‎Cyber Security

‎Roadmap
‎(Beginners)

‎Author : Abhinav Kumar

‎Starting The Journey

‎Computer Fundamentals
‎ witter : https://twitter.com/
T

‎abhinavkakku

‎ fficial Link,
O
‎ witter Page : https://twitter.com/
T ‎ nly if you have no idea of computer
O ‎not asking to do certification,
 
‎ethicalhackx ‎, this will teach very basics, Good to learn, ‎but asking to learn from resources,
‎but skip if you have been using computers ‎aim is to gain knowledge, not the certification
‎ inkedIn : https://www.linkedin.com/
L

‎in/abhinavkakku/ ‎CompTIA A+

‎ elegram Channel : https://t.me/

T
‎Join Telegram Channel 
‎ethicalhackx 
‎Discussion Group link on Channel
‎Join Telegram Discussion Group 
‎Website : https://ethicalhackx.com 

‎ ink / references of anything mentioned on the

L
‎roadmap will be embedded , join group to ask
‎and download the resources

‎Operating Systems

‎ earn about different OS from Microsoft, their

L ‎ on't fear errors,
D
‎versions, improvements over last versions ( ‎every possible error is probably discussed
‎broadly) ‎online, search to solve

‎Windows OS

J‎ ust get around with day to day tasks in

‎Windows OS, and very basic troubleshooting

‎What is Linux ‎What is Linux Kernel, and its functions

‎Linux OS and Uses, different distributions

‎What are Linux Distro/ or Distributions ‎ ifferent Linux distributions idea, what's basic
D
‎difference in Linux Distributions

‎ EVER ! NEVER get into this debate,

N
‎OS Does not makes better Hackers,
‎Hacker is who can do his task on any OS,
‎Windows or Linux all work equally well for
‎most of the tasks,
‎The Best OS for Hackers ‎So one can choose any, be it any Linux distro (
‎and installing all required applications) , or
‎Windows ( again installing required
‎applications. Most so called Hacking OS are just
‎dump of all the tools that probably very less
‎people use daily.

‎ earch anything on Search engines,

S ‎ o Start by searching few of the things like
S
‎ ever stop reading at one page ( unless in
N
‎Facing any problem ? ‎How to become a hacker
‎ OOGLE : Learning How to do Google Search
G ‎hurry)
‎ earching / Research is what can really make
S ‎How to <problem> ‎Penetration Tester Roadmap
‎like Hackers ( this is THE MOST IMPROTANT ‎Read few pages for every search you do
‎someone Hacker, it is the most important skill ‎search this and you can get the solutions 99% ‎How to get Cyber Security Job
‎SKILL to learn) ‎Researching about things can only give more
‎of the times, at least something close related to ‎How to learn JavaScript
‎knowledge
‎the problem & solution ‎How does websites work

I‎t's said in today's time:

‎Deep Web / Dark Web ( which I feel funny
‎about)
‎Real Deep Web or Dark Web is Page 2 of
‎Google Search Results Page
‎
‎So always visit this Deep/Dark Web ( Google
‎Search results pages ) , if you did not already
‎find what you were looking for

‎ ow you already know searching

N ‎ earched Jobs already !
S
‎SO search and learn about few things ‎Now search the roles and responsibilities of ‎ on't get inspired by movies, most often they
D
‎You may get definitions , none maybe 100% ‎few of the jobs on Linkedin or other job ‎way they how in movies are fake/false. These
‎correct, but read more and more, get some clue, ‎websites, this will let you know more about the ‎movies have put wrong image of Cyber
‎connect them all in mind ‎Why do we need Cyber Security ‎What are jobs in Cyber Security ‎things you would be interested in learning ‎Security & Hacking to allot of people

‎ earn What is Cyber Security / Hacking /

L
‎Penetration Testing / Blue Teaming / Red
‎Teaming / Different Cyber Security Domains(
‎Jobs)

‎ hat is Cyber Security

W ‎What Hackers do ‎ hat all Skills are needed to get job in Cyber
W ‎ lso see some recent news related to Cyber
A ‎ URIOSITY | RESEARCH |
C
‎What is Hacking ‎security ‎Security ( from good and reputed websites)
‎PATIENCE
‎Always try to Know more about
‎things
‎To break things efficiently, some
‎knowledge of How to make things is
‎better to have
‎You cannot start now and suddenly
‎start loosing patience, things can
‎take some time, so be Patient
‎Trust thing when you read from
‎good reputed source, also question
‎them in right way, beingg curious
‎and being stupid are two different
‎things, be curious

‎ owards Basic Knowledge of

T
‎Security & Hacking

‎ o What Programming Language do I Learn ?

S
‎it Depends on what you have decided next you ‎ ython
P
‎want to do ‎helps allot in automating day to day tasks,
‎But I suggest basic of some languages is ‎making things easier
‎always good to know.
i‎s programming really necessary for hacking ? ‎One never knows the next website you need to
‎ omputer Programming ( Start basics )
C J‎ avaScript
‎NO ‎hack is built on PHP or Node.Js or asp.. it uses
‎Start with any 1 or two languages and give at ‎Hard to find websites today that dont use
‎But do you want to be a good hacker without ‎JavaScript or is based on some other
‎least 20 hours to learn. It maybe Python | ‎JavaScript these days, better learn the basics of
‎Knowing or understanding basic ‎framework..
‎JavaScript or any other ‎javaScript
‎programming ? : Very rare chances ‎You may need to read and understand through
‎some VBScript Code or C++ code to
‎understand the logic and complete the task ‎ ny other Language like C++ or Java
A
‎Its always good knowing one or two ‎Recently Go ( Golang) has also been catching
‎languages, good enough to understand the ‎attention
‎program if you face it.

‎ ulnerability | Exploit | Threat | Malware |

V
c‎ iphertext | CVE (Common Vulnerabilities and
‎ ome terms in Cyber Security & Hacking keep
S ‎Virus | Botnet | Cloud | Firewall | Virus |
‎ ocial-Engineering | Clickjacking | White-Hat |
S ‎Exposures)| cryptography | decrypt | DMZ ( ‎ acket sniffing | patch | PKI (Public Key
p
‎coming , repeating every time, a common ‎Ransomware | Trojan | Worm | Spyware |
‎ yber Security & Hacking terms
C ‎Black-Hat | SAST | DAST | APT ( Advanced ‎Demilitarized Zone) | drive-by download | ‎Infrastructure) | SaaS | sandboxing | SIEM |
‎Jargon , so it's better to search and learn few of ‎Adware | Rootkit | Phishing | Spear Phishing |
‎Search & Learn ‎Persistent Threat) | Authentication | ‎encode | encryption key | honeypot | IaaS | ‎sniffing | SPAM | spoofing| supply chain | two-
‎these terms, so when you see, don't get ‎DoS | DDoS | Encryption | Encoding |
‎Authorization | Bug ‎IDS | IPS | | insider threat | ISP | keylogger | ‎factor authentication |
‎confused. ‎Penetration Testing | Vulnerability
‎LAN | OWASP | PaaS
‎Scanning | .......

I‎f you already know or are comfortable with the

‎OS, don't spend time around whole courses,
‎ indows Installation
W ‎ hat are the security features in Windows OS
W ‎search things as they come and learn,
‎yes you should know how to repair if you ‎Learn how or what has Windows put in place ‎If started learning, 15 hours on OS should be
‎damaged while Learning, you can try on VM ‎to protect / defend against hackers ‎good enough

‎Windows OS

‎ ead some blogs about Windows Internals,

R ‎ now few things like auto-start locations,
K
‎Basic understanding on Windows will help ‎registry editors, services managers, task
‎when protecting or attacking a Windows ‎manager.....just normal admin tasks.
‎Machine ‎Again we don't need to become Windows
‎Administrator ( yes this is also a thing), but we
‎need to know enough to protect it or attack it,
‎as both are job of a Security Engineer

I‎f you already know or are comfortable with the

‎ e need to know basic CLI commands as we
W ‎OS, don't spend time around whole courses,
‎don't every time get GUI interface , most of the ‎search things as they come and learn,
J‎ ust like Windows, Basic Linux Administrative ‎ e can again start installing Linux in VM and
W ‎times we are operating remotely and with CLI ‎If started learning, 15 hours on OS should be
‎Knowledge is required ‎learn basic tasks ‎interface, so make CLI a friend ‎good enough

‎Linux OS

‎ inux is Everywhere, from Web- Servers to

L ‎ inux+ course is good enough to start with (
L ‎ ake use of Linux in everyday use to get more
M
‎Mobile, TV, and almost in everything ‎you know where you can get it, just ask ) ‎comfortable
‎So understanding of Linux is required to some ‎almost any error can be solved searching on
‎extent ‎Google

‎ hy is Network required & it's use

w
‎Different Network devices like Router, Switch,
‎Modem
‎IP Address ( Public & Private IP Address ),
‎Network Subnets and Calculations ( Classful & ‎ erver Client model
S ‎ hat are Ports and Common Ports on
W
‎Classless ) , knowing different IP Ranges ‎DNS request, ‎computer
‎OSI Layers & TCP/IP Model ‎How Website request is made and resolved ‎What is DHCP , SSL their functions

‎ omputer Network
C
‎

‎ earn Networking only as much required,

L ‎ roxy and It's uses ( forward & reverse proxy),
P
‎I am listing few topics which you can search ‎VPN, VLAN , MAC Address
‎and Learn & also some resources attached at ‎Firewall, Load-Balancers
‎end
‎We want to become Security Engineers &
‎Hackers, not Network Engineers only
‎So spend time maybe 1-2 week on this

‎ etwork Modes in Virtualization Software play

N
‎very important role, search and read about : ‎ lso try setup of Dual Boot setups,
a
‎ earch and choose available virtualization
S ‎VirtualBox Network Modes ‎ ry Installing Windows OS on any
T ‎Install Both Windows & Linux on Same VM l‎earn about Snapshots, backups in VMs and to
‎software for your platform (OS) ‎VMWare Network Modes ‎VirtualMachine ‎take help of Google search as required ‎restore them

‎ irtual Machines(VM) / Virtualization (

V
‎VirtualBox, VMWare, WSL)

‎ esearch the difference in available

R ‎ ridged
B ‎Try Installing Linux OS on any VM ‎ indows Started featuring WSL
W
‎Virtualization Software, common ones are ‎NAT ‎Windows Subsystem for Linux
‎VirtualBox, VMWare Player/Workstation, ‎Host-Only Network ‎Do read and try that too
‎VMWare Fusion, HyperV, Parallels ‎These are common network types, search and ‎This is not actually a VM, but a good thing to try
‎read when and why are these used( very
‎important for LAB Setup)

‎CompTIA Linux+ (Udemy / ITProTV) 

‎CCNA ( Essential Topics Only)

‎Linux 101 - TCM

‎Network+ (Udemy / ITProTV)

‎ inux Essentials for Ethical Hackers - Full

L
‎InfoSec Course - freeCodeCamp.org
 ‎Search terms on Google

‎ hen I say courses, I mean the learning

W
‎materials , PDFs, Videos , Blogs, references for ‎Linux Essentials For Hackers - HackerSploit  ‎Search topics on Youtube
‎topics covered in a course.
‎NOT doing the course actually if not required.
‎Courses / Certifications / Resources ‎We are referencing free resources and you  ‎Click to Join and ask/get these  ‎Linux ‎Windows ‎Computer Networks
‎know where to get them ( if you read carefully
‎above )
‎Join t.me/ethicalhackx and ask for any of the ‎Telegram Channel  ‎Use Windows like a pro, break and make tihngs
‎resources mentioned on the page

‎Telegram Discussion Group  ‎Windows Internals (1,2,3) - Pluralsight

‎Twitter  ‎Microsoft documentations

‎Practical Hacking & Security

‎ e have now decent knowledge about

W
‎Windows, Linux, Networks, some
‎Programming, Virtual Machines and Basic
‎Hacking/Security terms.
‎Now Let's START HACKING

‎ etup Virtual Machine or Labs as Lab to attack

S
‎or learn ‎ etup Labs with help of Virtualization
S
‎LAB setup for Practice
‎It's 100% Legal to Learn in Labs ‎Knowledge learnt earlier
‎and what's better than to have your own Lab

‎Network Hacking

‎Host Discovery Network Scanning ‎port scan and discovery ‎nmap scripts ‎WhoIs and other similar search

‎Information Gathering & Reconnaissance

‎Different nmap scan types ‎ canning by Nessus or Qualys or other similar

S ‎Active and Passing Search ‎email harvesting
‎software

‎based on Reconnaissance choosing the exploits ‎exploit-db ‎find any 0day if you can get to exploit

‎Weaponization, Delivery, Exploitation

‎Metasploit exploits and meterpreter ‎searchsploit ‎ apping knowledge of open ports or services
m
‎to exploits/attacks

‎Windows Privilege Escalation ‎Reverse shells ‎one-liners that trigger and give back shells ‎Data Exfiltration techniques

‎Exploitation & Command-Control

‎Linux Privilege Escalation ‎by now at least learn netcat ‎pentestmonkey

‎gtfobins

‎Resources :

‎Wireshark & packet capture ‎TCPDump

‎network sniffing

‎Man in the Middle Attacks

‎Web Application Security

‎ HP
P
‎another most commonly found language
‎Node.Js
‎or other backend frameworks
‎ ery basic HTML CSS,
v ‎Basic idea help understand the communication
‎just intro only ‎to find high severity bugs sometimes

‎ npopular Opinion : But learn basic of Web

U
‎languages ( will help in long term)
‎can give like 7 hours on each language to know
‎some of it)

J‎ avaScript ‎ atabase Technologies: MySQL, NoSQL,

D
‎you can find this in places where you don't find ‎MongoDB....list never ends, some idea of few of
‎sunlight, if you know JavaScript, hacking ‎these
‎becomes slightly easier as you can understand
‎the application more

s‎ peaking of Web App PT , and you don't hear

‎BurpSuite 100 times is not an option, so learn it
‎and different tools under BurpSuite
‎For learning even the community version is
‎good

‎MiTM proxy ( BurpSuite Owasp ZAP)

‎OWASP ZAP is free, and good equally

‎ WASP Top 10 Web Application

O
‎Vulnerabilities { 2013, 2017 , 2021....}

‎ PI Security ( this also has a top 10 list from

A
‎OWASP )

‎Cross Site Scripting ‎Cross Site Request Forgery ‎SQL Injection ‎Directory Traversal ‎Business Logic

‎ ulnerabilities :
V
‎Just Examples, list is never ending

‎HTML Injection ‎XXE ‎File upload Vulnerabilities ‎Authentication & Authorization ‎Rate Limiting

‎hackerone reports

‎Resources/references
‎ ead the Writeups on personal blogs as well as
R
‎twitter #hashtags like #infosec #bugbounty #
‎bugbountytips

‎Cloud & Cloud Security

‎ asic Idea of AWS|Azure|GCP , specially

B
‎security concerned functions

‎Docker Basics & Container Security

‎ mail is widely used by organisations for

E
‎communications
‎- prevent spam & Phishing email ‎ alware Analysis
M
‎- understand how can we determine spam ‎Reverse Engineering
‎emails ‎Insider Threat Analysis
‎- How to detect phishing emails ‎Attack Surface Determination
‎-email gateway security softwares ‎

‎ efending Network is a very challenging task,

D
‎with ever evolving technology, increasing
‎Network Defense ‎Endpoint Security ‎Email Security ‎Firewall | Proxy | VPN ‎Threat Hunting ‎SIEM | SOC | IHR ‎Patch Management
‎attack surface area, Defenders need to secure
‎Network/Infra against all kinds of attack
-‎ Antivirus / EDR Solutions ‎ onfigure Firewall policies for Security
C ‎ IEM or similar things act as central Security
S
‎-Malwares needs to kept out of the machines ‎-Maintain ACLs ‎Log system
‎-Learn about common malware injection ways, ‎-DNS Resolvers & Monitoring ‎- All Security Incidents at any function like
‎-How Antivirus works ‎- Block Lists & and More Important Allow Lists ‎firewall , AV , email....can be looked up and
‎-Asset/Inventory management to ensure ‎-Enterprise VPN & Proxy Configuration ‎related at single point
‎Security software and security policies are ‎- Helps determine the spread of infection ,
‎applied to add machines ‎source/origin and help mitigate by fact finding
‎-How malware can spread, this knowledge ‎ eb Application Firewall
W ‎with concerned teams
‎helps to make policies that can stop the spread ‎Ng Firewalls Configurations ‎-Incident Handling & Response Teams (IHR)
‎or infection ‎are the key between different teams and guide
‎-DLP ( Data Leak/Loss Prevention) systems to ‎the mitigation or lead the investigation
‎prevent the leak of sensitive data either by
‎email, copying, file sharing , online uploads,
‎printing

‎CEH - Excellent source to know basics

‎CompTIA Security+ 
‎PorSwigger Web Academy 

‎Practical Ethical Hacking - TCM  ‎eCPPTv2 - Penetration Testing Professional

‎ WPT - Web Application Penetration Testing
e
‎Professional
‎eJPT ‎LiveOverFlow Youtube Channel

‎SANS : SEC542
‎SANS : SEC460 ‎SANS : SEC504

‎ hen I say courses, I mean the learning

W ‎ thical Hacking Penetration Testing & Bug
E
‎materials , PDFs, Videos , Blogs, references for ‎SANS SEC301 ‎SANS SEC560 ‎Bounty Hunting

‎topics covered in a course.
‎NOT doing the course actually if not required.
‎ inux
L
‎Courses / Certification / Resources ‎We are referencing free resources and you
‎Learn Linux by using daily
‎Starting into Security ‎Defence ‎Penetration Testing ‎Programming/Scripting ‎Web Application Security ‎Cloud Pentest
‎know where to get them ( if you read carefully
‎above )
‎Also many many courses present, search and ‎eNDP (Network Defense Professional) ‎Utilize Youtube Freecodecamp.org ‎SANS : SEC588
‎Stackoverflow
‎learn from any

‎Official Documentations of Linux Distributions ‎Firewall - PaloAlto Firewall ‎SANS : SEC573 ‎SANS : SEC488

‎Google Search things where stuck ‎eCTHPv2 - Threat Hunting Professional ‎SNS SEC505 ‎SANS SEC534

‎SANS : SEC699

‎SANS : FOR500

‎SANS FOR508

‎SANS FOR572

‎SANS SEC555

‎Hacking

‎ ecurity is a big field,

S
‎ here maybe many things that went missing in
T ‎ ECURITY / HACKING is all about Research
S
‎Some enjoy attacking
‎ ope you have learnt allot by now
H ‎above levels ‎Each of topic / keywords on this page can be
‎Some enjoy defending ( which is really hard )
‎LETS HACK / DEFEND Like a PRO ‎So we can now test our Skills on Some ‎But if you are here, I am sure you are good at ‎expanded into a mind-map of it's own
‎and many more fields coming up with evolving
‎platforms ‎searching and finding out things on your own, ‎Since you are good at searching, you can
‎technology like IoT Security, Block Chain
‎also decide what is best for you ‎search further to learn
‎Security...

‎ e have learnt Enough all the way till here

W
‎Now we should Practice in Labs or real world (
‎legally)

‎TryHackMe 

‎HackTheBox 

‎PortSwigger Labs 

‎Try2Hack 

‎echoCTF 

‎CertifiedSecure 

‎Root Me 

‎VulnHub 

‎OverTheWire 

‎PentesterLab 

‎LetsDefend 

‎SecurityBlueTeam 

‎SANS SEC660

‎SANS SEC760

‎eCPTX - Advanced Penetration Testing

‎OSCP

‎IppSec Youtube Channel  ‎SNS SEC575

‎Courses / Certifications / Resources ‎Network Hacking ‎Web Application ‎Mobile ‎Threat

‎SANS SEC642 ‎SANS FOR578

‎ WPTXv2 - Advanced Web Application

e ‎SANS FOR610
‎Penetration testing

‎OSEE
‎OSWE