Ask HN: What are the best resources for learning security and pen testing? - relaunched
======
LiveOverflow
I create highly technical videos about various topics of IT security. Many of
my videos are walk-throughs of CTF challenges explaining my thought process. I
think this playlist could be interesting:
[https://www.youtube.com/playlist?list=PLhixgUqwRTjywPzsTYz28...](https://www.youtube.com/playlist?list=PLhixgUqwRTjywPzsTYz28I-qezFOSaUYz)

I have also recently started a series on Pwn Adventure 3, where we are hacking
a game and I explain my process:
[https://www.youtube.com/playlist?list=PLhixgUqwRTjzzBeFSHXrw...](https://www.youtube.com/playlist?list=PLhixgUqwRTjzzBeFSHXrw9DnQtssdAwgG)

Besides that, I can also really recommend livestreams/screenshares from the
following creators. To me, seeing how somebody really does it and where they
struggle, really really helped me break through a wall I was hitting:

\+ ippsec:
[https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)

\+ John Hammond:
[https://www.youtube.com/user/RootOfTheNull](https://www.youtube.com/user/RootOfTheNull)

\+ Gynvael EN:
[https://www.youtube.com/user/GynvaelEN](https://www.youtube.com/user/GynvaelEN)

\+ Derek Rook:
[https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA](https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA)

\+ ...

~~~
MoomDog
I really appreciate your videos.. I'm an early early beginner, regardless
though the videos and how you construct them is really entertaining and
informative. Keep it up. <3

------
strictnein
If you like watching videos and following along:

Free: [https://www.cybrary.it/](https://www.cybrary.it/)

Cheap: [https://www.pluralsight.com/](https://www.pluralsight.com/)

The entry level cert in this area is the CEH. It's kind of looked down upon,
like a lot of entry level certs are, but studying/working towards that isn't a
bad thing.

Books:

\- Practical:

The Web Application Hacker's Handbook 2nd Edition - Gives a very good overview
and is a good place to start.

The Hacker Playbook 3: Practical Guide To Penetration Testing - #3 just came
out. Haven't gone through my copy yet, but I've heard good things.

RTFM - Red Team Field Manual - Nice to have, quick reference guide

BTFM - Blue Team Field Manual - Like the above, but for the good guys ;)

\- Covering the bigger picture, if you're curious (geopolitical):

The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in
the Digital Age

The Red Web: The Struggle Between Russia's Digital Dictators and the New
Online Revolutionaries

Dark Territory: The Secret History of Cyber War

Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage

~~~
MaxBarraclough
> It's kind of looked down upon, like a lot of entry level certs are

Well, it's an entry level cert, as you say. Passing CEH doesn't mean someone
knows what they're doing.

Is there an alternative entry-level qualification that evokes fewer frowns?

~~~
fybe
CISSP is a bit harder but still entry level and has more credibility

~~~
morrbo
But still gets looked down on. It's a running joke in pretty much everywhere
I've worked that if you see someone with CEH and/or CISSP in their email
signature - like a badge of honour - that you know you're going to be in for a
real tough time.

~~~
MaxBarraclough
Well sure. That's like the old joke from Red Dwarf: _Arnold J Rimmer, BSC_.
The BSC stood for Bronze Swimming Certificate.

That's not a problem with the certificate, it's a problem with people
confusing it for an advanced qualification.

------
arkadiyt
There's no standard path in information security, most schools don't offer
information security degrees and many extremely successful people in security
didn't come from a CS background at all.

Some general recommendations:

\- follow smart security people on Twitter, which is the de facto medium for
information security discussion

\- read publicly disclosed bug bounty reports on Hackerone and Bugcrowd

\- read The Tangled Web by Michal Zalewski

\- learn to use Burp Suite

~~~
strictnein
> \- learn to use Burp Suite

Burp Suite is an awesome tool for devs as well. The Repeater tool is better
for messing with API calls than any of the browser dev tools, imo.

For people finding the proxy setup stuff annoying: install Foxyproxy in
Firefox and it makes your life really simple.

~~~
andromedavision
How about for proxy servers in headless browsers; what do you recommend? Any
experience with how public and premium proxies vis-a-vis uptime and
reliability compare?

~~~
strictnein
Sorry, no experience with that.

------
paddlepop
I highly recommend pentesterlab.com. The Web for Pentester course is a great
intro for first timers if you read the PDF and play with the VM

When training newbies I will start with this and get them to play around with
google-gruyere.appspot.com.

These are only relevant for web app testing, I haven't been able to find a
suitable free resource for network testing but for paid resources OSCP is a
great practice course if not pretty challenging for first timers

------
indigochill
Plenty of good suggestions here already. Some I've not seen mentioned yet:

Books:

Hacking, 2nd edition (some specifics are out of date, but it teaches hacking
by teaching how the relevant pieces of a computer work which is still
valuable)

Anything else from
[https://nostarch.com/catalog/security](https://nostarch.com/catalog/security)
that looks relevant to your specific interests

Hands-on practice:

OverTheWire:
[http://overthewire.org/wargames/](http://overthewire.org/wargames/) (wargames
to ease you into things)

WeChall: [https://www.wechall.net/](https://www.wechall.net/) (challenge site
directory that'll help you pick challenge sites based on your topic of
interest)

+Ma's Reversing: [http://3564020356.org/](http://3564020356.org/) (old reverse
engineering site/community - mostly dead as far as I know but the puzzles will
still challenge you and the old articles you can unlock make it a bit of a
hacking museum)

CTF Time: [https://ctftime.org/](https://ctftime.org/) (A directory/calendar
of tons of CTFs you can play in)

Pwn Adventure: [http://www.pwnadventure.com/](http://www.pwnadventure.com/) (A
vulnerable MMO server/client designed to demonstrate common game
vulnerabilities)

VulnHub: [https://www.vulnhub.com/](https://www.vulnhub.com/) (A repository of
deliberately vulnerable VMs you can host and attack in your security lab)

------
mansilladev
I find that talking to folks in the trenches is incredibly useful. If you’re
already at a company that has a security team, or even a small company that
has folks that deal with infra/app security and/or incidents, you can learn a
boatload directly from the practitioners on the line. Even better if there’s a chat
room that you can be a fly on the wall in.

When I worked at Mashery (a SaaS API management company) we were the front end
for the APIs of hundreds of companies around the world, handling billions of
API calls for the likes of Comcast, Best Buy, Starbucks, Macy’s, etc. During
my time there, I learned a god awful amount about ops, scaling, and security,
simply by sticking my head in whenever I detected chaos going down.

Some comments mentioned tools like Metasploit, or reading up on the OWASP 10.
Yup and yup. Plus, there are other tools to add to your belt that I find
indispensable: Charles Proxy (install a MITM to watch web traffic), nmap
(discover all the services running on a network)

------
jdeca568
As mentioned several times already, OWASP has very interesting stuff, it's
more web application oriented though.
([https://www.owasp.org](https://www.owasp.org))

WebGoat is a good way to put things in practice locally.
([https://github.com/WebGoat/WebGoat](https://github.com/WebGoat/WebGoat))

The project ZAP is a really great tool to help you in the process.
([https://www.zaproxy.org](https://www.zaproxy.org))

Outside the web sphere, exploit database is a great site with a bunch of
exploit code, explanation and papers.
([https://www.exploit-db.com](https://www.exploit-db.com))

The tool suite in Kali Linux is also very good if you don't mind reading the
documentation and trying to understand the goal of the tools.
([https://www.kali.org](https://www.kali.org))

Kali NetHunter lets you practice from Android.
([https://github.com/offensive-security/kali-nethunter](https://github.com/offensive-security/kali-nethunter))

Security is such a wide domain that you can quickly get flooded. I don't think
the ultimate step-by-step learning guide exists.

Once you've learned and practiced a bit, if you don't give up too soon, you
will get the point and understand how deep you need to go into a protocol or a
system to actually do something yourself (then this is not about security
documentation anymore, but about understanding how the target works, and how
you can make it work the way you want).

I would say that you need to focus on some targets first, and expand the scope
over time depending on your needs/interests.

------
s14ve
CTFs: [https://github.com/apsdehal/awesome-ctf](https://github.com/apsdehal/awesome-ctf) especially
[https://www.hackthebox.eu/](https://www.hackthebox.eu/)

In case you want a cert: skip CEH, get some basic knowledge and go OSCP

Daily resources:

* [https://www.reddit.com/r/netsec/](https://www.reddit.com/r/netsec/)

* [https://www.hackerone.com/zerodaily](https://www.hackerone.com/zerodaily)

* [https://hackerone.com/hacktivity](https://hackerone.com/hacktivity)

For lightweight learning by watching after work, check out LiveOverflow:
[https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w)

~~~
LiveOverflow
thank you for sharing my channel <3

I would also like to highlight the following other creators. For me seeing the
process of others has been a lot more fruitful than just following text
tutorials:

\+ ippsec:
[https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)

\+ John Hammond:
[https://www.youtube.com/user/RootOfTheNull](https://www.youtube.com/user/RootOfTheNull)

\+ Gynvael EN:
[https://www.youtube.com/user/GynvaelEN](https://www.youtube.com/user/GynvaelEN)

\+ Derek Rook:
[https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA](https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA)

\+ ...

~~~
s14ve
Wow, thanks for sharing and for your hard work on your channel!

I recommend it to everyone who is even remotely interested in security as your
videos provide really valuable knowledge which is very easy to digest at the
same time.

Thank you and keep it up please!:)

------
myself248
If your goal is to land a job with the skills you acquire, you'll need more
than just solid basic skills. It would be helpful to keep abreast of new
developments, where there might not necessarily be a lot of training material
yet.

One way to keep up on what's new, is to watch the talks posted by security
conferences. Speakers generally submit their freshest work, and are often
playing their own game of resume-enhancement by getting their name associated
with hot topics. So pay attention to not just the topics, but also the
vocabulary around them...

A lot of the newest-fanciest research won't necessarily be within your grasp
as a neophyte, but some of it will, and some of it will inform your direction
and focus as you work your way up.

And some of it will suggest entirely new avenues, disciplines, and modes of
thinking.

------
taurusismysign
This should help - [https://www.zaproxy.org/](https://www.zaproxy.org/)

------
jquast
[https://www.pearson.com/us/higher-education/program/Dowd-Art...](https://www.pearson.com/us/higher-education/program/Dowd-Art-of-Software-Security-Assessment-The-Identifying-and-Preventing-Software-Vulnerabilities/PGM306255.html)

------
runjake
OffSec's course is both very well-respected and very in-depth.

[https://www.offensive-security.com/information-security-trai...](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/)

The price isn't bad, either.

------
WhiteSource1
Resources I like:

DDoS BootCamp: [https://www.ddosbootcamp.com/](https://www.ddosbootcamp.com/)

InfoSec Industry:
[https://www.infosecinstitute.com/topics/information-security...](https://www.infosecinstitute.com/topics/information-security-training/)

Learning Tree (might have free access through your local library):
[https://www.learningtree.com/training-directory/cyber-securi...](https://www.learningtree.com/training-directory/cyber-security-training/)

and several courses available on Coursera:
[https://www.coursera.org/learn/it-security](https://www.coursera.org/learn/it-security)

------
throwaway000021
This is a good intro to pen testing:
[https://www.sgsgroup.com.hk/en/news/2014/02/general-requirem...](https://www.sgsgroup.com.hk/en/news/2014/02/general-requirements-and-test-methods-for-pen)

------
loteck
This often goes overlooked on a forum full of coders, but not everyone who
reads HN or wants into infosec is proficient with a major scripting language.

I'd bet being solid in python/bash/powershell would come in handy, and that
having no skills in any of them may be a dealbreaker.

~~~
deaps
Highly recommend python or perl myself - and obviously know how to use bash as
well.

One related suggestion: _Do not_ become reliant on third party modules/add-ins
(other than the standard library stuff) - at least when learning. Really learn
how it works.

------
lewsire
[http://www.securitytube.net/](http://www.securitytube.net/)
[https://www.pentesteracademy.com/](https://www.pentesteracademy.com/) ...
both run by same company

------
Liblor
Resources I like that haven't been mentioned yet:

Offensive Computer Security (used to be a class at FSU):
[http://hackallthethings.com/ocs.php](http://hackallthethings.com/ocs.php)

[https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/le...](https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html)
(2014 version)

Opensecuritytraining (various stuff on different topics):
[http://opensecuritytraining.info/Welcome.html](http://opensecuritytraining.info/Welcome.html)

------
Mandatum
No-bullshit, basics of hacking guide often referenced as preparation material
for the OSCP exam.

[https://nostarch.com/pentesting](https://nostarch.com/pentesting)

/r/netsec

netsecfocus.com - chat community, super active

------
mattr3
This Medium article provides a comprehensive overview
[https://hackernoon.com/how-to-become-a-hacker-e0530a355cad](https://hackernoon.com/how-to-become-a-hacker-e0530a355cad)

Books

~~~
mattr3
Author maintains a GoodReads page
[https://www.goodreads.com/user/show/57131835-andrew-douma](https://www.goodreads.com/user/show/57131835-andrew-douma)

------
thorin
How about these courses:
[https://www.edx.org/micromasters/ritx-cybersecurity](https://www.edx.org/micromasters/ritx-cybersecurity)
it's free if you don't want the certificate and Johnathan S Weissman is an
amusing and informative geek.

I've only done the foundation so far, but as a long time developer I've
already learnt a few things

------
dogma1138
AskNetsec on reddit.

OWASP find your local chapter and go to meetings.

YouTube, and pentesterlab (even the free ones are better than most (even all)
other paid resources).

------
k4ch0w
Learn the OWASP top 10

Use vulnerable VM's and practice like Metasploitable and
[https://github.com/SecGen/SecGen](https://github.com/SecGen/SecGen)

Get the OSCP

I also highly recommend being good at some programming. This is for source
code review and quick scripts/exploit development.

~~~
strictnein
> Get the OSCP

I mean, sure, yeah, that's great, but that's not an easy task.

------
Athaman
The university of NSW (respected Australian uni) is putting up a bunch of
materials from their Masters in Cyber Security. It's going up slower than
expected but the lecturer is engaging and the first subject to roll out covers
a lot of good philosophy of security type subjects.

Find it at sec.edu.au/moocs

------
longnow
This ‘awesome list’ is a great list of curated security resources.
[https://github.com/sbilly/awesome-security/blob/master/READM...](https://github.com/sbilly/awesome-security/blob/master/README.md)

------
kayge
For getting started in web security, the Hacker101 series by HackerOne is a
great — and free — place to start. And I believe they are currently adding new
content every month.

[https://www.hacker101.com/](https://www.hacker101.com/)

------
sakshyamshah
recommended way,

1\. learn operating system internals, start using Linux

2\. learn computer networking. TCP/IP, OSI layer and network protocols like
TCP, UDP, HTTP

3\. learn about software programs and Web application architecture

4\. start following up security related resource like books, videos, courses
(OSCP is great).

\- Pick one programming language along the way and try scripting programs
while learning.

\- you need not master every topic but knowledge of how and why everything
works the way it works increases your expertise as security practitioner

\- since there are many public bug bounty programs these days, legally testing
out stuffs to hone your knowledge has never been easy. plus you get paid.

------
runningmike
[http://security-and-privacy-reference-architecture.readthedo...](http://security-and-privacy-reference-architecture.readthedocs.io/en/latest/)
with only open resources

------
yobananaboy
I'm going through HackTheBox to prepare for taking the OSCP course.
[https://www.hackthebox.eu/](https://www.hackthebox.eu/)

------
jonahx
Surprised I didn't see the Matasano security challenges mentioned yet:

[https://cryptopals.com/](https://cryptopals.com/)

------
DyslexicAtheist
for learning security I'd start with this book:

Security Engineering — The Book
[https://www.cl.cam.ac.uk/~rja14/book.html](https://www.cl.cam.ac.uk/~rja14/book.html)

------
xrayzerone
Follow anyone from SpecterOps and the content they put out.

------
lainon
r/netsec

