Apr 3, 2015

8 Must Have Pentesting Browser Plugins

While testing web apps, We always need pentesting browser add-ons because its quick and light. In the following post I've mentioned few essential browser add-ons for hackers and web penetration testers. As you know Mozilla Firefox is the only browser used by hackers widely because it provides wider flexibility and so I too recommend everybody to use it.

Top 10 Essential Firefox Add-ons for Hackers and Pentesters

Top 8 Essential Plugins for Web Pentesting 

Tamper Data : Tamper Data is one of the most useful add-ons for pentesters, It is used to view and modify HTTP/HTTPS headers and post parameters as well as trace HTTP response or requests. It can also be used for testing web app security by modifying POST parameters and much more.

Hack Bar : Hack Bar is another widely used add-on because it has numerous security audit and light penetration testing tools. It's quick, light and easy to use for XSS, SQL encoding/decoding as well as Hexing and Splitting. Hack Bar comes with an inbuilt feature of encoding and decoding common encryption like MD5, SH1, Base64 etc.

User Agent Switcher : This is most useful tool when you're testing for multiple browser vulnerabilities, Yes it can switch user agent. The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser. It can help you changing the User Agent to IE, Search Robots, I-Phone (I-OS), or you can also create your own User Agent.

Cookie Manager+ : Cookie manager can help you to view, edit, create and inject cookies etc. It also shows extra information about cookies, allows edit multiple cookies at once as well as backup/restore.

HTTP-Fox : HTTP-Fox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers. It aims to bring the functionality known from tools like HTTP watch or IE Inspector to the Firefox browser.

Live HTTP Headers :  It is another great alternative to Tamper Data but with huge difference for e.g viewing HTTP headers of a page while browsing. It is mostly used to Inject payloads and fetch server response information very quickly.

Passive Recon : PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information. One of the most wanted information gathering tool.

XSS Me : Cross-Site Scripting (XSS) is a common flaw found in today's web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the exploit-me tool used to test for XSS flaws.

If you think the list misses some essential browser add-ons, So please do let me know via comment and I'll gladly mention it in post. Thank you.

Mar 11, 2015

An Interview with Rafay Baloch - A Famous Ethical Hacker

Hi, Today I interviewed one of the world top ethical hacker Rafay Baloch, A very passionate security geek and a pentester. Let's see how he began his hacking career and became world famous security researcher. He also have a little advice for your hacking career.

Who is Rafay Baloch?

Rafay Baloch is a Pakistani security researcher, founder of popular ethical hacking blog RHA and the author of Ethical Hacking and Penetration Testing Guide paper-book. He is also recognized as one of the top ethical hacker, Rafay has received countless bug bounties from tech giants like Facebook, Google, PayPal etc... His most famous finding is remote code execution in PayPal worth $10,000 USD. That's not all, He is also listed in many security disclosure page AKA HOFs. Rafay is one of the most popular and influenced personality in information security field.

How did you get fascinated towards Ethical Hacking?

7 years back, I downloaded a tool which claimed to hack an Orkut account and as of that time orkut was at it's top famous list among social networks; the tool which I was curious about turned to be a virus which was designed to steal information. Weird things started to happen to my computer, eventually after lots of googling i figured it out and managed to clean the infection successfully.

This however  made me curious how could had been the little program actually work beyond the curtains. This alone was my starting point, and from that morning on-wards i dedicated my every step of career information security.

Where did you learn so many things?

We have seen that you talk about different technologies such as Mobile app security, browser security, Radio frequency etc. How did you learn them and have you done any course?

I have dedicated almost seven years into this field and I am still learning more and more every single day. Learning never stops. The most essential thing you would need to have for learning is patience and dedication; these combined lead to heights of excellence. I haven't done any courses especially in terms of information security.

I have self-explored most of the things and i am still doing it with my learning passion. With regards to the learning part, I was lucky to get great mentors such as David Vieria, Giuseppe, Alex and File Descriptor to name a few. A list of Great friends such as Prakhar, Deepankar who helped me with my learning.

Who is your inspiration?

It's very hard to name a single person who has been my inspiration, initially i was really fascinated by Matrix movie from my childhood and then the story of Kevin Mitnick really inspired me. Also, as mentioned before i was fond of breaking things from my childhood which i never knew would transform into my career.

Which is your most favorite quote that motivates you?
Fame is a vapor, popularity an accident, riches takes wings, one thing endures is your character.
Tell us about your latest paper-book Ethical Hacking and Penetration Testing Guide

The book was published in 2014, It is completely dedicated towards beginners, the idea behind the book is that offense is the best defense. I have received mixed reviews. While people have really liked the contents of the book, however there have been people who have complained about the Grammar specifically and have criticized the editor. Also, I had a slight conflict with editor pertaining to the price of the book and he refused to lower it down. I might write another book, but I am not sure i am ready for it yet. BUT WHO KNOWS, what's next.

How do you imagine Hacking in next 10 years?

Rafay, If we look back in 90's or even beginning of 20's Hacking was little rare and very complicated indeed, perhaps it's because it was the dawn of computer and technologies but these days hacking is very popular because of Internet and anyone can learn basics of web hacking and social engineering for free of-course. In fact there are lots of automated scanners using it anybody can find flaws.

The reason why hacking was difficult to learn in 90's (Though targets were easy) was due to the fact that there were lack of automated tools to be utilized by script kiddies, As time passed by a lot of windows based GUI tools were developed which made it easier for script kiddies to utilize and hack targets. The simplicity or complexity of hacking techniques depend upon the fact that how strong your target is. There is absolutely nothing that can stop a motivated attacker, and the security of the target depends upon the number of attack vectors that you know.

With regards to the future, I see a lot of attacks against Internet of things, as you must be aware of the fact that we are moving towards smart world, where our day to day appliances are now connecting to the internet such as Smart TV, Refrigerator, peace maker to name a few, whenever you connect something to the internet, you give it a medium of communication which is sufficient for it to make it exploitable.

In future, we would be looking at a lot of attacks on Internet of things. Apart from that we have witnessed massive number of people shifting to Bitcoin mining, this means we would also witness a lot of attacks against Bitcoins especially more and more Botnets would rise.

What was your recent research on Android browsers?

My recent research was related to analyzing the security model of mobile browsers, I tested all the mobile browsers in android for security issues and found that most of them are affected with UXSS and various spoofing issues. As a matter of fact, I have just reported two more zero days to Google Security team which would be released as soon as they are fixed.

You're very inactive in bug bounty programs, Why is that?

If we look back a year ago, you were one of the most active and famous bug bounty hunter but all of sudden you've almost stopped participating in any bounty programs, have you found something even more interesting and challenging than bug bounties?

Well, that's true, the reason being is that I lost interest, money was never a problem alhamdullilah, but i felt like i was not learning anything new with it, So I moved towards security research especially with Android.

I think security research is more challenging than bug bounty, we as security researchers invent techniques which pentesters use in their pentests. So there is a huge difference between both.

What is your advice to beginners in Hacking

My advice to beginners is first of all is to be ethical and not to compromise your integrity, A hammer could be used to build something and it could be used to destroy something. My personal integrity is to bring positive change in this world. Secondly, With regards to learning, I would recommend everyone to focus more on web application security instead of networks and other layers due to the fact that the attacks have moved towards web applications and there is a huge playground and potential for bug bounties.

If you are into Blackbox testing, before you even start your first test, you should interact with the application and see how it works and start identifying all the inputs and start manipulating them against well known bugs. To be a better penetration tester, you need to be good at finding logical bugs, which you can only find given that you understand how the application really works.

Do you suggest Ethical Hacking as a career choice?

I would definitely recommend it to any one who is passionate to take challenges and break things.

How does it feels like to be so popular?

I don't think i am really popular, It's true that i have finally received some recognition for my years of research and effort , as a matter of fact I was awarded as student of the year of 2014.

What are your future plans Rafay? 

I do have a lot of plans, however they are still in hypothesis phase part of them include writing another book, launching my own security startup and researching on new dimensions in security.

What are your thoughts about Hackw0rm blog?

I am a regular reader of your blog and I feel like that you are going in correct direction. The author is very hard working and is always looking for ways to improve himself. The only suggestion at this point i could give you is to be consistent with the post frequency and have someone to proof read your posts.

I appreciate your time Rafay would you like to say anything else?

My pleasure, thank you very much. The last message I would like to give is never to get demotivated by your failures, turn your weaknesses into your strength and follow your passion.

You can ask Rafay anything related to Hacking and Security, I'm sure he will definitely reply to your comment and do let me know your valuable feedback about this interview with Rafay Baloch; You can also follow him on Facebook and Twitter. (Special thanks to Shritam Bhowmick)

Feb 16, 2015

Top 5 Ethical Hacking and Pentesting Books of 2015

I've always preferred reading books instead of enrolling for ethical hacking course, I still encourages my readers to read paper-books, blogs and whitepapers instead of doing CEH. There are countless advantage of reading books, In this following article; I've listed Top 5 Ethical Hacking and Pentesting books of 2015.

Top 5 Ethical Hacking and Pentesting Books of 2015

5 Best Ethical Hacking, Pentesting Books for Hackers

Books listed below are very helpful to anyone interested in Ethical Hacking, Penetration Testing and Security. The top 5 Ethical Hacking books list is suggested by an expert security researchers and hackers. The article is completely based on my experience, learning and few guides by experts. All the books listed below are easily purchase-able from following attached links.

The Hacker Playbook (Practical guide to Penetration Testing)

The Hacker Playbook (Practical guide to Penetration Testing)
Buy The Hacker Playbook  now at Amazon
The Hacker Playbook written by a security professional and CEO of Secure Planet. - A very informative book for beginners in Penetration Testing with practical guides, hands on examples and helpful advice from the top of the field. The Hacker Playbook is for those who have huge interest in Penetration Testing. This book is a great reference manual, described from the perspectives of a professional. It provides a valuable learning experience to practice and get familiar with the tools and methods.

Ethical Hacking and Penetration Testing Guide

Ethical Hacking and Penetration Testing Guide By Rafay Baloch
Buy Ethical Hacking and Penetration Testing Guide now at Amazon
Ethical Hacking and Penetration Testing Guide written by a Pakistani prodigy hacker and security researcher Rafay Baloch. I personally recommend this book to every beginners in hacking, A step-by-step guide that empowers you on how to prevent threats associated with hacking. Readers will acquire knowledge on how to interpret hacking tools and will learn to perform pentesting with tools like fender Rootkit, Netcat, Fast Track Autopwn, Metasploit, Nessus, Nmap, Google Reconnaissance and Backtrack Linux

Web Application Hacker's Handbook (Finding & Exploiting Security Flaws)

Web Application Hacker's Handbook (Finding & Exploiting Security Flaws)
Buy Web Application Hacker's Handbook now at Amazon
The Web Application Hacker's Handbook guide its reader in finding and exploiting web apps security flaws. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. The book consists of 912 pages of guide and techniques on Web app hacking, security and pentesting. I highly recommend it to beginners in web app ethical hacking.

Black Hat Python (Python Programming for Hackers and Pentesters)

Black Hat Python (Python Programming for Hackers and Pentesters)
Buy Black Hat Python now at Amazon
Black Hat Python is one of the best and most wanted book because whenever it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. But just how does the magic happen? In this book, you'll explore the darker side of Python's capabilities - writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more.

Hacking Exposed Web Applications

Hacking Exposed Web Applications
Buy Hacking Explosed Web Applications now at Amazon
Hacking Exposed Web Applications is a very informative real web app hacking book which explores full details on the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster. You can learn lot of advance web app hacking and pentesting techniques including the most devastating methods used in today's hacks, including SQL injection, XSS, XSRF, and XML injection techniques etc.

All books listed above is very informative based on its topic, but from all of them I highly suggest everyone to go for Ethical Hacking and Pentesting Guide and Black Hat Python.

Jan 18, 2015

Inspirational interview of Raj Sukali - Security Researcher

An inspirational interview of an Indian security researcher Raj Sukali - A well known popular security researcher and bug bounty hunter. Raj has discovered many critical vulnerabilities and flaws in giant sites like Twitter, Facebook, Nokia etc and received gifts, fame and bounties as appreciation. Currently he is working as senior security analyst in a web security firm.

He's the first Security Researcher/ Hacker I've met in real life. He have guided me many times in this field. So today I've organized an exclusive casual text interview. He answered 10 questions related to his journey and field. There is lot to learn from Raj's journey and he also have little advise for you. I'm sure you'll like it and end up motivated

Hi Raj, please introduce yourself to readers

Hi , I’m Raj Dasharath Sukali, An Internet Geek who loves to learn new things. I have completed my graduation in IT and looking forward for my masters. Mean time completed MCITP and CCNA. My area of interest is Web Application and Network Security and bit in to APK development. Professionally I'm working as Senior Security Analyst at Defencely and in remaining time I handle my freelance projects.

How you got fascinated towards Security field?

As an IT student I was quite indulged in computing and networking field. So it all started for free internet, I learned to crack WEP key and access internet for free. That made me eager and curious to learn more; What else can be done, soon I was into defacing Websites (Honestly that was waste of time) but It was fun, Meanwhile I found few Responsible disclosure program, So I started hunting vulnerabilities and reported, which luckily got triggered and I was thanked, I felt good. It made me think that its rather good to be preventive than destructive. That's how I came into White Hat Community and started reporting vulnerabilities. Well nowadays I'm working on malware and forensic analysis.

What motivates you? and who stands as your ideal?

Motivation and Inspiration are the pillars which helps you reach your goal, As Per  the life, My parents motivates me at every journey I carry out, Their support inspires me to do things in more greater way. In Security it’s the people who report amazing bugs which motivates me to find even more logical and advance bugs, I idealize Neal Pole and Rahul Sasi for their findings which I liked.

What else you like to do except Hacking and Computing?

I like to sketch, visiting historic places and clicking pictures (I would be an Archaeologist if I was not into Security). My most favorite spot is sitting sea side and watching Sunset, It makes me calm.

Why did you chose Hacking / Security field?

My motto was to learn how this “Hacking” works and what else I can do with it which can make me grow and eventually help community. Security is a big field where you can learn new concepts every time. There is always some new discoveries in Information Security.

When did you begin to learn Hacking?

I started it 5 years back, when I was about to complete my graduation. As the word Hacking made me curious to learn its concept I joined few forums, IRC and use to spend my half time there exploring.

Where did you learn everything?

For most people Google is the best teacher same goes for me too most of the topic I learned from Google by searching and exploring them. Few forums like Rdot, Ashiyane, HackForums were my few sources in beginning. But Twitter is the best If you want to be updated with latest discoveries follow people who are in Information Security you can get enough information and resources to learn.

Do you recommend Hacking / Security field as career option?

Yes I do recommend security field as career choice but “Hacking” does not stand as a career if you are utilizing your skills in negative way. If you are using your skills for helping the community then it’s the best choice. But the fact remains the same most of the journey starts from Black Hat to White Hat. Security field have a vast scope both in learning and earning aspects. Every time you can learn new things and eventually you get paid if you are Good at your work. Day by day, New application, systems are Introduced in market so for that Security is must.

Which is your most favorite quote or thought?

Learning an Earning are two sides of coin, the more you Learn the more you Earn.

Which is your most favorite vulnerability found by you?

As for now I have handled many thick clients in my current company. The best one I remember was RCE vulnerability in one of the Matrimonial site, I was able to call my shell on server, It was a old kernel so I was able to get the root box.

Another one is CSRF using HPP in Parse.com where you can delete the app created by another user.

What is your advice to beginners in Hacking field? 

I am still a learner and yet to explore many things but I want to suggest few points

Most of the guys still think to start as a pentester they need to pursue security certifications, But the reality is for starting you don’t need such certification you can learn everything on Internet and clear your basics. Then you can go for certification like OSCP, CEH etc as after clearing basic you will actually know what they are teaching. I to started learning on my own by searching on Google reading blog post, following responsible disclosure programs. One should have eagerness to learn.
Don't learn to Hack – Hack to Learn
If one can try to learn at least few languages like perl, php, java any Language It helps you understand the mechanisms of the application. You can even code your own payload write your own scripts.

Try to keep your self updated with latest vulnerabilities. Google is your friend still you can check Packetstrom,  Exploit-db , Hackerone Follow other Security researchers on Twitter. Learn from their write ups and try to learn the mechanism how they found out the bug if not understood you can freely ask them, Youtube and Vimeo are good source to get video POC (Proof of Concepts)

Create Penetration testing Lab

For practicing one can download and install "Vulnerable web applications" like DVWA (Damn Vulnerable Web App), Webgoat, Mutillidae, Hackxor etc (Web Pentesting Apps)

Last suggestion would be if you are trying your hands on BugBounty avoid Automated scanners as already other guys must have used it so most probably your bug would go duplicate. XSS, CSRF, Clickjacking are quite easy to find but if you’ll try harder you would end up finding a RCE. It is about time and patience which can make you find good bugs. Be patience try learning and you are good to go.

What do you think about Hackw0rm blog?

Hackw0rm is one of the blog which I often visit, The write ups are quite interesting while reading with proper explanation. It is good to see how you guys have helped community by sharing knowledge by blogging which helps learners and IT experts. There is something new everyime; I wish good luck to Hackw0rm. Hope they grow more and keep helping people by sharing awesome articles.

Thanks for reading my article. If you've any doubt or question for Raj please feel free to ask him in comment. Find Raj on social sites Facebook | LinkedIn | Twitter | Google+

Dec 25, 2014

Top 4 Professional Ethical Hacking Courses of 2015

If you're thinking to pursue Ethical Hacking as a professional career then you must do these Top professional Ethical Hacking, Pentesting and Security courses. It will not only give you an advantage of professional certificate but also wide knowledge and skills.

Professional Ethical Hacking, Pentesting and Security Courses
Professional Ethical Hacking certifications are very helpful for any job related to Hacking or Security. I would suggest you to start from basic like CEH because it is the base and without CEH you can't apply for other higher level certifications.

CEH - Certified Ethical Hacker

CEH is one of the most popular Ethical Hacking course. CEH is for beginners interested in Ethical Hacking. CEH is a base of all advance courses. It is consist of Web Hacking, Software Hacking / Cracking, Vulnerability Hunting, Network hacking guide etc. If you're interested in Hacking but not able to get started so you can apply for CEH easily. It is good to have CEH certificate.

LPT - Licensed Penetration Tester

LPT is a professional training for Penetration Testers. If you crack LPT exam test, You'll get a certificate and license for penetration testing. You can't apply for LPT until you hold a CEH certificate and you can only get admission if your criminal background is clear. If you want to become a Penetration tester go for LPT, It is one of the best Pentesting course. There is lot of scope and opportunities for LPT holders.

CHFI - Computer Hacking Forensics Investigation

CHFI is a computer forensics training for Cyber Security Experts or Cyber Space Investigators. In CHFI you'll be trained with professional skills to track down any hacking crime activity. Computer Forensics application . You'll learn advance concepts of Computer Forensics Application including digital crime scene analysis, Cyber Crime Investigation etc. CHFI is recommended to those who interested in joining Cyber crime cell.

CISSP - Certified Information System Security Professional

CISSP is professional course for security experts and professional. It offers many opportunities and it is considered one of the most advance security course. It is consist of top ten security practices such as Access Control, Cryptography, Software Development Security, Network Security and Architecture etc. I recommend CISSP training to those who are aiming to get job in giant companies as a Security Professional or Expert.

Final Words

Think twice before applying to any course, If you're really interested in Hacking and Security then I strongly recommend you to go for CISSP and LPT, these two courses has the most demand and also make sure you choose proper institute for courses.

Dec 9, 2014

Essential Programming languages for Ethical Hackers

In previous post, I shared How can you Become an Ethical Hacker, although I didn't mention what programming languages are required to become an ethical hacker, So here I've mentioned few very essential and powerful programming languages.

Essential Programming Languages for Ethical Hackers

Why you need to learn Programming languages?

Every hacking requires understanding of application logic, before hacking anything one needs to understand this logic and it is only possible when you understand How an Application works. If you don't understand how program works, you may not be able to find logical flaw but if you know programming language then you can easily understand and proceed to find vulnerabilities.
To Hack something, First you need to understand the logic of an application, then find the vulnerability and then hack it by exploiting the weakness.

Programming languages for Web Hacking and Pentesting

Web hacking is very common these days but not so easy when it comes to secure targets. So you may have wondered what languages should I know to hack or penetrate web applications?

HTML : Hyper Text Markup  Language is in every web-site you see in your browser and it is also one of the simple and widely used web language. It is recommended to learn HTML very well, It can help you to understand  web actions, response, and web-app logic.

HTML is a static markup language.

JavaScript : JavaScript is a client-side web programming language widely used in web sites for quick response and increase user interface. You should learn it on high priority mode, It can help you to find client-side flaws as well as common web vulnerabilities.

SQL : SQL is a database programming language used in almost all data storing sites. SQL is responsible for storing and managing most sensitive and confidential data such as user credentials, credit card or even bank details. You must know about database programming and its vulnerability.

PHP : PHP is one of the most popular dynamic programming language, unlike JavaScript its a server-side language which is responsible for managing information, web-apps and database.

PHP is strongly recommended to every beginner in Hacking and Penetration testing.

Programming languages for writing Exploits

Exploit writing is an advance part of Hacking, It requires higher level of programming language. Every professional hacker must know Exploit Writing, It can be done in any programming language like C, C++, Ruby, Perl, Python etc.

Python : Python is widely used language for exploit writing or creating pentesting/hacking tools. A Hacker must know Python and  Python Socket Programming. It helps lot learning exploit creation.

Ruby : A simple but complicated object-oriented programming language. Ruby is very useful in exploit writing. It is used for meterpreter scripting and you may know Metasploit framework itself programmed in Ruby.

C : C is most used in software programming for Linux, Windows etc... However it is also used for Exploit writing and development. It may not provide wider flexibility as compared to Python yet it is very useful in some cases.

Programming languages for Reverse Engineering

Assembly language, the one and only Assembly nothing but Assembly.

Assembly Language : Assembly is low level programming language but very complicated. One can instruct a machine hardware or software using Assembly language. Reverse Engineers uses Assembly language, and if you want to learn Reverse engineering, you must need to learn Assembly language.

Final Words...

I've already explained you why programming is so important for hacking. It also depends upon application you want to hack, For example - If a web-app is coded in ASP.NET then you may find it difficult to understand its structure and flow, However you may understand its logic but to execute your command you must be familiar with app language and code logic.

Nov 25, 2014

How to Become an Ethical Hacker - Beginner's Guide

I've shared few effective tips on How can you become an ethical hacker. All the tips and guide are purely based on my experience, knowledge and few tips by security researchers. I've explained what you should know and learn to become an ethical hacker.

How to Become an Ethical Hacker - Beginner's Guide

What you must know to become an Ethical Hacker?

  • Right meaning and role of an Ethical Hacker
  • Programming languages and Networking
  • Proper sources to learn Hacking
  • Use Penetration Testing Lab
  • Learn Kali Linux (Penetration Testing OS)
  • Professional Ethical Hacking Certifications
  • Patience and Passion of learning

Who is an Ethical Hacker and what's its role?

An ethical hacker is someone who is trained with hacking skills not to hack but to secure the target by finding its weakness and reporting the vulnerability to security experts. An ethical hacker plays an important role in computer security by securing online applications, software and business databases. An ethical hacker has a legal license and rights to test application for vulnerabilities.

Learn Programming languages and Networking

Programming and Networking are the two most important things in Hacking and Security. Every application you use is programmed in particular programming language and with the help of networking it can be used online or shared computer network, Now if you want to hack an application so first of all you've to understand how it works and without knowing programming language you cannot understand its logic and so it becomes harder for you to find vulnerability in its logic.

Which are essential programming languages for Hackers

Networking is another essential topic in hacking and security. Networking is the major part of internet security. If you want to be a professional security expert or hacker then learning networking is very important because the whole internet relies on TCP/IP and In order to find vulnerabilities in web sites and applications you must need to understand the network logic.

Sources of learning Ethical Hacking For Free

Internet is the only best place to learn Ethical Hacking for free of cost. All you need is little Googling skill and patience to learn. There are countless Hacking and Pentesting blogs on internet where you can learn a lot about Hacking, Pentesting and Security. The another best way is watching video tutorials, Security Researcher's vulnerability POCs, reading white papers and free online eBooks etc. I also suggest to join Hacking forums.

Top 5 Ethical Hacking and Pentesting Books of 2015

Create Virtual Penetration Testing lab

Creating virtual penetration testing lab in your computer is the best method to learn web application pentesting and hacking. A virtual pentesting lab is a real vulnerable application which can be used to explore, demonstrate common web vulnerabilities and its impact. Pentesting lab is widely used by Security Experts and newbies in hacking to learn new web vulnerabilities and how to discover them. I highly suggest you to use a pentesting lab to learn and hone your hacking skills.

Learn Kali Linux - Advance Penetration Testing OS

Kali Linux is an operating system especially made for hackers and penetration testers, It has hundreds of pre-installed Hacking tools, Automated scanners, fuzzing, forensics and other essential penetration testing tools. One must learn to operate Kali Linux and learn to use its tools. Kali Linux is the latest version of (BackTrack), It is one of the most popular and widely used by Hackers.

Create Penetration Testing lab in Kali Linux
Creating pentesting lab in Kali is the super best method to learn web hacking by using Kali's tools, I highly recommend you to install pentesting lab in Kali Linux.

Get Professional Certifications

If you're really serious about considering hacking and security as your career choice then you must get Penetration testing license, Ethical hacking and Security certificates. Read Top 4 Ethical Hacking Pentesting and Security Courses for your career.

Keep patience and be passionate about learning

So you want be a hacker? Good but its not easy you know. It takes years to become a professional ethical hacker or a security expert so be patient, nobody is born expert, start from scratch and be passionate about learning new things. Keep yourself inspired by reading inspirational Interviews of successful Hackers and Security researchers.
Every expert in anything was once a beginner and beginning is the hardest part.