Cyber Security

Roadmap
(Beginners)

Author : Abhinav Kumar

Starting The Journey

Twitter : Computer Fundamentals


https://twitter.com/abhinavkakku
Official Link,
Twitter Page : Only if you have no idea of computer not asking to do certification,
 
https://twitter.com/ethicalhackx , this will teach very basics, Good to learn, but asking to learn from resources,
but skip if you have been using computers aim is to gain knowledge, not the certification

LinkedIn :
CompTIA A+
https://www.linkedin.com/in/abhinavk 
akku/ Join Telegram Channel 

Telegram Channel : Join Telegram Discussion Group 

https://t.me/ethicalhackx 
Discussion Group link on Channel
Link / references of anything mentioned on the
roadmap will be embedded , join group to ask
and download the resources

Operating Systems

Learn about different OS from Microsoft, their Don't fear errors,

versions, improvements over last versions ( every possible error is probably discussed
broadly) online, search to solve

Windows OS

Just get around with day to day tasks in

Windows OS, and very basic troubleshooting

What is Linux What is Linux Kernel, and its functions

Linux OS and Uses, different distributions

What are Linux Distro/ or Distributions Different Linux distributions idea, what's basic
difference in Linux Distributions

NEVER ! NEVER get into this debate,

OS Does not makes better Hackers,
Hacker is who can do his task on any OS,
Windows or Linux all work equally well for
most of the tasks,
The Best OS for Hackers So one can choose any, be it any Linux distro (
and installing all required applications) , or
Windows ( again installing required
applications. Most so called Hacking OS are
just dump of all the tools that probably very
less people use daily.

Search anything on Search engines, So Start by searching few of the things like
Never stop reading at one page ( unless in
Facing any problem ? How to become a hacker
GOOGLE : Learning How to do Google Search hurry)
Searching / Research is what can really make How to <problem> Penetration Tester Roadmap
like Hackers ( this is THE MOST IMPROTANT Read few pages for every search you do
someone Hacker, it is the most important skill search this and you can get the solutions 99% How to get Cyber Security Job
SKILL to learn) Researching about things can only give more
of the times, at least something close related to How to learn JavaScript
knowledge
the problem & solution How does websites work

It's said in today's time:

Deep Web / Dark Web ( which I feel funny
about)
Real Deep Web or Dark Web is Page 2 of
Google Search Results Page

So always visit this Deep/Dark Web ( Google

Search results pages ) , if you did not already
find what you were looking for

Now you already know searching Searched Jobs already !

SO search and learn about few things Now search the roles and responsibilities of Don't get inspired by movies, most often they
You may get definitions , none maybe 100% few of the jobs on Linkedin or other job way they how in movies are fake/false. These
correct, but read more and more, get some websites, this will let you know more about the movies have put wrong image of Cyber
clue, connect them all in mind Why do we need Cyber Security What are jobs in Cyber Security things you would be interested in learning Security & Hacking to allot of people
Learn What is Cyber Security / Hacking /
Penetration Testing / Blue Teaming / Red
Teaming / Different Cyber Security
Domains(Jobs)
What is Cyber Security What Hackers do What all Skills are needed to get job in Cyber Also see some recent news related to Cyber CURIOSITY | RESEARCH |
What is Hacking security Security ( from good and reputed websites)
PATIENCE
Always try to Know more about
things
To break things efficiently, some
knowledge of How to make things is
better to have
You cannot start now and suddenly
start loosing patience, things can
take some time, so be Patient
Trust thing when you read from
good reputed source, also question
them in right way, beingg curious
and being stupid are two different
things, be curious

Towards Basic Knowledge of

Security & Hacking

So What Programming Language do I Learn ?

it Depends on what you have decided next you Python
want to do helps allot in automating day to day tasks,
But I suggest basic of some languages is making things easier
always good to know.
is programming really necessary for hacking ? One never knows the next website you need to
Computer Programming ( Start basics ) JavaScript
NO hack is built on PHP or Node.Js or asp.. it uses
Start with any 1 or two languages and give at Hard to find websites today that dont use
But do you want to be a good hacker without JavaScript or is based on some other
least 20 hours to learn. It maybe Python | JavaScript these days, better learn the basics of
Knowing or understanding basic programming framework..
JavaScript or any other javaScript
? : Very rare chances You may need to read and understand through
some VBScript Code or C++ code to
understand the logic and complete the task Any other Language like C++ or Java
Its always good knowing one or two Recently Go ( Golang) has also been catching
languages, good enough to understand the attention
program if you face it.

Vulnerability | Exploit | Threat | Malware | Virus ciphertext | CVE (Common Vulnerabilities and
Some terms in Cyber Security & Hacking keep
| Botnet | Cloud | Firewall | Virus | Ransomware Social-Engineering | Clickjacking | White-Hat | Exposures)| cryptography | decrypt | DMZ packet sniffing | patch | PKI (Public Key
coming , repeating every time, a common
Cyber Security & Hacking terms | Trojan | Worm | Spyware | Adware | Rootkit | Black-Hat | SAST | DAST | APT ( Advanced (Demilitarized Zone) | drive-by download | Infrastructure) | SaaS | sandboxing | SIEM |
Jargon , so it's better to search and learn few of
Search & Learn Phishing | Spear Phishing | DoS | DDoS | Persistent Threat) | Authentication | encode | encryption key | honeypot | IaaS | IDS sniffing | SPAM | spoofing| supply chain | two-
these terms, so when you see, don't get
Encryption | Encoding | Penetration Testing | Authorization | Bug | IPS | | insider threat | ISP | keylogger | LAN | factor authentication |
confused.
Vulnerability Scanning | ....... OWASP | PaaS

If you already know or are comfortable with the

OS, don't spend time around whole courses,
Windows Installation What are the security features in Windows OS search things as they come and learn,
yes you should know how to repair if you Learn how or what has Windows put in place If started learning, 15 hours on OS should be
damaged while Learning, you can try on VM to protect / defend against hackers good enough

Windows OS

Read some blogs about Windows Internals, Know few things like auto-start locations,
Basic understanding on Windows will help registry editors, services managers, task
when protecting or attacking a Windows manager.....just normal admin tasks.
Machine Again we don't need to become Windows
Administrator ( yes this is also a thing), but we
need to know enough to protect it or attack it,
as both are job of a Security Engineer

If you already know or are comfortable with the

We need to know basic CLI commands as we OS, don't spend time around whole courses,
don't every time get GUI interface , most of the search things as they come and learn,
Just like Windows, Basic Linux Administrative We can again start installing Linux in VM and times we are operating remotely and with CLI If started learning, 15 hours on OS should be
Knowledge is required learn basic tasks interface, so make CLI a friend good enough

Linux OS

Linux is Everywhere, from Web- Servers to Linux+ course is good enough to start with ( Make use of Linux in everyday use to get more
Mobile, TV, and almost in everything you know where you can get it, just ask ) comfortable
So understanding of Linux is required to some almost any error can be solved searching on
extent Google

why is Network required & it's use

Different Network devices like Router, Switch,
Modem
IP Address ( Public & Private IP Address ),
Network Subnets and Calculations ( Classful & Server Client model What are Ports and Common Ports on
Classless ) , knowing different IP Ranges DNS request, computer
OSI Layers & TCP/IP Model How Website request is made and resolved What is DHCP , SSL their functions

Computer Network

Learn Networking only as much required, Proxy and It's uses ( forward & reverse proxy),
I am listing few topics which you can search VPN, VLAN , MAC Address
and Learn & also some resources attached at Firewall, Load-Balancers
end
We want to become Security Engineers &
Hackers, not Network Engineers only
So spend time maybe 1-2 week on this

Network Modes in Virtualization Software play

very important role, search and read about : also try setup of Dual Boot setups,
Search and choose available virtualization VirtualBox Network Modes Try Installing Windows OS on any Install Both Windows & Linux on Same VM learn about Snapshots, backups in VMs and to
software for your platform (OS) VMWare Network Modes VirtualMachine take help of Google search as required restore them

Virtual Machines(VM) / Virtualization (

VirtualBox, VMWare, WSL)

Research the difference in available Bridged Try Installing Linux OS on any VM Windows Started featuring WSL
Virtualization Software, common ones are NAT Windows Subsystem for Linux
VirtualBox, VMWare Player/Workstation, Host-Only Network Do read and try that too
VMWare Fusion, HyperV, Parallels These are common network types, search and This is not actually a VM, but a good thing to try
read when and why are these used( very
important for LAB Setup)

CompTIA Linux+ (Udemy / ITProTV) 

CCNA ( Essential Topics Only)
Linux 101 - TCM
Network+ (Udemy / ITProTV)
Linux Essentials for Ethical Hackers - Full

InfoSec Course - freeCodeCamp.org Search terms on Google

When I say courses, I mean the learning

materials , PDFs, Videos , Blogs, references for Linux Essentials For Hackers - HackerSploit  Search topics on Youtube
topics covered in a course.
NOT doing the course actually if not required.
Courses / Certifications / Resources We are referencing free resources and you  Click to Join and ask/get these  Linux Windows Computer Networks
know where to get them ( if you read carefully
above )
Join t.me/ethicalhackx and ask for any of the Telegram Channel  Use Windows like a pro, break and make tihngs
resources mentioned on the page

Telegram Discussion Group  Windows Internals (1,2,3) - Pluralsight

Twitter  Microsoft documentations

Practical Hacking & Security

We have now decent knowledge about

Windows, Linux, Networks, some
Programming, Virtual Machines and Basic
Hacking/Security terms.
Now Let's START HACKING

Setup Virtual Machine or Labs as Lab to attack

or learn Setup Labs with help of Virtualization
LAB setup for Practice
It's 100% Legal to Learn in Labs Knowledge learnt earlier
and what's better than to have your own Lab

Network Hacking

Host Discovery Network Scanning port scan and discovery nmap scripts WhoIs and other similar search

Information Gathering & Reconnaissance

Different nmap scan types Scanning by Nessus or Qualys or other similar Active and Passing Search email harvesting
software

based on Reconnaissance choosing the exploits exploit-db find any 0day if you can get to exploit

Weaponization, Delivery, Exploitation

Metasploit exploits and meterpreter searchsploit mapping knowledge of open ports or services
to exploits/attacks

Windows Privilege Escalation Reverse shells one-liners that trigger and give back shells Data Exfiltration techniques

Exploitation & Command-Control

Linux Privilege Escalation by now at least learn netcat pentestmonkey

gtfobins

Resources :

Wireshark & packet capture TCPDump

network sniffing

Man in the Middle Attacks

Web Application Security

PHP
another most commonly found language
Node.Js
or other backend frameworks
very basic HTML CSS, Basic idea help understand the communication
just intro only to find high severity bugs sometimes
Unpopular Opinion : But learn basic of Web
languages ( will help in long term)
can give like 7 hours on each language to know
some of it)
JavaScript Database Technologies: MySQL, NoSQL,
you can find this in places where you don't find MongoDB....list never ends, some idea of few of
sunlight, if you know JavaScript, hacking these
becomes slightly easier as you can understand
the application more

speaking of Web App PT , and you don't hear

BurpSuite 100 times is not an option, so learn it
and different tools under BurpSuite
For learning even the community version is
good

MiTM proxy ( BurpSuite Owasp ZAP)

OWASP ZAP is free, and good equally

OWASP Top 10 Web Application

Vulnerabilities { 2013, 2017 , 2021....}

API Security ( this also has a top 10 list from

OWASP )

Cross Site Scripting Cross Site Request Forgery SQL Injection Directory Traversal Business Logic

Vulnerabilities :
Just Examples, list is never ending

HTML Injection XXE File upload Vulnerabilities Authentication & Authorization Rate Limiting

hackerone reports

Resources/references
Read the Writeups on personal blogs as well as
twitter #hashtags like #infosec #bugbounty
#bugbountytips

Cloud & Cloud Security

Basic Idea of AWS|Azure|GCP , specially

security concerned functions

Docker Basics & Container Security

Email is widely used by organisations for

communications
- prevent spam & Phishing email Malware Analysis
- understand how can we determine spam Reverse Engineering
emails Insider Threat Analysis
- How to detect phishing emails Attack Surface Determination
-email gateway security softwares

Defending Network is a very challenging task,

with ever evolving technology, increasing
Network Defense Endpoint Security Email Security Firewall | Proxy | VPN Threat Hunting SIEM | SOC | IHR Patch Management
attack surface area, Defenders need to secure
Network/Infra against all kinds of attack

-Antivirus / EDR Solutions Configure Firewall policies for Security SIEM or similar things act as central Security
-Malwares needs to kept out of the machines -Maintain ACLs Log system
-Learn about common malware injection ways, -DNS Resolvers & Monitoring - All Security Incidents at any function like
-How Antivirus works - Block Lists & and More Important Allow Lists firewall , AV , email....can be looked up and
-Asset/Inventory management to ensure -Enterprise VPN & Proxy Configuration related at single point
Security software and security policies are - Helps determine the spread of infection ,
applied to add machines Web Application Firewall source/origin and help mitigate by fact finding
-How malware can spread, this knowledge Ng Firewalls Configurations with concerned teams
helps to make policies that can stop the spread -Incident Handling & Response Teams (IHR)
or infection are the key between different teams and guide
-DLP ( Data Leak/Loss Prevention) systems to the mitigation or lead the investigation
prevent the leak of sensitive data either by
email, copying, file sharing , online uploads,
printing

CEH - Excellent source to know basics

CompTIA Security+  PorSwigger Web Academy 

Practical Ethical Hacking - TCM  eCPPTv2 - Penetration Testing Professional eWPT - Web Application Penetration Testing
Professional
eJPT LiveOverFlow Youtube Channel
SANS : SEC542
SANS : SEC460 SANS : SEC504
When I say courses, I mean the learning Ethical Hacking Penetration Testing & Bug
SANS SEC301 SANS SEC560 
materials , PDFs, Videos , Blogs, references for Bounty Hunting
topics covered in a course.
NOT doing the course actually if not required.
Linux
Courses / Certification / Resources We are referencing free resources and you
Learn Linux by using daily
Starting into Security Defence Penetration Testing Programming/Scripting Web Application Security Cloud Pentest
know where to get them ( if you read carefully
above )
Also many many courses present, search and eNDP (Network Defense Professional) Utilize Youtube Freecodecamp.org SANS : SEC588
Stackoverflow
learn from any

Official Documentations of Linux Distributions Firewall - PaloAlto Firewall SANS : SEC573 SANS : SEC488

Google Search things where stuck eCTHPv2 - Threat Hunting Professional SNS SEC505 SANS SEC534

SANS : SEC699

SANS : FOR500

SANS FOR508

SANS FOR572

SANS SEC555

Hacking

Security is a big field,

There maybe many things that went missing in SECURITY / HACKING is all about Research
Some enjoy attacking
Hope you have learnt allot by now above levels Each of topic / keywords on this page can be
Some enjoy defending ( which is really hard )
LETS HACK / DEFEND Like a PRO So we can now test our Skills on Some But if you are here, I am sure you are good at expanded into a mind-map of it's own
and many more fields coming up with evolving
platforms searching and finding out things on your own, Since you are good at searching, you can
technology like IoT Security, Block Chain
also decide what is best for you search further to learn
Security...

We have learnt Enough all the way till here

Now we should Practice in Labs or real world (
legally)

TryHackMe 

HackTheBox 

PortSwigger Labs 

Try2Hack 

echoCTF 

CertifiedSecure 

Root Me 

VulnHub 

OverTheWire 

PentesterLab 

LetsDefend 

SecurityBlueTeam 

SANS SEC660

SANS SEC760

eCPTX - Advanced Penetration Testing

OSCP

IppSec Youtube Channel  SNS SEC575

Courses / Certifications / Resources Network Hacking Web Application Mobile Threat

SANS SEC642 SANS FOR578

eWPTXv2 - Advanced Web Application SANS FOR610

Penetration testing
OSEE
OSWE