Get AI summaries of any video or article — Sign up free
how to NOT be a hacking noob in 2022 // ft. John Hammond thumbnail

how to NOT be a hacking noob in 2022 // ft. John Hammond

NetworkChuck·
6 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Linux and Python are the foundational skills Hammond recommends for starting ethical hacking, with scripting used to automate and test ideas.

Briefing

Cybersecurity career advice boils down to a simple, repeatable path: build real hands-on skill through Linux and Python, grind through CTFs and war-game platforms, and document what you learn—certifications can help with hiring filters, but they’re rarely the real learning engine. John Hammond, a cyber security researcher and educator known for capture-the-flag (CTF) competitions, frames “not being a hacking noob” as less about collecting badges and more about developing the ability to break things safely, then using that knowledge to defend real organizations.

Hammond’s starting-point checklist is blunt: Linux is non-negotiable, and Python is the most practical programming foundation for scripting attacks, automating enumeration, and writing small tools (like brute-force loops or injection attempts). He pushes back on the idea that someone must become a full software engineer. Basic programming concepts—variables, functions, and conditionals—are enough to begin doing meaningful security work, especially when paired with practice. On the Linux side, he acknowledges the Kali Linux “ready-made hacking tools” appeal, but argues that learning how to install and troubleshoot tools on a mainstream distro like Ubuntu is valuable because it teaches how packages, repositories, and configurations actually work.

Prerequisites, he says, don’t require textbook mastery. Even if someone can barely distinguish networking fundamentals, the learning can start immediately through ethical hacking goals and guided labs. Networking knowledge helps—especially for understanding common attack mechanics like TCP man-in-the-middle—but the mindset shift matters as much as the technical background. Coming from IT or networking roles is a common on-ramp; the industry often rewards people who can connect how systems work to how they fail.

The most consistent theme is that CTFs and cyber ranges build the skills that certifications only partially measure. Hammond describes CTFs as competitive “proof-of-work” puzzles where teams earn tokens by exploiting vulnerabilities or solving challenges. He credits CTF grinding with getting him jobs and with preparing him for real-world security work, including passing OSCP after extensive practice. He also treats walkthroughs and solution hints as training wheels: they’re appropriate when a learner hits a wall, as long as the goal is to eventually internalize the reasoning and solve independently.

On certifications, Hammond’s stance is pragmatic rather than dogmatic. Certifications can be a resume checkbox that helps with entry-level hiring—especially in regulated environments—but they don’t replace hands-on merit. He recommends choosing credentials based on the job market and the role being targeted, and he notes that different certs emphasize different skill areas (for example, OSCP-style exploitation versus security-plus-style baseline compliance). For someone building a first serious path, he suggests starting with hands-on certs like eJPT and then moving toward OSCP, while continuing to accumulate proof through blogs, GitHub, portfolios, and write-ups.

Finally, Hammond connects the “red team” learning loop to “blue team” outcomes. His current work emphasizes threat detection and incident response for mid-market organizations—using the same exploitation knowledge to prevent breaches, respond to malware and remote access trojans, and reduce the odds of ransomware and other real-world attacks. The practical takeaway: keep learning by doing what’s fun, document progress, and apply widely while building a portfolio of evidence that hiring managers can evaluate.

Cornell Notes

John Hammond’s core message is that becoming competent in hacking comes from hands-on practice—especially Linux, Python scripting, and CTF/war-game grinding—more than from chasing certifications. He argues that beginners should start with practical fundamentals, not textbook perfection: learn enough networking to understand attacks, then focus on building exploits and automation through labs. Certifications can help with hiring filters and compliance requirements, but they’re best treated as supplements to real skill. To manage the ambiguity of “when am I ready,” he recommends documenting work (blogs, write-ups, GitHub, portfolios) and applying while continuing to build. He also reframes imposter syndrome as a byproduct of comparing oneself to others online; consistent output and contribution are the antidote.

Why does Hammond treat Linux and Python as the essential starting stack for beginners?

Linux is positioned as a necessity because most security tooling and workflows assume a Unix-like environment. Python is treated as the most practical programming foundation for scripting tasks that show up repeatedly in hacking practice—automation, enumeration, and writing small tools (for example, loops that brute-force passwords or help test for injection-style issues). Hammond emphasizes that learners don’t need to master every programming concept or become a full software engineer; basic constructs like variables, functions, and conditionals are enough to start building useful scripts.

What’s the practical difference between using Kali Linux versus learning tool installation on Ubuntu?

Kali Linux is attractive because it ships with many security tools preloaded, reducing friction for immediate practice (CTFs, penetration testing, bug bounty workflows). But Hammond argues that learning on Ubuntu—installing tools from repositories, configuring packages, and troubleshooting breakage—builds deeper understanding of how Linux systems work. That “banging your head against the wall” phase becomes a skill: knowing what packages exist, how repositories behave, and how to fix broken setups.

How does Hammond define CTFs, and why does he say they matter for real careers?

CTFs are competitive cyber “games” where participants solve security challenges and earn tokens/flags as proof of completion. They include web exploitation, cryptography, forensics, and binary exploitation-style tasks. Hammond credits CTF grinding with building the practical reasoning needed for later professional work, including passing OSCP after extensive CTF experience. He also treats CTFs as a bridge from learning to employment because they produce evidence of capability through repeatable problem-solving.

What’s his stance on using walkthroughs or solution hints when stuck?

He doesn’t treat solutions as cheating. When a learner hits a wall, looking at walkthroughs is like using training wheels to get past an unfamiliar concept. The key is not to become dependent on them—use hints to learn what you didn’t know existed, then return to solving independently. In competitions or real work, you won’t have a solution in front of you, so practice should eventually build that independence.

How does Hammond reconcile certifications with hands-on learning?

Certifications are framed as resume and hiring-market tools, not the core learning engine. In regulated or compliance-heavy environments, a certification can be required to get interviews (for example, security-plus-style baseline requirements). For less regulated roles, employers may care more about demonstrated merit. Hammond’s practical advice is to pick certifications that match the job target and to pair them with documented hands-on work—blogs, write-ups, GitHub, and portfolios.

What does he recommend for dealing with “when am I ready” uncertainty and imposter syndrome?

For readiness, he suggests applying broadly while building proof through documentation and projects—CTFs and war games can be added to a portfolio even if they don’t neatly fit as a single resume checkbox. For imposter syndrome, he rejects the idea that it should dominate thinking; he focuses on producing work and contributing to the community. If one person benefits from a write-up or video, that contribution counters the “I’m not good enough” narrative.

Review Questions

  1. What specific skills does Hammond say Python and Linux enable that make hacking practice more effective than purely theoretical study?
  2. How does he justify using walkthroughs while still aiming to become independent at solving challenges?
  3. Why does Hammond recommend documenting CTF/war-game work even when it feels ambiguous for resumes?

Key Points

  1. 1

    Linux and Python are the foundational skills Hammond recommends for starting ethical hacking, with scripting used to automate and test ideas.

  2. 2

    Beginners don’t need to master every programming concept or become a full software engineer; basic constructs plus practice are enough to start building security capability.

  3. 3

    Learning to install and troubleshoot tools on Ubuntu can be more educational than relying only on Kali Linux’s preloaded toolset.

  4. 4

    CTFs and cyber ranges build practical exploitation and reasoning skills that translate into real-world security work; they also create a portfolio of evidence.

  5. 5

    Walkthroughs and solution hints are acceptable training aids when learners hit unfamiliar walls, as long as they eventually return to independent problem-solving.

  6. 6

    Certifications can help with hiring filters and compliance requirements, but they should supplement—not replace—hands-on practice and documented work.

  7. 7

    To decide when to apply for jobs, Hammond emphasizes applying while accumulating proof through blogs, GitHub, and write-ups rather than waiting for a single “ready” moment.

Highlights

Hammond’s “noob” path is Linux + Python + CTF/war-game practice, with documentation as the bridge from learning to employability.
He argues that Ubuntu tool installation and troubleshooting teaches deeper Linux mechanics than simply using Kali’s preloaded environment.
CTFs are framed as proof-of-work competitions where flags/tokens validate exploitation skills—and he credits them with getting him jobs and passing OSCP.
Certifications are treated as resume checkboxes that matter most for regulated hiring, while real merit comes from demonstrated capability and portfolio evidence.
The pulkit (pkexec) Linux privilege escalation vulnerability is presented as an example of how argument-handling and memory termination tricks can lead to root access when exploited correctly.

Topics

  • Linux Fundamentals
  • Python Scripting
  • Capture The Flag
  • Certifications
  • Privilege Escalation

Mentioned

  • John Hammond
  • CTF
  • OSCP
  • OSCE
  • OSCP
  • eJPT
  • PNPT
  • CEH
  • CEH
  • GCIH
  • CVE
  • TCP
  • VM
  • VPN
  • DoD
  • IAT
  • SMB
  • APT
  • CTFtime
  • OSCP
  • eJPT
  • OSCP
  • pkexec
  • CVE-2021-4034

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library