Aug 21, 2015

An Interview with Prakhar Prasad - Security Researcher

Hi, today I have interviewed an Indian security researcher, Prakhar Prasad, a young, wacky guy with a little humour and a very passionate security fella. Prakhar has received a lot of recognition in the InfoSec field by speaking at security conferences and finding vulnerabilities, and he is also very fond of bug bounty programs, which have earned him fame as well as fortune.

1. What's the best part about being a Security Researcher?

I think the best thing about being a security researcher is the challenges that are part and parcel of the job. The fun part is knowing things inside-out.






2. What is your biggest achievement?

There's no biggest achievement as such, but I really like a few of my findings on different bug bounties, like arbitrary code execution in Shopify, SQL injection in PayPal, etc. (For more awesome research, visit prakharprasad.com)

3. Who is your inspiration?

A few people who continue to amaze me with their interesting security research:

  • Nir Goldshlager for his ninja web sec skills
  • Masato Kinugawa for elite JS and browser security knowledge
  • Gareth Heyes for his awesome XSS research
  • Stefano Di Paola for his extraordinary DOM-based XSS research

4. What are your personal interests?

Apart from security, I've a keen interest in aviation and have a soft corner for the Airbus A320 aircraft.

5. Which is your favourite motivational quote?

Nothing worthwhile ever comes easy

No Pain, No Gain

6. What is your advice to beginners?

If you think you have an inclination towards the security space, then go for it.

First things first, get your basics right. Learn the basics well. Don't proceed unless you understand what you're doing. Focus on a scripting language like Python; this will help a lot in automating your stuff and little exploits. Make sure during your journey you attain skills that software cannot do. In other words, make sure you develop "real" skills, not something that can be done easily using software (automated scanners). At the end of the day, if you only know how to download and run an exploit to pop shells, then you're doing it wrong.

7. Which Hacking and Pentesting book would you suggest to beginners?

Initially, I'd say there's no such book that guides beginners properly (at least it was so in my case). Blog posts that provide nice and quick tutorials are better to follow initially; you can dissect the components of the blog posts to learn things precisely. A few good books are Web Application Hacker's Handbook, Tangled Web and Browser Security Handbook.

8. What are you currently working on?

I'm working on a web security book that will probably be out next year.

Thank you for this interview, Prakhar, and good luck with your upcoming book :)

To stay connected with Prakhar you can follow him on @prakharprasad | Read his previous interview on eHackingNews.

Aug 2, 2015

Best Selling Hacking Books of 2015

I had good success with Top Hacking Books of 2015, but many readers were confused about which book to buy, and as you know, people generally go with the majority. So I decided to list the Best Selling Hacking Books of 2015.

The list is based on my Amazon affiliate order reports and other ratings. All the listed books are very informative on their topics, and I strongly suggest them to any beginner in hacking.

The Hacker Playbook 2: Practical Guide to Penetration Testing

After the huge success of the first edition of The Hacker Playbook, the author has recently released The Hacker Playbook 2. It tops our list because it covers a wide range of hacking topics as well as practical pentesting, and it is also one of the best-selling hacking books. The 2nd edition focuses more on advanced topics such as attacking networks, privilege escalation, and evading antivirus.

Black Hat Python: Python Programming for Hackers

As you know, Python is the most powerful language for hackers, and that's why Black Hat Python ranks second. It teaches you the darker side of Python, like creating your own hacking and sniffing tools, trojans, etc. Black Hat Python is for those who are interested in black hat hacking. You'll also learn advanced hacking topics like memory forensics tricks, privilege escalation and web hacking.

RTFM: Red Team Field Manual

Red Team Field Manual (RTFM) is a great command-line book. It contains 90 pages of commands for Windows, Linux, Nmap, PowerShell, Google Hacking, Tunneling, etc. From basic syntax to advanced, RTFM contains all command-line tools, and it is a highly suggested book for pentesters because it also teaches you new red team techniques.

Basic Security Testing with Kali Linux

When it comes to Kali Linux books, Basic Security Testing with Kali Linux ranks first because it covers most of the basic pentesting methods using Kali. It also guides its readers through advanced topics like wireless hacking, Metasploit and exploiting Windows/Linux systems. Kali is an essential OS for hackers, and it's even more essential to learn how to use it, which this book teaches perfectly.

Ethical Hacking and Penetration Testing Guide

Ethical Hacking and Penetration Testing Guide is written by a very famous security researcher, Rafay Baloch. It's a step-by-step guide book covering a wide range of ethical hacking and penetration testing topics. The book mostly focuses on web hacking and pentesting with tools like fender Rootkit, Fast Track Autopwn, Metasploit, Nessus, Google Reconnaissance and Backtrack.

Jun 19, 2015

5 Best Kali Linux Hacking Books

As you know, Kali Linux is the most advanced pentesting OS. It is essential to learn how to use it, and learning from books is the best way to understand it, so here I've listed the best Kali Linux books for learning pentesting and hacking.


Top 5 Kali Linux Books for Hackers & Pentesters

Kali has hundreds of pentesting and forensics tools, and there are countless ways to use them. It is important for a beginner to get guidance from a book or an expert. In my opinion books are best, because they describe each point very well and you don't need to remember anything.

Basic Security Testing with Kali Linux


Basic Security Testing with Kali Linux covers most of the basic and intermediate pentesting methods using Kali. I would recommend this book to a beginner because it covers security testing as well as hacking methods.

What can you learn from this book?
  • Introduction to Kali Linux and Overview
  • Metasploit Tutorials
  • A section on Shodan (the "Hacker's Google")
  • Exploiting Windows and Linux Systems
  • Wireless (WiFi) Attacks
  • Social Engineering and Password Attacks

You'll also learn how to discover vulnerabilities in a system that could be exploited by a malicious hacker. The book focuses more on how an attacker can find and exploit weaknesses in systems and applications, which is the most important skill of a hacker.

Web Penetration Testing with Kali Linux


As you know, the web is a major part of security and hacking, so it is important to learn web penetration testing. Kali has tons of web pentesting tools pre-installed, but using these tools in the correct way isn't easy until you learn it from this book. Web Penetration Testing with Kali Linux is a superb book for hackers interested in web hacking and pentesting.

Web pentesting is my favourite topic in hacking, and this book guides the reader with step-by-step tutorials, not just a bunch of text paragraphs. It contains screenshot instructions, which make it easier to understand even for a layman.

Penetration Testing: A Hands-On Introduction to Hacking


Penetration Testing: A Hands-On Introduction to Hacking focuses entirely on penetration testing methods and techniques that every pentester must know. Most of the tutorials are demonstrated in a virtual pentesting lab (an attacker's machine and a vulnerable target) using Kali Linux. It has a series of practical lessons with tools like Burp Suite, Nmap and Wireshark.

If you would like to become a penetration tester, this book is perfect for you.

It also covers a major part of network and web pentesting methods. That's not all: you'll also learn to write your own exploits, along with mobile hacking concepts. If you're interested in building a penetration testing career, this book is strongly suggested.

Mastering Kali Linux for Advanced Penetration Testing


Mastering Kali Linux is the most advanced Kali Linux book I've ever read. It covers a wide range of network security and penetration testing topics. Honestly, this book has taught me a lot about network exploits and, most importantly, how to use Kali Linux as a pentesting machine.

After teaching common security testing methods, it takes you to the exploitation and post-exploitation methods used by hackers. It also focuses on bypassing physical security, social engineering, wireless networks, web services and attacking the network's end users directly.

The book follows a hacker methodology with all the practical knowledge needed to test your security. If you're appearing for pentesting exams or wish to become a professional penetration tester, then this is undoubtedly the perfect book for you.

Kali Linux: Wireless Penetration Testing Beginner's Guide


Networking is a very important part of pentesting, and since wireless networks (WiFi, routers, cellular networks and mobile phones) and other radio frequency devices are almost everywhere, it has become essential to learn how to pentest and secure them.

Kali Linux: Wireless Penetration Testing Beginner's Guide will teach you how to pentest wireless devices using Kali. It's a very informative book covering advanced wireless hacking techniques along with encryption cracking skills. It's very beginner-friendly.

Jun 6, 2015

How to make Money being an InfoSec Professional

Have you ever wondered how professional security researchers and hackers make money? If not, here are the top methods for making money as an information security professional. There are many ways, but I've mentioned a few legitimate ones.

Top Methods to make Money from InfoSec Skills


Bug Bounty Programs

Bug bounty programs are a very popular and excellent source of income for security researchers and hackers, who are also known as bug bounty hunters. What they do is simple: instead of exploiting a vulnerability, they report it to the security team and receive a bounty, swag, an appreciation certificate or an honourable mention on the security disclosure page (HOF).


Giant sites like Google, Facebook and PayPal have huge bug bounties, but in most cases the reward depends on the depth and severity of the vulnerability (if the bug is highly effective and critical, you'll get a huge bounty). In many cases the researcher also gets a job offer.

It has become a major source of income and, believe me, it's a serious business. It requires good web pentesting skills and experience, but if you're new, just read these security researchers' interviews; they will help you a lot.

Bug Bounty Programs list

Not all websites have bug bounty programs, but there's a specific place where you can find and participate in them. Please follow the Bug Bounty Program list by Bugcrowd.

Teaching Ethical Hacking online

If you have years of experience and knowledge in the hacking/security field, you can easily start your own online training academy and make money by selling course videos as well as giving live lectures.

Become an Instructor on Udemy

Another great way to earn by teaching hacking online is to sell your video lectures on Udemy. All you need to do is sign up as an instructor, create your course package, set a price and start selling it. Every time a student enrolls in your course, you get paid.

Just make sure you do it well and that your course is beneficial; only then will more students engage. It must also be unique and simple to understand.

Freelance Ethical Hacker

I've seen many people living on online freelance jobs, mostly in the design, development and security fields. It is easier and satisfying. All you need is to set up a professional profile and advertise yourself. This is also called personal branding, which is very important for a freelancer. Once you become popular, you'll receive lots of freelance jobs.


Join Freelancer.com

Freelancer is the best place to find freelance jobs. It is totally free, and you can WORK and HIRE without any hesitation. Set up your profile with all your relevant educational and professional skills and you'll find tons of hacking, pentesting and security jobs. You can apply for any of them, and once you finish the job you'll get paid by the client.

It is very important to have a professional profile, skills and experience.

Blogging

You can also earn money by creating blogs in niches like pentesting, security and ethical hacking. Sharing your ideas, research and ethical hacking tutorials can get you good traffic, and you can make money from it using AdSense, affiliate programs or sponsored posts.

It's a good method but not an easy one; you have to be very consistent. I blog in these niches, and it only works when you're very dedicated. You must also know good online earning strategies as well as SEO.

Vlogging

Nobody can depend solely on blogging. Vlogging (video blogging) along with blogging is another great method to increase your reputation as well as your earnings. The best way is to create a YouTube channel and earn money from Google AdSense.

Working in Firm

This is the most common job for most InfoSec professionals. You can work in a firm or an organization as a security expert, ethical hacker or penetration tester. It's actually the best option, but not so easy to get. You need to crack an interview, and it also requires knowledge and experience.


Working in a firm will help you learn new things, gain experience and, most importantly, expand your knowledge and skills.

It is much like a regular office job, but getting these jobs might not be easy for a fresher because everybody demands an experienced person with professional information security skills. That's why it is necessary to get professional security certificates.

Writing a Book

Writing and publishing a book on ethical hacking or security is one of the best methods to earn money as well as fame in the InfoSec world. Don't expect to become a popular author on your first attempt. It definitely requires a lot of knowledge and experience, and a little investment too. But instead of writing a paper book, you can start with a self-published eBook.

Alternate Methods

Speaking at security conferences and conducting seminars, webinars and ethical hacking workshops are alternate methods to make money from InfoSec skills.

Apr 2, 2015

8 Must Have Pentesting Browser Plugins

While testing web apps, we always need pentesting browser add-ons because they're quick and light. In the following post I've mentioned a few essential browser add-ons for hackers and web penetration testers. As you know, Mozilla Firefox is the only browser widely used by hackers because it provides wider flexibility, so I too recommend everybody use it.


Essential Browser Plugins for Web Pentesters

Tamper Data : Tamper Data is one of the most useful add-ons for pentesters. It is used to view and modify HTTP/HTTPS headers and POST parameters, as well as to trace HTTP requests and responses. It can also be used for testing web app security by modifying POST parameters, and much more.

Hack Bar : Hack Bar is another widely used add-on because it has numerous security audit and light penetration testing tools. It's quick, light and easy to use for XSS and SQL encoding/decoding as well as hexing and splitting. Hack Bar comes with built-in hashing and encoding helpers such as MD5, SHA1 and Base64.

User Agent Switcher : This is the most useful tool when you're testing for vulnerabilities across multiple browsers, because it can switch the user agent. The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser. It can help you change the user agent to IE, search robots or iPhone (iOS), or you can create your own user agent.

Cookie Manager+ : Cookie Manager+ can help you view, edit, create and inject cookies. It also shows extra information about cookies, and allows editing multiple cookies at once as well as backup/restore.

HTTP-Fox : HTTP-Fox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers. It aims to bring the functionality known from tools like HTTP watch or IE Inspector to the Firefox browser.

Live HTTP Headers : It is another great alternative to Tamper Data, but with a big difference: it lets you view the HTTP headers of a page while browsing. It is mostly used to inject payloads and fetch server response information very quickly.

Passive Recon : PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information. It is one of the most wanted information gathering tools.

XSS Me : Cross-Site Scripting (XSS) is a common flaw found in today's web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the exploit-me tool used to test for XSS flaws.
