Jun 19, 2015

5 Best Kali Linux Books

If you want to learn Kali Linux, these books will help you understand it from the core with precise tutorials. It doesn't matter if you are a total newbie because these books are very beginner friendly; all you need is basic hacking and programming knowledge.

Kali Linux Pentesting and Hacking Cookbooks

Basic Security Testing with Kali Linux is the best book for beginners to get started. It covers basic pentesting methods such as Metasploit tutorials, exploiting Windows and Linux systems, social engineering, and wireless and password attacks. It focuses on how an attacker can find and exploit a weakness in a system, e.g. how to discover a vulnerability that a malicious hacker could exploit.

Web Penetration Testing with Kali Linux is dedicated entirely to web pentesting methods, with step-by-step tutorials that use clear definitions and graphics rather than blocks of text, which makes it easier to understand even for a layman. It teaches you how to pentest web apps, find severe vulnerabilities, write reports in a professional manner and, most importantly, secure the application by patching its weaknesses. You will learn the most vital part of web pentesting, which includes discovering client-side and server-side vulnerabilities.

Penetration Testing: Hands-on Intro to Hacking focuses entirely on penetration testing methods and techniques that every pentester must know. It has a series of practical lessons with tools like Burp Suite, Nmap and Wireshark. Most of the tutorials are demonstrated in a virtual pentesting machine and cover a large portion of network hacking, mobile hacking and writing your own exploits. If you're interested in building a penetration testing career then go for it.

Mastering Kali Linux is the most advanced book I've ever read. It covers a vast range of network exploitation and security topics. The initial part of the book wraps up common security testing methods, and the middle section focuses on exploitation and post-exploitation methods. It also covers bypassing physical security, social engineering, wireless networks, web services and attacking the network's end users directly.

It follows a hacker methodology with all the practical knowledge needed to test your security. If you're stepping into the IT security field or sitting a pentesting exam then this book will help you a lot.

Kali Linux: Wireless Penetration Testing Beginner's Guide teaches you how to pentest wireless devices. The network is a very critical part of security, and because wireless networks like WiFi, cellular mobile phones and other radio frequency devices are almost everywhere, it has become essential to secure them. The book is entirely for those who have a huge interest in wireless hacking and pentesting.

Mar 11, 2015

An Interview with Rafay Baloch - (Famous Ethical Hacker)

I have interviewed one of the world's top ethical hackers, Rafay Baloch, a very passionate security geek and pentester. Let's see how he began his hacking career and became a world-famous security researcher. He also has a lot of advice for your career.

Who is Rafay Baloch?

Rafay Baloch is a Pakistani security researcher, founder of the popular blog RHA and author of the book Ethical Hacking and Penetration Testing Guide. Rafay has received countless bug bounties from tech giants like Facebook, Google and PayPal. His most famous finding is a remote code execution in PayPal worth $10,000 USD. That's not all: he is also listed on many security disclosure pages.

1. How did you get fascinated towards hacking?

7 years back, I downloaded a tool which claimed to hack an Orkut account, and at that time Orkut was at the top of the list of famous social networks; the tool which I was curious about turned out to be a virus which was designed to steal information. Weird things started to happen to my computer. Eventually, after lots of googling, I figured it out and managed to clean the infection successfully.

This, however, made me curious about how the little program actually worked behind the curtains. This alone was my starting point, and from that morning onwards I dedicated every step of my career to information security.

2. Where did you learn so many things?

I have dedicated almost seven years into this field and I am still learning more and more every single day. Learning never stops. The most essential thing you would need to have for learning is patience and dedication; these combined lead to heights of excellence. I haven't done any courses especially in terms of information security.

I have self-explored most of the things and I am still doing it with my learning passion. With regards to the learning part, I was lucky to get great mentors such as David Vieria, Giuseppe, Alex and File Descriptor, to name a few. Great friends such as Prakhar Prasad and Deepankar also helped me with my learning.

3. Why are you inactive in bug bounty programs?

The reason is that I lost interest. Money was never a problem, alhamdulillah, but I felt like I was not learning anything new with it, so I moved towards security research, especially with Android. I think security research is more challenging than bug bounty; we as security researchers invent techniques which pentesters use.

4. What is your advice to beginners in Hacking?

My advice, first of all, is to be ethical and not to compromise your integrity. A hammer could be used to build something and it could be used to destroy something. My personal integrity is to bring positive change in this world. Secondly, with regards to learning, I would recommend everyone to focus more on web application security instead of networks and other layers, due to the fact that the attacks have moved towards web applications and there is a huge playground and potential for bug bounties.

If you are into Blackbox testing, before you even start your first test, you should interact with the application and see how it works and start identifying all the inputs and start manipulating them against well known bugs. To be a better penetration tester, you need to be good at finding logical bugs, which you can only find given that you understand how the application really works.

5. Tell us about your book Ethical Hacking and Penetration Testing Guide

The book was published in 2014. It is completely dedicated to beginners; the idea behind the book is that offense is the best defense. I have received mixed reviews. While people have really liked the contents of the book, there have been people who have complained about the grammar specifically and have criticized the editor.

I appreciate your time for this interview, Rafay. Would you like to say anything else?

My pleasure, thank you very much. The last message I would like to give is: never get demotivated by your failures, turn your weaknesses into your strength and follow your passion.

Feb 16, 2015

Top 5 Ethical Hacking and Pentesting Books of 2015

I have listed a few of the best hacking and penetration testing books (PDF) recommended by expert hackers, especially for beginners. Each listed book is the best on its topic, but what you pick depends on what exactly you want to learn, because InfoSec is a massive field.

The Hacker Playbook: Practical guide to Pentesting

The Hacker Playbook is written by a security professional. It is very informative for newbies and will guide you with practical methods, hands-on examples and helpful advice from the top of the field. It is for those who have a huge interest in pentesting, as it doesn't require any prior knowledge of hacking. If you're a beginner and thinking of getting started then GO FOR IT!

Ethical Hacking and Penetration Testing Guide

Ethical Hacking & Penetration Testing Guide is written by a Pakistani prodigy hacker, Rafay Baloch. It's a step-by-step guide that shows you how to prevent threats. Readers will acquire knowledge on how to interpret tools and will learn to perform pentesting with tools like fender Rootkit, Netcat, Fast Track Autopwn, Metasploit, Nessus, Nmap, Google Reconnaissance and Backtrack.

Black Hat Python: Python Programming for Hackers and Pentesters

Black Hat Python is one of the best books because, when it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. But just how does the magic happen? You'll explore the darker side of Python's capabilities: writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and much more.

Web Application Hacker's Handbook

Web Application Hacker's Handbook focuses on finding and exploiting security flaws in web apps. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. It consists of 912 pages of guidance and techniques on web app hacking.

Hacking Exposed Web Applications

Hacking Exposed Web App is a very informative book which explores in full detail the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster. You will learn advanced web pentesting techniques, including the most devastating methods used in today's hacks. It also covers a vast section of web networking and discovering vulnerabilities.

Dec 8, 2014

Important Programming languages for Hackers

Every application or site you use is written in a particular computer language, also known as a programming language, and people such as hackers try to hack it. But to break anything, you first need to understand it and then exploit its weakness. The same is true in hacking: to actually hack anything you first have to understand the target application, and that understanding requires knowledge of programming languages.

Which Programming Languages Are Required for Hackers?

There are lots of computer languages, but only a few are required for hacking purposes, and in most cases the choice depends on the target. There are basically three sections: Web Hacking, Exploit Writing and Reverse Engineering, and each of them requires different coding.

1. Web Hacking

Let's say you are interested in hacking web apps and sites. Then you will need to learn the web languages HTML, CSS and JavaScript, because all sites are created using these languages and knowing them will allow you to understand things quite easily.

HTML: One of the easiest and most widely used static markup languages for the web, present in each and every website you see in your browser. It's recommended to learn HTML very well because it helps in understanding web actions, responses, and logic.

JavaScript: JS is a client-side web programming language mostly used in websites for a better user interface and quick response. You should learn JS carefully because it helps you understand client-side mechanisms, which is essential for finding client-side flaws.

PHP: A dynamic server-side language which is responsible for managing information, web apps and databases. PHP is considered one of the most essential languages because it controls everything on the site and server, like the captain of a ship. It is advised to learn PHP well.

SQL: SQL is responsible for storing and managing sensitive and confidential data such as user credentials, personal info or even bank details. It is used in almost all sites that store data, and therefore it's the most attacked portion of a site.

2. Exploit Writing

Python: It is said that a hacker must know Python because it's the core for creating exploits and tools. Security experts and even pro hackers suggest mastering Python because it provides wider flexibility and can be used in many places. I recommend reading Black Hat Python.

Ruby: A simple but complicated object-oriented language. Ruby is very useful when it comes to exploit writing. It is used for Meterpreter scripting, and you may know that the Metasploit framework itself is programmed in Ruby.

3. Reverse Engineering

Assembly: It's a low-level but advanced language. One can instruct machine hardware or software using it. If you're keen on reverse engineering then Assembly is going to be very helpful.


I mentioned seven languages, but that's not all, and nobody ever learns all of them 100%. You should know a little bit of each as it's essential, but what matters here is only your target: if the app which you want to hack is coded in ASP then you'll need to know ASP. Do you think any other programming language is essential for hackers? If yes, then please comment below.

Nov 19, 2014

Meet Jasminder Singh - Security Researcher

This is an exclusive interview with an Indian security researcher, Jasminder Pal Singh, a very passionate InfoSec enthusiast, web developer and bug bounty hunter. What's catchy about Jas is that he is very humble and has lots of patience towards his work. Recently he discovered a critical stored XSS flaw in YouTube; as a white hat he immediately reported it to the Google Security team and received a positive reply.

Jas has discovered multiple bugs in Nokia, Facebook etc.

1. How did you get fascinated towards the security field?

I was attracted by the term hacking, but before it I was into security research (malware, Trojans etc.). I studied how they work and did stuff practically. I really loved these things but I had to drop it because there was no peace of mind in the work, and so I engaged in web development. But I was also aware that there are destructive minds and methods to break my apps, and in the process of learning to secure them, I also learned how to break them.

2. Who is your inspiration?

Actually there were many inspirations during the journey and it's still ON. If you ask about web app security, it is necessary for a web developer to secure their developed applications. I want to give credit to two persons. I was inspired by the research of Rafay Baloch, a very genuine person who helped me quite a few times. The other one is Siddhesh Gawde; he once sent my name for the Microsoft Hall of Fame even though I hadn't anything. This made me happy and I decided to start pentesting.

3. Which is your most favorite quote?

Getting inspired instead of being jealous of someone's success will lead you towards success.

4. What is your advice to beginners in Hacking?

Learn the Basics: This is the key; without the basics we are like shooting in the dark. It may hit correctly sometimes by chance but the majority will go in vain. I would like to quote a few words of Amine Cherrai.

Never try to think outside the box before you know what's inside

Learn Programming: I was into web application development before pentesting, so I had some command over web development languages like PHP, JS, HTML/XHTML, CSS etc. It helped a lot to understand the behavior of the application. I was able to code my own payloads instead of injecting static ready-made vectors.

Watch POCs and Read Write-Ups: It's a good practice to watch video proofs of concept and read the write-ups of bugs discovered by other security researchers. It will increase your area of thinking about injecting into applications. Some good resources are Hackerone.com and vulnerability-lab.com, or on YouTube set the search filter to "Last Week" and input search terms like "XSS", "CSRF" etc.

Avoid pentesting sites which don't have a vulnerability disclosure program; it's kinda illegal. There are many websites where you can practice pentesting - Bug bounty programs list. And last but not least, follow InfoSec and researchers on Twitter; I follow some good researchers on Twitter. You can also navigate to the HOF pages of different websites and read their research.

5. Which is your favorite vulnerability found by you?

Last year I discovered a DOM-based Cross Site Scripting bug which abused CORS in Nokia's Ovi Store and affected the whole site. It was quite an interesting bug; I had to work a lot to make the payload. The second one is also an XSS, in YouTube.