Learning Process

It would be impossible for any one person to learn everything

Way of Thinking

1. The Principle of Abstraction

2. The Principle of Correspondence

3. The Principle of Data Type Completeness

In information security, we have to learn and understand these principles, structures, and processes quickly. Additionally, we have to adapt our knowledge to the various environments we encounter. We will have many situations where we will not understand how "it" works. That is good. At this point, we have to find out what we do not know. More about that later.

There are generally three types of people.

1. Those that do not know anything.

2. Those who think they do not know anything.

3. Those who think they know but dont.

Many people do not know their actual skill and knowledge level. This is a complicated topic because penetration testers must have a deep understanding of a wide variety of technologies.

The problem in this field is the sheer volume of information available to us. We can learn about every topic and still not master any one area, or we can learn about just one topic and become an expert in it.

Another option is developing our research methodology, the learning process, and how to use this to improve our knowledge. We will be successful if we know how to search for the required information on the internet, and we know how to learn fast and adapt it to the environment we are working in.

However, before we can do this, we have to learn and practice how to do it. You become a good penetration tester only through considerable practice. There is no other way to improve our practical skills.

When is a penetration tester good enough?

We know that one person cannot know everything. In this case, we have to learn how to find, choose, and adapt the information we need.

Right now, we are considering these three key terms. There is one key term missing

Which key term is missing from the above list?

The crucial missing term is: LEARN

Most people have never truly learned how to learn effectively. For example, in school, our teachers discussed some topics with our class. First, teachers show us just one way to solve a problem. They explained one way to solve the problem, and after that, they gave us exercises to practice further.

Let us take a closer look at the problem. Look at this simple math equation and try to solve it:

20 * ________+ ________ = 65535

This equation is easy to solve, but did we think about how many different ways are there to solve it?

Optional Exercise:

Ask yourself why you didn't solve the problem in a different way. Write it down and try to think about the reasons for choosing the method that you chose. Take as much time as you need for it before you continue.

Think Outside the Box

---

What limitations were you given for this exercise? - None.

So, why didn't you think to add more digits or to replace the given arithmetic operations?

Welcome to the hacker's way of thinking called:

"Outside the box."

During this learning path, we will acquire more information that will help us find an answer. However, first, we have to understand the way of thinking we currently use. Make it clearer. Try to understand what we have to work on.

During the learning process, when we identify the solution to the problem, the process and the steps required to achieve it seem pretty straightforward in most cases. Looking back, it always seems easy once we know the solution. The art, after all, is not to get some flag but to find the way to it.

Talent

---

There is no precise definition of talent. Because the official definition is that talent is a natural aptitude or skill.

Natural in this sense means that it exists in or is caused by nature. it cannot be valid if we consider it carefully because this would have to apply to any skill.

Take this as a sample Question:

Who among the the people you know can naturally fly an airplane?

We all know one or two talented people in our circles of acquaintances. These are people bring incredible performance in one or another area. Most people believe such talents and abilities are innate that for strong skills in these areas is due to their genetics or other intangible factors.

The fact that genetics influence our thinking processes, talent itself is not innate

The ability to solve particular problems with excellence results from thought processes developed primarily in early childhood. Children can develop such a talent much more effortlessly than adults.

This is because they have not yet developed complicated thinking and do not have complex hurdles to overcome.

Children typically do not overcomplicate things like adults do. DO NOT!!!!!

Are masters of their crafts are just born. Do you believe that ? Talented individuals are defined as highly efficient and perform exceptionally well in their individual fields.

Such talents, or rather the ability to solve specific problems and challenges with high efficiency, arise from the constant or persistent confrontation with the corresponding situations and the problems that arise.

The thinking pattern to solve problems. The confrontation expands the so-called comfort zone and repertoire, which allows us to think more easily and tackle the challenge or problem. In essence,

Talent is a trained and adapted thought process and the associated thought patterns for specific fields and situations.

We know that we have a good influence on our thought processes and thought patterns and can influence them according to our decisions. This means we can develop and train such talent for any field we want.

Way Of Learning

---

So, let us jump back to the math exercise from the first section.

20 * ________+ ________ = 65535

Why did we calculate the math task like this?

We performed the calculation the way we learned it. That means we will use the patterns we have been conditioned to use. At this stage, as in the previous example with the calculation, we used the information we already had.

This art of thinking, called "Outside the box," is an essential part of the "hacker mindset", or the way we must think as penetration testers to solve complex problems.

Thinking outside the box means seeing things outside of the limitations placed on us. This means we have to be able to "pivot."

We have to focus on so many different technologies during our penetration tests that it can become confusing and frustrating when we do not understand some things.

A problem is an emotional state. Without emotions, it is just a situation.

Frustration and confusion come with the point of view we are looking at. The learning process is not just a theoretical and practical part. It is also our learning process and progress that largely depends on our emotional state. If we feel good and we know we will reach our goal, we will be successful.

The most essential part that makes you successful is knowing your goal.

1

You're standing still in a room, and your instructor instructs you to move across the room, and you start moving. After a while, the instructor puts a chair in your way.

What will you do? - You may sit down on this chair.

Now let us change the scenario a little bit.

2

Your instructor instructs you to move to the other corner. We start moving, and the instructor puts a chair in our way again.

What will we do? You will pass the chair and continue moving forward to the corner because you know your goal.

3

The big difference between these two scenarios is that we know our goal and know how we have to move on.

We will overcome the obstacles which are put in our way. If we do not have a goal, we will stop at the first obstacle. Without a goal, we will be disoriented moving from one topic to another.

Learning Efficiency

---

The problem here is the sheer size of the information security field. There is a lot to learn and many topics to cover. Many of the courses available are very technical. We have to understand how things work, how they are structured, and how to use them.

The primary and most difficult objective we must overcome is the combination of our knowledge, adaptation, and new information.

It often is not easy to find the information we need. First, we have to find out what kind of information we need.

• What do we already know?

• What do we not know yet?

Even if we find the information we need, we do not know how to use it because we do not have an overview.

The major problem we must solve is handling this massive amount of information and adapting it to our strengths and weaknesses.

The first learning phrase is FAILURE

we have to fail. It is an unavoidable and essential part of learning. This is one of the parts of the learning process which make us successful.

Experience is built on failures. It explains that we know how to handle different and sometimes adverse situations where something does not work as expected.

So how do we:

• Learn faster

• Structure our knowledge

• Find the information we need

• Get the overview

There is this theory called the "10,000-Hour Rule," which explains that you need to spend 10,000 hours on becoming good at something. We do not want to spend 10,000 hours learning a skill.

That not learn Faster, Right!

But When you watch TEDx talk by Josh Kaufman in which he explains it more in-depth.

He proposes that we can learn something new in 20 hours, even working on it for just 45 minutes per day. This sounds much more attainable!

At this point, we also should think about the Pareto Principle, or the 80/20 rule.

Josh Kaufman explained, we can become excellent pretty fast. This is the so-called learning curve, including active and passive learning. These active and passive learning types can be found in the Learning Pyramid.

Passive Learning

If we follow the Learning Pyramid while going through the modules just by reading, we will learn only about 10% of the whole penetration testing experience. By watching some demonstrations, we will not learn more than 30%.

Active Learning

When we start to discuss our entire enumeration process, results, and findings with others, we will see different points of view, results, and information to compare with our own and find out what we missed.

By using this type of active learning, we collect up to 50% experience. Before we can discuss our results with others, we should practice on our own. So while we practice, our learning experience grows to 75%.

There are many different ways to stay motivated. An excellent method that works very well is by recognizing success and see that we have made progress, even the most minor successes.

Progress is noticeable when the question that tortured us has lost its meaning.

The Goal

I cannot emphasize strongly enough the importance of setting a clear goal for ourselves. 90 % of people are significantly more successful in achieving their dreams by setting challenging and specific goals.

• Pass an exam?

• Obtain a certification?

• Learn and master new skills?

• Or impress and please others?

What do we want to achieve? Do we want to...:

how to reach this goal.

If we think about it in more detail, none of the current "great" and well-known personalities will be able to say that they knew the path that led them to the goal beforehand. None of these people knew it. What they did know, however,

Was the goal that they had set for themselves.No matter what goal we have in mind, we must decide on it.

Decision Making

A decision is, in simple terms, the choice of one of several options. All decisions are made based on the importance of the circumstances. We make decisions based on what we expect to get the most out of it. Thus,

Decisions are made not only rationally but also emotionally.

Decide the right (Decision Making) is the (The Goal) that you really want to achieve from your heart (Willingness), and that will make you happy consciously and subconsciously (The Brain).

Documentation

---

When it comes to documentation, we must first determine the report audience. We will document our activities differently than we would present our results to a customer. The purpose of documentation is to present the information we have obtained in a comprehensible and easy way to reproduce a specific activity.

These are the essential characteristics of documentation :

1. Overview

2. Structure

3. Clarity

As we learn and practice, we will come across many different situations and resources. we will have to process massive amounts of information.

Take Notes, Using can use CherryTree or any other choice and a picture is worth a thousand words. FlameShot makes it easier for us to take screenshots and edit them directly.

Focus

It is essential to differentiate between focus and attention because they are not the same.

Attention refers to the momentum, as it is happening right now, and you are reading this text.

focus is on the topic you are dealing with at the moment.

The focus is based on our will and what we want to achieve. It can be a conscious decision and a subconscious decision guided by external influences.

Focusing is the purposeful and deliberate alignment to a specific goal.

Focused people are not only enormously persistent and tenacious, but they are also hardly distracted or discouraged. If we know our goal, it is easier to align our focus accordingly. This, in turn, makes us much more efficient, and we get closer to our goal much faster and do not let ourselves be distracted by external influences.

Attention

Attention is influenced by your interests, needs, personal attitudes, beliefs, orientations, goals, and experiences.

So when I talk about concentration, I mean the maintenance of our attention on a specific topic. This means that as long as we are interested in a given topic, we keep working on it until we have achieved the desired result for our well-being. Again, attention goes hand in hand with concentration and focus.

Information security is a vast subject, We will not be able to absorb all the information at once. We will often come back to topics and repeat what we are missing. This is a normal process. We must understand how to divide our attention.

There is no general formula that we can use to learn how to divide our attention correctly. This is an individual process you train.

We know that attention takes place at the moment and therefore has a limited duration to maintain it. It will be a great advantage to find out how long our emotional state and our attention span lasts the longest.

Once we know how our attention span is behaving, we will also get an idea of how we can split it up. Experiment with this. Change our place of learning , learning hours, duration of learning if possible. Listen to different music and try out different things that might help us.

It would be best if we did not force ourselves to focus on a specific topic because it will have a negative effect and, as mentioned before, can end up in frustration.

Make sure that you feel comfortable and ready to learn new things.

Comfort

This is the feeling of well-being in the form of comfort and the attitude of risk-free behavior. This is also often referred to as the so-called comfort zone in which the person thinks(!) he/she is located.

When we leave the so-called comfort zone, we enter a situation or field where we have little or no experience. This kind of uncertainty lowers our ability to think and has a powerful impact on our thought processes, which, in turn, slows us down.

Fear

People are often afraid of something new, of something they do not know, and cannot evaluate if it could harm them somehow.

I'm talking about interpreted fear. This is an imaginary state of fear. fear is an emotional feeling .

People fear what might happen in the future while not considering the present

Imaginary fear is an emotional state that keeps us from having the best experiences and prevents us from moving forward on the desired path.

Even if we want to be excellent penetration testers, most beginners are afraid to put their maximum energy and time into it because of the imaginary fear of failure.

The difference between a winner and a loser is that the winner has lost more often than the loser.

Failure is essential to learning and unavoidable. No one has ever acquired a skill without making a single mistake.

Our failures are crucial in our learning curve because they give us momentum to climb higher. In doing so, we reach a point where we have been before but already know what to expect at the higher level. This makes it easier for us to master this uphill climb because we have already slipped once at this point and know that we have to take a different path to get higher.

Mindset

• I cannot do this

• This is not for me

• I do not understand this

The only thing we have to do is to add the word "yet."

• I cannot do this "yet."

• This is not for me "yet."

• I do not understand this "yet."

Questioning

We have all been in a situation where we suddenly did not know what to do and could not even understand what to start with to figure out the situation.

The most important and most difficult thing in any situation is not the search for the right answer but the search for the right question.

• There are no "good" or "bad" questions. End of story.

We can rather assign states to a question; thus, we would describe it as a rough question or a precise question.

• A rough question would be, for example, "How can I hack X?"

• A precise question would be: "How can I use the server's SMB service to identify its existing user accounts?"

People use the states "good" and "bad" to describe the profit or loss they expect from the question. If an answer benefits them, that a "good" one. However, what if the question leads to a loss or, let us even say, does not help the person? Is the question bad? - Actually, not.

So how should we Question?

This model represents five components:

Component	Description
Your Position	This describes the position we are in and our view.
The Object	The object is the core element of the question. The main component of our sentence takes the meaning out of the question.
Known	This information is known to us.
Unknown	This information is not known to us.
Other Position(s)	This component describes the position of other persons.

Example:

what are all the methods available to remotely access Windows operating systems?

Component	Question Part	Description
Your Position		Our position where we are situated.
The Object	Windows	The Object is the core element of the question. The main component of our sentence takes the meaning out of the question.
Known	Methods	This information is known to us.
Unknown	Methods	This information is not known to us.
Other Position(s)		This component describes the position of other persons.

Connecting the Components

What is the purpose for us to use Windows?

Mainly we use the operating system to use its functions to solve our tasks. We describe this as Operating on.

How does Windows influence our state in our position?

Windows is the most used operating system in the world and has the most compatibility and many user-friendly functions. Therefore, we can also summarize this and call it Provides functionality

Now we can connect the relations between Windows and the methods we know.

What must Windows do or offer to be managed by remote access methods?

A service must allow remote access over the Internet or network.

• We know for sure WinRM, Remote Desktop, and a few more.

• (If not, it does not matter. We will learn about though the process).

• Otherwise, we would not be able to access it remotely.

• We call this connection Listening Service.

Next, the following question comes up:

How do the remote access methods affect Windows and thus change the state of Windows? What do these methods provide us with?

Now let us look at what we know about the known remote access methods.

What is the purpose of remote access methods?

The purpose is to be able to manage Windows in different ways remotely. So all we do with it is to use it. So, therefore, we call this connection Using.

How do the different remote access methods that we know affect us?

Apart from the different services these methods are designed for, they all have one thing in common. They allow us to interact with Windows. Therefore we call this connection Allow to interact with.

Since we already know some remote access methods, we know how they are connected to Windows. Before Windows can be accessed remotely, the corresponding service must be running.

Which services must Windows have running to use methods unknown to us?

We can not know this because the methods are unknown to us. Therefore we name it like this: ???

Now the same question arises again.

How do the remote access methods affect Windows and thus change the state of Windows? What do these methods offer us?

The different methods offer different ways to access Windows. Because the purpose of the methods, in this case, has not changed. Therefore we call it again: Remote Access.

Now that we know and understand the relationships between all the individual components, we know exactly what information we are missing and what we should focus on.

In this case, we can use Windows services to find the unknown remote access methods.

This model is stackable and you can answer your own question through the process. For example, if we have identified such Windows services and found unknown methods, the field Unknown becomes Known and would look like this:

• So, what is the right question?

A right question is a precise question that allows us to establish the relationships between the components, to understand them, and to take us one step further to the required answer.

Handling Frustration

Frustration is an emotional reaction to an event, situation, or condition that occurs in the form of disappointment or powerlessness.

Most often, such a feeling occurs in varying intensity, depending on expectations or desires.

There are two different types of frustration.

• external influences, such as negative opinions of superiors

• inner frustration, caused by conscious or subconscious thought processes.

Your feelings reflect subconscious thoughts and thought processes. That is why you can understand quite well how you think from your feelings.

It helps to listen to our thoughts from a 3rd-person perspective or imagine that our best friend expresses these thoughts. With that, we gain some distance from the feeling of being affected by it, which makes it easier to construct an objective opinion and judgment about it.

In order to express frustration tolerance in this way, it is crucial to know where it comes from.

Do not forget that this feeling of frustration is temporary. This means that when we feel frustrated, it will pass.

Most people get scared and panicky at such a feeling, which leads to the fact that such people sometimes even react aggressively.

They are not aware that it is a temporary feeling. Therefore, we do not need to be afraid to venture into such situations.

Frustration passes, the experience we have gained through it remains.

Instead, over time, we will become calmer in reacting and dealing with such stressful situations, which in turn will strengthen our self-confidence.

• We can control our inner frustration.

• The frustration of the external factors, however, can hardly be controlled.

Learning Progress

In order to see our progress, two specific states are compared, including a specific time window between the learning process.

• we compare our knowledge from the past with the present and try to keep track of the progress to give ourselves the confirmation that we have achieved something new.

People who have been on the road for years will know how exhausting it can be and what hurdles they have to overcome. We only gain height by going uphill. Going uphill is always exhausting, and we may slip and slide a little bit down again. What is essential here is to keep moving constantly. How fast we want to reach a defined height depends entirely on our ambition. Whether we only take one step a day or ten steps a day only plays a role in the duration.

The difference here is easy to see. If you stop on the mountain and do not climb any further up, you will stay on the same spot.

1% is even enough for 10 minutes per day = Just show up for 10 mins THAT'S IT.