Jan 1, 2016

5 Best Hacking Books of 2016

I have listed a few of the best hacking and penetration testing books (PDF) recommended by expert hackers, especially for beginners. Each listed book is among the best on its topic, but which one suits you depends on what exactly you want to learn, because InfoSec is a massive field.


The Hacker Playbook: Practical guide to Pentesting

The Hacker Playbook is written by a security professional. It is highly informative for newbies, guiding you with practical methods, hands-on examples and helpful advice from the top of the field. It is for those who have a strong interest in pentesting, as it doesn't require any prior knowledge of hacking. If you're a beginner thinking of getting started, then GO FOR IT!

Ethical Hacking and Penetration Testing Guide

Ethical Hacking & Penetration Testing Guide is written by Pakistani prodigy hacker Rafay Baloch. It's a step-by-step guide that empowers you to prevent threats. Readers will learn how to interpret the tools and how to perform pentesting with tools like fender Rootkit, Netcat, Fast Track Autopwn, Metasploit, Nessus, Nmap, Google Reconnaissance and Backtrack.

Black Hat Python: Python Programming for Hackers and Pentesters

Black Hat Python is one of the best books because, when it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. But just how does the magic happen? You'll explore the darker side of Python's capabilities: writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and much more.

Web Application Hacker's Handbook

Web Application Hacker's Handbook focuses on finding and exploiting security flaws in web apps. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. It consists of 912 pages of guidance and techniques on web app hacking.

Hacking Exposed Web Applications

Hacking Exposed Web Applications is a very informative book which explores in full detail the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster. You will learn advanced web pentesting techniques, including the most devastating methods used in today's hacks. It also covers a vast section on web networking and discovering vulnerabilities.

Jun 19, 2015

8 Best Kali Linux Books

Kali Linux is an extremely advanced pentesting platform designed to make the work of hackers and security experts easier. For a beginner it might be a little difficult to grasp for lack of a proper guide and training, but you can easily learn from books available online. I have listed a few of the best Kali Linux books (PDF) for beginners as well as experts.


Penetration Testing with Kali Linux Books

Kali is very popular among hackers because of its environment. It has hundreds of hacking, pentesting and forensics tools which allow us to gather information, find vulnerabilities and create exploits. It can be used as a destroyer as well as a creator; that depends on you. But to perform such awesome actions, one needs great hacking skill.

To become an expert hacker you must strive to improve your pentesting skills with Kali by learning new things daily, and believe me, books have the potential to make you a master even if you are a newbie. All you need is basic programming knowledge.


Basic Security Testing with Kali Linux

This is the perfect book for beginners to get started because it begins with the starting points, like Introduction & Overview, and later covers topics such as Metasploit, exploiting Windows & Linux systems, social engineering, password attacks, etc. The author explains in simple words, with images, which makes it easier to understand even for a layman. The primary concern of this book is pentesting for security.

It focuses more on how an attacker can find and exploit weaknesses in a system, e.g. how to discover a vulnerability in a system which could be exploited by a malicious hacker, and that is the most essential skill.


Mastering Kali Linux for Advanced Penetration Testing

This is for those who want to become a master, because it's the most advanced Kali Linux book ever written. The initial part covers common security testing methods, and the middle section focuses on exploitation and post-exploitation methods. It also covers bypassing physical security, social engineering, web services and attacking network end users directly. The reader will also learn about network exploits and security.

It follows a hacker methodology with all the practical knowledge needed to test your security. If you're stepping into the IT security field or appearing for a pentesting exam, you probably shouldn't miss it.


Web Penetration Testing with Kali Linux

The Internet, also known as the Web, is another major part of today's technology, and with this level of advancement, security and privacy concerns rise. This book is completely dedicated to web pentesting, covering a wide range of lessons on SQL injection, XSS, exploiting server flaws, authentication & hijacking techniques, etc. It teaches you how to find vulnerabilities in web apps and sites using the most effective tools available to web penetration testers.

Apart from testing, it also educates its reader on securing the Web and its components, such as patching flaws and preventing malicious exploitation. On top of that, it also shows how to write and create reports in a professional manner.


Kali Linux: Wireless Penetration Testing Beginner's Guide

Do you want to hack your neighbour's Wi-Fi password but don't know how to? Well, this book is dedicated to wireless hacking & pentesting for freshers. It will teach you how to create a WLAN lab and experiment with pentesting, such as bypassing WLAN authentication, encryption flaws and attacking clients, with in-depth tutorials.

It follows a pentester's methodology and focuses on advanced wireless attacks, from sniffing to capturing WPA-2 keys. It also explores the ins and outs of wireless technologies, which is a very exciting part.


Which book is best for you?

It's normal to get confused while choosing the most appropriate book for yourself, because you may not have the slightest idea which could be most useful for you. My advice is to first recognize your interest and buy according to your status (Newbie, Intermediate or Expert). For instance, if you're interested in wireless hacking but you're a fresher, then you should go for the fourth one.

Intermediate Level

If you are already aware of the basics, you can go for medium-level books.


Security Professionals

I'm very fond of InfoSec professionalism myself; sometimes people refer to it as expert level.


Reading isn't enough, Practice is necessary

It would be unwise to think that reading alone is enough to become an expert... NO! Training is vital. The more you practice, the more experience and knowledge you'll gain. Do not just read and memorize the tutorials; instead, understand them completely and then do it on your own in a pentesting lab which is safe and beginner friendly.

First read, then understand and then perform.

Mar 11, 2015

An Interview with Rafay Baloch - (Famous Ethical Hacker)

I have interviewed one of the world's top ethical hackers, Rafay Baloch, a very passionate security geek and pentester. Let's see how he began his hacking career and became a world-famous security researcher. He also has a lot of advice for your career.

Who is Rafay Baloch?

Rafay Baloch is a Pakistani security researcher, founder of the popular blog RHA and author of the Ethical Hacking and Penetration Testing Guide paper-book. Rafay has received countless bug bounties from tech giants like Facebook, Google, PayPal, etc. His most famous finding is a remote code execution in PayPal worth $10,000 USD. That's not all: he is also listed on many security disclosure pages.

1. How did you get fascinated towards hacking?

7 years back, I downloaded a tool which claimed to hack an Orkut account, and at that time Orkut was at the top of the list of famous social networks; the tool which I was curious about turned out to be a virus which was designed to steal information. Weird things started to happen to my computer. Eventually, after lots of googling, I figured it out and managed to clean the infection successfully.

This, however, made me curious about how the little program could actually have worked beyond the curtains. This alone was my starting point, and from that morning onwards I dedicated every step of my career to information security.

2. Where did you learn so many things?

I have dedicated almost seven years into this field and I am still learning more and more every single day. Learning never stops. The most essential thing you would need to have for learning is patience and dedication; these combined lead to heights of excellence. I haven't done any courses especially in terms of information security.

I have self-explored most of the things and I am still doing it with my learning passion. With regards to the learning part, I was lucky to get great mentors such as David Vieria, Giuseppe, Alex and File Descriptor, to name a few, and a list of great friends such as Prakhar Prasad and Deepankar who helped me with my learning.

3. Why are you inactive in bug bounty programs?

The reason is that I lost interest. Money was never a problem, alhamdulillah, but I felt like I was not learning anything new with it, so I moved towards security research, especially with Android. I think security research is more challenging than bug bounty; we as security researchers invent techniques which pentesters use.

4. What is your advice to beginners in Hacking?

My advice, first of all, is to be ethical and not to compromise your integrity. A hammer could be used to build something and it could be used to destroy something. My personal integrity is to bring positive change in this world. Secondly, with regards to learning, I would recommend everyone to focus more on web application security instead of networks and other layers, due to the fact that the attacks have moved towards web applications and there is a huge playground and potential for bug bounties.

If you are into Blackbox testing, before you even start your first test, you should interact with the application and see how it works and start identifying all the inputs and start manipulating them against well known bugs. To be a better penetration tester, you need to be good at finding logical bugs, which you can only find given that you understand how the application really works.

5. Tell us about your book Ethical Hacking and Penetration Testing Guide

The book was published in 2014. It is completely dedicated to beginners; the idea behind the book is that offense is the best defense. I have received mixed reviews. While people have really liked the contents of the book, there have been people who have complained about the grammar specifically and have criticized the editor.

I appreciate your time for this interview, Rafay. Would you like to say anything else?

My pleasure, thank you very much. The last message I would like to give is: never get demotivated by your failures, turn your weaknesses into your strength and follow your passion.

Dec 8, 2014

Important Programming languages for Hackers

Every application or site you use is programmed in a particular computer language, also known as a programming language, and people such as hackers try to hack it. But to break anything, you first need to understand it and then exploit its weakness. The same applies in hacking: to actually hack anything, you first have to understand the target application, and that understanding requires knowledge of programming languages.

Which programming languages are required for hackers?

There are lots of computer languages, but only a few are required for hacking purposes, because in most cases it depends upon the target. There are basically three sections: Web Hacking, Exploit Writing and Reverse Engineering, and each of them requires different coding.

1. Web Hacking

Let's say you are interested in hacking web apps and sites. Then you will need to learn the web coding languages HTML, CSS and JavaScript, because all sites are created using these languages, and knowing them will allow you to understand things quite easily.

HTML: One of the easiest and most widely used static markup languages for the web, present in each and every website you see in your browser. It's recommended to learn HTML very well because it helps in understanding web actions, responses, and logic.

JavaScript: JS is a client-side web programming language mostly used in web sites for a better user interface and quick response. You should learn JS carefully because it helps you understand client-side mechanisms, which is essential for finding client-side flaws.

PHP: A dynamic server-side language which is responsible for managing web apps and databases. PHP is considered one of the most essential languages because it controls everything on the site and server, like the captain of a ship. It is advised to learn PHP well.

SQL: SQL is responsible for storing and managing sensitive and confidential data such as user credentials, personal info or even bank details. It is used in almost all data-storing sites, and therefore it's the most attacked portion of a site.

2. Exploit Writing

Python: It is said that a hacker must know Python because it's the core for creating exploits and tools. Security experts and even pro hackers suggest mastering Python because it provides wider flexibility and can be used in many places. I recommend reading Black Hat Python.

Ruby: A simple but complicated object-oriented language. Ruby is very useful when it comes to exploit writing. It is used for Meterpreter scripting, and you may know that the Metasploit framework itself is programmed in Ruby.

3. Reverse Engineering

Assembly: It's a low-level but advanced language. One can instruct machine hardware or software using it. If you're keen on reverse engineering, then Assembly is going to be very helpful.

Conclusion

I mentioned seven languages, but that's not all, and nobody ever learns all of them 100%. You should know a little bit of each, as it's essential, but what matters here is only your target: if the app which you want to hack is coded in ASP, then you'll need to know ASP. Do you think any other programming language is essential for hackers? If yes, then please comment below.

Nov 19, 2014

Meet Jasminder Singh - Security Researcher

This is an exclusive interview with Indian security researcher Jasminder Pal Singh, a very passionate InfoSec enthusiast, web developer and bug bounty hunter. What's catchy about Jas is that he is very humble and has lots of patience for his work. Recently he discovered a critical stored XSS flaw in YouTube; as a white hat, he immediately reported it to the Google Security team and received a positive reply.

Jasminder Singh
Jas has discovered multiple bugs in Nokia, Facebook, etc.

1. How did you get fascinated with the security field?

I was attracted by the term hacking, but before that I was into security research (malware, Trojans, etc.). I studied how they work and did things practically. I really loved these things, but I had to drop it because there was no peace of mind working, and so I engaged in web development. But I was also aware that there are destructive minds and methods to break my apps, and in the process of learning to secure them, I also learned how to break them.

2. Who is your inspiration?

Actually, there were many inspirations during the journey, and it's still on. If you ask about web app security, it is necessary for a web developer to secure their developed applications. I want to give credit to two persons. I was inspired by the research of Rafay Baloch, a very genuine person who helped me quite a few times. The other one is Siddhesh Gawde; he once sent my name for the Microsoft Hall of Fame even though I hadn't anything. This made me happy and I decided to start pentesting.

3. Which is your most favorite quote?

Getting inspired instead of being jealous of someone's success will lead you towards success.

4. What is your advice to beginners in Hacking?

Learn the Basics: This is the key; without basics we are like shooting in the dark. It may hit correctly sometimes by chance, but the majority will go in vain. I would like to quote a few words of Amine Cherrai.

Never try to think outside the box before you know what's inside

Learn Programming: I was into web application development before pentesting, so I had some command over web development languages like PHP, JS, HTML/XHTML, CSS, etc. It helped a lot in understanding the behavior of the application. I was able to code my own payloads instead of injecting static ready-made vectors.

Watch POCs and Read Write-Ups: It's a good practice to watch video Proofs of Concept and read the write-ups of bugs discovered by other security researchers. It will increase your area of thinking about injecting into applications. Some good resources are: Hackerone.com, vulnerability-lab.com, or on YouTube set the search filter to "Last Week" and input search terms like "XSS", "CSRF", etc.

Avoid pentesting sites which don't have a vulnerability disclosure program; it's kinda illegal. There are many websites where you can practice pentesting - Bug bounty programs list. And last but not least, follow InfoSec and researchers on Twitter; I follow some good researchers on Twitter. You can also navigate to the HOF pages of different websites and read their research.

5. Which is your favorite vulnerability found by you?

Last year I discovered a DOM-based Cross Site Scripting bug which abused CORS in Nokia's Ovi Store and affected the whole site. It was quite an interesting bug; I had to work a lot to make the payload. The second one is also an XSS, in YouTube.