Ethical hacking is a learning journey that involves understanding cybersecurity principles, tools, and techniques used by hackers to identify and exploit vulnerabilities in computer systems. But where do you start? Here are some tips to assist you.
1. Get familiar with Kali Linux
Kali Linux is an open-source, Debian-based Linux distribution aimed at penetration testing and security auditing. It provides common tools, configurations, and automations.
Download and install a virtualization software like Oracle VM VirtualBox or VMware Workstation Player. Install Kali Linux or use the pre-built virtual machines. Refer to the official documentation.
Read about the tools that come with Kali Linux. You will be able to experiment with them on online learning platforms.
2. Online learning platforms
There are many online platforms that provide hands-on learning experience. Start with the beginner-friendly platforms below.
TryHackMe
If you want to learn about the basics but still want some hands-on exercises, register for free on TryHackMe. TryHackMe is divided into rooms, which are virtual classrooms dedicated to particular cybersecurity topics. Some rooms contain mostly reading material with questions and include a few hands-on challenges. Some tasks will require you to start a machine and connect to it with OpenVPN – which is already included in Kali Linux.
These rooms are a good starting point:
- Hello and OpenVPN – to learn how to use TryHackMe
- OWASP Top 10
- Advent Calendars: 2019, 2020, 2021, 2022, 2023
Root-me
If you want to start with hands-on challenges, you can register for free on Root Me. Choose challenges that have a high validation percentage – meaning people were able to do them. Read the documentation provided with each challenge to help you learn about that specific topic.
These easy challenges are a good start as they can be solved using any web browser:
After a few challenges, explore other categories, or start familiarizing yourself with Burp Suite on these challenges: Directory traversal, SQL injection – Authentication, and HTTP – User-agent.
Web Security Academy
Register for free on PortSwigger’s Web Security Academy. This platform is useful for learning about web attacks and getting familiar with Burp Suite – a web proxy used for web application security testing.
Download and install PortSwigger’s Burp Suite, or use the Community version that comes with Kali Linux.
Read the documentation on each lab topic before starting. Some web attacks can be complex; follow the suggested learning paths.
Capture the Flag (CTF)
The SANS Holiday Hack Challenge is a beginner-friendly CTF platform made by the SANS Institute. It is in a game format with a storyline and contains great ethical hacking content. This CTF includes easy “terminal” challenges that give hints for the main challenges. SANS also provides YouTube videos about topics related to the challenges.
This CTF happens annually during the holidays. Past challenges are fun learning opportunities, and the last three years of challenges are still available.
More advanced platforms
Other more intermediate or advanced platforms like Hack the Box are also available. Do not be fooled by the “Easy” machine rating… You can still make good use of this platform to practice your enumeration techniques.
The free version allows you to hack “active” machines. For “retired” machines, you need to pay for VIP access. Retired machines often have walk-throughs available on the Internet. Reading walk-throughs is also a good way to learn.
3. Videos & Podcasts
Subscribe to YouTube channels on ethical hacking:
- The Cyber Mentor – ethical hacking courses
- Cyber Insecurity – from former NSA hacker Neil Bridges
- PortSwigger – the creator of Burp Suite
- Hak5 – hacking tools & gadgets from Hak5
For true stories about hackers and cybercrime, listen to these podcasts:
4. Learn the basics
Ethical hacking involves some degree of curiosity and wanting to understand how things work. Use your Google skills to familiarize yourself with concepts such as:
- Operating systems: Windows, Linux and macOS
- TCP/IP protocols
- Programming: Python, Bash, JavaScript or any language of your choice
- Cybersecurity concepts, like encryption, authentication, access control, threats, attack vectors
5. Set realistic goals
Make a plan and set realistic goals for yourself. Keep track of your progress to stay motivated. This is a journey that will not happen overnight. Do not forget to take notes and stay organized in your learning.
And finally the most important thing… have fun!