> No.14909051

>>14908956
>I finished zaids course
Good job anon! You now have all the knowledge of python that you need for OSCP. No joke.

>I couldn't register on htb
No worries anon. I used to have very little knowledge of certain web languages, even after going through OSCP. What I have been trying to explain to people on this path, is that you do not need to know everything. I work with some testers who are great at SQLi or Thick Client testing, but awful at WIFI or netpen, etc... It's no big deal. Use this: https://codeburst.io/hack-the-box-how-to-get-invite-code-56e369fc8dae
"Spoiler Alert : I suggest you to try to hack your way into the site, before actually reading anything below. If you fail after considerable tries or you want to know a method which may be different than yours, you can follow along below."

Use that guide to register and start working on easy rated servers on hackthebox. I always encourage people to try and try again, but in the end, if you use a guide and learn something, then you accomplished learning a new skill, and the things you tried before reading the guide helped build your testing methodology.

You can do this. Try. Then try harder. Do research. Use everything available on google. Learn to search well and use whatever you find to your advantage. It's not what you know. It's your ability to learn and research what you do not know.

>> No.14909096

>>14909047
Awesome! I am glad to have inspired you on this path. That is the whole reason why I am here posting these threads. If you are determined to learn, then you will make it.

I apologize that the threads have not been posted consistently on same day/time as I had originally hoped, but life had other plans. I will continue to get the threads out as consistently as I am able. I am thinking Sundays will work better for me from here on. Sorry too that the IRC is not up yet, I know it has been a while, but the added security is certainly worth the wait.

>> No.14909149

Thanks for keeping this alive. There are a lot of anons following you, I started lurking /g/ and saw that they mentioned OSCPanon a couple of times. You're helping out all of us here. I finished Zaids course and I'm starting to work with the over the wire games, I'm also doing a couple of Linux courses to get a better understanding of the picture and probably when I finish it I'll start with the books. It's taking me longer than I was hoping but I was also really busy these last few weeks so maybe I'll be progressing faster sometime soon. I'm honestly thankful to you, without your push most of us would be in the exact same place that we were months ago. You're making us better.

>> No.14909232

>>14909149
I'm glad there are anons still following the threads and path. I considered migrating this to /g/, but several anons asked me to keep it on /biz. I also feel most comfy on /biz these days. I feel this community is the most dedicated to advancing themselves and their career path. It stands to reason then that this board could most benefit from these threads. It requires a lot of determination and dedication.

Sounds to me like you are making plenty of progress. Just stay on track and you will make it. It will happen faster than you think. My life was miserable before I started on this path. That is what drove me. But honestly, looking back, my life changed so fast. Not just my income, but my overall well-being in general, because I am genuinely interested in what I do and enjoy it. That is the part that really made me want to share this info with anons. The money is great, but getting rid of that wageslaving feel is much better. Keep going anon, you got this!

>> No.14909253

Studying and passing the OSCP is a great way to get into pentesting but there is VERY little chance you will be able to get an infosec job with just the OSCP. Pentesting comes with experience from within other IT fields.

I'm glad OSCPanon has inspired you but just remember that you need experience in this field and there's no cutting corners. Having the OSCP is not a golden ticket, it's just the first step into years of discipline before you make it into a comfy pentesting job. There are of course exceptions to this but it is far from the norm.

>> No.14909329

>>14909253
I appreciate your comments and concern for your fellow anons, but I do have a rebuttal to make.

First, I will say that for those anons who share your concern with me, I do always encourage them to get some IT job while they study. Any IT job. It is not that I do not think OSCP is enough, as you suggest, but I do recognize that padding your resume with IT related experience will certainly only help your chances of landing a good job. So I am not against going into some form of IT first, but I do not believe it is required either.

Your suggestion though that you need pentesting experience, or experience in other IT fields, is not accurate. I work for a large firm, and if someone has OSCP, we will interview them without question. If they interview well and pass our internal test, then they are hired. Period. We are also currently hiring, and can never find enough people.

Beyond that, I would argue that the increasing lack of qualified penetration testers will only make the OSCP certification more valuable as time goes on. I know you can get a remote pentest gig right now with just OSCP, but it will be even easier next year, and the year after that. The 'cyber gap' is only increasing, and there will be a dire need for certified testers for a long time. Again, I don't discourage people from getting some experience on their resume, but it is not required.

>> No.14909365

>>14909253
To add to my other reply... If you do not want to get IT related experience, you can also go the route of doing freelance work, building a github repo, and doing CTF challenges at conferences. Doing those things, and putting them on your resume / speaking to them during interviews is plenty. If you do CTF challenges at conferences, you will certainly be approached by companies at those conferences, looking for good testers. There are plenty of paths that do not involve working in a help desk or other IT situation first.

>> No.14909612

Here is a link for keeping track of upcoming CTFs. Here you can find online CTF competitions that you can take part in. In the future, /RPG/ will work on these together as a team in IRC.
https://ctftime.org/event/list/upcoming

>> No.14909831

>>14909329
I respect your opinion, but as someone who also holds the OSCP, I can say from experience that I have never met someone or heard of anyone even considered for a pentesting job without experience, even if it's something as entry level as help desk.

How many people that work at your firm just have the OSCP and no other experience? I would guess it is a very low amount if not zero. Again, I'm not saying these people don't exist and yes having the OSCP will put most applicants ahead of those that don't (even those with years of IT experience). I am only saying that you will have to do more to stand out AFTER you get your OSCP.

I agree with you though, there are other paths you can take to supplement lack of experience. I'm not trying to discourage anyone. I'm giving awareness that pentesting is not just a trade, it's a niche subset of IT/infosec/netsec that usually requires specialization in other fields. Which is why it's in such demand for quality pentesters. Pentesting is also not an easy job, it requires more work than most IT fields; lots of travel, research, and assessments.

>> No.14909983

>>14909831
> How many people that work at your firm just have the OSCP and no other experience?

Of course not a lot, because it is important to have people with experience. But there is a fair amount and as I said, my company is having a hard time finding quality candidates still. We are actually hiring many without OSCP and pay for them to get it on the job, so having OSCP already is a fairly big deal for a candidate.

>I am only saying that you will have to do more to stand out AFTER you get your OSCP.
Fair enough. I do recommend other paths to stand out to potential employers. (github repo, conferences, freelance work, etc...)

>lots of travel
My firm requires no travel. Some people travel about 20%, but that is only the people who want to travel. None is required. It is all remote. There is no reason this cannot be the case. Though it does require lots of research yes, and you do lots of assessments, as that is the job. I certainly would not suggest that someone who does not enjoy hacking do it as a career. But if you can enjoy it, then it is incredibly rewarding.

Thanks for your comments anon. I think they are quite helpful for those aspiring to do penetration testing. I agree it would be very helpful if aspiring testers could get into IT somewhere during the process. But I do believe there are many ways to get to the same end goal. Bug bounty hunting for example requires no experience and has no hiring process. If you can find bugs in software, then you get paid. Many people make a good living doing just that. If a candidate has issues getting into IT or doesn't want to take a job during their quest for OSCP, then doing bug bounties would not only pay some bills, but also would look great on a resume. So, I think there are several approaches that don't necessarily involve IT job exp.

For those interested in bug bounty hunting as an alternative, see: https://www.hackerone.com

>> No.14910025

>>14909983

What's the expected salary?

Expected salary after 5 years? 10?

>> No.14910094

>>14909983
>>14910025

Also, how do I ensure your pdf doesn't have any malicious html in it? It's html, isn't it, that it parses for dynamic content?

>> No.14910176

>>14910094
If you really wanted to check, open the pdf in a text editor and search for any javascript code.

The alternative is just reading the same guide that he posted to pastebin which is in raw text.

https://pastebin.com/e35Vr0LX

>> No.14910201

>>14910176
also if the pdf is compressed or encrypted use something like

https://github.com/itext/rups
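
The check discussed in the posts above (searching a PDF for JavaScript, including when its objects sit in compressed streams), as an added example that is not part of the thread or of OP's guide. It goes a little further than a text-editor search: it also counts other active-content names and undoes `#xx` name escapes. The name list, function names and sample file are this example's own and constructed.

```python
import re
import zlib

# Name tokens that mark active content in a PDF. This list is the example's
# own choice of what to flag, not something taken from the thread.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/XFA")

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def count_names(data):
    """Count risky names in a byte string, after undoing #xx name escapes."""
    # PDF names may spell any character as #xx, so /J#53 is the same as /JS.
    data = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead stops /JS from matching inside a longer name.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def scan_pdf(data):
    """Report risky names visible as plain text and inside inflated streams."""
    report = {
        # With /Encrypt present, strings and streams are unreadable here,
        # so a clean result proves nothing.
        "encrypted": b"/Encrypt" in data,
        "plain": count_names(STREAM_RE.sub(b"", data)),
        "inflated": {},
        "opaque_streams": 0,  # streams that did not inflate (other filter, plain, encrypted)
    }
    for body in STREAM_RE.findall(data):
        try:
            # decompressobj tolerates a trailing byte lost at the stream boundary.
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            report["opaque_streams"] += 1
            continue
        for name, n in count_names(inflated).items():
            report["inflated"][name] = report["inflated"].get(name, 0) + n
    return report


def needs_closer_look(report):
    return bool(report["encrypted"] or report["plain"] or report["inflated"])


def build_sample():
    """Constructed PDF-like bytes: an escaped /OpenAction in plain text and
    a JavaScript action that is only visible after inflating the stream."""
    hidden = zlib.compress(b"1 0 << /S /JavaScript /JS (constructed placeholder) >>")
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Open#41ction 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(hidden)).encode() + b" >>\nstream\n" + hidden
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(scan_pdf(raw))
```

Run with a file path as the only argument to scan that file. A report with `encrypted` set or a non-zero `opaque_streams` count means parts of the file were not inspected.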

>> No.14910206

>>14910176

Thanks

>> No.14910221

>>14910025
Accepted numbers for OSCP holders say average $90,000 to start. I disagree with this for a few reasons. The biggest being that many job postings list a job as "Penetration Tester", when it is not at all that. These jobs damage the accepted average, since it is pulled from job boards mostly. I would argue that starting salary for OSCP holder should be $100k+. To further this, you can find that CompTIA CASP holders pull 80k-120k, and quite honestly, their jobs and abilities are completely eclipsed by OSCP holders.

I would say after 5 years, you should be $150k+. If not, you are not working for the right people, and not striving to get what you should. 10 years? $200k

>>14910094
I put it on pastebin now:
https://pastebin.com/e35Vr0LX

I also posted it as images in the old /RPG/ threads and I will upload them to imgur for you now:
https://imgur.com/a/gl8lhd7

>> No.14910253

>>14910221

It's cool, I read the pastebin, ty.

I am just wondering if this or software dev makes more sense. I do think software dev is over-saturated, or will be soon. Not sure if you were the one who also highlighted that the projected job growth is much higher in security.

>> No.14910355

>>14910253
I probably did. Much higher job growth in security. Also, you don't want to become another code-monkey. Consider your daily job tasks. Software dev is a grind, and you are very likely to end up churning out code for some big project you don't really care about, for less pay than you probably deserve.

Penetration testing is ever-changing, every project. It is enjoyable and less of a grind. I would say that vs software dev, it is no contest. Even if you go defense rather than offense, go security.

>> No.14910510

>>14910253
As someone who was a software/web developer for a few years and transitioned to InfoSec, I will say if you're starting from scratch, InfoSec/NetSec is absolutely the better path. Although my knowledge of programming and using linux servers for years made the transition so much easier.

If I had to start over from scratch, my path would be getting A+ certified, studying fundamental networking like subnets / OSI layers / protocols and then jump for something like the RHCSA.

Red hat certs hold way more weight than any CompTIA certs imo. Like the OSCP the RH certs are hands-on and you have to know what you're doing, no multiple choice question bullshit. You either know it or you don't. From there you pretty much can jump into a Sys Admin role somewhere and decide if you want to pursue networking/security/devops. Of course you can also just go for the OSCP if security is your ultimate goal from the start.

>> No.14910572

>>14910510
Good stuff! Thanks for jumping in with the input anon. I completely agree on these recommendations.

>> No.14910650

Hey man thanks for doing this; I've been looking for something to sink lots of hours into that'll land me a more interesting, and this sounds like something I want to try out. I remember in another thread an anon mentioned a discord server IRC being set up. Is this up and running yet?

>> No.14910662

>>14910650
more interesting job

>> No.14910680

>>14910510
>>14910572

My concern is that devs can make $220k at Amazon/Goog/whatever if they are just good (not exceptional / rare). I wonder if that's the case with security.

>> No.14910719

>>14909365
How should noobs treat their github? Should we upload projects finished from going through Zaid's course, for example, or is that bad form?

>> No.14910737

>>14910650
IRC is not up yet. I took some time to determine which solution to use for chat, and decided on IRC. In order to ensure it is secure, I decided to go with standing up our own server, rather than just a channel on some already existing server. I hope to have it live soon and will update here when it is up. I am looking for moderators/admins for the channel, since I will not be able to be there all the time. If you are interested, email me (OSCPanon at protonmail dot com)

>>14910680
I think you would have to be very good to make that kind of money at amazon/google as a software dev. I could be wrong, but I think there are a lot more code monkeys out there than people really developing at this level. I would think that security people make just as much or more for the same companies, working at a similar level. My big thing is that I do not enjoy software development. That could be different for you. I would suggest doing whichever you enjoy more. You will put more into it if you enjoy it and therefore climb higher. Plus, you will be better off overall (not just monetarily) doing something you enjoy. Pick what suits you.

>>14910719
I don't see anything wrong with uploading those projects. Honestly they are good tools. I still use the network sniffer I wrote in that class, professionally. I would say just group stuff into folders and upload whatever you finish that works. You can always go back and push updates. If you stick with it, you will definitely at some point update those tools, and then you have a central repo to push and track updates, and provide your own twist on those tools. Just having a decent github will separate you from other candidates and show employers you go the extra distance.

>> No.14910812

>>14910680
The turnover rate at those companies is high. Cost of living in those areas is also high. Competition for jobs at those companies is also extremely high.

If money is your biggest motivation, this isn't for you, period. Also, the interview process for software engineers is a complete joke, even for small startups.

As far as security, firms get huge contracts with either large companies or government/military spending. Career wise you will be making more money than the average software engineer. You can also get your CISSP and get into management/consulting which again, is good money. But if you're just starting out and only thinking about the paycheck, you're going to hate any IT job.

>> No.14911177

>>14910812
Don't agree with the money part of this. I'm not sure why you think the money is not good... I think IT security is the absolute best field monetarily for people with a college degree, and probably still the best for many people with only a bachelor's degree. The money is quite good. Especially for penetration testers.

>> No.14911190

>>14911177
meant to say for people without* a degree or with only bachelor's

>> No.14911707

>>14911177
No, I'm saying the money is very good, but if it's your biggest motivation to get into the field, you're probably not going to enjoy it. I see the churn with students getting degrees in computer science so they can become software engineers because it's commonly sought after as a high paying career. They then come to find that they don't like programming or IT in general and end up hating their jobs.

It's the same with security. Yes it pays well and people view it as a sexy career because they like the idea of becoming a "hacker". They learn very quickly that they only liked the idea of becoming one and not the hard work that it takes to actually become one.

Obviously money should be part of your motivation because if this job didn't pay well, nobody would do it. What I'm trying to say is this line of work has to be of interest to you, not just the paycheck or you will burn out very quickly.

>> No.14912398

>>14910510
Could you recommend any content or books to prepare for the A+ certification? Or any tips at all about the test? Thank you for taking the time to help us out here!

>> No.14912973

>>14912398
Professor Messer is the absolute best source for A+ . Also on youtube but here is a direct link. Course is free:
https://www.professormesser.com/free-a-plus-training/220-1001/220-1000-training-course/

ID may have changed, im phoneposting

>> No.14912982

>>14908749
BASED pentester anon

>> No.14912995

>>14912973
guess my wifi has better range than i thought

>> No.14913182

You inspired me anon. I was the original poster who wanted to make money without leaving my house. Learning pentesting so far is a slow process. I already binge listened to all the dark net diaries. Thank you so much

>> No.14913279

>>14913182
awesome! and you inspired me to make these threads and share info.

it's not a quick process, but it's well worth it anon. you can do this. feel free to email me any time when you have a question, or if you just get down and need motivation.

>> No.14913333

>>14912973
I'll be taking a look in a couple of minutes. Thanks, you're the best m8

>> No.14913778

>>14908749
Just wanted to throw another thanks your way, anon. I was feeling desperate about long-term financial stuff the other day, then stumbled onto your thread. It's been an inspiration. I've been reading up on penetration testing, as well as Linux, and for the first time in a long while I feel like I have some good possibilities in front of me. I know it's not a quick process, but I trained myself to be patient a long time ago. Thanks, anon, for helping light a spark under my ass.

>> No.14913853

>>14913333
those quads!

>> No.14913866

>>14913778
glad to hear it anon. keep in mind that you can do this. I’ll be here when you need a little boost. you got this