#cyber-and-careers

We can post it both places

better.

Network Engineer Wanted

Your role as a Lead Installer is to manage and deliver from A to Z the deployment of network equipment in the hospitality industry (Luxury Hotels) across Europe, from Access points deployment,
to switches configurations, gateway deployment (Linux mainly), performing Wifi survey, handling communication with the customer. Dealing with Ruckus / HP-Aruba / Cisco / Samsung / LG. Leading the onsite team while working with the
project manager to ensure that our products are installed within scope.

Qualification

• No certification required but CCNA level is a plus,
• Experience in networking is required,
• Travel across Europe is required (60% of your time would be abroad),
• Willingness to learn and issue solving mindset required,
• Interest in the network world, along with the VOD (Video on Demand)
• Cabling knowledge is an asset,
• Excellent written and verbal communication skills,
• Strong documentation and troubleshooting skills,
• Capable of handling and working under pressure

Working from home while not on installation, flexible hours, no preference in location within the EU,HQ located in Warsaw, Main HQ in Canada

if interested, please DM me for more information.

Anyone have any remote job leads? I have Network+, Security+, 3 months of helpdesk exp, over a year in customer service experience, two food jobs, and working on Linux+. I've applied a few places, Charles Schwab just rejected me. Other places haven't responded.

Looking for entry level networking/help desk/cybersec jobs

So I’m a high schooler wanting to go to college, what’s like a website of classes- like computer science and stuff like that, stuff that have to do with computers and stuff

https://www.coursera.org/ this website allows you to audit real college classes for free this includes lectures and stuff or if you want to pay you can actually take the class with quizes and tests etc

Provided one has the appropriate experience, what kind of tech jobs can someone in high-school get?

you should mainly look for internships or externships you’re not really going to find any jobs unless you start making connections and you get those from internships

do you guys use a template for your CV? or write it your own way?

default monster template

if you want to be appreciated more add buzzwords around your cv in white font

like infosec, hacking, etc

lmaooo

it works 😉

at least someone has a look over your CV

@remote mauve thanks for the suggestion

@remote mauve this seems the perfect chance to use "L33T SUPA H4X0R"

1337*

it was a cheat on age of mythology

I mean, the way that I typed it

Only 90's kids will remember

i am 25 years old @cosmic ingot .

@remote mauve lol I didn't say you weren't one 😆

xD

leet speak is in my b|_00|)

@cosmic ingot I've used resume.io a good few times

Good site for templates and such, and they host a version of your CV for you

my one big piece of advice is make sure your resume looks nice. Remember that you're one in likely a hundred applying to that job (maybe even a thousand) and you want your resume to stand out.

if it looks something like this:

redesign it.

you guys use pictures in cvs?

I thought u weren't meant to so they can't discriminate

Also no DoB

+1

rules of thumb:
No DoB, no Location, no Phone, only email.

No gender or age either under UK law

however, under the discrimination act if you are a minority in the field they are legally allowed to favour you more over someone who isn't, even if the other person has better skillset / quals than you. So it might be worth it to include some things. Jobs can also ask for information that can be discriminated against like age if it requires that (selling alcohol) or disability (long haul truck driving)

sorry its equality act* http://www.legislation.gov.uk/ukpga/2010/15/contents

It's worth noting that a lot of UK companies (and universities) have diversity quotas to meet, so if you fall into the diversity range it is definitely worth declaring this somehow. But the problem with this is that you'll get impostor syndrome thinking you was only hired because you are a diversity hire - it's really up to you

I’m more of a coder than anything, I’ve been programming for years now, and I was wondering when it comes to security engineers is coding something you’ll do? I have just recently been getting into cyber security

Depends where you end up really. There's secdevops too @marsh herald

I wouldn't want to be hired because of my the color of my skin lol

do you guys use a template for your CV? or write it your own way?
@cosmic ingot Awesome-CV

@marsh herald For security engineer? Absolutely, since you'll be helping develop security controls. There's also a lot of ways to still add some past coding experience in different roles. I moved from web dev to appsec consulting (1/2 of the time is on pentest) so I still write some scripts to do things for my engagements. I’m just not writing large apps anymore

What is one of the best intermediate level courses that you can do as a guy in high school?

course in what?

for compsci CS50 was great 🙂

what do you mean by that you didn’t explain much

Networking / pentesting (if possible)

Or really anything security related > Networking / pentesting (if possible)
@distant jay

@languid hearth what's wrong with the one you posted? It seems well laid out and easy to read the key points in a few seconds

a resume that looks like that looks incredibly boring, has absolutely no life to it, and makes me want to pass on a candidate. It looks like a majority of the resumes out there (which is a horrible thing) and the only thing it says about you, is that you know to follow the bare minimum and that's about it.

I don't know anything about making it say more about me though. I hate the fact that, given that your cv is at least presentable, with no big errors, you have to go out of your way to make it stand out in case that matters more than a gazillion soft skills that you have.

How do you even make it stand out? Embed a YouTube video?

@languid hearth your feedback meens a lot, thanks a lot for sharing

That would indeed make it stand out > How do you even make it stand out? Embed a YouTube video?
@cosmic ingot

make it look pleasing to the eyes, make it actually say something about you, put some personality in it, use some different fonts other than Times New Roman/Arial/whatever generic font

it doesn't need to be crazy, it needs to be simple, but pleasing, add a tiny bit of color to it, but don't overdo it

also, the little certification badges are a good thing to include somewhere, I include mine right next to my name

Also you can check John Hammond's resume/CV video if you want if that helps you smh.

Thanks for the suggestions guys

comic sans ms for the 1337 feeling @cosmic ingot

@remote mauve Def worth the try

either you get the attraction or the hate

or both in the same shape or form

also worth writing down if you have any blogs and stuff

anything that you worked on and you are pleased about it is worth putting there

@stone cedar Wouldn't recommend it till ur comfy with pivoting, the pivoting is horrible in this

Oh really, damnnn. Does the course provide decent info on it?

Not really no

Okay I’ll set up a lab tomorrow

It gives a lot of good info but not a huge amount of pivoting. Having to use Metasploit for it, it's really slow

It's against a majority of windows boxes if that helps

Was about to ask if you’re using Metasploit

Eurgh that doesn’t help me haha I hate windows

Having to yeah, I can manually do it against Linux boxes with chisel but not with Windows

Chisel has windows bins tho?

The lab is really oddly set up to

Does it O_o

It’s written in go

Why haven't i checked that......

Which means multiplatform?

I think

You should be able to

Although some things in go are... Poorly portable

I'll try that, anything must beat this 2 minute lived metasploit wonder

Just checked their github they have windows binaries i. The releases

https://tenor.com/view/grinch-christmas-evil-smile-grin-gif-5534744

ty! back to it! (Was reseting the lab)

Have fun 🙂

Hello, I was wondering how likely is it for a Computer Science freshman to get an internship in InfoSec? Is it best to aim for something different to get work experience and then try again next summer?

@hushed sigil Eh it depends on who you know and how much time you’ve actually put into the field that you’re looking into there’s plenty of internships out there for InfoSec so you won’t have a hard time finding one.Not really you’re hit experience isn’t going to change a lot in one year if you want you can look for them now but it all depends on what part of InfoSec you’re looking and who you know/ what hands on experience you have

@polar rock I have some experience doing IT work for my high school and I think I know someone who has contacts in InfoSec. I have being trying to learn on my own. I am interested in Red Team and Digital Forensic

Passed eJPT btw ;D clicking submit on that test was really really really hard

@forest knoll Woah, congrats 👏

Thank you 🙂 jb is next!!

Congratulations @forest knoll

Thanks bud 🙂 if u ever need any advice on it just hit my DMs, they're always open for u

Thanks bb, I will actually hit you up in a few, when I get out of bed

Go for it!

@forest knoll Is eJPT more CTF-like or CVE/Exploitation oriented?

Because I saw some claims that eJPT is just one big CTF

Nah its more Exploitation

It's understanding whats going on, and ur enviorment

alright

There is stuff u have to find like "find secret" in blah blah

But nothing is hidden or a puzzle

okay, sounds nice

It's pretty easy but there's 1 part that is extremely slow.... and I spent WAYYYYY too much time trying to do it with tools and quickly

pivoting?

I remember @remote mauve wasted like 12h on that

U have to attack a machine not in ur subnet through another computer. If u forward it its a pain

and it kept dying and I kept trying different ways. In the end it was actually easy to use just said computer

okay, thanks for that info

The actual getting root or admin is as easy as 1,2,3

anytime 🙂

I did. The only reason is that I didn't read the pdf they sent out

@fathom lake and @forest knoll

bad boi

So. Yeah. Took extra time because of that

Yeah I didnt read that til like an hour in

I didn't read that until 1 day im

In*

do you get pdfs with exam?

or the ones in the theory section

every review i've seen says you must read the engagement letter

Yeah u need to read the docs they give u

Thanks captain obvious

Its like a 4 page PDF and some bits and bobs. Literally takes 5 minutes

nice

They need a tldr

hhahaha

I didn't bother reading it until i couldn't figure out what else is there to do

I rooted the 2 initial boxes and the ftp

Then i started looking through routes and etc

So spare me plz. I over complicated it a lot

I tried to use metasploit and wasted like 6 hrs with dying port fwds/socks proxies. Was driving me up the wall

Did you use the win bin for chisel in the end?

Couldn't find 1 and was too impatient at that point and did everything in a different way xD

xD

it's literally bottom of their releases page on github

https://github.com/jpillora/chisel/releases

Just above source code

for future reference

https://tenor.com/view/hitmans-bodyguard-hitmans-bodyguard-gifs-ryan-reynolds-dammit-damn-gif-8352668

https://tenor.com/view/kekw-seizure-shaking-lol-laugh-gif-16598372

*** anddddddd bookmarked ***

In the end I didn't use any port fwds etc anyway 😉

Ahh, I think that answers the question I was going to DM you about

same

no need to pivot

just basic networking

summary of my resume:

work: 13 months network engineering experience
certs: eJPT, CCNA, MTA windows server fundamentals, MTA cloud fundamentals, MTA mobility and device fundamentals
location: england

currently unemployed and looking for anything cyber sec related, preferably junior pentester
i've got some interviews for security focused sysadmin roles, but currently none for pentesting/blue team
money is kinda an issue at the moment since i'm not getting anything at the moment and will likely have to move across the country for a job

do you think it's worth me spending ~£800 on oscp and hoping that will land me a job? due to covid i am at home all day so i have plenty of time to study

No you have the flashy certs and everything but you don’t have anything to show that you actually enjoy it like projects, boxes etc

i've recently made a box going live soon, which i have shown on my actual cv, i have a few programming projects on my github but admittedly it's nothing security focused - just working with APIs

what kind of projects do you suggest?

anything cybersec and that interests you. It could be a port scanner, automated recon tool anything

Tip before CEH

i'm asking in this discord because i don't really have another discord to go to but in terms of certifications which ones are the most necessary for looking into a career in pentesting?

i've heard of the usual sec+ and OSCP(?) but i was wondering which ones should i work towards

i'm currently aiming to do the comptia a+ but i don't know how much that might help me in a pentesting career

OSCP is the one that everyone seems to want. It's the one I'm heading for, definitely.

eJPT also seems popular

A+ will help you learn how computers work / troubleshooting. That's important, but if you find it too easy, skip it

is there like a n orderfor which ones are best to get

for example first you get sec+ then you get OSCP then you get whatnot

If you get sec+ and OSCP, stop and get a job first

ic

Be very careful with putting too much emphasis on certs

^^

yeah, it's just that i want something to work towards at the least lol

i don't want to make it all on certifications

My plan, personally, is OSCP, and my degree.

totally! It's nice to be directed in your study

Different people will have different aspirations

But the one thing everyone seems to agree on is that certs are nice to have, but far from the be-all-end-all

yeah

I always tell people the same thing: look for job postings and see what certs they ask for. Some employers want you to have at least 2 of a list, some want you to have at least OSCP, some don't require certs if you otherwise show them you're on the level they want

btw, half a year ago I think I had never even heard of eJPT, and nowadays everyone's talking about it

I can't wait for employers to recognize it because frankly the eLearnSecurity exams sound much more fun than the "try harder" exams

lol

i see i see

or just dont worry about certs find a job that will let you slide without one and get them to pay for it or participate in projects and get them to pay for your certs

haha at my age it would be harder to do that

but i can see why that would be a good method lol

why do you say that I'm 17 and have plenty of opportunities to have companies pay for my certs. If you believe that your age is a limiting factor you simply aren't applying yourself.

yeah but i'm only 15 so i'm not 100% sure whether that can happen for me lol

even still either way i'll try my best to get the cert

it will be helpful to work towards at the least

imo

lmao if youre 15 why are you even worrying about certs?

Imo you shouldn't worry about certs at an age like 15. If it directs your study, great! But don't pay them any money

i suppose that's true...

you dont need 1000$ certs at 15

youre just throwing money away for a fancy paper

yeah that is true tbh

but i don't know what i would work towards in that case

if youre doing tryhackme work towards getting to 0xD or top of the leaderboard

you could also do a cheap udemy cert like PEH

(Pretty sure they're dropping PEH)

Lemme check that

PEH has been free twice

thats how I got it

Ignore me

Wrong cert

Im talking about TCMs PEH

@undone shore they said they're gonna close the channels iirc but from what I understand the course will stay up and up-to-date

udemy has tons of great courses

@undone shore they said they're gonna close the channels iirc but from what I understand the course will stay up and up-to-date
@cosmic ingot Aaah. Danke ♥️

i've heard of udemy yeah

is it peh or cpeh lol

well im asking the question hee again, like what languages are important when i want to get into cybersecurity networking? What languages do you guys code?

https://www.udemy.com/course/practical-ethical-hacking/

i'll check that course out now

honestly he also has alot of the material for free in various places as well if you dont want to pay or sometimes he just drops the course for free

Python is pretty versatile @warm hinge

I think ruby in some contexts?

that course is great though ^, highly suggest it to anyone and especially beginners

Mostly python though - plus it's arguably one of the easier to pickup

go is starting to gain popularity as well as C#

im learning python its esy and i want o specialize cause im tired of doing hello world examples in every language- so you you also think that python has the most usescses- because i also like machine learning

Just try to only worry about python3. And if you can, learn about how to use venv!

what you mean learn venv? venv is just 3 lines of code- 1 to set it up and 1 to activate and 1 to deacvitvate

Learn to use it. I just ignored it when I was learning it (although it was py2) and messed up dependencies

im using venv all the time actually

Although now that my os only has python3, I haven't used it.

oh lol I thought it was someone who had never learned python asking my b

im dcent with python- no prfessional but i know what a venv is and use it regulary

if you're interested in ML, python is currently the most popular language for that

but even if you don't get in ML, there's so many things you can do with it

like i said im trying to decide what i wanna do, either ml or network security - with ML its just i need to know all the algos- which is kinda nerve wrecking at times and i suck at at math- and i like hacking awell thatswhy im asking- i cant stand doing front end work

too tough for you? 😉

if you want my advice, it's too early to say you suck at anything @warm hinge . other than that, I would suggest getting into uni, try to work on as many projects etc as you can to gather experience. you have much time ahead of you to decide what field to get into

actually yes- lol, not the coding part but to make the site look decent is a headache- like 50milionen colors to decide from and than- i like bootstrap

i did study cs50 harvard

but now im trying to get work and i dont want to do wordpress sites or front end work

what is cs50 harvard actually? I have seen ppl mentioning it everywhere

A free compsci basics course

CS50 is very very very good, I went to their hackathon and met David (the guy that teaches it). Absolutely superb teaching, simply the best i've ever experienced. It's the most popular course at Harvard & Stanford (or it was when I took it many moons ago) https://www.youtube.com/watch?v=jjqgP9dpD1k

can anybody help get me started with crypto mining? and or into cybersecurity freelancing?

1. Don't go into crypto mining

2. I recommend you get started in cyber security before you go into freelancing

@warm hinge the only way to profit on crypto mining currently is if you had free power and a large number of expensive gpus at your disposal

what are some major pools for cybersecurity freelancing atm

when you have the skills to freelance you will know where to go

im a newcomer i understand some some concepts behind hacking ports, programms etc

hacking... ports..

i already have kali installed

understand some basic command ad some tools

methodology behind enumerating and research about websites

i suggest just to keep learning for a few months. worry about freelancing later on.

not that i am an expert myself

^^

if you make a job or money your end goal from the start vs "I enjoy doing x and really want to learn more about it", you are probably going to hate it by the time you get there. Just learn and enjoy the process regardless of the outcome. If you are job worthy or freelance worthy opportunities will present themselves. @warm hinge

thank you!

does anyone here have a side/regular job and does hacking for fun or do you guys do hacking as a job for a company?

it seems most people here are students, becoming students or studying in their spare time while working. Some people have jobs in the industry as well.

Most people who work in the industry hack for fun

I have a regular job and I’m learning about hacking as a side/fun thing, though it’d be nice to transition in to eventually 🙂

I’m learning it because this type of thing and coding goes well with what I wanna do ultimately, which is being an author

So I have plenty of chances to write and work on stuff while I wait for processes to finish up

Okay, I'm actually mind blown now

I recently applied for an SecOps offer, even though I do not have official job experience in that, but I rather taught myself how to test and seal the security, plus the offer had a riddle that even a script kiddie would have solved

They responded suprisingly fast, less than 10 minutes from me applying, what the hell xD

Either they really need someone ASAP, or their HR is amazing

@clear atlas CS50 teaches you everything you need to know about web development- in my opinion cs50 on youtube aswwell as w3schools.com are the best resources for web developers- and also kaggle is a great resource if you into python adn ML and of course youtube but most youtbube channels suck especially all youtube channels teaching "hacking" i think they suck, but thats my own opinion- nullbyte etc are a waste of time imo but maybe someone has a different opinion- or more resources for learning

@tarek Oh, I see. Where does people always take CS50? I've been wanting to learn web dev, currently using The Odin Project. Also, I've seen w3school teaching hacking on youtube. Does it suck as well?

i only use the website w3schools.com, cs50 is mostly on youtube- downside on that is that you dont have the material but you can learn a lot from it just by watching their youtube channel- also stanford has great material- but i only took cs229 on coursera- but its free- i forgot if you want to learn about linux edex offers great free courses aswell

i suggest start with harvard cs50 for webdevelopment and edex for linux- than loook into coursera/stanford for cryptography machine learning et..

@warm hinge +1 for w3schools the Mozilla developer docs are amazing as well

i only use the website w3schools.com, cs50 is mostly on youtube- downside on that is that you dont have the material but you can learn a lot from it just by watching their youtube channel- also stanford has great material- but i only took cs229 on coursera- but its free- i forgot if you want to learn about linux edex offers great free courses aswell
@warm hinge This is not true.

CS50 republishes their content on YouTube, but the entire course - including assignments, extra videos and more are published on their EDX page where you can enroll and leave with a certificate of CS50 https://www.edx.org/course/cs50s-introduction-to-computer-science

You even get access to a cloud based IDE (cloud9 last time I checked) which allows you to do the assignments, and your assignments are marked and graded. If you pass all assignments - you pass CS50 and at the end you can get a certificiate.

thanks for clarifying this- i knew i have seen cs50 on edex

And CS50 isn't about web development, you may be thinking of CS50x Web Dev ( https://www.edx.org/course/cs50s-web-programming-with-python-and-javascript ). CS50 does cover web dev, but it is not about web dev. It is about computer science. here's the full list of topics they teach from EDX 😄

    A broad and robust understanding of computer science and programming
    How to think algorithmically and solve programming problems efficiently
    Concepts like abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development
    Familiarity in a number of languages, including C, Python, SQL, and JavaScript plus CSS and HTML
    How to engage with a vibrant community of like-minded learners from all levels of experience
    How to develop and present a final programming project to your peers

sure - yes you correct its about computer science - was my bad that i said web dev- i did web development bsed on python and javascript and css- thanks dude

cs50 introduction to computer science and the art of prgramming

because i did web development and thatswhy i said its for web development, i should have been more specific about it- eithr way its a great resource

cs stands for computer science 🙂

edx

Would you recommend CS50 for a newcomer to programming @warm hinge ?

yes cs50 is for beginners- web development computer science

I know dribs and drabs of languages, would like to narrow things and formalise a language yaknow

they start from scrath with html css javascript, c++ python php i think aswell everything is covered

cool thanks for sharing (:

https://www.youtube.com/user/cs50tv

they also cover networiking which is needed if you want to get into hacking and great explained

start html css and than learn a real languagge like php javascript and than conect to database with mysql - i think thats the way to go to start out web dev than you can always learn java c++ or python- and if you into hacking you need linux

you can als start with linux systemadminitration- but at the end you need to know html css frameworks for frontend and a real languge- i stick with python

A real language, as opposed to a fake one?...

than you can alway switch from lamp stack to mean steack etc. there is just so much to learn - php is also simle and used on wordpress adn basicall everyone has a wordpress site now

well html or css arent reallylanguages

some say they are ...

Hypertext Markup Language

They are not programming languages

But they are languages nonetheless

right

a language is to me where you can program some logic into it

php javascript c c++ python ruby go etc

Programming languages, y'mean

well linux would be a language- slike shell scripting

Eww, javascript 🤢

Because if that's all a language is, then you're speaking something mighty funny

excel yould be a language too

Bash scripting, for the record

bash scripting yes, oh i said shell- bashä

CSS is turing complete.

how is css turing complete?

https://notlaura.com/is-css-turing-complete/

and css isnt even a language- i mean it kinda is but it isnt really

its a stretch to call css turing complete imo

well if you use sass i think it would be

Unfortunately, that ain't a matter of opinion.

A language is considered Turing complete if you can encode Rule 110 in it. You can encode Rule 110 in pure CSS, therefore it is Turing complete

You'd be an idiot if you tried to use it as a programming language, but that doesn't change the fact

https://en.wikipedia.org/wiki/Rule_110

interessting i didnt know

with cs you just never finsih learning

There is this dude that claims that he went from 0 coding anda after 6 month he scored a job with google https://www.youtube.com/channel/UCaO6VoaYJv4kS-TQO_M-N_g

i also started 6 month ago but i dont know shit yet- i wouldnt even know where to apply for google tbh- i shouldnt say that but i think he studied math before so i think this helps with algos

im stage where im in tutorial hell currently

he said he learned python within 10 days, well you can learn python in less than that but there are also all that libraries like panda numpy etc, and to be good in something i dont know- how google is hiring people and based on what

what does it even mean you elarn python in lessthan 10 days, becuase to understand how loops and arrayslist and tuples work you need about 20 minutes for it and to be perfect in python im sure people that use python for 10 years straight still lern new things every day so i dont know

it like with skiing you can learn skiing in a few days but even experienced skiers arent the best in the world and lern everytime- what does it really take to get a job at google?

I watched a bit of the video and he said that he did a coding bootcamp, which is a very "easy" way to learn it because you're around code for a lot of hours per day

you can do it for six months but if you're only doing 10 minutes a day it's not the same as full days

although starting with 10 minutes a day can still teach you a lot

@warm hinge there’s a YouTube channel Nick White and he talks about his journey trying to get a job at a FAANG company and you can see all the 100s of hours he puts in just with algos

thanks i will check it out

@warm hinge have you had experience with cs50 intro to cs? it seems it touches on C as well as python and has a final development project. but im not sure if the cs50 python javascript would be more beneficial... i want to get into web programing to have a better understanding of web apps for security purposes but not necessarily develop them.

Guys should i do the OSCP or eCPPT

to again more knowledge

oscp imo

thaanks

If you want knowledge, eCPPT.

Hands down better than PWK in every way, and the exam tests you on more that CTF stuff.

If you want to get past the HR filter, OSCP. But that's not saying much when many companies also list it next to CEH.

Do both. eCPPT, followed by OSCP.

That's my plan atm ^

Wow eCPPT covers a lot

eLearnSecurity is very thorough and comprehensive. I also like their WAPT and the new 2020 WAPTX courses.

You can do all 4 combined for the price of 1 SANS course lol

Do OSCP first. It'll help prepare you for PTP and the eCPPT.

I got a job, finally

Congrats!

Congrats!!

Hi, I'm a student from Serbia and I was wondering if anyone is intrested in helping me out with stuff about cybersecurity (Police Academy)

That's so great! @stoic atlas congrats!!!!!! Start a new adventure 😄

AWS DevOps, maybe will branch out as SecOps as well

Year of experience and landed as a regular, so I am really happy

Really OSCP first? sorry just saw this

OSCP is actually an entry level cert. There is a lot of mystic around it but it isn't actually that difficult. There are a lot of harder certs both from Offensive security and other organizations.

Based of the conversation I think you are talking about, yep. OSCP first.

There is this dude that claims that he went from 0 coding anda after 6 month he scored a job with google https://www.youtube.com/channel/UCaO6VoaYJv4kS-TQO_M-N_g
@warm hinge he's majored in MATH 🙂 so what do you expect. And he learned Python after the coding bootcamp. So, he already knew JS. It's easier to pick up a language once you know one. Coming from JS to python, it's easy.

Speaking of jobs @ google; have any of you received an invite for the google foo-bar challenge? I received my first invite a few weeks back.

@sly elm It's definitely not easy, not when the advice of many experienced professionals to newbies is essentially "don't get dicsouraged even if you fail it multiple times"

Oh nope. I never said it was easy. Just in the grand scheme oscp is often actually a starting point. Not the end forever.

@sly elm Agreed. At least virtually every employer ever seems to agree on that, since they require it for entry level roles

Video i saw/listen to from Infosec, guy said to start with CISSP. https://www.youtube.com/watch?v=xzDKM7eEweI

@faint laurel keep in touch if you are serious

@strong magnet Ofcorse, I am in contact with MUP Cert, I can send the DOC for the section they had in plan

200304_sekcija.pdf

Its not finalized yet, because of the COVID-19 lockdown and such its shifted a few months in the future

@fickle ermine Sadly I don't have the time to watch an hour long video, are you sure that that's what they're saying? You can't start with CISSP. Not only is it just not an entry level cert but it also requires work experience. If someone is more interested in the blue side of things, there are other entry level certs they can get, but there are way more qualified people in here than me to give advice on that.

Yes i could find the time stamp, I thought you could start with CISSP, need 5 years of working in one of the domains of the CISSP

I don't know if it's technically possible for it to be your first cert, but when someone asks "what certs to start with" or "what certs do most entry level roles require", that's just the wrong answer

Right! that is what i thought.

If that's what they're saying then I can guarantee you you can get better advice in here; just be specific in your questions so the people in here can help you better.

I am just trying to advance, been a Tech for 15years

Well, your experience will be immensely valuable, so you just gotta "explore" the field and find what's best for you, then just put the time in to work your way towards it (if life allows it)

So not a total noob but i am new to Pentesting

are you more interested in offensive or defensive roles?

Offensive, but i could go defensive

the whole "Red team" excites me more than "Blue team"

Then you should go for it :)

Thats why i subbed 🙂

If you wanna get started in the offensive side, start with OSCP or eCPPT

that probably has already been said

But I'm just dropping in here

The eJPT is definitely easier (and cheaper) than the OSCP, but since you have experience in IT, you can shoot directly for OSCP. I think that in most cases, that will be enough to land you a job in the field @fickle ermine

so CEH not worth? or CySA?

Don't get CEH unless a) someone else is paying for it and/or b) a job specifically requires it

Depends on what you're going for

thank you @cosmic ingot

The first tier of CEH, certainly, is considered absolutely hopeless by virtually everyone other than the American DoD

Yea

That said, if a job asks for it, then it's the right one to get

I'd really like to put in as much time as needed and go for the eCPPT, but it's expensive

eCPPT over OSCP @cosmic ingot?

Oh ill be paying out of pocket

For i job i would say go for OSCP, for knowledge, eCPPT

That being said, still gonna grab OSCP after eCPPT

@undone shore I know OSCP is much more recognized but from what I've heard, the course for eCPPT is just better

but no, if I can put the dough together, I'll probably go for OSCP

They did just do a major overhaul tho

(after eJPT though)

Fair enough. I was already looking at trying for eCPPT after finishing off OSCP

Go for it @undone shore

I can let you know how the new PWK is, if you let me know how eCPPT is @shrewd gazelle 😁

Its pretty awesome so far

Taught me a bunch of stuff

Taking the exam on friday

oh, good luck

Oof -- Good luck!

Bit too many powerpoint slides tho

Thanks :)

Starting PWK on Sunday

So, ouch

Oh nice

Got a bit of time before the exam thank goodness

How long did you get?

Went for two months. I've learnt a lot in the time I've been here, but in the end that's only about 7 months or so. I didn't want to rush it

Yeah makes sense

I think i will get 3 months

If i am averaging about 20hrs a week on THM and repeating rooms if something didnt sink in. How long would you say ready for OSCP

With 15 years of tech experience

Just curious

You are ready now

yes

The PWK course will teach you what you need

ok

And the labs will reinforce it

They say you should have basic knowledge of Linux and Windows

And some networking yeah

But by all accounts PWK is excellent for teaching you the stuff you need for the OSCP

Oh yeah, and some networking

with scripting being a bonus

I think you just gotta take the leap

^^

Lots of people just think about the scary exam, but it is a course, it is meant to teach you

(Guilty)

Worked myself into a state over that more than once

(Same)

yeah i want to. Currently i build and maintain Call Loggers

I feel i over prepped for eCPPT

24hr too

Oh nice

Just looking at the syllabus for eCPPT

Its you that is spying on my phone 👀

better over than under

True true

it's also knowledge and experience for you, so not in vain

Yup, can't have too much knowledge

@undone shore Whatcha think of it?

I think no chance before OSCP 😆

With that as a stepping stone, it looks fun though

Yeah it is

Wdym stepping stone?

Using the OSCP as preparation for the eCPPT

Oh right

Dunno if its a stepping stone, but i think they supplement each other nicely

But yeah, i would recommend OSCP before eCPPT, since OSCP you are restricted on certain tools, where in the eCPPT everything is fair game

I think once i go do the PWK/OSCP, i gotta drop a lot of "bad" habits

you mean not using vim probably

Night at the pub?
thats one of mine

@cosmic ingot wut

I was thinking metasploit, and all that good stuff

I'm joking fam, referring to the "bad habits"

Oh

never used vim

I got stuck in it once

Never again

I don't think metasploit could be considered a bad habit if it does the job, but it will definitely pay off learning to do things manually

Yeah no, hence the "bad", its very useful, and i will be using it IRL
But since its limited, as well as other tools, on the OSCP exam

Started watching Mayor do that

Its nice being able to do it manually

Anyone here done the Pentest+ ?

an old but still relevant article describing various roles (blue/red) in the infosec field
https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Don't get CEH unless a) someone else is paying for it and/or b) a job specifically requires it
@cosmic ingot soo true

hello

hello

@cosmic ingot Thank you! i really enjoyed that read

could someone explain why CEH would be a worthless certificate? (in aus) and why OSCP would be more awardable i guess?

CEH teaches you theory (really badly and sometimes incorrectly)

where OSCP gives you hands on practical experience, where you can really ensure that the people who hold the OSCP meet a certain level of standard

i see

There are 2 main purposes for certs

its easy enough to braindump a multiple choice exam

To prove you know stuff to HR, and for the course+exam aspect to teach yourself

If HR don't care and it's not teaching you much or it's teaching you wrong, what's the point?

Bunch of money, no gain

so OSCP just a much better option solely from a learning pov too

Yes

it teaches you practical hacking

the CEH does not

There is a practical version of the CEH

IIRC the only place that respects CEH is the US DoD

LPT is EC Council's version of the OSCP

I have yet to take it tho

18 hour proctored practical exam

so bit of a diff question now but similar topic

i've been in IT for 3 years, went from deployment engineer to project support now doing 24x7 service desk analyst role

would OSCP be too hard to self-study?

or is it entry-intermediate enough for me to pass easily enough?

No, OSCP isnt difficult to self study

i'd like to move to security role within the company i'm at.. hence wanting to do a cert of some-sort

as long as you've got a significant background in networking

you'll be fine

my mgr told me "just get a CEH" but would rather do an overall better option

I took my CEH without studying for it, a week into classes and passed it with a 101/125

im assuming you work in net sec?

you have lots of certifications o.o

@languid hearth bro what for? your user window already looks like ash ketchum's badge case 😄

lmao

yep

pentesting for 7 months, blue team for 1 month - dual stacking

is the only place you can do OSCP on the offensive-security.com website? i'm trying to find an aus vendor but cant seem to

would the cert even be eligible for me here if i did it

meaning, is it internationally credible

OSCP = Offensive Security

yeah

the certification and training is provided by Offensive Security, they do their own training and labs, I wouldn't get training provided by a third party

it's recognized internationally afaik

@languid hearth you mean you're a professional in infosec for just 8 months? what certs did you have before your first job in the field?

OSCP, A+, CCNA R&S, Security+

congrats for achieving all of this in just over half a year

also worldwide listings for OSCP on LinkedIn

appreciate all the info @languid hearth

if you think that's a lot, you should see my girlfriend lol

I'm very keen to study and go for certs but I don't have the money for all of that

I've been in the community for abt 3 years now

I'm very keen to study and go for certs but I don't have the money for all of that
@cosmic ingot lol i literally have like enough for 1 which is why i came here to decide which one xD

she's been in for about 7-8 months and just left her job on blue team to come work for the same company I do for pentesting/red team

@waxen lodge I think almost everyone will tell you OSCP

how long did it take you to complete OSCP?

3 months?

@languid hearth are you both extremely good in what you do or have you been lucky with the opportunities that came your way?

signed up in December for 30 days and earned in March

a bit of both :p

imagine being neither 😄

that's great for both of you though

is that 3 months while working?

or 3 months not working

not working -- 2018 -> 2019

oh

signed up for labs at the end of December

i'd say i have alot of spare time though.. i'm on a 4 day split, 4 days on / 4 days off

very doable

i used a total of like 12 days of my lab time productively

im assuming PWK is the OSCP option, right?

PWK is the course that leads to OSCP

so its 2 courses? 😫

It's one course

That leads to a cert

The cert is oscp

You buy PWK

oh.. sorry im still ending my 12 hr shift currently lol

bit dopey atm

so do the Pen testing w/ kali course to get your offensive security cert

got it

what are those others anyway?

wifu lol

@waxen lodge more advanced courses

@languid hearth that 30 days of lab access, is that 30 days from start of your course or is it 30 days total inside lab-time

@waxen lodge most of your questions can be answered by browsing the offsec site for a while

https://www.offensive-security.com/courses-and-certifications/ read it up

30 days from the time you schedule to recieve the lab material

Boy I haven't been on that site for a while, did PWK get a price bump since the update?

rip

yeah

the new material is well worth the extra $

@languid hearth I still need to save for it though 😆

but yeah I've heard only good things

I still think OffSec needs an AD course

Email them and suggest it

they're probably gonna do it, just a bit late, like the pwk update

i really dont like this lab time as soon as you pay

whats the point of starting 30 days of lab time when its gonna take you 30 days to read the material first

by the time you finish material you lose all your lab time

the material is meant to suppliment the labs

so finish in 30 days or be at a loss due no to lab to work on after that

lol

guess thats how they make $$

so the labs aren't really necessary for the course

they're just helpful,

like, you could completely ignore the labs and probably be fine

because its just a giant ctf env

mm

might just wait on it for few months

learn as much as i really can on thm

hopefully allowing me to fly through oscp w/o need of the labs like you said

anyway, thanks for talk guys

goodnight/morning

good luck!

Hello everyone....just wanted to know cyber sec I'm currently a first year student pursuing ECE but I like cybersecurity I'm at this since 7-8 months and I love it.....does my ECE field anyhow affect my job opportunities in cybersec? Any professional working in the field could answer this?

ECE - electronics and communication engineering

Same Question from my side im final year student of ECE Please ans it

Hey bro you got opportunities this year in cybersec from your college?

Nope

Like no one got or just because you had ECE?

Cyber sec companies came and took cs students?

?? @sinful gale

Hello everyone....just wanted to know cyber sec I'm currently a first year student pursuing ECE but I like cybersecurity I'm at this since 7-8 months and I love it.....does my ECE field anyhow affect my job opportunities in cybersec? Any professional working in the field could answer this?
@upper vector Anyone who could answer it please?

Share some experience maybe

that's a very specific question @upper vector, no one but you will be able to answer it after you graduate. A lot of factors play into getting interviews and ultimately job offers. A degree will help, but what's the thing that makes you special? What makes a company want to pick. you over someone else in your class?

Ohk thanks but I hope the companies are not like they don't even allow a guy with non-cs background to sit in security interviews....so I was just asking someone who's been in the interview and knows how it works....

in most cases, a degree is a degree

you don’t really need a cs background in order to get a job you really need experience and projects showing that you take your own initiative and are passionate about the field @upper vector

Also I know this one sounds very odd but make a name for yourself in the community this can get you connections in ways you didn’t expect the cybersec community is very small so even just helping out in tryhackme and getting your name known in tryhackme can start getting you recognition within the community and grow your connections

@polar rock thank you so much for replying.....this question was really bothering me that should I go for my field only(ECE) which I'm not liking that much I love being here and learning sec in this fun and self study way

Also could you tell how much these platform like thm htb help as compared to real life jobs also should I go for OSCP or CEH? I find CEH more theory based I suppose which course should I prefer?

#cyber-and-careers message

you should check that convo from yesterday

Oh thanks

Networking can be as valuable as some certifications. Plenty of people without things like OSCP, simply because they've joined a local Cyber-Sec club and know the right folks.

networking (both people) and the technical skill are incredibly valuable. I would recommend both

I straight up went to my boss (now) boss, shook his hand, introduced myself (and the place I was in during the CTF (was a team based,I was solo), handed him my resume and said "if you're ever looking for a junior penetration tester or intern, give me a call". He gave me his card, a week later I came down to their office, signed an NDA, observed an engagement, and was hired 2 weeks later.

I had a coworker who moved on to a new (huge promotion) job because he networked with people on TriRail, they were both in IT. Remember, the person trying to hire someone has a full time job, they are not hiring someone because they think it is fun, they are hiring because they have a need. Knowing the right person makes it easy for both parties. EDIT, I was trying to convey that hiring managers have better things to do than go through resumes, be the easy candidate. You spend a ton of time at work, being likable can be a huge factor, sometimes more than tech skills which can be learned.

also, help your friends out. One day you might need something from them

+1

@languid hearth i have been trying pen testing for few months now my background is Test Engineer, when shouldbe a good time to buy the PWK should i do something else first? i mean i really like to move from jobs since pen testing is a thing i fell in love with and would like to practice

The biggest thing you need to know before starting PWK is the background networking knowledge, and some network structure helps too

if you can explain to me how ARP works, a three way handshake, layers are on the OSI model are and what they do, then you're ready

hey guys

i been doing some digging / consulting with companys in my area

they suggested me to do network+ / security+ / cyber security analyst+ and pen test+

for $5800 aud

over the CEH or OSCP

thoughts?

Net+, skip it, but study for it. Security+, go for it. CySA+, skip, Pentest+, Skip. OSCP.

overall goal is red team

CompTIA certs are great, but Pentest+ doesn't have any weight.

CySA+ is s different game and won't help you get a red team position -- a SOC position, sure

any recommendations for straight forward path to red?

instead of straight ceh / oscp

Red Team will come after several years experience as a pentester

i have seen people suggesting to go for SOC position first instead of going for directly as a pentester, get some experience. you can also check r/OSCP on reddit if you like.

ahh i see

well i enjoy pentest too

you're not going to land a spot on a redteam with no prior experience unless you work for a super small org

can you spit some more facts out to me

Many people on red teams started on blue teams.

just the overall knowledge is helping me

talking about doing things doesn't help accomplish them. so just do it.

there's smore fax for yah

lol

Don't over emphasize certs, instead focus on path and what the courses teach. I'd do Network+ and Security+ course, even if you don't go for the certification. Followed by eLearnSecurity PTS or PTP course. After that, take the PWK from Offensive Security.

so essentially

And after you get a job, go for all the SANS courses 😄

net+ sec+ will get me in the door

then after experience + time

go for oscp

not sure what pts or ptp is atm

ill have to look it up

pentest student and pentest professional iirc

fron eLearnSecurity

Pen Tester Student and Pen Tester Professional courses from eLearnSecurity. They are very well organized.

price? (roughly)

price is a big factor in my situation atm

unfortunately

:/

with everything said and done, all the certs together, 2-3k USD

eJPT(PTS) is 200$ exam voucher i would suggest just go over the barebone version(That is free to get) you can easily clear it.

also 25% off on eLearnSecurity till june ends if you want to purchase any course/cert.

my league game just ended

gonna search some of this now

thank you guys

also if you cant find the method to get barebone version for eJPT just ping me

thanks man

Good luck and have fun 🙂

hey, so i just finished the PTS and it was quite nice and beginner friendly I'm looking for something more advanced now, any recommendations?Thank you.

There are multiple certs that you can go for, but as Rikka da Best Girl suggested Go for Security+ & OSCP.. my plan is to actually get eJPT and study hard for like a year and half and then directly go for OSCP instead. and move on from that.

👀

look familiar rikka?

xD

@willow gate yes thats what i was thinking the OSCP is on my Wishlist but like you said its like a year or so of hard work.

Well its an entry level cert its just way too (idk the words) like famed as a difficult one but it actually is not. If you start doing THM on regular bases or follow the OSCP path in THM or can watch ippsec videos that would help you alot clearing out the exam. (Well thats just what i think as i haven't done it myself it cant be 100% true)

ohh well i have solved most of the THM rooms i feel quite confortable with CTFs just the buffer overflow i find it quite tricky if i may say.

its entirely methodological which is nice.

idk i cant seem to figuer it out and how to actually executed on a remote host,but ill keep trying tho.

how do you mean?

you're making a connection to the remote service and sending it certain data, for example.
PWNME\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42<eip to jmp esp>\x90\x90\x90\x90<hex shellcode>\x43\x43\43...

Thank you, So i took TCMs course and he goes into detail and how to generate the pattern and see when the server will break but its seemed too perfect with emunitydebuger and vulnserver im not sure how to do it in lets say "stealthy way".

the way he does it is stealthy seeing that he has the server downloaded locally, so after you have the server locally it wouldnt be detected any of the exploits youre running locally on it @nocturne dune

you can't really do it in a stealthy way

exploitation anyways

hmm interesting, so how would i really use in a reall life situation perhaps in a pentest?

you wouldn't really

you kind of wouldnt its hard to explain

Buffer Overflows are incredibly rare, and you wouldn't be able to just download and test a client proprietary app

a pentest is a broad term there are various kind of pentests however the most common use of a buffer overflow would be priv esc like the sudo buffer overflow and in most cases you use someone elses code and for applications you use a custom exploit

like neko said you wouldnt really use it in an engagment

and you wouldn't just randomly fuzz an app running on a prod server either

yes but its required in the OSCP which is quit confusing and you are not really allowed to use automated tools.so i should have some knowlege about it i guess

if you're comfortable with vulnserver, do stack buffer overflow good, etc, you'll be fine for the exam

@languid hearth yes i totally agree with you, and i do understand the concept of it i was just confused on how i would use it on a target.

yeah you really wouldn't man

exploit dev is a topic that's a high specialization that if you're end goal is red team/pentester, you likely wont touch

you'll want to specialize in phishing or AD

oh i really love AD and osint this is what i have been doing for the last 2 months just gathering information and exploiting our offices computers and domain.

Good. AD isn't going anywhere

you may want to look into how the cloud is transforming things as well

yes so im trying to master or atleast get comfortable with a certain type of attack then try to move on to a new thing so the cloud is on my todo list.

I have started to write walkthroughs for every room i solve on THM , I have chosed medium as platform but due to limited views am i thinking to shift , anyone of you knows which platform i should shift to for the walkthroughs ??

If you're writing writeups for the views, that's the wrong motivation

plus, if you're going to do it for the views, toss it on LinkedIn

Nope not for the views , just want to contribute to community

Want to know how can i make them better

and am asking for the platform because medium has cap of two articles of reading per week if you signup , so many people who singup wont be able to read more than two articles a month , so that is why i am wanna shift to other platform

github pages, netlify

umm Correct me if i am wrong but i think this is the offical site by THM?
You can add writeups here?
https://briskets.io/

no

That's @visual heart 's site

ooh

oooh

my bad

I started this with sole purpose to contribute towards community as i am learing myself its helps me re enforce my concepts and write in a better way

Thanks @quick forum

I have started to write walkthroughs for every room i solve on THM , I have chosed medium as platform but due to limited views am i thinking to shift , anyone of you knows which platform i should shift to for the walkthroughs ??
@grizzled wedge Good that you want to shift! Using Medium is like stabbing both your eyes out so you can't see them destroying your career and livelihood (well its not like, it will happen). I use Ghost, Netlify + Gatsby is great too. Wordpress, Jekyll + GitHub pages. Basically anything where you host your own content. You can use dev.to too, but please own your content and do not leave it to third party companies as they will destroy your blog the second they don't like you

https://www.alwaysownyourplatform.com/

Never ever trust a company to host your blogs for you. They can and will destroy your content, monetise it without giving you anything, or abuse your free creation of content to better their platform without any support to you. Always own your platform no matter what 😄 https://www.netlify.com/blog/2016/02/24/a-step-by-step-guide-gatsby-on-netlify/

^^ These messages are for anyone thinking that Medium is a good platform btw, not just you :p

I'm turning 18 next month and the lead of my school's ITS department mentioned he could try getting me in. Would it be best to attempt this or stay put and get more learning in for infosec?

experience is valuable

unfortunately, school stuff is mostly just IT

and not Security

so take that with a grain of salt -- you might get some Security in, but it likely wont be the primary focus

That is true

Are there any other options that would lead to a potential employment? I'm certainly willing to wait the month, but I'm also restricted due to education policies regardless of personal experience

become a room dev, bug bounty, free lance, bug companies into giving you an internship, take up a boring sys admin job like the school IT job

@grizzled wedge Good that you want to shift! Using Medium is like stabbing both your eyes out so you can't see them destroying your career and livelihood (well its not like, it will happen). I use Ghost, Netlify + Gatsby is great too. Wordpress, Jekyll + GitHub pages. Basically anything where you host your own content. You can use dev.to too, but please own your content and do not leave it to third party companies as they will destroy your blog the second they don't like you
@rugged sable which one of the platform is free of cost ?

Both of them

and get your own server as well so those hosting providers can't shut you down

That's mutually exclusive with using netlify or github pages

eJPT(PTS) is 200$ exam voucher i would suggest just go over the barebone version(That is free to get) you can easily clear it.
@willow gate Are you recommending to go for the eJPT cert, or merely that if one wanted to go for it, just go barebeones + voucher, not full/elite? In my area, there are no postings seeking eJPT... Certainly the knowledge is good, but question the value of the cert itself.

eLearnSecurity certs are not much well known by the companies yet. You can look up for the job postings and what they require and proritize those first. The most common ones would be oscp and CEH. But ofc eJPT is better than CEH in terms of knowledge.

most of the job posts i see requires OSCP.

and 3 to 5 years experience

and i just graduated where im i suppose to get experience

Most of the posts by me are a degree and OSCP

well i do have a degree but no OSCP

There's a goal then

At least by me, the degree is a substitute for experience, not for certa

im trying really hard watching every video reading blogs

i solved most of THM boxes

i took the PTS

The jobs by me don't just look for oscp, there are other certs they will accept

could you give me a vague idea on which area you are talking about

just to get an idea

im 22 im willing to move if there is a good opportunity

UK

All over the UK but mostly the south

that about 50 km away lol

Hmm another Mutual Server Ninja

What is that 3 now lol

@nocturne dune Getting a Blue Team job is easier with no experience, rather than a Red Team/Offensive security type job. A lot of Red Team folks started out on the Blue Team. Furthermore, job descriptions are written by HR, so take the requirements with a technical grain of salt.

The ones I’ve seen near me (East Anglia), which isn’t much, require oscp or CREST. Thankfully not seen many that require a degree

Obligatory reminder that you should apply to all jobs that you want even if you're not qualified

I agree

I had a company recruiter reach out and asked if I was interested in interviewing for a Cybersecurity Engineer position on a Red Team

I just graduated so I jumped at the opportunity just to be able to interview even if I end up not getting the position

@stoic cave Congrats!

Thanks good boi

I've got to impress 3 project managers before I get an offer so yeah

Odds aren't great but we shall see

More interviews = better

Free practice

Or practice at the cost of some gas miles

All virtual

Jobs in South Carolina and I am in Mass

Government Red Team so if IA succeed I'll get to play with some big boy toys

@stoic cave do you already have security clearance?

Can neither confirm nor deny

former military i take it?

Nope

Got lucky with an internship

that a boy. sometimes i wish i would have joined the coast guard or navy like i wanted to when I was 18. it would make life so much easier for a few year sacrifice. free school, secret clearance, net+ and sec+ i would be working overseas tax free on my first 100k. you live and you learn

This is a video I saw a couple of years back and I think it's relevant to the question. It explains why you should apply anyway.

https://www.youtube.com/watch?v=6G3kQyqMFpQ

Love me some Eli @dark prairie

And I definitely agree

If they don't want you they will just deny the application

And that's the worst case situation. They might find out you fill in a different role they might need too.

Some are confusing though Raytheon looking at you

Applied to a recent graduate position that required zero experience and got dropped from the running due to not having enough experience for the role

Hi I am computer science student and just started to learning Cyber Sec with Tryhackme 23 days ago. I've finished the subscriber part at this https://blog.tryhackme.com/going-from-zero-to-hero/ . What do you reccomend to do next? How can I learn more and improve my skills?

@tropic crater Maybe look at hackthebox

@distant pier i hope i get a job in this industry im 22 am working for a game dev studio as a assets designer and i really dont like it.

Good luck with your search and there is plenty of time at that age to explore and level up to your end goal gradually. @nocturne dune

@distant pier Thank you, hey if you have any resources to learn more please refer me to it.

@nocturne dune Daniel Miessler has a great blog post on How to Build a Cybersecurity Career https://danielmiessler.com/blog/build-successful-infosec-career/

@distant pier Thank you so much I'll definitely read all of it.

@languid hearth ^^

@ashen moss Don 't post discord invite links without permission. First and last warning.

hi everyone, can i ask something? is there any place to advanced bypass security like cloudflare? or THM have room with cloudflare as firewall? i want to learn how to bypass site with cloudflare to find the true their IP. mostly i think website nowdays using cloudflare.

thankyou

@hot cedar pls read #rules and dont spam this in every channel pls

@vale nymph im sorry, thankyou for remind me. im not spam. im just trying to put this into channel thats i think still related. sorry for what i did

may i know what rule i broke? hopefully with knowing that i can improve myself. thankyou

if you have questions regarding THM boxes you can ask in #room-help or #room-hints

asking how to hack something else falls under rule 13 i guess

understood, once again thankyou very much

@hot cedar so, bypassing cloudflare: You're either leaking the IP directly, leaking it from Shodan, Censys, whatever, or using an 0day to bypass their WAF appliances.

That's pretty much the CF bypass in a nutshell

Hey, so I'm getting onto my second year of 6th form, and starting to consider, for red team opportunities the best path to go down. I've been dead set on going for an apprenticeship with GCHQ after i leave school, but I'm not entirely sure on other possible opportunities. Any ideas on where to look, or if a degree would be more useful in the long run?

This the GCHQ Degree Apprenticeship?

Yeah

that a boy. sometimes i wish i would have joined the coast guard or navy like i wanted to when I was 18. it would make life so much easier for a few year sacrifice. free school, secret clearance, net+ and sec+ i would be working overseas tax free on my first 100k. you live and you learn
@dim goblet That is a great way to start. Being a vet is worthwhile unto itself, duty, honor, discipline, showing you are willing to put others ahead of your own personal desires up to and including putting your life on the line shows a lot. Also, it is a great way to train and gain experience for "free". Coast Guard tends to have you wear more hats and give you more responsibility quickly, Navy.....Never Again Volunteer Yourself (my service), great schools and training, terrible living conditions....All of my Air Force buddies really enjoyed their time in, no advancement because people never leave (that should tell you something).

@languid hearth ahh i seee...seems difficult. is there any technique more moderate to do CF bypass? or at least is there book or something to learn how to do that? thankyou for answering before

nope, not really

Cloudflare/WAF bypass is difficult, especially since a lot of WAFs prefent direct IP access

you want an easy solution to a difficult problem it doesn't exist theres probably tons of articles and blog posts about it but cloudflare changes their infra alot

thats not what i mean @polar rock i want to learn step by step. if there is something like a book or guide to learn bypass WAF, i think want to learn that.

@languid hearth ahh i see..., once again thankyou very much for answering my question

some people tweet some WAF bypasses they find

maybe just like insight, like what @languid hearth told to me. but seems it jump to advanced level

OWASP has some good stuff on WAF bypass but I think its going to be hard to find a step by step guide

but cloudflare patches them very quickly

basically to the point where you need to know something is vulnerable, you can't just play around

hmm i see... @polar rock i will check again and learn something there in OWASP. thankyou for giving me some insight

@languid hearth yeah I have no intention on playing around. I just want to seek out the best way possible to learn it. i want to improve my skill.

i'm curious. with things like Meltdown and Spectre, how are race conditions exploited to gain such critical access to systems. i can see it causing critical failures but now how one would gain access

What are some questions people would ask a person that is high up in an organization? I just graduated and I was setup to talk with this individual who is now very high up and I hate asking dumb questions

There’s a really good discord called infosec jobs that you should probably go check out they have tons of great tips and real questions for interviews I can’t link it as that’s against the rules but I can send you the invite through dms if you’re fine with that @stoic cave

yep go ahead

@polar rock could i also grab a link ? 👀

@polar rock mind if I grab a link as well please?

@polar rock mind if i can have that link too pls?

There’s a really good discord called infosec jobs that you should probably go check out they have tons of great tips and real questions for interviews I can’t link it as that’s against the rules but I can send you the invite through dms if you’re fine with that @stoic cave
@polar rock can you please pm me the link too?

Oh no

@polar rock hmu with that link bb

I may have asked this before but anyone who has taken and completed Sec+, how long did it take and what materials did you use? I think I could complete it in a month but I wanted to check with those who have taken it to avoid unrealistic expectations

you can complete it in a month

its possible.

if you have an it background (so you aren't fumbling with concepts), and can absorb information, 1 month is very possible for the Sec+. I just passed it in less than that.

Yeah I just finished my Degree in Comp. Sec. and Info Assurance. Degree is just a piece of paper though

Need the cert to be taken seriously

I don't know that the Security+ will help you, but it is not expensive and it is easy, so there isn't really a reason to not get it. A cert is just another piece of paper 🙂 If you are job hunting, networking is the best way to go.

I am job hunting specifically in the Cyber Security Field. Sec+ also covers the DOD requirementsa

The only Cert ive got is Cellebrite Certified Operator but nobody cares about that

I am not an expert on this, just starting out in Security myself, so take it for what you will. I keep hearing the OSCP is the entry level cert to have. Looking at things, SANS has some great $$$$$$ courses. I want to get hired by someone who will pay for my to go :-).

Don't we all bruh

OSCP won't help with DOD 8570.

At all.

When you're trying to get IT or cyber jobs from DoD or one of their contractors, you have to have one or more of those approved certifications. OSCP isn't an approved certification and Offensive Security isn't an approved vendor. Probably because it doesn't teach or reinforce security principles.

true

I've applied to countless gov jobs with A+, Net+, Sec+, CySA+, CEH, the whole 9 yards and when they say they want experience -- it's concrete.

I've heard different results on that. I actually lobbied members of Congress to deny DoD and it's affiliated contractors the ability to ask for security clearances as a requirement for application. Being as we can't self sponsor in the US, it completely restricts a large portion of the job market. Even those of us who had clearances and let them lapse due to other careers at the time can't get employment because of it.

Plenty of people with experience. No employers willing to hire you due to the investigation cost.

#thatsmymayor

I know people 😉

Yeah I am cleared I just dont have a DOD cert

Frankly certs are expensive and I really dont have that kind of money but Ill have to swing it some how

Does offensive security ever have discounts for their courses?

does anyone?

I mean elearn has discounts

rn

@warm hinge around Christmas time last year they had OSWE $200 off

@languid hearth ah maybe I'll wait around then

it's not guaranteed tho

if you want to take it, you should take it

yeah I think I am going to bite the bullet and schedule sec+ for next month

Is it worth it to purchase the retry as well?

if you're confident in your skills -- not worth it

if you aren't -- then you should study more :p

I need to satisfy DOD reqs

Then buy with retake voucher

eLS won't satisfy those. Google DoD 8570 and you'll find what applies.

Wait Security+ doesnt satisfy DOD 8570 Level II?

oh you werent talking to me

carry on

@elder grove do you have any insight into how a civilian can get a clearance required job? I have only known one person who obtained a gov job with no prior military and when I asked him how he did it he just replied "I got lucky". This was a person with no formal degree or experience who worked at a gas station while obtaining a net+ sec+ and a ccna.

Sorry, I missed where this was about DOD. Here is a matrix I found a while back about DOD 8570: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

He's right sloshy, you need to get lucky.

I agree with that

I got lucky that I was put through as a civilian

The clearance system is broken. If you don't know someone, or aren't someone they can't afford to miss out on, you won't get one.

Companies likely aren't going to put you on payroll and have you doing next to nothing for 6 months to a year while they pay thousands of dollars for the investigation. Especially when there's a never ending supply of us coming out of the military with these things.

Hi I'm going to finish my degree next year in computer science. I've seen a lot about different qualifications and wanted to know which ones will make me standout to employers?

certs and CTFs :p

Thank you awo. What kind of certs?

I recommend looking at the sort of jobs you'd be applying for and checking what they ask for.

Often varies by country or region

Cheers James I'll look into it

I had this come up on another discord group, hope it is helpful: https://i.redd.it/yo33xlys53141.png

A lot of people have serious problems with that chart

highkey thought it was a tool keyboard cheatsheet at first

thanks for sharing - I suppose those who understand it may find it useful (:

I have serious problems with that chart :p

the range of how ITIL is measured is certainly interesting

Also OSCP vs GPEN?

that's all I can comment on other then CCNA

Jobs I've seen treat them equally

GPEN > OSCP

GPEN covers a LOT more topics than OSCP does

is GPEN good for the UK tho?

Most jobs I have seen want either OSCP or CREST (or both)

I've seen some that want OSCP or GPEN

Interesting

Hey, so I'm getting onto my second year of 6th form, and starting to consider, for red team opportunities the best path to go down. I've been dead set on going for GCHQ's degree apprenticeship after i leave school, but I'm not entirely sure on other possible opportunities. Any ideas on where to look, or if a degree would be more useful in the long run?

I can't speak for GCHQ's degree apprenticeship. But talking from experience of being very much in the process for GCHQ's recruitment, it's very competitive. Their programmes are a tad bit misleading of the requirements that they would expect. I.e I know the comp sci programmes recruit from everything STEM - Sciences, Engineering, Maths, Comp Sci , cyber sec, etc

I would say, considering you want to pursue red teaming, that talking to other companies in the private sector about their apprenticeships might prove better to you. From the people I know, organisations like that are more towards the end of your career rather then the beginning

Not to say that they won't launch your career if so. Once you've got DV you have DV. A tonne of doors open up to you at that point - public or private sector. Talking to other companies such as Context Security (who I can very much vouch for) would be a good redundancy if that's what you want to pursue imho

Even other degree apprenticeships are focussed on much more than grades, important to remember

be prepared to apply for like 10+

Very much ^ I should of mentioned

Throughout my recruitment at both places, my degree only got me past the barrier somewhat. It was my experience that was brought up and/or filled certain gaps like in interview

That's my experience from them considering the place that I studied has an independent, direct programme with GCHQ - so bare that in mind

Saying that I might need to PM ashu re another thing

do i have a career?

I know i dont

Hopefully soon

@quasi stream Would i be right in assuming that certs and things such as an active GitHub with your own programs and participation in CTFs and stuff would be good?

That's good for your CV ye

And gives you stuff to talk about in interviews

I had this come up on another discord group, hope it is helpful: https://i.redd.it/yo33xlys53141.png
@dense bay Are you suggesting all of these certs or is this just a list of all available known certs by level?

this is a sorted list of available certs

However not sorted that well, quite controversial for some people

yeah of course

I think getting all of those would be pretty close to impossible. Have a look, use it as a resource to help chart a course to where you want to be. If you are looking at red team, you can look at the certs in the red section. Then research them to see if they are appropriate for you. I am not a cert guru, I am just learning like the rest of us.

Much of that chart isn't even named correctly. They butchered the eLS stuff.

Also Programming / Scripting language really isn't a cert

I'd argue having a decent programming foundation is really useful as a beginner

I would also

a shell language should be at the very bottom as well

since it's the foundation for EVERYTHING

Playing wack-a-mole with recruiters is fun

@stoic cave wdym?

Never had to deal with them so far. First job was advertised at my college, second job was basically headhunted by Skidy/Ashu here to make rooms

I was on the phone with a distinguished alumni learning what I could from him. company recruiter called when I was talking with him so i called them back afterwards. They werent there so I left a message and went away from the phone for about 10 minutes. They had called back in that time. And then I called them backl once i saw I had missed another call from them

and they werent at the phone again

oh thats what you mean haha i just got off the phone with an recruiter for my first time an hour ago

to those of you who have jobs: how many places did you interview at before you got your spot?

Any eLS certs you'd recommend before OSCP etc? Got a coupon and some £££ @languid hearth

eLearnSecurity was before my time

I haven't taken any of them yet

Oof

I have 25% off red team certs

And no certs

does anyone have any good netsec interview resources?

There's a good set of questions pinned

Current status is 1 money and 0 cert

Goal is 0.5 money and 1 cert

oh nice

PTP from eLearnSecurity. It covers a lot of ground.

That's OSCP money

Too expensive?

I mean, I could just get OSCP for that money

PTS is before the PTP, cheaper.

How about ec council road?

Ceh etc

They're meme certs unless you're doing DoD stuff

ANSI CEH certainly is a paper tiger, the newer PRACTICAL CEH is hands on skill, but no idea how valuable that would be.

you better know your shit like I do to make CEH worth it.

@distant pier I'll look through the barebones that I have

I think you can go for both

ANSI and practical

eLearnSecurity have detailed Syllabus for each course on their site, in a detailed Table of Contents format.

See

@distant pier ye but I got barebones for free already, so I have the material

I see, that is the PDF files?

Online, but slides etc

This is their roadmap for sec

@warm hinge yeah, but CEH is really not useful outside of DoD

Teoretical ceh and practical ceh

And cnd that stand for networking

You need to go for certs that jobs that you want are looking for

Otherwise there's no point

The slides are quite useful as a quick run-through if I remember correctly.

As I said

That's what you can do with ceh

Only useful for DoD

I am looking forward to see what the PTXv2 will cover and what is added versus the 2017 v1 edition.

But I wanna finish my ccna and then I will go for ceh, ecsa and lpt

I think that will be ok af

Unless you actively want to work for the DoD and can get clearance, don't get CEH

For a Blue Team job skip CEH and go for the ECSA

Also Sec+ covers level II as well I believe

For DOD

I am in Europe so I guess not

You're not doing DoD then

So don't bother with CEH

Useless certs are a waste of your money

Indeed, and EC-Council is not cheap.

Yeah

So what should I choose ?

OSCP? eJPT?

Sec+?

I wanna work with Kali Linux

For pen testing and things like that

So you want to do pentesting

Kali doesn't really factor in to it.

To break network as a white hacker

Networks *

You want to be a pentester.

So focus on pentesting certs

That aren't CEH

Because CEH is useless outside the DoD

Yes but Ceh is well designed for hacking

CEH wasnt designed for shit, yo

Other certs are more oriented on intranetworks as far as I know

as someone whos taken the exam

it's a joke

it's actually a meme

it provides no value as a penetration tester.

Good to know

CEH is a bad certification unless you want to do US department of defence stuff

Ty