When you first start learning something, it can be difficult to discover high-quality resources to help you on your journey. . In particular, these resources will provide beginner hackers with an excellent foundation for bug bounty hunting or penetration testing. Now keep in mind that there are a lot of resources out there, so I am definitely missing a lot of them. If I missed anything that you think should be covered – let me know!
The list is quite long, but don’t be overwhelmed. You don’t need to binge every piece of content at every link. You would have a hard time ever getting through it all. I certainly haven’t. Instead, aim to learn a little bit regularly. Or, as James Clear put it, “you should be far more concerned with your current trajectory than with your current results.”
Introduction to Hacking
Hacking in its simplest explanation is breaking into a system that has a certain degree of security.
Hacking is a skill set and requires a lot of practice to become good at.
There are 3 types of hackers, they are:
- Black Hat.
- White Hat.
- Grey Hat.
Black hat hackers: This category of hackers do hacking for malicious purposes.
White hat hackers: This category of hackers do hacking for the benefit of others. They hack to secure the vulnerability that can lead to harm.
Grey Hat Hackers: This category of hackers acts as both white Hat and black hat hackers. This makes them be on both the good and bad side, depending on the situation 😀 .
Hacking is a vast subject. It has a lot of sub-categories which includes:
- Web application.
- Forensic.
- Networking.
- Cloud.
- Systems both mobile and desktop devices.
- Hardware.
These are some of the various things you can learn and each has sub-topics that are interesting.
The main goal of a white-hat hacker is to find a potential vulnerability, exploit it, gain access, create a detailed document and report it to the authorities.
Hackers or pentesters are paid on the scale of priority of the vulnerability reported. This is decided based on a priority table that is made by the board showing which part of their infrastructure is most important and needs special attention. If you are successful in finding a vulnerability in that specific section you can expect a high reward.
If you are not into full-time pentesting and want to do part-time then Bug-bounty hunting is the go-to thing for you.
Bug-bounty hunting is a program hosted by company websites with specified rules and regulations. They usually specify things they won’t consider a bug and other than those things, any other possible bug you find will get you some reward from the website.
A Bug in this sense is a vulnerability that can be exploited to gain information or unauthorized access into the server.
Bug bounty hunters usually have extensive knowledge of different types of bugs. Some of the common types of bugs include XSS, HTML-INJECTION, CSRF, etc. Having knowledge and being able to detect these vulnerabilities as a bug-bounty hunter can get you a decent amount of pay from the bounty.
Other than being a bug-bounty hunter, you can also be a freelance pentester, where the work will be more but the payout is more than that of a bug bounty.
Why Learn to Hack?
In my previous explanation, I have introduced you to various types of hackers and what they do for a living. Having knowledge of hacking and how it works, you can be able to protect yourself and others, and also educate them with your experience. You can also make a living via hacking by being a bug-bounty hunter or a freelance pentester. You could also get a job after gaining a few certifications.
This leads us to our next question where to start? if you ask me there is no way you can excel in any field without knowing the basics relating to the field you are going to choose.
All the things such as basic networking, web application, and programming can be learned from web sources such as Youtube or Udemy but if you want professional teaching then you can opt for training from official sources such as Offensive security, INE, EC-Council, etc.
Fundamentals are easy to understand anyone can achieve learning the fundamentals, but the main goal is to learn the advanced things, for example, if you understand how the server works with the client-side request, you can learn how to manipulate and possibly exploit the server.
You need not worry, anyone can achieve this. Some people are afraid to learn things from a new field while studying in a different field, for example, a commerce student fears that studying this topic will be of no use for him in the future even though it has potential.
Similarly, anyone from any field can learn to hack and become a hacker but it requires dedication and a lot of practice to learn and perfect your skills.
Professional aspect: Cybersecurity is a fast-growing field for job opportunities and even new freshers can also get a high salary job with work experience if you have prior experience and certifications then you can expect a good salary and high growth in your job profile.
The list of lists
I am not the first person to create a list of resources for beginner hackers, and I won’t be the last! Below you will find a list of lists. Each one is it’s own repository of resources, similar to this one.
- Nahamsec’s “Resources for Beginner Bug Bounty Hunters” is an organised index of resources for learning to hack. It is quite comprehensive and well curated. It would take months to get through it all!
- Codingo’s search functionality on his website indexes a huge stack of public content from hackers. This is particularly useful if you’re looking for content about a specific topic or vulnerability class.
- S0cm0nkey’s “Security Reference Guide” is another excellent, well-curated and well-organised repository of cybersecurity resources.
- InfosecWriteups is a Medium publication that has a huge amount of cybersecurity related write-ups for CTFs and bug bounties.
Labs
- Pentesterlab has a hands-on approach to learning hacking. Each lesson is a hands-on lab where you need to exploit a vulnerability that mimics something you might see in a real-world application. It covers a lot of different bug classes from basic to advanced. They have a hosted paid offering, or you can download some of their more basic exercises as ISOs.
- Portswigger labs is a huge set of web application security labs that are totally free. Each hands-on lab also comes with a solution and a “community solution” which is typically a YouTube video from the hacking community.
- Tryhackme is a cybersecurity training platform and competitive hacking game. When you sign up, you choose between three streams: pre-security for fundamentals, offensive pentesting or cyber defense. The platform seems quite comprehensive, and includes labs for more than just web application vulnerabilities including buffer overflow, active directory and more.
- Hackthebox is best known for being an ongoing worldwide competitive CTF, but they also provide some very high quality training “tracks” for any / all topics that you could think of. They offer a lot of labs/boxes for free, but also have different premium subscriptions that allow you to hack expired boxes, less crowded lab environments and pro labs.
- Kontra is an online platform that offers a series of hosted labs designed to teach developers about application security. The platform is very slick and beginner friendly – each lab is story based. It walks through a plausible real-life attack scenario, teaching the student how the vulnerability would be exploited, and also what the vulnerable code looks like.
- Hacker101.com is an online training platform for web security, created by bug bounty platform Hackerone. It includes a bunch of CTF challenges inspired by real-world vulnerabilities and also a series of video tutorials about all elements of web hacking.
- Vulnhub is a platform that allows users to upload “challenge boxes” which are purposely vulnerable virtual machines, the aim is to gain root/system level access on these machines by exploiting various vulnerabilities.
YouTube Channels
- John Hammond has a very entertaining channel covering all kinds of topics including CTF walkthroughs, programming tutorials, interviews, the dark web, malware analysis, and more!
- Nahamsec does “Recon Sundays” every Sunday, where he streams live recon and brings on guests to interview or hack with. He also hosts “Nahamcon”, a virtual security conference with great speakers.
- STÖK makes all kinds of different cybersecurity related videos, mostly pertaining to bug bounties. He interviews some great hackers and documents live hacking events. He releases “Bug Bounty Thursdays” every week which outlines the latest bug bounty news.
- Farah Hawa is excellent at taking complex topics and explaining them in a way that you will understand by breaking it down to fundamentals. She describes different bug classes, hacking process and career.
- Codingo creates bug bounty specific videos including videos about tools, hacking processes, recon and more.
- Liveoverflow is a cybersecurity YouTube legend at this point, having released over 300 videos about a huge range of topics.
- PwnFunction also focuses primarily on web application hacking. The videos have a really nice style and are very well explained.
- Ippsec almost exclusively creates walkthroughs of HackTheBox challenge boxes. Every action is explained very well, it feels like you are watching a pro over their shoulder, and it is an excellent way to learn.
- InsiderPhD “Dr, apparently, hacker, Lecturer in Cyber Security, Educational YouTuber, Application Security Engineer and still awaiting the nobel prize for more hours in the day.” Makes great videos about hacking, bug bounties, machine learning and more!
- The Cyber Mentor (TCM) is an excellent cybersecurity educator who now runs his own academy, “TCM Security Academy“. He is best known for developing excellent cybersecurity courses, particularly in penetration testing.
- Hakluke. I can recommend myself, right? I make instructional videos, bug bounty report explainers, career and mindset videos.
Video Sources
There are a lot of online video sources such as Youtube and Udemy. On social media platforms, you can follow some professionals who have great links and useful resources to learn from.
Social media
These are some of the best social media influencers who share information of value and can help you in your works.
On Youtube, you can refer to the following Youtube channels:
I would recommend you follow David Bombals’s Youtube video as he gives a lot of giveaways. I love his works, his explanations are also really easy to understand and beginner-friendly.
Web-articles
Web articles are write-ups that enable people with knowledge to share their thoughts and points related to a certain topic or a certain event that matters in the cybersecurity world.
There are several websites where one can find web articles. But I am going to mention a few of them that I find to be quite informative.
Website links:
- Hackernoon.com (security section)
- Latesthackingnews.com
- Thehackernews.com
- Hackingarticles. in
These are some of the useful websites you can use to learn more about the latest events and more related to security-related content.
Books.
Cybersecurity-related books are all over the internet but some of them stand out. I am going to list 11 of the best ones to start your security journey.
Book links:
- Hacking: The Art of Exploitation.
- The Basics of Hacking and Penetration Testing.
- The Hacker Playbook.
- Penetration Testing.
- The Web Application Hacker’s Handbook.
- Hacking: Computer Hacking, Security Testing is a book written by Gary Hall.
- Computer Hacking Beginners.
- Hackers & Painters.
- Advanced Penetration Testing.
- The Hardware Hacker is a book written by Andre Huang.
- BackTrack 5 Wireless Penetration Testing Beginner’s Guide.
These are some of the most useful books out there for beginners and intermediate-level hackers.
Paid and free courses.
Udemy courses:
- Complete cyber-sec course by Nathan House.
- Complete Web hacking by Loi Liang Yang.
- Complete Mobile hacking course by Loi Liang Yang.
- CompTIA Network+ with expertise from David bombal.
Weblinks to gain infinite knowledge in any field for free:
- HacksPlanning.com
- Edx.org
- Hackerstop.org
- Digitaldefynd.com
- guru99.com
- Securitytube.net
- Simplylearn.com
Twitter Accounts
I won’t give a description of each Twitter account because the content being posted will vary quite significantly from day to day. All of these Twitter accounts post excellent cybersecurity related content, most of them with a lilt towards bug bounties.
- hakluke
- jhaddix
- Nahamsec
- stokfredrik
- fransrosen
- nnwakelam
- samwcyo
- InsiderPhd
- Albinowax
- Codingo_
- sml555_
- zseano
- Farah_Hawaa
- MrTuxracer
- Th3G3nt3lman
- spaceraccoonsec
- erbbysam
- 0xteknogeek
- 0xpatrik
- LiveOverflow
- EdOverflow
- Filedescriptor
- ngalongc
- rhynorater
- Codecancare
- mertistaken
- _jensec
- yaworsk
- thedawgyg
- Regala_
- Tomnomnom
Blogs and Write-ups
- Codelivly – Don’t Miss US
- Hackerone Hacktivity has an unlimited stream of disclosed vulnerabilities on the Hackerone platform. Reading through them is a great way to see what kinds of things people are finding and inspiring your own hacking.
- Crowdstream is the Bugcrowd equivalent of Hackerone’s Hacktivity. Although there are far less disclosed reports there, it’s worth reading through them!
- Pentesterland has a huge, curated list of bug bounty writeups and resources for beginner hackers.
- Inti De Ceukelaire is a great bug bounty hunter and the Head of Hackers at bug bounty platform Intigriti. He has a knack for finding critical systemic bugs that affect a lot of organisations, and doing great write-ups!
- D0nut’s blog is a total mixed bag with lots of gems.
- Intigriti’s Medium Publication is filled with great bug bounty content!
- Secjuice is a not-for-profit publication that posts all kinds of articles about cybersecurity including CTF writeups, tutorials, methodologies and more.
- Tomnomnom‘s blog has three exceptional technical write-ups about cooking cake, cooking steak and debugging a bug in an extremely niche window manager. As it turns out, “medium sized” eggs vary in size quite significantly.
There are also some great blogs with more advanced security research content, you can see a few of them below!
- Detectify Labs posts an impressive amount of cybersecurity research.
- Portswigger Research also posts an impressive amount of cybersecurity research.
- Bishopfox Labs releases great research papers and tools.
Discord / Forums
Being a part of the community and finding people to bounce ideas off is sometimes really helpful! Here are a bunch of invites for hacking-related Discord servers.
- Bugcrowd Community Discord
- TryHackMe Discord
- The Cyber Mentor Discord
- 0x00sec Forum
- 0x00sec Discord
- InsiderPhD Discord
- Nahamsec Discord
- HackTheBox Discord
And so many more – you can use Discord’s “discover” feature to search for cybersecurity-related keywords.
Capture the Flag (CTF) Challenges
Capture the Flag (CTF) challenges are a popular way for beginners to learn hacking. These challenges are designed to simulate real-world hacking scenarios and allow participants to practice their skills in a safe and controlled environment. Here are some popular CTF platforms that beginners can use to start their hacking journey:
- HackTheBox: HackTheBox is a popular CTF platform that offers a wide range of challenges for beginners and advanced hackers. The challenges cover various topics, including web exploitation, cryptography, and reverse engineering.
- TryHackMe: TryHackMe is another popular CTF platform that offers a variety of challenges for beginners. The platform offers a gamified learning experience and provides virtual machines for participants to practice their hacking skills.
- VulnHub: VulnHub is a CTF platform that offers virtual machines with vulnerabilities that participants can exploit. The platform has a wide range of challenges, from beginner to advanced, and covers various topics, including web exploitation, cryptography, and reverse engineering.
- PicoCTF: PicoCTF is a CTF platform designed for beginners. The challenges cover various topics, including cryptography, web exploitation, and reverse engineering. The platform provides a gamified learning experience and offers tutorials and hints to help participants solve the challenges.
- OverTheWire: OverTheWire is a CTF platform that offers challenges related to system security and network security. The challenges cover various topics, including password cracking, network sniffing, and privilege escalation.
By using these CTF platforms, beginners can practice their hacking skills in a safe and controlled environment. These platforms provide a gamified learning experience and offer challenges that cover various topics related to hacking and cybersecurity.
Learning the Skills
Name | Description |
---|---|
CS 642: Intro to Computer Security | academic content, full semester course, includes assigned readings, homework and github refs for exploit examples. NO VIDEO LECTURES. |
CyberSec WTF | CyberSec WTF Web Hacking Challenges from Bounty write-ups |
Cybrary | coursera style website, lots of user-contributed content, account required, content can be filtered by experience level |
Free Cyber Security Training | Academic content, 8 full courses with videos from a quirky instructor sam, links to research, defcon materials and other recommended training/learning |
Hak5 | podcast-style videos covering various topics, has a forum, “metasploit-minute” video series could be useful |
Hopper’s Roppers Security Training | Four free self-paced courses on Computing Fundamentals, Security, Capture the Flags, and a Practical Skills Bootcamp that help beginners build a strong base of foundational knowledge. Designed to prepare for students for whatever they need to learn next. |
Learning Exploitation with Offensive Computer Security 2.0 | blog-style instruction, includes: slides, videos, homework, discussion. No login required. |
Mind Maps | Information Security related Mind Maps |
MIT OCW 6.858 Computer Systems Security | academic content, well organized, full-semester course, includes assigned readings, lectures, videos, required lab files. |
OffensiveComputerSecurity | academic content, full semester course including 27 lecture videos with slides and assign readings |
OWASP top 10 web security risks | free courseware, requires account |
SecurityTube | tube-styled content, “megaprimer” videos covering various topics, no readable content on site. |
Seed Labs | academic content, well organized, featuring lab videos, tasks, needed code files, and recommended readings |
TryHackMe | Designed prebuilt challenges which include virtual machines (VM) hosted in the cloud ready to be deployed |
Malware Analysis
Name | Description |
---|---|
Malware traffic analysis | list of traffic analysis exercises |
Malware Analysis – CSCI 4976 | another class from the folks at RPISEC, quality content |
[Bad Binaries] (https://www.badbinaries.com/) | walkthrough documents of malware traffic analysis exercises and some occasional malware analysis. |
Linux Penetration Testing OS
Name | Description |
---|---|
Kali | the infamous pentesting distro from the folks at Offensive Security |
Parrot | Debian includes full portable lab for security, DFIR, and development |
Android Tamer | Android Tamer is a Virtual / Live Platform for Android Security professionals. |
BlackArch | Arch Linux based pentesting distro, compatible with Arch installs |
LionSec Linux | pentesting OS based on Ubuntu |
Workshops/Playlists
Security Talks and Conferences
- InfoCon – Hacking Conference Archive
- Curated list of Security Talks and Videos
- Blackhat
- Defcon
- Security Tube
- Kevin Mitnick: Live Hack at CeBIT
- Ghost in the Cloud, Kevin Mitnick
- Kevin Mitnick | Talks at Google
- Complete Free Hacking Course: Go from Beginner to Expert Hacker Today
Sharpening Your Skills
Name | Description |
---|---|
Backdoor | pen testing labs that have a space for beginners, a practice arena and various competitions, account required |
The cryptopals crypto challenges | A bunch of CTF challenges, all focused on cryptography. |
Challenge Land | Ctf site with a twist, no simple sign-up, you have to solve a challengeto even get that far! |
Crackmes.de Archive (2011-2015) | a reverse engineering information Repo, started in 2003 |
Crackmes.one | This is a simple place where you can download crackmes to improve your reverse engineering skills. |
CTFLearn | an account-based ctf site, where users can go in and solve a range of challenges |
CTFs write-ups | a collection of writeups from various CTFs, organized by |
CTF365 | account based ctf site, awarded by Kaspersky, MIT, T-Mobile |
The enigma group | web application security training, account based, video tutorials |
Exploit exercises | hosts 5 fulnerable virtual machines for you to attack, no account required |
Google CTF | Source code of Google 2017, 2018 and 2019 CTF |
Google CTF 2019 | 2019 edition of the Google CTF contest |
Google’s XSS game | XSS challenges, and potentially a chance to get paid! |
Hack The Box | Pen testing labs hosting over 39 vulnerable machines with two additional added every month |
Hacker test | similar to “hackthissite”, no account required. |
Hacker Gateway | ctfs covering steganography, cryptography, and web challengs, account required |
Hacksplaining | a clickthrough security informational site, very good for beginners. |
hackburger.ee | hosts a number of web hacking challenges, account required |
Hack.me | lets you build/host/attack vulnerable web apps |
Hack this site! | an oldy but goodie, account required, users start at low levels and progress in difficulty |
knock.xss.moe | XSS challenges, account required. |
Lin.security | Practice your Linux privilege escalation |
noe.systems | Korean challenge site, requires an account |
Over the wire | A CTF that’s based on progressive levels for each lab, the users SSH in, no account recquired |
Participating Challenge Sites | aims at creating a universal ranking for CTF participants |
PentesterLab | hosts a variety of exercises as well as various “bootcamps” focused on specific activities |
Pentestit | acocunt based CTF site, users have to install open VPN and get credentials |
Pentest Practice | account based Pentest practice, free to sign up, but there’s also a pay-as-you-go feature |
Pentest.training | lots of various labs/VMS for you to try and hack, registry is optional. |
PicoCTF | CTF hosted by Carnegie Mellon, occurs yearly, account required. |
pwnable.kr | Don’t let the cartoon characters fool you, this is a serious CTF site that will teach you a lot, account required |
pwnable.tw | hosts 27 challenges accompanied with writeups, account required |
Ringzer0 Team | an account based CTF site, hosting over 272 challenges |
ROP Emporium | Return Oriented Programming challenges |
SmashTheStack | hosts various challenges, similar to OverTheWire, users must SSH into the machines and progress in levels |
Shellter Labs | account based infosec labs, they aim at making these activities social |
Solve Me | “yet another challenge”, account required. |
Vulnhub | site hosts a ton of different vulnerable Virtual Machine images, download and get hacking |
websec.fr | Focused on web challenges, registration is optional. |
tryhackme | Awesome platform to start learning cybersecurity, account is needed |
webhacking.kr | lots of web security challenges are available, recommended for beginners. You need to solve a simple challenge to sign up. |
Stereotyped Challenges | Challenges for web security professionals, account required. |
Stripe CTF 2.0 | Past security contest where you can discover and exploit vulnerabilities in mock web applications. |
Windows / Linux Local Privilege Escalation Workshop | Practice your Linux and Windows privilege escalation |
Hacking Articles | CTF Brief Write up collection with a lot of screenshots good for begginers |
Hacker101 CTF | CTF hosted by HackerOne, always online. You will receive invitations to some private programs on HackerOne platform as a reward. |
Hacking Lab | European platform hosting lots of riddles, challenges and competitions |
Portswigger | Best Platform inorder to learn Web Pentesting, account required |
Reverse Engineering, Buffer Overflow and Exploit Development
Name | Description |
---|---|
A Course on Intermediate Level Linux Exploitation | as the title says, this course isn’t for beginners |
Analysis and exploitation (unprivileged) | huge collection of RE information, organized by type. |
Binary hacking | 35 “no bullshit” binary videos along with other info |
Buffer Overflow Exploitation Megaprimer for Linux | Collection of Linux Rev. Engineering videos |
Corelan tutorials | detailed tutorial, lots of good information about memory |
Exploit tutorials | a series of 9 exploit tutorials,also features a podcast |
Exploit development | links to the forum’s exploit dev posts, quality and post style will vary with each poster |
flAWS challenge | Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). |
Introduction to ARM Assembly Basics | tons of tutorials from infosec pro Azeria, follow her on twitter |
Introductory Intel x86 | 63 days of OS class materials, 29 classes, 24 instructors, no account required |
Lena’s Reversing for Newbies (Complete) | listing of a lengthy resource by Lena, aimed at being a course |
Linux (x86) Exploit Development Series | blog post by sploitfun, has 3 different levels |
Megabeets journey into Radare2 | one user’s radare2 tutorials |
Modern Binary Exploitation – CSCI 4968 | RE challenges, you can download the files or download the VM created by RPISEC specifically for challenges, also links to their home page with tons of infosec lectures |
Recon.cx – reversing conference | the conference site contains recordings and slides of all talks!! |
Reverse Engineering for Beginners | huge textbook, created by Dennis Yurichev, open-source |
Reverse engineering reading list | a github collection of RE tools and books |
Reverse Engineering challenges | collection of challenges from the writer of RE for Beginners |
Reverse Engineering for beginners (GitHub project) | github for the above |
Reverse Engineering Malware 101 | intro course created by Malware Unicorn, complete with material and two VM’s |
Reverse Engineering Malware 102 | the sequel to RE101 |
reversing.kr challenges | reverse engineering challenges varying in difficulty |
Shell storm | Blog style collection with organized info about Rev. Engineering. |
Shellcode Injection | a blog entry from a grad student at SDS Labs |
Micro Corruption — Assembly | CTF designed to learn Assembly by practicing |
Privilege Escalation
Name | Description |
---|---|
4 Ways get linux privilege escalation | shows different examples of PE |
A GUIDE TO LINUX PRIVILEGE ESCALATION | Basics of Linux privilege escalation |
Abusing SUDO (Linux Privilege Escalation) | Abusing SUDO (Linux Privilege Escalation) |
AutoLocalPrivilegeEscalation | automated scripts that downloads and compiles from exploitdb |
Basic linux privilege escalation | basic linux exploitation, also covers Windows |
Common Windows Privilege Escalation Vectors | Common Windows Privilege Escalation Vectors |
Editing /etc/passwd File for Privilege Escalation | Editing /etc/passwd File for Privilege Escalation |
Linux Privilege Escalation | Linux Privilege Escalation – Tradecraft Security Weekly (Video) |
Linux Privilege Escalation Check Script | a simple linux PE check script |
Linux Privilege Escalation Scripts | a list of PE checking scripts, some may have already been covered |
Linux Privilege Escalation Using PATH Variable | Linux Privilege Escalation Using PATH Variable |
Linux Privilege Escalation using Misconfigured NFS | Linux Privilege Escalation using Misconfigured NFS |
Linux Privilege Escalation via Dynamically Linked Shared Object Library | How RPATH and Weak File Permissions can lead to a system compromise. |
Local Linux Enumeration & Privilege Escalation Cheatsheet | good resources that could be compiled into a script |
OSCP – Windows Priviledge Escalation | Common Windows Priviledge Escalation |
Privilege escalation for Windows and Linux | covers a couple different exploits for Windows and Linux |
Privilege escalation linux with live example | covers a couple common PE methods in linux |
Reach the root | discusses a process for linux privilege exploitation |
RootHelper | a tool that runs various enumeration scripts to check for privilege escalation |
Unix privesc checker | a script that checks for PE vulnerabilities on a system |
Windows exploits, mostly precompiled. | precompiled windows exploits, could be useful for reverse engineering too |
Windows Privilege Escalation | collection of wiki pages covering Windows Privilege escalation |
Windows Privilege Escalation | Notes on Windows Privilege Escalation |
Windows privilege escalation checker | a list of topics that link to pentestlab.blog, all related to windows privilege escalation |
Windows Privilege Escalation Fundamentals | collection of great info/tutorials, option to contribute to the creator through patreon, creator is an OSCP |
Windows Privilege Escalation Guide | Windows Privilege Escalation Guide |
Windows Privilege Escalation Methods for Pentesters | Windows Privilege Escalation Methods for Pentesters |
Malware Analysis
Name | Description |
---|---|
Malware traffic analysis | list of traffic analysis exercises |
Malware Analysis – CSCI 4976 | another class from the folks at RPISEC, quality content |
[Bad Binaries] (https://www.badbinaries.com/) | walkthrough documents of malware traffic analysis exercises and some occasional malware analysis. |
Network Scanning / Reconnaissance
Name | Description |
---|---|
Foot Printing with WhoIS/DNS records | a white paper from SANS |
Google Dorks/Google Hacking | list of commands for google hacks, unleash the power of the world’s biggest search engine |
Vulnerable Web Application
Name | Description |
---|---|
bWAPP | common buggy web app for hacking, great for beginners, lots of documentation |
Damn Small Vulnerable Web | written in less than 100 lines of code, this web app has tons of vulns, great for teaching |
Damn Vulnerable Web Application (DVWA) | PHP/MySQL web app for testing skills and tools |
Google Gruyere | host of challenges on this cheesy web app |
OWASP Broken Web Applications Project | hosts a collection of broken web apps |
OWASP Hackademic Challenges project | web hacking challenges |
OWASP Mutillidae II | another OWASP vulnerable app, lots of documentation. |
OWASP Juice Shop | covers the OWASP top 10 vulns |
WebGoat: A deliberately insecure Web Application | maintained by OWASP and designed to to teach web app security |
Vulnerable OS
Name | Description |
---|---|
General Test Environment Guidance | white paper from the pros at rapid7 |
Metasploitable2 (Linux) | vulnerable OS, great for practicing hacking |
Metasploitable3 [Installation] | the third installation of this vulnerable OS |
Vulnhub | collection of tons of different vulnerable OS and challenges |
Linux Penetration Testing OS
Name | Description |
---|---|
Android Tamer | Android Tamer is a Virtual / Live Platform for Android Security professionals. |
BackBox | open source community project, promoting security in IT enivornments |
BlackArch | Arch Linux based pentesting distro, compatible with Arch installs |
Bugtraq | advanced GNU Linux pen-testing technology |
Docker for pentest | Image with the more used tools to create a pentest environment easily and quickly. |
Kali | the infamous pentesting distro from the folks at Offensive Security |
LionSec Linux | pentesting OS based on Ubuntu |
Parrot | Debian includes full portable lab for security, DFIR, and development |
Pentoo | pentesting OS based on Gentoo |
Exploits
Name | Description |
---|---|
0day.today | Easy to navigate database of exploits |
Exploit Database | database of a wide variety exploits, CVE compliant archive |
CXsecurity | Indie cybersecurity info managed by 1 person |
Snyk Vulnerability DB | detailed info and remediation guidance for known vulns, also allows you to test your code |
Forums
Name | Description |
---|---|
0x00sec | hacker, malware, computer engineering, Reverse engineering |
Antichat | russian based forum |
CODEBY.NET | hacker, WAPT, malware, computer engineering, Reverse engineering, forensics – russian based forum |
EAST Exploit database | exploit DB for commercial exploits written for EAST Pentest Framework |
Greysec | hacking and security forum |
Hackforums | posting webstite for hacks/exploits/various discussion |
4Hat Day | brazilian based hacker forum |
CaveiraTech | brazilian based, general hacker forum |
Archived Security Conference Videos
Name | Description |
---|---|
InfoCon.org | hosts data from hundreds of cons |
Irongeek | Website of Adrien Crenshaw, hosts a ton of info. |
infocondb.org | a site that aims to catalog and cross-reference all hacker conferences. |
Online Communities
Name | Description |
---|---|
Hacktoday | requires an account, covering all kinds of hacking topics |
Hack+ | link requires telegram to be used |
MPGH | community of MultiPlayerGameHacking |
Online News Sources
Name | Description |
---|---|
InfoSec | covers all the latest infosec topics |
Recent Hash Leaks | great place to lookup hashes |
Security Intell | covers all kinds of news, great intelligence resources |
Threatpost | covers all the latest threats and breaches |
Secjuice | |
The Hacker News | features a daily stream of hack news, also has an app |
NOTE:
All references taken from Internet and shared on internet xD Thanks to those who shared their opinion before that helped me learn 😉 if you have any questions, please ask in the comments. If you know about any good resource for beginners, please share it here.
Conclusion
In conclusion, learning hacking can be a challenging task, but it is also a rewarding experience. As a beginner, there are many resources available online that can help you get started on your hacking journey. In this blog post, we have discussed some of the most popular resources for beginners to learn hacking, including online courses, CTF challenges, and online forums. By using these resources, beginners can gain a better understanding of the tools and techniques used in hacking, and practice their skills in a safe and controlled environment. As with any new skill, it takes time, patience, and dedication to become proficient in hacking, but with the right resources and a willingness to learn, anyone can become a successful hacker.