This topic contains 1 reply, has 2 voices, and was last updated by crabzillax 4 weeks, 1 day ago.
- October 29, 2020 at 9:46 am #323812
I am a beginner pen tester / ethical hacker and I have been practicing my pen testing skills by trying really really really easy machines. Most of the really easy machines only have 1 or maybe 2 ports open, so I somewhat know which to attack.
Now, I have been trying average / medium machines and I have observed that there are many ports open, sometimes 4 or 5, and I try to attack them in the way that I know, such as looking at SMB or the webpage if they are available, but I can't seem to get access even though the steps that I have been doing make sense. And when I look at the walkthrough, you were supposed to attack this specific port and try to do this and that.
So my questions are:
How to know which ports to attack?
How do you not fall into the rabbit hole?
How do you know / feel that you are in a rabbit hole and wasting your time?
How to come back from being in the rabbit hole?
Any tips and suggestions for a beginner will be appreciated.
- October 29, 2020 at 9:46 am #323813
I’d say that you probably underestimated the difficulty and didn’t learn too much on the really easy machines.
So go back on the easy machines and train more, you have to get to a point where you scan the vulns, recognize them, classify them by difficulty and prioritize some. It’s about global understanding, then it’s about digging. For example, recognizing is trying baseline passwords/logins on all running services/ports… You don’t want to miss something like this and it’s really really present in this kind of VM.
1) Passive scans and intelligence
2) Active scans and recognizing
3) Classify and prioritize
If you don’t feel like you’re learning, go on training websites and leave the CTF machines for a while, both are awesome but to learn I prefer websites since you know where to put your eyes.
If the machines are labelled “easy” or even “average” they probably won’t require scripting, complex decryption math or bruteforce (maybe from a very easy wordlist like Kali baseline…). Always try to match the written difficulty with your effort. Forcing isn’t learning; doing huge amounts of useless crap but ending up getting a flag while knowing what you did, being able to do it again without help, is learning.
Good luck, keep going =) Excuse my English too.
I fell into some rabbit holes myself lots of times, and looking back at it, most of the time I missed something that I wouldn’t miss now. That’s experience and it’s one of the keys =)
Repeating easy to print commands and walkthroughs if you’ve been heavily helped by Google or pasted commands is a good thing too. Know what you did and what’s behind each argument or you might regret it later, in a real rabbit hole, a worse one at work or in a real competition or even an exam.