ATTN: GQgeek and other IT nerds

Here is a post I wrote a few weeks ago to someone that basically asked the same question: I started in the infosec world 10 years ago while in my final years of college. I got a job with a security focus after about 2 years, and been there ever since. Over the years, I've also earned many different certs, including CISSP, GCIH, and GPEN. Here's the path of how I gained my knowledge over time: Configure a linux/bsd system as your home firewall/router. Do it from scratch, so no GUI config tools, dedicated firewall OSes, etc. Learn how to do port forwards, NAT. Get FTP working. Create a DMZ with an internet accessible web server. My preference is ipfilter running on FreeBSD. Play with the dsniff package, include arpspoof, dnsspoof, sshmitm, etc. Learn WHY these tools work, so take packet captures and note the differences. If you don't know tcpdump, learn it. Wireshark is great, but you should know how to digest most common (and plaintext) captures at the CLI. You don't need pretty graphics to see SYNs, ACKs, IPs, MACs, and plaintext payloads. Play with password cracking tools. John, cain and able, and others like vncrack. Passwords are one of the weakest links in security. Learn HOW each tool does its cracking, as they work in different manners. Learn VMWare. Virtual machines are incredibily useful for testing, attacking, etc. I had to dual-boot my machine 10 years ago. Now you just spin up a new VM. Learn clear-text protocols, such as HTTP, SMTP, etc. It's good knowledge to have later down the road Netcat. Learn it. Use it. It's tremendously useful. Break your own box. Install software you know is vulnerable and then attack it. Don't have your machine open to the internet while you do this. Don't worry about writing your own tools, just download sourcecode that somebody else wrote and compile it. Learn how to compile programs. Usually C programs are the most common I run into. Learn make. Learn gcc. For now, learn them just enough to use them to compile apps. In the future, you'll need to learn more and more, though. Read RFCs. They can be very difficult to read and understand, but they are the law of the land (except in M$'s eyes). Read about HTTP and SMTP, as they are plaintext and you can use netcat to experiment. Play with metasploit, nmap, etc on a continual basis, as more experience is just that....more experience. Try different modules, like the meterpreter. Play with NSE, the nmap scripting engine. Snort. Never hurts to have experience with snort. Buy a hub (NOT a switch), run your metasploit attacks, and see what it captures, triggers on, etc. Pick an attack technique and read all you can about it. SQL Injection, buffer overflows, priviledge escalation, XSS, XSRF, format string attacks, arp attacks. If the attack talks about things you don't know yet, then go learn those first. Sign up for mailing lists. Check out the lists from SecurityFocus. DON'T STOP LEARNING. That's one thing I learned very quickly. The bad guys are changing their attacks on a daily basis, and new attacks are appearing on a regular basis. If you aren't learning new things, you are already obsolete. I'm sure I'll come up with more, but this should take you a while to learn.... Enjoy!