Through The Looking Glass
Author
Shirish Ranjan
A padawan in the ways of red teaming and blogging with the goal of mastering techniques in hacking into anything this world has to offer
Shirish Ranjan
A padawan in the ways of red teaming and blogging with the goal of mastering techniques in hacking into anything this world has to offer
This article has my take on how I got into the cybersecurity field. I was a student in the electronics and communication field and actually never took an interest in hacking, just heard whispers about it hear and there about some major hacks that happened on a large scale. Got curious about it from my second year in college so started reading up some news articles and blogs related to that field but never fully committed to it. I like playing video games and one day started playing a game named watchdogs 2 which is a game that revolves around the concept of hacker group. But the part that got me into hacking was the amount of freedom, the mastery required and the control that was at the hackers fingertips in the game even if it was blown out of proportion most of the time. I was simply curious about but never tried it and seen it with my own eyes and just brushed it off as something only really smart people can do, but once I saw the potential of what this field could let me be, I knew I needed to be a part of this movement and community. The JourneyOn my search for a proper way to approach this field after attending a few online talks here and there, I stumbled on an article by an academy named jigsaw which stated the importance of cybersecurity professionals now more than ever and the fact that they were collaborating with an Israeli Ed-Tech company named HackerU for a course on offensive security got me curious. So I contacted the people working there and found it to be a better approach then what I was planning on doing earlier and enrolled in their offensive security course. The course was divided into three phases which was originally spread out over a time period of 4 to 5 months starting from january. The first two phases would include the very basics that were needed for the course and these phases were also known as sorting phases because there was an exam at the end of these phases that determined if a student was good enough to move on to the next phase or not. Phase 1The first phase consisted of online classes which spanned for at least 20 hours or so. The instructors were Lion Kontorer and Swaroop Yermalkar. I was a little nervous getting into this since I have most of the time only been hearing that hacking is something only people with a lot lot experience in the field of computer science or IT or anything related to it can do, but that preconception was shattered when they started the lessons, for the most part our instructors made it easy for us to understand the basics and also set my mind at ease at the same time. Everything was covered from point zero, so even if I didn't know or understand any topics, they were repeated in this phase. After a month at the end of phase 1 there was a test to see if I was a good fit for this course and also for me to see if I could cope with this course myself. The passing score for any test conducted by HackerU was 70 which I could secure pretty easily in the first phase. Phase 2The second phase consisted of offline classes for a week. Had to be in bengaluru for this. Stayed in the accommodation they provided, was not really phased by it since I already stayed in hostels before. Had to wake up everyday at seven in the morning and get in the bus provided to us by 8:30 A.M. which would take us to the venue where the classes would be held, also felt a sense of anxiousness and excitement since this was course was something new to me but that was only during the trip to the academy. During phase two our batch had Azaz Dobiwala as our instructor, and I can tell you one thing, that he was awesome. The second phase had us working and navigating different aspects of linux operating systems and the different services we can use within that OS. And if I got stuck somewhere or if anyone for that matter got stuck at a certain point, Azaz would simply repeat that topic personally for that student and man-o-man I did not understand a lot of simple things, but could overcome those problems thanks to our instructor. At the end of this phase, we had a test to see of we could move on or were eligible for phase 3 of this course. Same rules as before just that the topics were different. Phase 3After successfully completing phase 1 and phase 2 it was time to move onto to phase 3. This time we had a long break before this phase started. But as the time for the course to start was inching closer the covid pandemic hit and the course which was supposed to be an in person offline training class had to change its whole structure thanks to the pandemic. Had mixed feelings going into this since I knew that there were going to be compromises and a lot of problems in an online course. One main concern being not having good hardware and was also facing problems with my ISP well before the course began which had me thinking about whether I should pursue this course further or not. Had a meeting about this with the people over at jigsaw academy and some of the instructors, they ensured us that they will try to maintain the quality of the course as it was before and would try and help with any problems we faced if we chose to go ahead with this course. After this meeting we were notified of the changes in the course structure and the schedule we were going to follow. Had doubts but went ahead with it anyways since it was better than doing nothing during this pandemic. They called it the extended phase as the course had been extended when compared to the original schedule. The instructors this time were Azaz Dobiwala - Senior Cyber Security Instructor - Red Team | Infosec Speaker | Penetration Tester | Bug Hunter | OSCP | CCNP SECURITY | Cisco Specialist , Swaroop Yermalkar - Head of Cyber Security - Red Team at HackerU (India) | OWASP iGoat Project Lead | Speaker | Author | OSCE | CREST Certified and Yogendra Swaroop Srivastava - Cyber Security Intern(Red Team) at HackerU(India) || OSCP | VAPT | Application Security. The topics like Web Application pentesting, Mobile Application and iOS Penetration testing, IoT Pentesting, Buffer Overflow, Malware Analysis, Assembly, Reverse Engineering, DevOps Security, Cloud security and also hacking into boxes were taught to us from the basics was taught by Swaroop Yermalkar. Have to say it wasn't easy learning these concepts and whenever we delved into it, it always felt like there was more to this like I was only few meters deep into the mariana trench. The instructors were also good at incubating a sense of curiosity to explore these topics further and I can tell you I was hooked on this feeling. Even in my sleep if I got any that is the only thing roaming around in my head was the approach I should be taking in order to learn these topics efficiently and at the same time master it as well. I obviously still have a long way to go but i feel like I have progressed a little. Many people mentioned that buffer overflow was a tough topic to study and at first I was of that same impression as well. But when Swaroop taught us that topic and when I implemented it practically it felt really easy. Thanks in large part to the way Swaroop taught us that topic. In my honest opinion I found it hard to find the right approach to tackle hacking into the boxes at first since I was looking for a sense of structure in how I should approach penetration testing. That is where I was wrong since there was no concrete approach to how penetration testing is done, it is all based on how those boxes are made and if they are made poorly and the information gathered through enumeration, we have to find that chink in the armour via information gathering or enumeration and exploit it to get into the box and since each box had different sets of weaknesses, one structured way could not be used to perform penetration testing on boxes. Atleast that is what I learned when Swaroop made us practice more than 20 boxes along with privilege escalation in each of them throughout the entire course in order to master the types of steps one can take to perform pentesting and enumeration. Swaroop Yermalkar is highly qualified and is actually the head of the HackerU branch here in India and is also a master in Mobile App Security as he has penned a book on iOS pentesting, developed a vulnerable IoS application for learning pentesting known as OWASP iGoat and has given talks in several well known conferences aborad like DEFCON, etc. He was open to any suggestions that could improve this course and could also empathize with the current situation and the problems each student faced during this course. He also tried and found effective ways in which he could address our problems and solve them. Azaz Dobiwala and Yogendra Swaroop Srivasthava are also highly qualified individuals who helped us solve any issue that occurred during the span of this course. Important topics like bypassing the perimeter, privilege escalation, advanced infrastructure, Windows Server 2016 and also networking concepts with routers and switches was taught to us by Azaz Dobiwala. The way in Azaz taught us these topics gave us a sense that he was right at home with them. He taught us these topics and went above and beyond what the course had in it. As an example he would always introduce new tools and approaches we could take in order to tackle a certain problem even if that certain problem was thrown at him at 2 A.M. in the morning. He was the literal definition of a night owl. Next we have Yogendra who taught the basics of programming languages like java and python. From explaining each and every step in a problem to providing resources and links to practicing these programming languages, he made it feel like we had a walking and talking encyclopedia of information at the palm of our hands. On each and every topic that the other instructors covered he would be at the ready to provide us with links and any resource pertaining to that topic which proved to be really useful to us since most of us had no clue where to begin looking if we wanted to dive further into certain topics. Overall the instructors were great, from finding ways to adapt to the present situation in the ongoing pandemic to providing extra sessions to cover and solve any problems or doubts any student had pertaining to this course, they were open minded and easy to interact with which is a huge plus for me since I am not an expressive person myself. And not only were the instructors helpful many students in my batch had helped me out if I got in contact with them as well and everything was working out like a well oiled machine. After each module there were assessments which not only included theory but also had separate practical assessments which lasted from anywhere in between 4 hours to 48 hours. Well the practical assessments did catch me by surprise since I never heard of exams lasting more than 3 hours before and had difficulty managing time at first but was able to eventually adapt to those timings and somehow make it through all of them successfully. The practical exams were a little difficult at first but they also provided us with practice on how each topic we learned in the course could be implemented practically and how we could leverage it to our advantage. Icing On The Cake Aside from the course Swaroop also got us more than 14 guest lectures and workshops on SSRF attacks, Secure Code Review, Cross Site Scripting, Application Vulnerability Management (AVM), Cloud Security, IoT, OSCP by industry veterans from reputed companies like Paytm, IBM, Cannon, Candesco, etc. We had a range of practice from making and setting up our own labs to cracking them, from cracking more than 20 boxes on TryHackMe and HTB to creating blogs on several of them. At the end and in between the course we had aptitude tests and programming tests and we also had mock interviews for placements. The mock interviews again showed me in which areas I need to work on more and I hope that they will aid me in the placements to come[update: found a job as a SOC analyst with a company named Netenrich, even if this is job deals with the defensive side of things I am gonna use the lessons I learn here to eventually become a full fledged attacker). And after a lot of falling I have completed this course successfully thanks to the guidance provided by Swaroop, Azaz, Yogendra and the help provided by my fellow batch mates. In the end this journey left me with a lot of answers and a lots of questions as well but this is just the beginning of my journey into the deep trenches and I cannot wait to explore more of this ocean which is cybersecurity.
0 Comments
Leave a Reply. |
Author
|