Feb 16, 2015

Top 5 Ethical Hacking and Pentesting Books of 2015

I've always preferred reading books over enrolling in an ethical hacking course, and I still encourage my readers to read paper books, blogs and whitepapers instead of doing CEH. There are countless advantages to reading books. In this article I've listed the Top 5 Ethical Hacking and Pentesting books of 2015.


5 Best Ethical Hacking, Pentesting Books for hacking career

The books listed below are very helpful to anyone interested in Ethical Hacking, Penetration Testing and Security. This top 5 list was suggested by expert security researchers and hackers. The article is based entirely on my experience, my learning and a few guides by experts. All the books listed below can easily be purchased from the attached links.
  • The Hacker Playbook (Practical guide to Penetration Testing)
  • Ethical Hacking and Penetration Testing Guide
  • Web Application Hacker's Handbook (Finding and Exploiting Security Flaws)
  • Black Hat Python (Python Programming for Hackers and Pentesters)
  • Hacking Exposed Web Applications

The Hacker Playbook (Practical guide to Penetration Testing)

The Hacker Playbook is written by a security professional and CEO of Secure Planet. It is a very informative book for beginners in Penetration Testing, with practical guides, hands-on examples and helpful advice from the top of the field. The Hacker Playbook is for those who have a strong interest in Penetration Testing. This book is a great reference manual, written from the perspective of a professional. It provides a valuable learning experience for practicing and getting familiar with the tools and methods.

Ethical Hacking and Penetration Testing Guide

Ethical Hacking and Penetration Testing Guide is written by Rafay Baloch, a Pakistani prodigy hacker and security researcher. I personally recommend this book to every beginner in hacking. It is a step-by-step guide that shows you how to prevent the threats associated with hacking. Readers will learn how to interpret hacking tools and how to perform pentesting with tools like Hacker Defender Rootkit, Netcat, Fast Track Autopwn, Metasploit, Nessus, Nmap, Google Reconnaissance and Backtrack Linux.

Web Application Hacker's Handbook (Finding and Exploiting Security Flaws)

The Web Application Hacker's Handbook guides its reader in finding and exploiting security flaws in web apps. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. The book consists of 912 pages of guides and techniques on web app hacking, security and pentesting. I highly recommend it to beginners in web app ethical hacking.

Black Hat Python (Python Programming for Hackers and Pentesters)

Black Hat Python is one of the best and most wanted books, because when it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. But just how does the magic happen? In this book, you'll explore the darker side of Python's capabilities - writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more.


Hacking Exposed Web Applications

Hacking Exposed Web Applications is a very informative, real-world web app hacking book which explores in full detail the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster. You can learn a lot of advanced web app hacking and pentesting techniques, including the most devastating methods used in today's hacks, such as SQL injection, XSS, XSRF, and XML injection.


Final Conclusion

All the books listed above are very informative on their topics, but of all of them I most highly suggest Ethical Hacking and Penetration Testing Guide and Black Hat Python. What do you think? Which book is best for beginners? Please do let me know your review of my post.

Jan 18, 2015

Inspirational interview of Raj Sukali - Security Researcher

An inspirational interview with Indian security researcher Raj Sukali, a well-known security researcher and bug bounty hunter. Raj has discovered many critical vulnerabilities and flaws in giant sites like Twitter, Facebook, Nokia etc. and has received gifts, fame and bounties in appreciation. He currently works as a senior security analyst at a web security firm.

He's the first security researcher / hacker I've met in real life. He has guided me many times in this field. So today I've organized an exclusive casual text interview. He answered 10 questions about his journey and the field. There is a lot to learn from Raj's journey, and he also has a little advice for you. I'm sure you'll like it and end up motivated.


Hi Raj, please introduce yourself to readers

Hi, I’m Raj Dasharath Sukali, an Internet geek who loves to learn new things. I have completed my graduation in IT and am looking forward to my master's. In the meantime I completed MCITP and CCNA. My areas of interest are Web Application and Network Security, and I'm a bit into APK development. Professionally I'm working as Senior Security Analyst at Defencely, and in the remaining time I handle my freelance projects.

How did you become fascinated with the security field?

As an IT student I was quite indulged in the computing and networking field. So it all started for free internet: I learned to crack a WEP key and access the internet for free. That made me eager and curious to learn more about what else could be done. Soon I was into defacing websites (honestly, that was a waste of time), but it was fun. Meanwhile I found a few responsible disclosure programs, so I started hunting vulnerabilities and reported them, which luckily got triggered, and I was thanked. I felt good. It made me think that it's better to be preventive than destructive. That's how I came into the White Hat community and started reporting vulnerabilities. Nowadays I'm working on malware and forensic analysis.

What motivates you, and who stands as your ideal?

Motivation and inspiration are the pillars which help you reach your goal. As for life, my parents motivate me on every journey I carry out; their support inspires me to do things in a greater way. In security, it’s the people who report amazing bugs who motivate me to find even more logical and advanced bugs. I idealize Neal Poole and Rahul Sasi for their findings, which I liked.

What else do you like to do besides hacking and computing?

I like to sketch, visit historic places and click pictures (I would be an archaeologist if I was not into security). My favorite spot is sitting by the seaside and watching the sunset; it makes me calm.

Why did you choose the hacking / security field?

My motto was to learn how this “Hacking” works and what else I can do with it that can make me grow and eventually help the community. Security is a big field where you can learn new concepts every time. There are always some new discoveries in Information Security.

When did you begin to learn Hacking?

I started 5 years back, when I was about to complete my graduation. As the word Hacking made me curious to learn its concept, I joined a few forums and IRC and used to spend half my time there exploring.

Where did you learn everything?

For most people Google is the best teacher, and the same goes for me too: most of the topics I learned from Google, by searching and exploring them. A few forums like Rdot, Ashiyane and HackForums were my sources in the beginning. But Twitter is the best if you want to stay updated with the latest discoveries: follow people who are in Information Security and you can get enough information and resources to learn.

Do you recommend the hacking / security field as a career option?

Yes, I do recommend the security field as a career choice, but “Hacking” does not stand as a career if you are utilizing your skills in a negative way. If you are using your skills to help the community, then it’s the best choice. But the fact remains the same: most journeys start from Black Hat and go to White Hat. The security field has vast scope in both learning and earning. You can learn new things every time, and eventually you get paid if you are good at your work. Day by day, new applications and systems are introduced in the market, so security is a must.

Which is your favorite quote or thought?

Learning and Earning are two sides of a coin: the more you learn, the more you earn.

Which is your favorite vulnerability found by you?

As of now I have handled many thick clients in my current company. The best one I remember was an RCE vulnerability in a matrimonial site. I was able to call my shell on the server, and it was an old kernel, so I was able to get root on the box.

Another one is CSRF using HPP in Parse.com, where you can delete an app created by another user.

What is your advice to beginners in the hacking field?

I am still a learner and have yet to explore many things, but I want to suggest a few points.

Most guys still think that to start as a pentester they need to pursue security certifications. But the reality is that to start you don’t need such certifications; you can learn everything on the Internet and clear your basics. Then you can go for certifications like OSCP, CEH etc., because after clearing the basics you will actually know what they are teaching. I too started learning on my own by searching on Google, reading blog posts and following responsible disclosure programs. One should have the eagerness to learn.
Don't learn to Hack – Hack to Learn
Try to learn at least a few languages like Perl, PHP or Java; any language helps you understand the mechanisms of an application. You can even code your own payloads and write your own scripts.

Try to keep yourself updated with the latest vulnerabilities. Google is your friend, and you can also check Packet Storm, Exploit-DB and HackerOne. Follow other security researchers on Twitter. Learn from their write-ups and try to learn the mechanism by which they found the bug; if you don't understand, you can freely ask them. YouTube and Vimeo are good sources of video POCs (Proofs of Concept).

Create Penetration testing Lab

For practice, one can download and install "vulnerable web applications" like DVWA (Damn Vulnerable Web App), WebGoat, Mutillidae, Hackxor etc. (web pentesting apps).

My last suggestion: if you are trying your hand at bug bounties, avoid automated scanners, as other guys must already have used them, so most probably your bug would be a duplicate. XSS, CSRF and clickjacking are quite easy to find, but if you try harder you could end up finding an RCE. It is time and patience that let you find good bugs. Be patient, keep learning, and you are good to go.

What do you think about Hackw0rm blog?

Hackw0rm is one of the blogs which I often visit. The write-ups are quite interesting to read, with proper explanations. It is good to see how you guys have helped the community by sharing knowledge through blogging, which helps learners and IT experts. There is something new every time. I wish good luck to Hackw0rm. Hope they grow more and keep helping people by sharing awesome articles.

Thanks for reading my article. If you have any doubt or question for Raj, please feel free to ask him in the comments. Find Raj on social sites: Facebook | LinkedIn | Twitter | Google+

Jan 8, 2015

How to Learn Web Programming Languages - Beginner's Guide

Programming languages underlie all technology today, whether it's smartphones, computer software, the Internet or telecoms. All advanced technology devices are programmed in a specific programming language. Everyone should learn programming; it's always a good thing. So in this post I've shared a few effective tips on how to start learning web programming languages and become a champ at it.

Getting started with Web Programming Languages

Do you want to become a web designer or developer? Then you have to learn web programming languages. This article is also for those who are interested in becoming a web hacker or penetration tester, because everything you see on a web page is programmed in a specific programming language, and to hack / pentest an application you must know web coding. Are you a computer geek? Great, then you already know web programming languages. If not, follow the guide below on how to get started with web programming languages.

Begin with Basic Web Programming language

Always begin with the basics. Start with the static web markup language called HTML (Hyper Text Markup Language), one of the most basic and useful web languages. It's not officially considered a programming language, but everybody prefers calling it one.

Learning static and client side Web languages (HTML, CSS and JavaScript)

Along with HTML, I also suggest you learn CSS (Cascading Style Sheets) for designing your web pages in creative and unique ways. CSS is widely used for styling all your web content, and it's pretty easy and fun to learn. Learning HTML and CSS is not hard; it will hardly take a month to get familiar with the code, tags and attributes. All you need is a little focus and practice. After getting done with HTML and CSS, move on to JavaScript.

JavaScript is a lightweight scripting language that is used on almost all websites today. It reduces server load and bandwidth because it's a client-side programming language. I highly recommend you learn JavaScript, as it's very popular and easy to learn.

Choose Dynamic Web Language and Stick to it

After learning the static and client-side languages, move on to advanced dynamic server-side programming. It is important to choose your area of interest. For example, ASP.NET, PHP and Java are among the most demanded and used languages. You can choose any based on your interest; just make sure you learn it very well. It is also recommended to learn the database programming language SQL (Structured Query Language).

Start coding simple web applications

After learning static and dynamic web programming languages, take on a project. Try to create your own web application, design it, and try to make it a little dynamic. Learn how web applications work and how to connect them with forms and a database. Challenge yourself and your skills by creating a web application login form connected to a database. Start with the basics and go on smoothly. If you get stuck, use Google to find solutions.

Deconstruct an online application

This is one of the best ways to learn advanced web coding: deconstruct any online application using view-source and understand its logic and methods. This will help you understand advanced coding and logic. You can also copy it and create your own version to understand it better.

Practice coding daily

Don't miss a single day. Practice makes perfect! To become a programming champ you'll need to practice daily and get used to every piece of code. It requires a lot of experience and coding knowledge to become a professional programmer or web developer.

Sources of learning Web Programming Languages

You can either apply for programming courses at your nearest IT institute or, best of all, learn everything by yourself online. w3schools is the best place to learn most web programming languages for free.

Dec 25, 2014

Top 4 Ethical Hacking Pentesting and Security Courses

I've compiled the Top 4 Ethical Hacking, Pentesting and Security courses for your ethical hacking career. After I wrote How to become an Ethical Hacker, readers asked me what some good professional courses for the ethical hacking and security profession are. Here is the answer: I've described the top 4 courses, which are definitely very good for your career.

Ethical Hacking Career Fact

Nobody becomes a hacker or security expert just by reading books or getting certified. Professional certificates merely act as proof that a person has completed and passed an Ethical Hacking, Security or Pen Testing exam. To become a security expert or hacker, one must have dedication and a passion for learning. I strongly recommend you learn programming and networking before applying to any certification course. If you think you can hack any application or computer after getting certified, then you're totally wrong. Security keeps changing.

Top Professional Ethical Hacking and Pentesting Courses

If you're aiming to become a security professional / expert, ethical hacker or penetration tester, then I recommend you apply for whichever course you think is suitable for your career. The courses mentioned below are professional certification courses which also require an examination. If you fail, you won't get a certificate and you'll have to re-appear for the exam.

CISSP - Certified Information System Security Professional

CISSP is a professional course for security experts and professionals. It offers many opportunities and is considered one of the most advanced security courses. It consists of the top ten security practices, such as Access Control, Cryptography, Software Development Security, Network Security and Architecture etc. I recommend CISSP training to those who are aiming to get a job in giant companies as a security professional or expert.

LPT - Licensed Penetration Tester

LPT is professional training for penetration testers. If you pass the LPT exam, you'll get a certificate and a license for penetration testing. You can't apply for LPT until you hold a CEH certificate, and you can only get admission if your criminal background is clear. If you want to become a penetration tester, go for LPT; it is one of the best pentesting and hacking courses. There is a lot of scope and opportunity for LPT holders.

CHFI - Computer Hacking Forensics Investigation

CHFI is computer forensics training for cyber security experts and cyber space investigators. In CHFI you'll be trained in the professional skills needed to track down any hacking crime activity. You'll learn advanced concepts of computer forensics applications, including digital crime scene analysis, cyber crime investigation etc. CHFI is recommended to those who are interested in joining a cyber crime department.

CEH - Certified Ethical Hacker

CEH is one of the most popular ethical hacking courses. CEH is for beginners interested in ethical hacking, and it is the base training course for all the advanced courses. The CEH syllabus is very interesting: it consists of Web Hacking, Software Hacking / Cracking, Vulnerability Hunting, Network Hacking guides etc. If you're interested in hacking but not getting started or not u, you can apply for CEH without any eligibility requirement. It is good to have a CEH certificate.

Conclusion

Think twice before applying to any course. If you're really interested in hacking and security, then I strongly recommend you go for CISSP and LPT; these two courses have the most demand. As I said in the Hacking Fact paragraph, don't apply for any course unless you have learned programming, networking and the basics of hacking. Also make sure you choose a proper institute for your courses.

Dec 22, 2014

OWASP Insecure Web Pentesting App Installation and Guide

Hi guys, I'm back with an interesting web penetration testing lab article. This time it's OWASP Insecure, which includes common web vulnerabilities. It is coded very poorly, which helps security beginners learn a lot about how to secure an application. Pentesters and hackers also use it as a testing lab for manual penetration testing, source code analysis and vulnerability assessment. I recommend you get hands-on with the OWASP Insecure app.

Things you can learn and practice using OWASP Insecure


You can practice SQL Injection, HTML flaws and other injection vulnerabilities such as XSS (Cross Site Scripting). You can learn how to patch these vulnerabilities and how to exploit them, and you can learn web app security, hacking and pentesting. Most importantly, it will help you hone your pentesting and source code analysis skills. You can also use it for demonstrations in tutorials, presentations or articles. It's an open source project by OWASP, so it's totally free and customizable. Follow the tutorial below on how to install OWASP Insecure and get started.



How to Install and Create a Pentesting lab using OWASP Insecure


It's very simple: just download OWASP Insecure (download the insecure-20051027.zip file). It's a ZIP file containing a .war file, XML and some notes. Now download and install XAMPP Server.

Step 1. After the XAMPP installation, start its Control Panel and click on Start Tomcat. See the image below.

XAMPP Start Tomcat Server

Step 2. You'll see a CMD window pop up with lots of commands scrolling by. Do not close it. Now open your favorite browser and go to http://localhost:8080, which is the local Tomcat server address. If you see the Tomcat homepage, you've successfully installed the Tomcat server. Now it's time to install OWASP Insecure and get started with it.

Step 3. But first we'll set up users. Download the Modified Tomcat User file (2KB), go to C:\xampp\tomcat\conf, delete the existing tomcat-users.xml file and paste the modified Tomcat user file in its place. That's all.

Step 4. Now go back to the Tomcat homepage (http://localhost:8080), refresh the page and click on Manager App. It will ask for login details: the username is Okay and the password is Lets. (You can change the login credentials in the tomcat-users.xml file you downloaded. Open it with Notepad and go to the bottom of the file, where you'll see <role rolename="manager-gui"/>. Change the username and password if you want, or leave them as they are.)

Step 5. After logging in you'll land on the server's web app management page. Go to the bottom of the page and you'll see an option to deploy a WAR file. Click on Choose and select the insecure.war file which you downloaded in the beginning. Deploy it.

Step 6. You've successfully deployed the insecure app on the server, and now it's time to access it. After deployment the page will reload and you'll see a table of applications. Just find the insecure app name and click on it, as shown in the image below.

OWASP Insecure WebApp installation

That's all: the OWASP Insecure web page has loaded. Now penetrate the application, analyze its source code, and try SQL Injection and XSS techniques. Most importantly, learn about the vulnerabilities and how to secure them as you hack it.
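
The tomcat-users.xml swap in Steps 3 and 4 puts an account with the manager-gui role on the lab server, so it is worth checking what a downloaded file actually grants before starting Tomcat. The following is an added example, not part of the original tutorial or the OWASP project: a small Python audit of a tomcat-users.xml, run here on a constructed sample. The function name, the password list and the 12-character threshold are assumptions.

```python
"""Audit a Tomcat tomcat-users.xml for risky manager accounts (lab helper)."""
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's Manager / Host Manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
# Constructed short list of passwords commonly left in sample configs.
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "s3cret", "changeit"}

# Constructed sample file. The first user mirrors the credentials the
# tutorial gives for its downloaded file (Okay / Lets); the rest are made up.
SAMPLE = """
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="Okay" password="Lets" roles="manager-gui"/>
  <user username="deployer" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="viewer" password="correct-horse-battery-staple" roles="manager-status"/>
  <user username="guest" password="guest" roles="appuser"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_len=12):
    """Return {username: [issues]} for accounts holding manager/admin roles."""
    root = ET.fromstring(xml_text)
    report = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # application-only accounts are out of scope here
        issues = []
        if len(password) < min_len:
            issues.append(f"password shorter than {min_len} characters")
        if password.lower() in COMMON_PASSWORDS or password.lower() == name.lower():
            issues.append("password is a common default or equals the username")
        # Tomcat's Manager documentation advises against giving a manager-gui
        # user the manager-script or manager-jmx role (it weakens CSRF protection).
        if "manager-gui" in privileged and privileged & {"manager-script", "manager-jmx"}:
            issues.append("manager-gui combined with manager-script/manager-jmx")
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for user, issues in audit_tomcat_users(SAMPLE).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

To check a real lab file, read C:\xampp\tomcat\conf\tomcat-users.xml into a string and pass it to audit_tomcat_users before clicking Start Tomcat.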

Dec 9, 2014

Important Programming Languages for Ethical Hackers

In my previous post I explained How to become a Professional Ethical Hacker, but it still wasn't a complete guide. Many people asked me which programming languages they should learn, so here I am with a new article on which programming languages one should know and learn to become a successful professional ethical hacker.

Can I learn Hacking without Knowing Programming?

Simply, you just can't. Even if you manage to learn from step-by-step tutorials, you'll never be able to hack or pentest on your own. That's because you don't know the core logic of the target application. If you understand an application's logic, you can easily play with it. That's why it is highly recommended to learn programming languages to become an ethical hacker.

Which Programming language should I learn to become Ethical Hacker

Here comes the main question: which programming languages should I learn? Read the guide below.


Web Hacking

If you're interested in web hacking, you should follow the guide below.

HTML : Hyper Text Markup Language. Always start from the basics, and HTML is the most basic and important markup language. One should know it very well to understand web actions, reactions and logic. HTML is a static markup language.

JavaScript : JavaScript is the most used client-side programming language. You should learn it with high priority. Understanding JavaScript code logic can help you find flaws in web apps.

SQL : Structured Query Language is the database programming language. All data is stored in a database, so you should know about database programming and its vulnerabilities, as it is the most sensitive part of the web.

PHP : PHP is the most popular dynamic programming language. Unlike JavaScript, it is a server-side programming language. PHP is strongly recommended to every beginner in hacking and penetration testing.

Programming Languages for Exploit Writing


Exploit writing is a difficult and advanced part of hacking, and it requires a higher level of programming skill. Every professional hacker must know exploit writing. It can be done in any programming language, such as C, C++, Ruby, Python etc.

C : The mother of all programming languages, C is the most used language for creating software for Linux, Windows etc. It is also used for exploit writing and development. I would prefer to learn C first, and I recommend the same to you.

Python : Python is the most used language for exploit writing. It is highly recommended that you learn Python socket programming, because it helps a lot in learning exploit creation.

Ruby : Ruby is a simple but complicated object-oriented programming language. Ruby is very useful in exploit writing. Ruby is used for Meterpreter scripting, and the Metasploit Framework itself is programmed in Ruby.

Programming Languages for Reverse Engineering


Assembly language, the one and only: Assembly and nothing but Assembly.

Assembly Language : Assembly language is a low-level programming language, but a very complicated one. One can instruct machine hardware or software using assembly language. Reverse engineers use assembly language, and if you want to learn reverse engineering, you need to know it.

Thanks for reading my article. It is based purely on my knowledge, a few resources and advice from security researchers. If you have any doubts, feel free to ask in the comments.

Nov 25, 2014

How to Become an Ethical Hacker - Beginner's Guide

I've shared a few effective tips on how you can become an ethical hacker. All the tips and guidance are based purely on my experience, my knowledge and a few tips from security researchers. I've explained what you should know and learn to become an ethical hacker.

What you must know to become an Ethical Hacker?

How can you become an Ethical Hacker? - A beginner's Guide

  • Right meaning and role of an Ethical Hacker
  • Patience and Passion of learning
  • Programming languages and Networking
  • Proper sources to learn Hacking
  • Use Penetration Testing Lab
  • Learn Kali Linux (Penetration Testing OS)
  • Professional Ethical Hacking Certifications

Who is an Ethical Hacker and what's its role?

An ethical hacker is someone who is trained in hacking skills not to hack, but to secure the target by finding its weaknesses and reporting the vulnerabilities to security experts. An ethical hacker plays an important role in computer security by securing online applications, software and business databases. An ethical hacker has a legal license and the right to test applications for vulnerabilities.

Keep patience and be passionate about learning.

So you want to be a hacker? Good, but it's not easy, you know. It takes years to become a professional ethical hacker or a security expert, so be patient. Nobody is born an expert: start from scratch and be passionate about learning new things. Keep yourself inspired by reading inspirational interviews with successful hackers and security researchers, and always remember:
Every expert in anything was once a beginner and beginning is the hardest part.

Learn Programming languages and Networking

Programming and networking are the two most important things in hacking and security. Every application you use is programmed in a particular programming language, and with the help of networking it can be used online or over a shared computer network. If you want to hack an application, you first have to understand how it works. Without knowing the programming language you cannot understand its logic, and so it becomes harder for you to find vulnerabilities in that logic.

Read — Which are essential programming languages for Hackers

Networking is another essential topic in hacking and security, and it is the major part of internet security. If you want to be a professional security expert or hacker, learning networking is very important, because the whole internet relies on TCP/IP, and in order to find vulnerabilities in web sites and applications you need to understand the network logic.

Sources of learning Ethical Hacking For Free

The Internet is the best place to learn ethical hacking free of cost. All you need is a little Googling skill and the patience to learn. There are countless hacking and pentesting blogs on the internet where you can learn a lot about hacking, pentesting and security. Another good way is watching video tutorials and security researchers' vulnerability POCs, and reading white papers and free online eBooks. I also suggest you join hacking forums and subscribe to blogs.

Read Top 5 Ethical Hacking and Pentesting Books of 2015

Install Penetration Testing lab

Creating a virtual penetration testing lab on your computer is the way to learn web application pentesting and hacking. A virtual pentesting lab is a real vulnerable application which can be used to explore and demonstrate common web vulnerabilities and their impact. Pentesting labs are widely used by security experts and newbies in hacking to learn new web vulnerabilities and how to discover them. I highly suggest you use a pentesting lab to learn and hone your hacking skills.

Learn Kali Linux - Advanced Penetration Testing OS

Kali Linux is an operating system made especially for hackers and penetration testers. It has hundreds of pre-installed hacking tools, automated scanners, fuzzing, forensics and other essential penetration testing tools. One must learn to operate Kali Linux and learn to use its tools. Kali Linux is the latest version of BackTrack, and it is one of the most popular systems, widely used by hackers.

Read — Create Penetration Testing lab in Kali Linux
Creating a pentesting lab in Kali is the best method to learn web hacking using Kali's tools. I highly recommend you install a pentesting lab in Kali Linux.

Professional Ethical Hacking Certifications

If you're really serious about considering hacking and security as your career choice, then you must get a penetration testing license and ethical hacking and security certificates. Read Top 4 Ethical Hacking Pentesting and Security Courses for your career.

Conclusion!

Becoming an ethical hacker isn't easy; as I said, it takes years to achieve success. As soon as you start learning you'll acquire knowledge and wisdom step by step, so just be patient and keep learning. Always use a penetration testing lab for practicing your skills and exploring vulnerabilities. It's also recommended to use Kali Linux's tools to pentest applications and, last but not least, to get certified.