Help? Software Developer's Route To InfoSec

Hi all the gurus and the fellow members,

I am a C# .NET developer, a graduate in computer engineering, and I recently completed my law graduate degree as well. I have been working as a software developer for the last 7 years. Now my concern is to pursue a career as an infosec expert as well as a cyber crimes lawyer, but after a lot of googling and asking people I didn't get the answer.

  1. My first question is: does being a C# developer help in any way to become an infosec expert? If yes, then what can I skip which an absolute beginner cannot?

  2. If I want to start a career in infosec, can someone please define the main fields of infosec? I came to know during my research that infosec has several branches, but no one defined them in a systematic manner.

  3. Being a newbie in the cyber security world, can someone list down the skills from beginner to elite which I have to research and study? For instance, I have been looking at OSCP and CISSP last week, and pentesting as well, but ultimately came to know that I have to have some previous knowledge before I can start with them. So if you can list them in a systematic manner, that would be a great service.

  4. Is infosec all about using the tools already in the market? If yes, then how can an expert be different from others? I mean, if everyone uses the same tools, then what's the point of cyber security?

I hope no one is offended by any of my questions or my words; if so, I am sorry in advance.

Regards,
Imran

Hi @Imran,

The answer to the 1st question you raise is that programming is an essential thing for ethical hacking, as a hacker can write its own proof of concept, have a better understanding of how things work, etc.

But as you mentioned, you have good experience of C# .NET; these programming languages are not my favourite programming languages, as if you want to automate any stuff, or want to code your own hacking tools, then Python is perfect for that. I know C, and having knowledge of a low-level language is very important according to me, but I mostly code in Python,

because it takes very few lines and little time to code in Python, and you don't have to waste your time writing the program; rather you focus more on problem solving.

It would not take you more than 1-2 months because you have good experience of programming.
And there is nothing to skip which an absolute beginner cannot.

Ans(2): There are various fields in ethical hacking, like:

  1. Web Application pentesting & hacking
  2. iOS & Android pentesting
  3. Malware analysis & reverse engineering
  4. Network hacking & wireless attacks
  5. Digital forensics, etc

I suggest you learn the whole CEH curriculum first; according to me, it is a foundation course and will give you an idea of all the fields. Then learn more in the particular field in which you are more interested.

For example, if you are interested in web pentesting & hacking, then start learning the basic fundamentals of penetration testing, and the various types of vulnerability like:
SQL injection, XSS, unvalidated redirects, broken session & authentication management, command injection, insecure CAPTCHA, insecure direct object reference, Heartbleed, unrestricted file upload, LFI & RFI, OWASP Top 10 vulnerabilities, etc.

And the same goes for other fields also, such as in wireless hacking: learn about basic networking,
MITM attacks such as ARP cache poisoning, DHCP starvation, DNS spoofing, etc.,

WEP hacking attacks such as Caffe Latte, Hirte, KoreK ChopChop, fake auth, fragmentation attack, etc.,
WPA & WPA2 hacking, IoT device vulnerabilities, etc.

Hope you get an idea about what I am trying to say.

Ans(3): Go for CEH first, as its course curriculum is the foundation according to me. I am just suggesting to learn the whole curriculum, not forcing you to go for the CEH certification.
Then go for OSCP, as it is more hands-on; CEH is quite focused on theory and concepts.

These are the basic skills which you should know to go for OSCP:

  1. Bash scripting
  2. Python (will be a plus point for you)
  3. Working knowledge of Linux & its commands
  4. Basic web application attacks

The rest of the material is provided by them; their PWK course is excellent.
They start with Kali Linux basics, and a really good line of Abraham Lincoln is written in its 1st module, i.e.

“If I have 6 hours to cut down a tree, then I would spend my 3 hrs in sharpening my axe”

Ans(4): Absolutely not. In CEH, mostly tools are used which are already in the market. By learning programming you will be able to automate any stuff, but what to automate, and what to do using programming skill, will only become clear by using existing tools and then getting inspired by the tools to make your own tools.

Tools are just going to help you; in the end you have to think and do.

Tools can't take decisions; they can just show you some security issues, or can trigger and exploit that issue, etc.

Hope my answers are helpful

Marvellous, got all the answers to my questions.
Sir @MrRobot, I have one more question.
As far as programming language is concerned, is Python enough? I mean, are there some cases where one feels that Python is not enough and a specific task needs C or JavaScript or some other language, because using Python one cannot achieve that specific task?

JavaScript is an essential programming language nowadays, and also an in-demand one. Python could be used to make websites also, using modules like Flask, Django, etc.
But then also, JavaScript has its own importance.

But from a hacking point of view, Python is enough and everything can be achieved with it, and that is why it is so famous among all programming languages,
and is ranking among the topmost programming languages in the world.

Not only that, as it consumes less time to code, it is very famous among hackers, and various famous tools are also written in Python.

These are a few drawbacks which I feel in Python, but they are not such a big issue for me:

  1. The minimum size of a compiled exe is 5 MB, as Python and a few other things are also packed in the exe when we compile it.

I feel that this is a drawback because when we code any malicious file and compile it, it is a little bit hard to hide in a legitimate file, as it will increase the size of the legitimate file by 5 MB.

I wrote my own ransomware, but when I was compiling it, the size was roughly 45 MB, which is huge for an evil file. On the other hand, even 25 KB of size could be achieved with the same functionality. Thus it could easily be bound with any other file.

  2. Python is a little bit slow when compared to low-level programming languages, but it is not as slow as people say.
Also, a plus point is that Python is a scripting language also, and we can run a program without compiling it (as Python is an interpreted programming language).

There are a few more, but they are not so important from a hacking perspective.

Google, NASA, IBM, Bing, etc., all famous companies are using Python, either in frontend or backend.

For an editing software company or any other companies where they need extremely low latency, they prefer C++, as it is fast and object-oriented.

Every programming language has its own benefits and features, and in short Python is best for hackers.

Great, got it. Already started hsploit Python tutorials.

Good luck for your Python journey :slightly_smiling_face:,
I suggest learning these modules for sure, as these modules are widely used in penetration testing and hacking.

Modules:

  1. Scapy
  2. Requests
  3. BeautifulSoup4
  4. Nmap
  5. subprocess & os
  6. smtplib
  7. argparse, and a few basic modules, etc.

@MrRobot, I really appreciate your guidance, and thanks a lot.
I will surely look into these modules. Can you kindly recommend some learning material regarding these modules?

Best Regards

All Python modules have their official Python documentation; it is better to read it from there, as it is very well written.

No one can teach you all Python modules, as anyone can create modules, and even you can also publish your own open source modules.

Also, there are thousands of modules for one task, so it is better to understand the working, the functions, and the different classes from the documentation.

First of all, I would suggest you learn basic Python concepts and then OOP (object-oriented programming), then at last go for these modules' docs.

It depends on you how you prefer to learn Python, like books or any online course.

I personally learned from YouTube; you could learn Python from these channels: Telusko, Programming with Mosh, etc.

Thank you so much, really appreciate your help!

:blush: Glad to help you, buddy!