How to learn penetration testing at home?

Question

I am interested in learning ethical hacking or penetration testing to head towards a career in that direction.

I have a strong knowledge of linux and unix, basic computer theory and practice and basic programming knowledge (arrays, methods, loops).

I have looked at gruyere and webgoat, however I find these to be too advanced for me. They ask to solve a problem without sufficiently explaining the problem, why it can be used to attack and giving examples.

Are there any courses or interactive programs, for free, that I can do from home that I can teach myself this information?

A bonus would be giving programming lessons useful in this area, for example teaching JavaScript to demonstrate cookie attacks and manipulations.

Answer 1

Free options are few, but there are tons of videos and tutorials on specific attack vectors or products/tools. They will NOT make you a Penetration Tester, but they are free learning resources.

Some decent options to start you off:

• MetaSploit Unleashed: Learn an exploitation framework
• SecurityTube: various videos covering a multitude of topics
• NMap: The standard network enumeration tool
• Web Application Hacker's Handbook: It's not free, but it is the bible on Web App Security

For practice, there are a number of resources:

• Metasploitable VM (and other purposely vulnerable VMs)
• DVWA
• Mutillidae
• WebGoat
• Vulnhub
• hack.me

Do some searching on this site for other people offering opinions on free learning resources. But, the only way to learn is to get your hands dirty.

Keep working at it, and keep asking questions!

Answer 2

In addition to the links to tools, vulnerable practice apps etc., the Penetration Testing Execution Standard aims to be the definitive standard on how to approach testing: http://www.pentest-standard.org/index.php/Main_Page

Answer 3

You can put these on a virtual machine using VM Player and play around.

Damn Vulnerable Linux (http://sourceforge.jp/projects/sfnet_virtualhacking/downloads/os/dvl/DVL_1.5_Infectious_Disease.iso/)

De-Ice/Hackerdemia (http://forums.heorot.net/)

For learning I would look at different penetration testing methodologies like Open-Source Security Testing Methodology Manual (http://isecom.securenetltd.com/osstmm.en.2.1.pdf). These commonly give a list of things to check for. You can then take these checklists and look up various tutorials on the web on how to defeat the various technologies.

One of the better books I've read recently was Writing Security Tools and Exploits (http://www.amazon.com/Writing-Security-Tools-Exploits-Foster/dp/159749997/ref=sr_1_1?ie=UTF8&qid=1328592753&sr=8-1). It covers basic assembly, creating shellcode, tips on finding and writing buffer overflows, format strings, heap attacks and more. The book is a little dated and doesn't cover things like ASLR and NX, but gives a solid foundation with numerous examples with great explanations.

Answer 4

Information Security is a very wide field, it consists of various sub-fields: infrastructure security, application security, network security and so on. From your question I believe the field you are interested in is Web Application Security - WebGoat and Gruyeres are two vulnerable applications dedicated to teach the most common vulnerabilities in Web Application Security. This is the only subject they mention and explain on.

In my honest opinion, the best way to start in web application security, is reading the OWASP top 10 list and explanations, and then continue to test web applications for vulnerabilities (of course only against your own QA machines or with the administrators written consent) . As mentioned, the Fundstone (now Mcafee) Hacme series is very good, comes in many languages (so you might find a language you are familiar with) and comes with detailed tutorials on how to manipulate and break the Hacme applications.

For more complete list of vulnerable applications and virtual machines, you may want to try the Vulnerable Applications Market

Another excellent way to learn, although it is a bit old, is to pass the MSDN Security Labs which are free and teach a wide variety of subjects:

• Developer Starter Kit: Buffer Overflows
• Developer Starter Kit: Code Analysis
• Developer Starter Kit: Compiler Defenses
• Developer Starter Kit: Fuzz Testing
• Developer Starter Kit: Security Code Review Developer Starter Kit: SQL Injection Vulnerabilities

Good Luck!

Answer 5

Most of the suggestions here point to some great resources and ideas. I recommend using VirtualBox for your VM test environment. Also, if you have the spare funds, get a TechNet Subscription so that you can build plenty of test boxes. I believe CERT or another organization also puts out some Windows-based VM images that you can download, but I can't remember for sure who does it or where to find them.

While I do prefer and recommend VirtualBox for running VMs, it should be noted that testing works best when all your VMs are running on the same virtualization platform. So, if you're looking to hack systems running in VMWare Player, you should also have your attack system in VMWare Player.

Answer 6

To add a bit to schroeder's excellent (+1) answer.

http://exploit-exercises.com are interesting; its a couple virtual machines with challenges to escalate somehow. Nebula teaches how to escalate from a normal account to root in flawed environments -- many of the solutions are standard tricks (don't trust environmental variables or running eval on user input or make assumptions that the executable will be run as suggested).

Protostar/fusion are more advanced (e.g., buffer overflows).

Also recommend reading WAHH (it's not free; but its cheap) and Secure Programming in Linux/Unix.

Answer 7

Download various PHP applications in initial period host them on your local server and then try to find vulnerabilities in that using 2 different methdologies whichever you like

1. OWASP testing methodology - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf 2.WATC - http://projects.webappsec.org/f/WASC-TC-v1_0.pdf

If you do not have much knowledge about manual pentesting then, run acunetix and nessus against your hosted application on localhost see the results generated by them and then try to exploit them manually using BURP suite. That will give you boost and confident.

Then go for any of these methodology.

Once you are expertise in this methodology try to make your own checklist of testing and add new test cases every time when you find.

Once you do all these go for bug bounty program.

BUGCROWD is very reputed bug bounty program and here you can find the list of vendors on whom you can do pentest. https://bugcrowd.com/list-of-bug-bounty-programs

This is how whole process should go like.

Answer 8

I have not read all the answers, but in order to learn about penetration testing and to do this for free you could try this set of tutorials by irongeek.com here: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

This is instructions on downloading an intentionally vulnerable web application called mutillidae that you can use to practice pen-testing on. The application, mutillidae, has hints that you can enable to learn from. If you have some sort of LAMP server you can just drop the folder into your server's www folder and access it on your local loopback address, 127.0.0.1. You also have to create some database tables in MySQL server though so this pen-test tool maybe more advanced for you at the present time. Populating tables is not that tough though. Nor is creating the necessary database. :D

This would be great to run on a virtual machine running Kali Linux or Ubuntu. Especially, if your machine has enough RAM and CPU power.

You can learn all sorts of things from this such as SQL Injection, Cross Site Scripting, and other types of attacks you can educate yourself on to be able to defend against through secure coding practices, etc.

Answer 9

I'd like to add my two cents to the pot. I think reviewing some of Tom Scott's security videos on Computerphile and his own channel is a great way to start. They're technically sound and explain the concepts in a very clear way. Following that, let curiosity guide you.

Try installing nmap and see what you can find out about, say Amazon's servers. Look up things on SQL Injection. What about SHA-1 or MD5 freestart? How much would it cost? Questions like these can guide you deeper into the field of information security.

Keep this in mind to: You need to know the things you're trying to protect or hack; for example, you must know TCP to hack networks and likewise JS for websites.

---

Jeff's answer offer's some insights, albeit in a sideways fashion. Try setting up your own Amazon AWS server and DDoS'ing it using several kinds of tools, for example.

You could also test your skills as a hacker (legally) on real websites and earn a little bit of dough on security bug bounty programs. Hackerone offers a directory of such programs.

Answer 10

First of all you should consider which kind or area of pentesting would you like to start. For example you may start looking for vulnerabilities in webs (OWASP, CTF's), you may start looking for open ports and analyzing which services are running (seeking information about exploits for the current version), etc.

I recommend the first one. First because is easiest to understand, second because is most common find a vulnerability in a bad coded web than in a system, and third because there are a lot of material about the subject and free challenges where you can test your knowledge (CTF's)

Answer 11

Though I am no expert, I did spend quite some time with Foundstone's Hacme Bank (just thought it would be nice to add this one too).

Answer 12

You want to start from the basics? Jump to 0:57

Nearly all exploitation exists because we exploit Von Neumann architecture. Any time you can possibly treat data as code, you have an attack vector. It doesn't matter what the architecture is, what the platform is, what the technology stack is... modern web applications cross multiple contexts: HTML/Javascript in the browser. (Attack vector!)

Exploitation means you're getting your target to execute your code. That's the point behind SQL injection, XSS, shellcodes -- about everything! If you want to learn to be a pentester... get the "Pentester's Open-Source toolkit." (There's free versions legally obtainable.)

Defcon lectures are available freely, and they're some of the best overall classes I've ever taken. But more than anything else: you have to get your hands dirty. You mentioned webgoat. Did you install Tamperdata on firefox? Did you install wireshark? Hacking is about having as many tools as possible collecting data so you know what's going on. This video talks a lot about monitoring... everything...

https://www.youtube.com/watch?v=Jwot7S6NmLE

Answer 13

For Web App Security you might want to try

• https://hack.me

I might be biased but it's the only free virtual lab on the subject ;)

Answer 14

The best way to learn is by doing. I am not suggesting anything illegal mind you, but see if you can get a pen-testing gig. Find a local small business and do it pro-bono. Find a church and offer your services to them. Just a few suggestions if you go this route:

• Have them back up before you do anything!
• Just start out by doing passive and active recon.

I know port scanning isn't necessarily the glamour of pen testing, but it's a good place to start.

Edited answer

Updating my answer since so many downvotes. I maintain that the best way to learn is to do, but STRONGLY state that you should not ever hack any company without express written consent from the owner, and even then, you should get a lawyer involved (IMO). Also to the points below, if you don't know what you are doing, you can brick something. It's better to learn on your own stuff. So,

Don't hack. Stay in school. Don't do drugs.

Now that the disclaimer is done:

I have started checking out a few tools with Kali Linux (formerly backtrack), and there are a lot of great tools there. The one I'm on right now is DVWA (damn vulnerable web application), which has a customize-able security level for you to try your hand at CSFR, XSS, Brute Force attacks, SQL injections, Remote shell execution, etc. There are a few other resources like this, a google search will reveal it. Just think, "what do I want to pwn?" if the answer is systems, networks, or applications, include that in your search.

A few more resources:

• DVIA (for the mobile lovers)
• the Aforementioned DVWA
• DVL for the linux haxxors