We gather some interesting resources that can be useful if you plan to become an ethical hacker. Do you know any more?
After a successful series of articles where we show a guide for those who start in computer security and some resources to start learning, many of our most habitual readers were asking us “how do I become an ethical hacker?” And have asked for some specific resources.
So after exchanging ideas with some of the members of the ESET Lab, I gathered some interesting resources that could be useful if you were to become an ethical hacker.
First things first: the methodology
Defining a methodology for testing will allow you to efficiently develop tasks.
The first step is to know a methodology that helps you organize your work. The tools are very varied, some have more or fewer functionalities, so as you develop, you will change them.
Having a defined methodology to do the tests will really give you the structure to efficiently develop the tasks, beyond the tools used.
Perhaps one of the most well-known options is OSSTM, one of the most complete standards and that is usually most used when it comes to security audits in systems. This methodology includes a complete framework of work with the phases that an audit of this type should comprise.
If you are interested in testing the security of web applications, you can find an excellent methodological option in the OWASP Testing Guide v4, and if you prefer it in Spanish there is also a preliminary version already translated.
On the other hand, a very interesting book to get started on these topics is Ethical Hacking, a methodological approach for professionals written by Ezequiel Sallis, Claudio Caracciolo and Marcelo Rodríguez, and which contains the precise information to start your journey as an ethical hacker.
From the theory to the practice
Once you have the methodology clear, the next step is to arm yourself with the right tools to start performing the tests; At this point, the most controversies are usually generated, since there are many very good ones and in the end it becomes a matter of taste to choose which one to use.
To begin with, you must choose a system to work on. As a starting point it is recommended Kali Linux, which already includes a lot of tools to do many types of tests. Already with the time and experience that you will be acquiring, surely you will be debugging your testing environment and migrating to other alternatives such as BlackArch or even other free distributions that go around the network.
Now the question you might be asking yourself is which tools to use and how to do it. And at this point, we again find a wide variety of options. Next, I leave you a list with some options.
- Metasploitable is one of the most popular virtual environments to test the functioning of tools and the demonstration of different vulnerabilities
- OWASP WebGoat Project Contains more than 30 lessons to test the exploitation of different types of vulnerabilities.
- OWASP Hackademic Challenges Project contains a series of challenges to test your knowledge in realistic environments
- SQI-LAB is a platform to test different scenarios of SQL Injection
- Moth is an image of a virtual machine with a variety of vulnerable applications to test different types of tools.
- Mutillidae II is a quite complete training environment for you to practice a wide variety of skills.
- Peruggia is a testing environment to test the most common attacks that may arise during a security audit
- GameOver is an environment for those who start with web security issues
- BodgeIT Store is a vulnerable web application very useful for those who start pentesting.
- DIVA is an Android app designed in an insecure way, for those who want to focus on the part of mobile devices.
With the above, you already have a good amount of resources to get started in this interesting world of ethical hacking.
As surely as you read a large number of additional options come to mind, I invite you to comment below and help us enrich this list.
Also published on Medium.