10

I am an IT student who wishes to seek a career in the field of Ethical Hacking, more specific in Penetration Testing.

Due to the nature of my course, none of my classes go deep enough into this subject so that I could just do this directly after graduating so I of course want to take a certification exam for this (I intend on taking the OSCP Certified Professional exam, at first at least) but because the course for this exam is time-limited (30 days of labs and then the exam itself) and because at the same time I still have to successfully graduate, I can't prepare for it at the moment.

This is a problem because I seriously doubt I (or anyone for that matter) can just jump right into this course without any preparation, so my question is what books are out there that I could read in order to gain some knowledge on the subject? I would prefer books that are as recent as possible to avoid reading information that is dated or has changed a lot.

Thank you

Spaawny
  • 101
  • 1
  • 1
  • 3

3 Answers3

9

As a penetration tester I don't think that books are the best medium, because there is no substitute for experience. Hunt for bugs in open source software, obtain CVE's and put that on your resume.

...That being said there are books that I have enjoyed and that i think are relevant to modern systems:

The Tangled Web

Cryptography Engineering (Formally known as Practical Cryptography)

Exploiting Software: How to Break Code

A Bug Hunters Diary

rook
  • 46,916
  • 10
  • 92
  • 181
  • Thank you for your advice! Of course practice makes perfect and in this case it seems practice makes... well... everything! :) I will take a look at the books and see what they are about and if they could help me. – Spaawny Aug 08 '12 at 10:06
6

To add to the answers provided, some personal favourites -

On a side-note, if you're a beginner and truly want to learn then books won't totally cut it (but I'm sure you know that).

From a practical perspective, have a look at this link so you can set up your own lab for testing.

Here's a previous answer worth reading also.

Community
  • 1
Mark Hillick
  • 2,124
  • 11
  • 14
  • Thank you Mark! Indeed I truly want to learn this because I want to make this into my "career". Setting up my own lab was indeed one of the problems I encountered and I thank you for the link in regards to this issue! The previous answer also contains a lot of information that I was looking for, so again thank you! I will for sure be keeping an eye open on security.stackexchange.com also from now on. :) – Spaawny Aug 08 '12 at 10:10
  • No worries, glad it was helpful. – Mark Hillick Aug 08 '12 at 13:02
  • 1
    As a heads-up the linked version of SQL Injection Attack and defence is the 1st Ed, and the 2nd Ed. is out now :) (http://www.amazon.co.uk/Injection-Attacks-Defense-Justin-Clarke/dp/1597499633/ref=sr_1_3?ie=UTF8&qid=1344441198&sr=8-3) – Rory McCune Aug 08 '12 at 15:53
  • Thx, I knew it was coming but didn't think he'd released it yet :) – Mark Hillick Aug 08 '12 at 16:30
2

For someone who is just beginning I'd recommend (in this order):

  1. The Web Application Hacker's Handbook
  2. The Tangled Web
  3. The OWASP Testing Guide (free)

These books should give more than enough information to get you started in testing web applications. Leave the OWASP Guide for last as it skips any introduction on how applications work.

Gurzo
  • 1,117
  • 6
  • 18