A while back, a Twitter user asked us the following question:
I have a friend who is looking into ethical hacking. She is also a broke college student, so do you know of any free or affordable resources she can use?
Ethical hackers use their knowledge of vulnerabilities to help defend against criminals, hacktivists, and nation-state attackers (and sometimes, mischievous pranksters). They need a solid background in writing software, designing networks, navigating operating systems, and interpreting network protocols. But beyond that, they'll need resources to stay on top of current attacks, learn how to use common tools, and build a network of like-minded peers. Even the best of us can't do it alone!
Unlike criminals who attack systems and networks without consent, ethical hackers must find opportunities to practice and enhance their skills in safe environments. For some, that means setting up a home or shared lab environment with vulnerable networks, servers, and workstations. But such a lab can be expensive to build and time-consuming to maintain. Fortunately, there are a plethora of resources available to the aspiring ethical hacker!
We’ll break this into two parts: learning the basic skill set and staying current.
Start here: Learning the basic skill set
Capture the Flag exercises can be self-paced, downloadable vulnerable environments, or competitive online events in which you are expected to attack and/or defend vulnerable systems. Some are made to be frustrating, which is probably not what you want. Others are great for beginners, and some give you enough to build confidence while stretching your skills a bit. But, most importantly, they are safe environments to build your skills! Here are a few of my favorites:
- Plaid CTF: A great starter that you can play right now, in your spare time. Go do it!
- Hack.Lu CTF: A good mix of fun and challenging. The old ones are also available online, so go do it!
- CSAW: Only the qualifications round is playable online, but it's definitely worth your time for a diverse set of challenges.
- CCDC: College students defend a realistic enterprise network from skilled attackers. This'll be the only time in your life when you'll be able to talk to someone who spent the last two days hacking your network to understand what you could have done better. And if you place, you can expect to get competitive job offers.
An important note about CTFs in general: You'll sometimes find yourself stuck, exhausted, and frustrated. That's expected. Take good notes, take a break, then come back in a few weeks when teams have started doing write-ups. (Watch CTFTime for writeups.) Those writeups will often walk you through the thought process, tools, and attacks used by more advanced teams to succeed. Use CTF writeups to grow and learn! (Otherwise, frankly, what's the point?)
Personally, I like books that give lots of hands-on examples and labs, since that's my learning style. I also tend to focus on Windows-based attacks, since that's where my interest (and, frankly, the demand) lies. On a budget? Check your local library to see if they've got any in stock, if they can borrow a copy, or if they subscribe to an ebook service. My favorites are:
- Metasploit: The Penetration Tester's Guide: I will admit my bias. Several Metasploit contributors worked on this one, and it's an excellent overview of penetration testing with a number of real-world examples showing Metasploit in action.
- Rootkits: Subverting the Windows Kernel: This book is an old one, but it has aged well. The book is a very hands-on walk-through of building Windows kernel-mode rootkits, step-by-step. While this won't work with modern versions of Windows, you'll need to understand this stuff before you can progress.
- Reversing: Secrets of Reverse Engineering: If you learn best by reading a textbook, this is the one for you. This book starts with the basics of assembly language and CPU architecture, then delves into Windows internals and examples of how to circumvent software-based security protections.
- Practical Malware Analysis: A more practical and hands-on companion to the Reversing book (above). It opens with a quick review of assembly fundamentals and debugging before diving into recognizing compiler patterns in assembly, how malware hides itself, and how malware protects itself from being analyzed. I love that this book covers several major debuggers: IDA Pro, OllyDbg, and WinDbg.
- Gray Hat Python: One of my favorite books. It walks through several Windows basics that give you an in-depth understanding of debuggers, DLL injection, and fuzzing, along with the ability to automate common tools.
- Bulletproof SSL and TLS: A fantastic all-around review of the internals of a protocol that so many services depend on for their security, starting with an in-depth look at the TLS handshake and moving through a number of real-world TLS attacks, coding mistakes, and recent improvements like HSTS.
Once you've got some skills under your belt, you'll need to stay on top of current attacks and new tools. Here's how members of our Metasploit development team stay current:
As an avid Reddit lurker, I find it a good way to keep up with specific areas of InfoSec. The following is a list of subreddits that I would consider following, from active subreddits I consider an absolute must to less-populated and focused subreddits:
- /r/netsec - If you only pick one, this is it. Good submissions, decent discussion, and a quarterly "hiring" thread that you should absolutely check out.
There are also a handful of lower-traffic groups that are more focused, depending on your interests: /r/reverseEngineering, /r/Malware, /r/Metasploit, /r/blackhat, /r/cyberlaws, /r/computerforensics, /r/AskNetsec, /r/securityCTF, /r/vrd, /r/lowlevel, /r/rootkit
Blogs and news feeds
You'll build your own list of sources over time, but here's a good start.
- Krebs on Security: Brian Krebs is an investigative journalist who does an amazing job covering data breaches and other real-world attacks. Seriously top-notch.
- Schneier on Security: A cryptographic expert's diverse feed of security-related news (also, squids). Be sure to read the comments sections of his posts; there's often a good discussion.
- The Electronic Frontier Foundation continually watches for the legal and ethical implications of electronic privacy and cybersecurity law.
- Cisco Talos: Excellent technical analysis of vulnerabilities and malware that the Talos team discovers in the wild.
- Hacker News: Not infosec-focused, but still a good way to keep a pulse on technical news, tools, and blogs.
There are tons of YouTube and other videos out there with tutorials on ethical hacking, but the quality and relevance of the content varies hugely. This is another place where I (and the team) will admit bias, but Metasploit contributor Rob Fuller's Metasploit Minute series is one reliable, high-quality source of information. Rob (@mubix) not only knows pen testing inside-and-out, he invests a lot of energy in giving back to folks who are learning.
I'm not big on Twitter myself, but I hear from reliable people that it's a great resource for real-time conversations and curating lists of knowledgeable folks with specialized (or not!) interests. The best way to go about this is simply to dive into the wormhole: Find some security researchers or practitioners who seem interesting, see who they follow and talk to, rinse and repeat. Check out the lists fellow infosec folks have made for themselves, too; many people create general "Security" or more narrowly-focused lists of people whose content they find valuable.
Twitter's also a good resource during big infosec events—and events in this context can mean both conferences (search for your favorite con's hashtag to see who's sharing good info, what's getting attention, etc.) and "events" like malware campaigns or publication of high-profile vulns. Twitter conversation around celebrity vulnerabilities—not to mention campaigns like WannaCry or Not-Petya with lots of media coverage—can get noisy, but they're also good opportunities to see where the security community agrees and disagrees on analysis, exploitation, and defense strategy.
There are some staple conferences and some lesser-known ones. Find what works for you. Do you prefer small conferences where you can form relationships, or big conferences with high-profile talks? (Personally, I'm in it for the small ones.) Here's my list:
- DerbyCon: One of my favorites. It's a small, family-friendly community that's genuinely interested in helping new folks launch their careers.
- ShmooCon: Another small conference in the Washington, DC area. There are a lot of recruiters there, so if you're looking for a job, it's a good place to be. Also, the wireless CTF is a blast!
- DefCon: It's the single most-popular infosec conference. It's overwhelming and not everyone's thing, but you should check it out at least once.
- Black Hat: Too expensive for a college student, but if you find a job that's willing to pay, go and get the training!
- BSidesLV: A smaller conference that occurs during Black Hat, which is a great intro for college students. If you're paying out of your own pocket, skip Black Hat and go here.
- Your local BSides: Watch the cities around you for these. You might learn a few things, but the talks can be hit-or-miss. But they're generally super cheap (like $20, often including a meal) and an amazing way to network with peers nearby. Just Google for "[major nearby city name] BSides".
Whew! That should keep you busy for a bit, but please, if we missed anything, or if you want to chime in with your own favorite resources, let us know below! Happy hacking!