Some CS101 knowledge is a must. Trying to learn how to hack without even being comfortable with Unix commands wouldn’t just be like trying to run before you can walk. It’d be like flying an A380 without knowing which direction up is.
If you try to jump into pentesting without the necessary prior knowledge and “fill the gaps” as you go along, you’ll struggle needlessly. Here’s what you’ll need to know:
How to Linux: The main power of Linux/Unix for coding and pentesting comes from the terminal and the sheer number of tools available. You can try to do everything you need in Windows, but it’s not going to be easy - and if you’re getting into pentesting, you’ll need to know some Linux eventually. Trust me: if you get a job in security and your coworkers find out you’ve never used Linux, they’ll laugh at you forever.
You have three main options here:
Use Ubuntu on Windows 10. I’d consider this the worst option for a beginner because it can be pretty unreliable when it comes to installing tools, and getting the GUI to work can sometimes be a nightmare.
If you’re a dev, you probably have your perfect setup already. Gratz! The way to go here is usually Linux or Mac. Personally, I use Ubuntu on Windows 10 (sue me) but only because I know all my favorite tools work on it.
Many beginners start with Kali, but I recommend against this. Part of becoming a confident pentester is building your library of tools. Kali hands you a bunch of tools, none of which you’ll really understand and appreciate.
But whatever you’re doing, it’s absolutely crucial that you have a comfortable setup. Take some time now to fix any issues you might have in your setup (bootloaders, window managers, GUI, etc.). Pentesting can get messy when you have countless windows and complicated tools open, and the last thing you need is your own environment working against you.
No way around this one. Even in just web application hacking, there’s a whole breadth of knowledge you need to acquire. I’d split web hacking knowledge into two categories: The Basics, and the Nifty Tricks. The Basics are what you should learn first from books, videos, online tutorials, etc.
Unfortunately, given how quickly the world of hacking moves, most competent websites are already secure against The Basics (but you still need to know them!). The Nifty Tricks are the real moneymakers. You’ll learn these later through browsing experienced pentesters’ blogs, joining ethical hacking communities, and obscure YouTube videos. If you’re the first to discover a Nifty Trick, you get a place in The Hall of Fame and maybe lots of money.
Here are some great resources for The Basics:
Once you’ve learned and practiced The Basics (more on how to practice in the next section), you can move on to learning some Nifty Tricks. Some resources:
This is the fun bit. Once you have some theory down, you can start practicing by doing hacking challenges. These are vulnerable web applications with hidden “flags” that you find by exploiting the application.
CTF (Capture the Flag) competitions are live events with scoreboards and teams, while wargames are less competitive and are more like playgrounds to practice your skills on.
Check out CTFtime for current and upcoming CTFs, although most of these will be too difficult for a beginner. Good wargames are OWASP’s WebGoat and OverTheWire. Also check out OWASP’s Juice Shop, Hacker101 CTF, Hack The Box, and Google’s XSS game.
While fun and a great way to learn, note that the skills you need for wargames/CTFs are somewhat different from the skills you need for real-life applications such as bug bounties. It’s possible to be a top scorer in CTFs, but be utterly incapable of doing bug bounties (this was me for a while) and vice versa.
Wargames are to bug bounties what Civ5 is to running an actual country (okay, maybe not that extreme, but what’s the difference nowadays?). Wargames teach you some excellent strategy and puzzle solving skills, but real life is a different landscape - more on this in Section 5.
This will make your life much, much easier. Python is amazing as a scripting language, especially for hacking. A lot of CTFs and bug bounties will require brute force actions such as sending many packets and hashing, all of which can be done easily by writing your own Python scripts.
Check out pwntools, a Python CTF framework. It simplifies exploit writing! Here’s how you send packets.
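The packet-sending snippet this paragraph points to did not survive on the page, so here is an added example (written for this post, not pwntools’ own code) that reproduces the pwntools `remote()`/`sendline()`/`recvline()`/`recvuntil()` pattern using only the standard library, against a constructed loopback challenge server so it runs offline. The token, flag and prompt format are made up; `Tube`, `_serve_one` and `solve_local_challenge` are hypothetical names.

```python
import hashlib
import socket
import threading
# Constructed toy challenge, not a real CTF: the server sends a token and the
# client must answer with its SHA-256 hex digest to receive the (fake) flag.
TOKEN = b"cs101"
FLAG = b"flag{constructed_example}"


class Tube:
    """Thin socket wrapper mirroring pwntools' sendline()/recvline()/recvuntil()."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""
    @classmethod
    def remote(cls, host, port):  # like pwntools remote(host, port)
        return cls(socket.create_connection((host, port), timeout=5))
    def recvuntil(self, delim):
        # Read until delim appears; return everything up to and including it.
        while delim not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise EOFError("connection closed before delimiter")
            self.buf += chunk
        data, self.buf = self.buf.split(delim, 1)
        return data + delim
    def recvline(self):
        return self.recvuntil(b"\n")
    def sendline(self, data):
        self.sock.sendall(data + b"\n")


def _serve_one(listener):
    # Toy challenge server: handles exactly one client, then exits.
    t = Tube(listener.accept()[0])
    t.sendline(b"hash this: " + TOKEN)
    expected = hashlib.sha256(TOKEN).hexdigest().encode()
    t.sendline(b"correct! " + FLAG if t.recvline().strip() == expected else b"wrong")
    t.sock.close()


def solve_local_challenge():
    # Start the toy server on loopback, solve its prompt, return the reply.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener,), daemon=True).start()
    t = Tube.remote("127.0.0.1", listener.getsockname()[1])
    token = t.recvline().split(b": ", 1)[1].strip()  # parse the prompt
    t.sendline(hashlib.sha256(token).hexdigest().encode())
    reply = t.recvline().strip().decode()
    t.sock.close()
    listener.close()
    return reply
```

With real pwntools the `Tube` class collapses to `r = remote(host, port)` and the same `recvline`/`sendline` calls; the parsing and hashing logic is what your own script library ends up accumulating.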
I recommend making a folder where you keep your own Python scripts and build on them over time. I really can’t overstate how much time this will save you.
At some point, you’ll get the flag for your first moderately difficult CTF challenge without having to Google the solution. And you’ll feel amazing. Likely, you’d have spent hours and hours on it, and finally figuring out the answer on your own will be a feeling that’ll get you hooked on pentesting forever.
You’re a hunter now. Fierce. Unstoppable.
You might even think that you’re ready to start making money now. But once you check bug bounty sites, you’ll realize you have no idea what you’re doing. There are no clues telling you where vulnerabilities are. There’s such a wide attack surface that you don’t even know where to start. And thousands of better hackers have already wiped the site clean.
As disheartening as it might be, this is the point where the fun really starts. You’re out of the playground and ready to play with the big kids now. A good starting point is watching this DEF CON video I linked earlier and digging into finding good tools and more Nifty Tricks.
Now is the time to start learning web reconnaissance. It’s covered well in the DEF CON video, and you’ll learn more about it as you build your library of recon tools.
Tools don’t make a hacker. But you’re probably not going to get too far without them.
I recommend starting off with just downloading a couple of the “mandatory” tools like Nmap and Burp Suite. Nmap is a discovery tool that finds hosts and open ports on domains, generally giving you a good feel for what the network looks like. And Burp Suite is your new best friend. Seriously. It’s the #1 multitool of web hacking. Its main use is capturing and editing packets, but it does so much more. I really can’t do it justice in this blog post - just google it and watch some tutorial videos.
After those two, it’s up to you to find (or make) the tools that suit you best. Here are some of my favorites:
I told you it’d be difficult, didn’t I?
Pentesting is challenging, confusing, and overall just frustrating. But if this is something you really want to do, you’ll find ways to overcome all of that.
Try to join communities, such as the ones on Twitter and Bugcrowd, since the journey is always more fun with others.
And remember: this is a field that really matters. It’s rewarding, and you’ll be doing legitimate good for the world. Blackhat hackers are learning every day too, and the ethical hacking community needs all the help it can get. Good luck, and godspeed!