Ask HN: What are the best resources to learn security / pen testing?

Your videos are great, thanks for your hard work! And thanks for the ep with John Hammond recently that put me onto his channel too 🙂

+1 I love your videos there great, I’ve watched a few of your pwnadvenuture videos and some other ones related to MMOs

If you like watching videos and following along:

Free: https://www.cybrary.it/

Cheap: https://www.pluralsight.com/

The entry level cert in this area is the CEH. It’s kind of looked down upon, like a lot of entry level certs are, but studying/working towards that isn’t a bad thing.

Books:

– Practical:

The Web Application Hacker’s Handbook 2nd Edition – Gives a very good overview and is a good place to start.

The Hacker Playbook 3: Practical Guide To Penetration Testing – #3 just came out. Haven’t gone through my copy yet, but I’ve heard good things.

RTFM – Red Team Field Manual – Nice to have, quick reference guide

BTFM – Blue Team Field Manual – Like the above, but for the good guys 😉

– Covering the bigger picture, if you’re curious (geopolitical):

The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age

The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries

Dark Territory: The Secret History of Cyber War

Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage

CEH is a fucking joke created by a former marketing professional and it shows. It’s always been a ho-hum cert that attests to the fact that you once heard about this nmap thing, but it was cheap resume fodder for someone looking for their first industry position.

They successfully lobbied the DoD to make it an option for 8570 compliance and, after becoming a government contractor, doubled the price immediately afterward.

CEH never taught anything useful or lasting even at its former price point, and it only exists now to soak up mandatory spending of government cheddar. (The cynic in me speculates that this was their intention all along.)

Don’t bother with it unless someone else is footing the bill.

> It’s kind of looked down upon, like a lot of entry level certs are

Well, it’s an entry level cert, as you say. Passing CEH doesn’t mean someone knows what they’re doing.

Is there an alternative entry-level qualification that evokes fewer frowns?

But still gets looked down on. It’s a running joke in pretty much everywhere I’ve worked that if you see someone with CEH and/or CISSP in their email signature – like a badge of honour – that you know you’re going to be in for a real tough time.

Well sure. That’s like the old joke from Red Dwarf: Arnold J Rimmer, BSC. The BSC stood for Bronze Swimming Certificate.

That’s not a problem with the certificate, it’s a problem with people confusing it for an advanced qualification.

There’s no standard path in information security, most schools don’t offer information security degrees and many extremely successful people in security didn’t come from a CS background at all.

Some general recommendations:

– follow smart security people on Twitter, which is the defacto medium for information security discussion

– read publicly disclosed bug bounty reports on Hackerone and Bugcrowd

– read The Tangled Web by Michal Zalewski

– learn to use Burp Suite

> – learn to use Burp Suite

Burp Suite is an awesome tool for devs as well. The Repeater tool is better for messing with API calls than any of the browser dev tools, imo.

For people finding the proxy setup stuff annoying: install Foxyproxy in Firefox and it makes your life really simple.

How about for proxy servers in headless browsers; what do you recommend? Any experience with how public and premium proxies vis-a-vis uptime and reliability compare?

Plenty of good suggestions here already. Some I’ve not seen mentioned yet:

Books:

Hacking, 2nd edition (some specifics are out of date, but it teaches hacking by teaching how the relevant pieces of a computer work which is still valuable)

Anything else from https://nostarch.com/catalog/security that looks relevant to your specific interests

Hands-on practice:

OverTheWire: http://overthewire.org/wargames/ (wargames to ease you into things)

WeChall: https://www.wechall.net/ (challenge site directory that’ll help you pick challenge sites based on your topic of interest)

+Ma’s Reversing: http://3564020356.org/ (old reverse engineering site/community – mostly dead as far as I know but the puzzles will still challenge you and the old articles you can unlock make it a bit of a hacking museum)

CTF Time: https://ctftime.org/ (A directory/calendar of tons of CTFs you can play in)

Pwn Adventure: http://www.pwnadventure.com/ (A vulnerable MMO server/client designed to demonstrate common game vulnerabilities)

VulnHub: https://www.vulnhub.com/ (A repository of deliberately vulnerable VMs you can host and attack in your security lab)

I find that talking to folks in the trenches is incredibly useful. If you’re already at a company that has a security team, or even a small company that has folks that deal with infra/app security and/or incidents, you can learn a boatload directly the practitioners on the line. Even better if there’s a chat room that you can be a fly on the wall in.

When I worked at Mashery (a SaaS API management company) we were the front end for the APIs of hundreds of companies around the world, handling billions of API calls for the likes of Comcast, Best Buy, Starbucks, Macy’s, etc. During my time there, I learned a god awful amount about ops, scaling, amd security, simply by sticking my head in whenever I detected chaos going down.

Some comments mentioned tools like Metasploit, or reading up on the OWASP 10. Yup and yup. Plus, there are other tools to add to your belt that I find indispensable: Charles Proxy (install a MITM to watch web traffic), nmap (discover all the services running on a network)

I highly recommend pentesterlab.com.
The Web for Pentester course is a great intro for first timers if you read the PDF and play with the VM

When training newbies I will start with this and get them to play around with google-gruyere.appspot.com.

These are only relevant for web app testing, I haven’t been able to find a suitable free resource for network testing but for paid resources OSCP is a great practice course if not pretty challenging for first timers

If your goal is to land a job with the skills you acquire, you’ll need more than just solid basic skills. It would be helpful to keep abreast of new developments, where there might not necessarily be a lot of training material yet.

One way to keep up on what’s new, is to watch the talks posted by security conferences. Speakers generally submit their freshest work, and are often playing their own game of resume-enhancement by getting their name associated with hot topics. So pay attention to not just the topics, but also the vocabulary around them…

A lot of the newest-fanciest research won’t necessarily be within your grasp as a neophyte, but some of it will, and some of it will inform your direction and focus as you work your way up.

And some of it will suggest entirely new avenues, disciplines, and modes of thinking.

The university of NSW (respected Australian uni) is putting up a bunch of materials from their Masters in Cyber Security. It’s going up slower than expected but the lecturer is engaging and the first subject to roll out covers a lot of good philosophy of security type subjects.

Find it at sec.edu.au/moocs

As mentionned several times already, OWASP has very interesting stuff, it’s more web application oriented though.
(https://www.owasp.org)

WebGoat is a good way to put things in practice locally.
(https://github.com/WebGoat/WebGoat)

The project ZAP is a really great tool to help you in the process.
(https://www.zaproxy.org)

Outside the web sphere, exploit database is a great site with a bunch of exploit code, explanation and papers.
(https://www.exploit-db.com)

The tool suite in Kali Linux is also very good if you don’t mind read the documentation and try understanding the goal of the tools.
(https://www.kali.org)

Kali NetHunter lets you practice from Android.
(https://github.com/offensive-security/kali-nethunter)

Security is such a wide domain that you can quickly get flood.
I don’t think the ultimate step-by-step learning guide exists.

Once you’ve learned and practiced a bit, if you don’t give up too soon, you will get the point and understand how deep you need to go into a protocol or a system to actually do something yourself (then this not about security documentation anymore, but about understanding how the target works, and how you can make it work the way you want).

I would say that you need to focus on some targets first, and expand the scope over time depending on your needs/interests.

recommended way,
1. learn operating system internals, start using Linux
2. learn computer networking. TCP/IP, OSI layer and network protocols like TCP, UDP, HTTP
3. learn about software programs and Web application architecture
4. start following up security related resource like books, videos, courses (OSCP is great).

– Pick one programming language along the way and try scripting programs while learning.
– you need not master every topic but knowledge of how and why everything works the way it works increases you expertise as security practitioner
– since there are many public bug bounty programs these days, legally testing out stuffs to hone your knowledge has never been easy. plus you get paid.

Wow, thanks for sharing and for your hard work on your channel!

I recommend it to everyone who is even remotely interested in security as your videos provide really valuable knowledge which is very easy to digest in the same time.

Thank you and keep it up please!:)

This often goes overlooked on a forum full of coders, but not everyone who reads HN or wants into infosec is proficient with a major scripting language.

I’d bet being solid in python/bash/powershell would come in handy, and that having no skills in any of them may be a dealbreaker.

Highly recommend python or perl myself – and obviously know how to use bash as well.

One related suggestion: Do not become reliant on third party modules/add-ins (other than the standard library stuff) – at least when learning. Really learn how it works.

AskNetsec on reddit.

OWASP find your local chapter and go to meetings.

YouTube, and pentesterlab (even the free ones are better than most (even all) other paid resources).

Learn the OWASP top 10

Use vulnerable VM’s and practice like Metasploitable and https://github.com/SecGen/SecGen

Get the OSCP

I also highly recommend being good at some programming. This is for source code review and quick scripts/exploit development.