Sep 19, 2015

How to create Pentesting lab using OWASP BWA

OWASP - Broken Web Application (BWA) is a highly vulnerable web application developed and distributed by OWASP. The main objective is to aware web developers about common web vulnerabilities and to make internet more secure place. The another major use of OWASP BWA project is as a penetration testing lab widely used by hackers and security experts.

Penetration Testing Lab using OWASP BWA

About OWASP Broken Web Application

BWA is one of the best penetration testing app I have ever used because it is consist of many other third parties pentesting apps such as DVWA, Mutillidae, Ghost, NOWASP etc. Around 30+ vulnerable applications to learn almost every part of web hacking and pentesting. There is lot benefits for using BWA especially if you are beginner. You can learn lots of new techniques and methods used for pentesting. For example:

  • Web Application Penetration Testing
  • Manual Vulnerability Assessment Techniques
  • Source Code Analysis
  • Web Application Security
  • OWASP Top 10 Web Vulnerabilities

How to Install OWASP BWA

You will need VMware Player and OWASP BWA Project setup ― its a pre-made virtual machine file which doesn't require any configuration. After downloading, Install VMware player and extract BWA file and open OWASP Broken Web Apps.vmx file. This will start virtual machine setup, Just proceed as it says and that's all its installed.

OWASP BWA Pentesting Lab Setup

Its time to access pentesting lab in your browser. Just look on screen and there you will find an IP address like type it in your favorite browser and it will bring you OWASP BWA Project homepage from there you can select any vulnerable application and start practicing and honing your hacking skills

Related Post : Create Pentesting Lab in Kali Linux

Sep 15, 2015

CEH: Certified Ethical Hacker Certification Guide

CEH is one of the best ethical hacking course for beginners, it teaches you alot of basics which is very essential to step in InfoSec field. I have shared general info related to CEH certification training, exam, fees, study guide PDFs and books.

Certified Ethical Hacker Trainnig Guide

Certified Ethical Hacker Info & Guideline

CEH is an ethical hacking course consist of penetration testing and information security training. CEH version 8 is the latest version as of late 2013 and there is no eligibility for CEH training however if you are applying directly for an exam then you will have to show two years of information security related work record. You can either apply for CEH Training + Exam or only Exam (In this case you will have to self-study).

CEH Training or Straight Exam? What to choose?

If you want CEH certificate and you don't know anything about ethical hacking then you will have to get training first but if you have already self studied ethical hacking and just want to get certified then you should straight apply for an exam. Its just the difference of cost and time although training is more beneficial because it increases the chances of getting good grades.

CEH Training

Below is the CEHv8 Training module. The training can take up to 1 to 2 weeks depending on your time investment.

CEHv8 Module
CEHv8 is consist of 20 core modules.

CEH Exam Details

CEH exam may not be so easy but if you are trained well you can crack it easily.
  • Exam Code: 312-50 (IBT), 312-50 (VUE) or EC0-350 (APTC)
  • Number of questions 125
  • Duration: 4 hours
  • Passing score is 70%

CEH Training and Exam fee

CEH training fee is $500 and exam fee is $100. The cost of CEH depends on certificate provider or institute. Online training+exam will all cost you roughly $600 USD (EC-Council). You can also get it for more cheaper price from third party websites or training provider.

Where to apply for CEH training?

You can either apply for online course or look for an institute in your city. In my opinion online is more better and convenient and if you are preparing for self study then you will have to work hard even more. EC-Council is probably the best online CEH training and certificate provider.

CEH Study Guide PDFs and Books

Self-Studying candidates will definitely need study guide PDFs and books. Self-study is not a bad idea, its just little challenging. Whether you apply for straight exam or training courseware materials are essential for learning. Study guide books will help you lot strengthening your ethical hacking knowledge as well as practical skills.

CEH v8 Study Guide and The CEH Prep Guide

After giving exam, if passed you will get a valid government recognized C|EH Certificate which plays very significant role in getting InfoSec jobs. In my upcoming post, I will write about job opportunities for certified hackers. Stay tuned.

Aug 20, 2015

An Interview with Prakhar Prasad - Security Researcher

Hi today I have interviewed an Indian security researcher Prakhar Prasad ― A young wacky guy with little humour and very passionate security fella. Prakhar has received lot of recognition in InfoSec field by speaking at security conference, finding vulnerabilities and he is also very fond of bug bounty program which has earned him fame as well as fortune.

What's the best part about being a Security Researcher?

I think the best thing a security researcher are the challenges that are part and parcel of the job. The fun part is knowing the things inside-out.

What is your biggest achievement?

There's no biggest achievement as such, but I really like few of findings on different bug bounties like arbitrary Code Execution in Shopify, SQL Injection in PayPal and etc... (For more awesome researches visit

Who is your inspiration?

Few people that continue amaze me with their interesting security research :
  • Nir Goldshlager for his ninja web sec skills
  • Masato Kinugawa for elite JS and browser security knowledge
  • Gareth Hayes for his awesome XSS researches
  • Stefano Di Paola for his extraordinary DOM-based XSS researches

What are your personal interests?

Apart from security I've a keen interest in aviation and have a soft-corner for Airbus A320 aircraft.

Which is your favourite motivational quote?

Nothing worthwhile ever comes easy
No Pain, No Gain

What is your advice to beginners?

If you think you have inclination towards security space then go for it.

First things first, gets your basics right. Learn things the basics well. Don't proceed unless you understand what you're doing. Focus on a scripting language like Python, this will help a lot in automating your stuffs and little exploits. Make sure during your journey you attain skills that a software cannot do. In other words make sure you develop "real" skills not something that can be done easily using a software (automated-scanners). At the end of the day if only how to download and run an exploit to pop shells then you're doing it wrong.

Which Hacking and Pentesting book would you suggest to beginners?

Initially I'd say there's no such book that guides beginners properly (at least it was in my case), blog posts are better to follow initially that provide nice and quick tutorials, you can dissect the components of the blog posts to learn things precisely. A few good books are Web Application Hacker's Handbook and Tangled Web and Browser Security Handbook.

8. What you're currently working at?

I'm working on a web security book that will probably be out next year.

Thank you for this interview Prakhar and Good-Luck for your upcoming book :)

Aug 2, 2015

Best Ethical Hacking Books of 2015

I got a good success with Top Hacking Books of 2015 but many readers were confused "which book to buy?" and and as you know people generally go with the majority, So I decided to list Best Selling Hacking Books of 2015.

The list is based on my Amazon affiliate orders reports and other ratings. All the listed books are very informative based on its topic, I strongly suggest it to any beginner in hacking.

The Hacker Playbook 2: Practical Guide to Penetration Testing

After huge success with the first edition of Hacker Playbook the author has recently released The Hacker Playbook 2 and It tops our list because it covers vast topics of hacking as well as practical pentesting and it is also one of the best selling hacking book. The 2nd edition focuses more on advance topics such as attacking networks, privilege escalation, and evading antivirus.

Black Hat Python: Python Programming for Hackers

As you know python is the most powerful language for hackers and that's why Black Hat Python ranks second. It teaches you the darker side of python like creating your own hacking, sniffing tools and trojans etc. Black Hat Python is for those who are interested in black hat hacking. You'll also learn advance topics of hacking like memory forensics tricks, privilege escalation and web-hacking.

RTFM: Red Team Field Manual

Red Team Field Manual (RTFM) is a great command line book. It contains 90 pages of commands for Windows, Linux, Nmap, Powershell, Google Hacking, Tunneling etc. From basic syntax to advance, RTFM contains all command line tools and it is highly suggested book to pentesters because it also teaches you new red team techniques.

Basic Security Testing with Kali Linux

When it comes to Kali linux books - Basic Security Testing with Kali Linux ranks first because it covers most of the basic pentesting methods using Kali. It also guides its readers in advance topics like wireless hacking, metasploit and exploiting windows/linux system. Kali is an essential OS for hackers and its even more essential to learn "How to use it?" and this book teaches you perfectly.

Ethical Hacking and Penetration Testing Guide

Ethical Hacking and Penetration Testing Guide written by a very famous security researcher Rafay Baloch. It's a step-by-step guide book covering vast topics of ethical hacking and penetration testing. The book mostly focus on web hacking and pentesting with tools like fender Rootkit, Fast Track Autopwn, Metasploit, Nessus, Google Reconnaissance and Backtrack.

Jun 19, 2015

5 Best Kali Linux Pentesting and Hacking Books

As you know Kali Linux is the most advance pentesting OS It is essential to learn to How to use it and learning from books is the best way to understand it, So here I've listed best Kali Linux Books to learn Pentesting & Hacking.

Top 5 Kali Linux Books for Hackers & Pentesters

Kali has hundreds of pentesting and forensics tools and there are countless ways to use them, It is important for a beginner to get a guide from book or an expert. Well in my opinion books are best because it describes points very well and you don't need to remember anything.

Basic Security Testing with Kali Linux

Basic Security Testing with Kali Linux - Kali PenTesting Books

Basic Security Testing with Kali Linux covers most of the basic and intermediate pentesting methods using Kali. I would recommend this book to a beginner because it covers security testing as well as hacking methods.

What you can learn from this Book?
  • Introduction to Kali Linux and Overview
  • Metasploit Tutorials
  • A section on Shodan (the "Hacker's Google")
  • Exploiting Windows and Linux Systems
  • Wireless (WiFi) Attacks
  • Social Engineering and Password  Attacks

You'll also learn how to discover vulnerability in system, which can be exploited by a malicious hacker. The book focuses more on How an attacker can find and exploit weakness in system and applications and that is the most important skill of a hacker.

Web Penetration Testing with Kali Linux

Web Penetration Testing-with Kali-Linux

As you know web is the major part of security and hacking, It is important to learn web penetration testing. Kali has tons of web pentesting tools pre-installed but using these tools in correct way isn't easy until you learn it from this book. Web Penetration Testing with Kali Linux is superb book for hackers interested in web hacking and pentesting.

Web pentesting is my favourite topic in hacking and this book guides reader with step-by-step tutorials not just with bunch of text paragraphs; It contains screenshots instructions which makes it easier to understand even for a layman.

Penetration Testing: A Hands-On Introduction to Hacking

Penetration Testing: A Hands-On Introduction to Hacking

Penetration Testing: Hands-on Intro to Hacking entirely focuses on penetration testing methods and techniques that every pentesters must know. Most of the tutorials are demonstrated in a virtual pentesting machine (An attacker's machine and a vulnerable target) using Kali linux. It has series of practical lessons with tools like Burp Suite, Nmap and Wireshark etc.
If you would like to become a penetration tester, this book is perfect for you
It also covers major part of network and web pentesting methods. That's not all you'll also learn writing your own exploits along with mobile hacking concepts. If you're interested in building penetration testing career this book is strongly suggested to you.

Mastering Kali Linux for Advanced Penetration Testing

Mastering Kali Linux for Advanced Penetration Testing

Mastering Kali Linux is the most advance Kali linux book I've ever came to read. It has vast topics of network security and penetration testing. Honestly this book has taught me lot about network exploits and most important how to use Kali linux as a pentesting machine.

After learning common security testing methods it takes you to exploitation and post-exploitation methods used by Hackers. It also focuses on bypassing physical security, social engineering, wireless networks, web services and attacking network direct end user.

The books follows a hacker methodology with all practical knowledge needed to test your security. If you're appearing for pentesting exams or wish to become professional penetration tester then undoubtedly this is the perfect book for you.

Kali Linux: Wireless Penetration Testing Beginner's Guide

Kali Linux: Wireless Penetration Testing Beginner's Guide

Network is a very important part of pentesting and as you know wireless networks like (WiFi, Routers, Cellular Networks and Mobile phones) and other radio frequency devices are almost everywhere it has become essential to learn how to pentest and secure it.

Kali Linux: Wireless Penetration Testing Beginner's Guide will teach you how to pentest wireless devices using Kali. It's a very informative book covering advance wireless hacking techniques along with encryption cracking skills. It's very beginner's friendly.