How can I learn Ethical Hacking? Where should I start?
Learning materials and handful of advices for offensive security aspiring specialists. Fundamentals and basic resources you can grab right now.
This post was originally posted on the Hashnode.
So far, I was able to advise a few people on how they can start to learn cybersecurity through offensive security and pentesting. I realized that instead of repeating myself, I can write that down in an article, so it can be shared with anyone interested in expanding their itsec skills. I'll keep this article updated.
🔔 CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the sponsor feature or 🎁 become a Patron which also gives you some bonus perks.
Join our Discord Server!
- Understand what it means to hack ethically.
- Hand-on experience, AKA keep your hands dirty.
- When hands are tired - watch meaty online courses.
- Use vulnerables to practice live example scenarios.
- See how the pros do it.
- Subscribe and watch others that are on similar level.
- Think bigger. Set your goals and stand your ground.
- Join forces.
- Bonus: other aggregates.
⚠ 1. Understand what it means to hack ethically.
This is crucial to understand that without a purpose, tools are neutral. They are neither bad nor good - with a kitchen knife one can slice an onion, or wound somebody. The same rule applies to every pentesting tool that you are going to use. You must have that in mind, that only you are responsible for the consequences of your actions.
Read the disclaimer here.
Fortunately, any of the courses I spotlight here starts with ethical hacking concept explanation.
To be clear if your purpose is to conduct mallicious activity - stay away from this site. I will never consciously help in performing such activities.
How to hack your ex-girlfriends Facebook account
🔧 2. Hand-on experience, AKA keep your hands dirty.
✔ For a starter, take the free courses on TryHackMe and HackTheBox Academy - both are the first places I would learn from. THM have Complete Beginner Path and HTB Academy starts with Introduction Module. I haven't completed all available modules yet, but I feel like I know so much more and have that knowledge structuralized.
👉 HTB Academy Introduction Module
On July 2021 TryHackMe released a Pre Security Learning Path. It's a good way to start, but remember that on THM you almost always need a subscription to complete whole modules - for free are the first couple of rooms from a module.
👉 THM Pre Security Learning Path
👉 Pre Security Learning Path Review
💡 3. When hands are tired - watch meaty online courses.
✔ As for video lessons, I would recommend joining Dev Essential program from Microsoft. You should have found there time-limited access to the Pluralsight - if so, take the Ethical Hacking CEH Preparation.
✔ Sometimes you can also acquire the 3 months of LinkedIn Learning access - for example, I found mine voucher on the Visual Studio Subscription associated with my company account. From this site, I recommend both Learning Kali Linux and Become an Ethical Hacker.
All these materials are the top-notch theoretical ones in my opinion.
If you can spend a few bucks (or wait for the occasional discounts) this is a well put course on OWASP Top10 made by The XSS Rat.
👉 The OWASP top 10 demystified by XSS Rat
🌋 4. Use vulnerables to practice live example scenarios.
Vulnerables are purposely crafted vulnerable applications or even whole operating systems like Metasploitable that you can use in your isolated internal network or play with them on a Docker.
👉 Look at my Damn Vulnerable Web Application on Docker Container article for example of set up.
🎩 5. See how the pros do it.
Are you a sports fan? Do you like watching online tournaments? Even if not, trust me in this one. I can't count how many times I have eagle-eyed something that get me that one level higher in my proficiency. Things like stabilizing shell, multitasking terminals or just overall approach in documenting my findings.
👉 Watch John Hammond, NetworkChuck, STÖK
👉 Amazing David Bombal and Neal Bridges YouTube playlist - talks about starting ethical hacking, red/blue teaming, certificates and pentester software.
🔊 6. Subscribe and watch others that are on the similar level.
For this, I recommend following my #CyberEthical contents on Instagram and on LinkedIn. Add your mail to the mailing list on the Hashnode - you will be notified only on a new content on my blog.
Have a look at these:
👉 My Hacking Lab - My setup, tools and a bunch of tips
👉 HTB Starting Point - Detailed write-up series
And, because the best way to learn is to get engaged with others - I recommend you to join the Hashnode yourself and share with others as you learn.
By using my link you can help me unlock the ambasador role, which cost you nothing and gives me some additional features to support my content creation mojo.
🎯 7. Think bigger. Set your goals and stand your ground.
Remember that to learn and improve, you must stay out of your comfort zone. Keep challenging yourself, but also take care of yourself. Find other activities that relax you, that help you relieve the stress. For me, it is playing simulation/creation games like Farming Simulators or Minecraft. It is going to kitchen and prepare some food. I have my lovely Celestron Skymaster 15x70 and I tend to look at the stars, the Moon.
As for setting the goals, a recently OSCP certified Prateek Srivastava published two articles about his path and first-hand experience with Offensive Security labs and more. Read those, save them for later because it will come useful.
🚸 8. Join forces.
Look for healthy communities that will help you with your struggles. Did you get blocked on the hacking box? Couldn't get the reverse shell, although you are doing everything correctly? We all are facing these problems and sometimes just a little nudge or sanity check from the other person is what makes you understand your mistake - or simply realize you are doing everything alright, just have to restart that server.
🍦 9. Bonus: other aggregates.
- Great Hakluke's huge list of resources for beginner hackers containing some resources already mentioned by me and much more!
And what do you think about it? Would you add something to the list? Please share your experience in the comments 👇!
🎁 Become a Patron and gain additional benefits
👾 Join CyberEthical Discord server
📌 Follow the #CyberEthical hashtag on the social media
👉 Instagram: @cyber.ethical.me
👉 LinkedIn: Kamil Gierach-Pacanek
👉 Twitter: @cyberethical_me
👉 Facebook: @CyberEthicalMe
I'm a 30yo Senior Developer, but in the free time I'm working on my Cyber Security skills and I'm actively promoting Ethical Hacking as a way to develop security awareness.