Ryan Rambles

Writings to my future self.

PentesterLab Bootcamp

PentesterLab Bootcamp looks like a great place to start learning web security. Each section is broken up into reading materials and exercises. I'll use this post to document my progress.


1. Linux and Scripting

Reading List:

Hypertext Transfer Protocol

  • HTTP functions as a request-response protocol. A web browser acts as a client and an application on a computer hosting a website acts as a server. The client submits an HTTP request to the server. The server returns a response that includes completion status information about the client's request and content such as HTML files.
  • HTTP proxy servers at private network boundaries can facilitate commuincation for clients without a globally routed address by relaying messages with external servers.
  • HTTP Session - An HTTP session is a sequence of network request-response transactions. A client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server. A server listening on that port waits for a client's request message. Once the request is received, the server send back a status line and message. The body of the message is either the requested resource or an error.
  • HTTP Authentication - HTTP provides multiple authentication schemes which operate via a challenge-response mechanism where the server identifies and issues a challenge before serving requested content.
  • Request methods - Indicate the desired action to be performed on the identified resource. Often, the resource corresponds to a file or the output of an executable residing on the server. Any client can use any method and the server can be configured to support any combination of methods. If a method is unknown to an intermediate it will be treated as unsafe.
  • GET - Requests a representation of the specified resource. Requests using GET should only retrieve data.
  • HEAD - Asks for a response identical to that of a GET request but without the response body.
  • POST - Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI.
  • PUT - Requests that the enclosed entity be stored under the supplied URI.
  • Other methods include DELETE, TRACE, OPTIONS, CONNECT, and PATCH
  • Safe Methods - Some methods (HEAD, GET, OPTIONS, and TRACE) are defined as safe. This means the methods are intended only for information retrieval and should not change the state of the server.
Domain Name System
Whois
Network socket
Scoping a Pentest

I want to learn about security.

For my first project on this site, I'd like to learn about cyber security.

I'm not sure where to start so I'm going to follow the guide on r/netsec for now.

I will keep track of my progress on the blog side, but if I build anything, I will place it in projects.

This blog is a project too!

My projects are not only technical. This blog is a project too.

List of things I need to improve for now:

  • I need to make the template sections more dynamic. Right now, if I make one change, I need to change it across all my posts to remain consistent. I know I can probably do this with Javascript - this should be one of the first things I do before I write too much more. Otherwise this is going to be a nightmare to maintain.
  • Spell check. Spell check. Spell check. Right now I'm just writing this in my text editor (VS Code). I'll probably start writing in Google Docs as a temporary workaround but I'd like a better solution. Maybe I'll see if there's a spell check extension for VS Code.
  • Stylization. This blog template is a great start but I will want to customize it in the future.
  • I would like to improve my writing. I think this will mainly come with time. Every blog post should help!

Sick Day

I stayed home from work today because I was sick.

Friday night I wasn't feeling so hot and woke up Saturday morning to a full blown cold. Normally, a cold would not be a big deal, especially starting on a Saturday. It would kill my weekend plans, but I could just lay on the couch and rest. Well, we needed to move this past weekend. We were only moving down 5 floors, but moving is still a huge pain in the ass. I do not recommend it when sick - or ever really.

Fast forward to today, Monday, and it was still not pretty - I'll spare you the phlegmy details. I took a few naps today and finally felt like 75% of a person around 4:45pm. I had been laying around all day so I decided to do something. Why not update my personal website and start on some projects?

I was originally going to focus on exploring web security, but I had an idea for a blog and honestly, I don't know if I'm up for all the technical jargon today. I really want to learn about security, so hopefully I won't put it down. (Go to the hyperlink - is there any content there yet?) It will be useful for work and my general skill set. I'm actually not super interested in security as a topic yet but I know that it's super important and I think I could get into it once I learn more about it.

So the focus for today's sick day was setting up this blog. It took me a while to lay the framework but I have all my templates set up so it should be much quicker to make a post in the future. I'm using a template built for Bootstrap by @mdo. It's not incredibly pretty but it was an easy framework to understand and gets the job done well.