Hello Ethical Hackers! Today I share with you the best hacking books I enjoyed reading since the beginning of my career in Information Security! I will constantly update the list as I read more, but you already have enough hacking books to get you started in the information security industry. It also contains some advanced hacking books for those who want to level up their hacking skills.
This content uses referral links. You can choose to support me while I continue delivering more and more hacking content. With that said, let’s dive right into the first hacking book!
This is a hacking book for bug bounty hunters. Peter Yaworsky introduces bug bounty hunting to beginners and pragmatically explains the different vulnerabilities. For each vulnerability, he gives examples of reports from Hackerone’s Hacktivity, which is where HackerOne‘s bug bounty reports get published. I talked about in a previous episode. At the end of the book, he shares a bug bounty methodology using well-known tools.
It is the first hacking book I read when I started doing bug bounty hunting. You can get a free copy when you register an account on HackerOne. You can read it in one day! If you are a beginner in the bug bounty field, give it a try. You won’t be disappointed!
This is the first hacking book I have ever read about penetration testing, and boy was it helpful! If you have limited knowledge and want to kickstart your hacking skills, this is a must-read. I had practically zero knowledge of ethical hacking and penetration testing, but this hacking book opened my eyes wide open!
It teaches penetration testing as a methodical approach, explaining each step at a time. During each phase, you will learn the different concepts, tools and techniques that every penetration tester uses in real-life engagements.
If you want to learn and practice low-level programming and exploitation of buffer overflow vulnerabilities, this book is for you! I remember tackling the Buffer overflow challenges on root-me, and this book gave me a strong boost! I was able to easily understand how they work, what protections usually mitigate them and how to bypass those mitigations as well!
In fact, it starts easy and covers programming in C and bash scripting. It explains various communication protocols and how to interact with them. But the meat of the book is Buffer Overflows. The author has great teaching skills that will make you understand the concepts behind buffer overflow before you know it! It illustrates them with simple examples that you can replicate using the Live CD that comes with the book.
When I barely started exploring the world of hacking, I came across Kevin Mitnick, dubbed as “The Most Wanted Hacker”! I wanted to know how he earned that fame, so I read this book, which is an autobiography. Throughout the thrilling chapters, Kevin Mitnick tries to rehabilitate his image by explaining the details of his hacking journey. They include why and how he hacked many companies, how he has been monitoring the FBI agents who followed him, how he hacked the prison’s phone system and how he has faked his identity many times.
It’s not a hacking book in the sense that it doesn’t teach technical concepts, but it is a great read full of thrilling moments if you want to explore the inner-working of a hacker mindset. Plus, the reader will learn why hacking outside the law can be troublesome!
This hacking book is the bible of web application hacking. If you seriously want to learn how to hack web applications, this book is a must. I read it two times, and let me tell you that it’s so heavy! It presents different angles to attack every web application. Throughout the book, the authors illustrate some real-world examples, present different payloads and explain the hacking concepts in a very detailed way. From application mapping to Business Logic errors, you will learn it all! I suggest you take the time to read and grasp each chapter. Also, take notes while reading as it would help you remember where each topic is located when you want to revisit it. And trust me, you will have to revise it!
This is another hacking book of Kevin Mitnick where he narrates some mind-blowing hacking stories! If you want to explore how creative hackers can get and how far they can go, then this is a must-read! I read it two times because it is so entertaining, educating and thrilling at the same time.
Perhaps the most epic stories I enjoyed reading were the Casino Jackpot hack and the Stealing of a huge Software from outside. Both stories contain so many creative ways of breaking into a system, but I won’t spoil it for you! Give it a read and tell me which stories you have enjoyed the most.
This hacking book covers many hacking tactics used by cybercriminals, but also by advanced ethical hackers during an engagement, especially red team ones, which have wider scope and allow more freedom for ethical hackers to simulate advanced attacks.
I liked the fact that it draws different scenarios for attacking a fictitious bank, which greatly increases its content value. In fact, it breaches the perimeter both using a phishing campaign and hacking the external servers. To add more value, it starts with the tactics you can perform to stay anonymous. When I read this hacking book, I immediately remembered the Software story from the Art of Intrusion book I mentioned earlier. Only this time, I’m witnessing the hack in a very technical perspective.
Throughout this awesome hacking book, you will get to learn the thinking process of a determined hacker as he or she slowly, but surely, infiltrates a fictitious bank IT infrastructure. You will also discover the different hacking tools that can be used for each phase of the engagement.
Hello ethical hackers! Today I share with you an account takeover I achieved during a recent penetration testing of a web application. For those who don’t know know what an account takeover is, there is a dedicated section for that. From there, I will explain how I enumerated all the endpoints. Then, I will walk you through the steps I took to gain access to the highest privilege account. It is going to be a fun and rewarding episode, so stay with me until the end!
Account takeover definition
Account takeover happens when an attacker, with low or no privileges, can take control of another account without authorization. For example, you can find customer account takeover in e-commerce platforms or any other service which manages user accounts.
Is account takeover a vulnerability?
I see account takeover qualified as a vulnerability. However, I don’t think this should be the case. In fact, I tend to describe it as a result of one or more vulnerabilities. Just like a data breach can be the result of a SQL injection vulnerability.
Account takeover scenarios
Based on the distinction we have just set between vulnerability and its outcome, many vulnerabilities can lead to account takeover. For example, you might have an open redirect vulnerability which leaks the user token upon login. In this scenario, an attacker can take over the victim’s account by simply clicking on a malicious link. There are many reports demonstrating account takeover on HackerOne’s Hacktivity, so make sure to check them out.
In the remaining of this episode, the scenario involves unauthenticated endpoints which, once combined, result in a full account takeover without user interaction.
Since this application had a separate front-end, I collected all the API endpoints. It is a tedious task, but it’s rewarding in the long run. I found many endpoints, but the most interesting ones were the user sign up feature, password resetting based on the user identifier and account listing based on the user email. You will see why shortly!
Before account takeover
Before I found how to achieve account takeover, I first tested the endpoints I collected earlier. During application mapping, there was a registration form which returned an error. I thought maybe it’s broken and I moved on. However, I now understand what’s happening.
The debug interface
It turns out that the application sends a confirmation email to the user. However, the mail server was down. Besides, the sign up requires approval from an employee. How did I know that? Well, I found a debugging portal on another port on the server which disclosed all the operations, including the back-end responses. One of them contained a mail server connection error, and another one returned the ID of the newly created user, which means that it has been successfully created, but not yet active.
Bypassing the approval step
If you recall, I mentioned earlier that I found a password reset API endpoint that uses the account ID. Guess what, I have the new user ID. So I quickly send the request. To my surprise, the response is positive and I can now log in as the new user without approval from an internal employee! As a bonus, I have a limited admin role, which is not as powerful as the System Admin, but it’s a good start to hunt for the ultimate account takeover. Sadly, the user identifiers were long and random, also known as UUIDs. Therefore, I needed a way to enumerate them.
Information disclosure to the rescue
Inspecting the debugging portal reveals exhaustive details about this specific feature, including the SQL query, which happened to be using the LIKE operator in the WHERE statement. The SQL query resembled something along the line of select email from user where email LIKE ?. Although there is no SQL injection, I can still use the percent character %, which returned the entire users from the database! A massive information disclosure!
System admin account takeover without interaction
We now have all the ingredients to get that System Admin account. Matter of fact, I didn’t know there is one until I dumped the entire database with that information disclosure vulnerability. I now have the System admin ID, which I use to reset the password, therefore achieving full account takeover of the System Admin user.
In terms of the impact, I essentially got full access to the application as the highest role possible, without any interaction from the victim.
Hopefully, you learned a trick or two on how to achieve account takeover during a web application penetration testing using a black-box approach.
Account takeover is one of the biggest security flaws. Depending on the level of access, attackers can compromise the entire web application or even the whole infrastructure. If you are a developer, I hope you learned why you must always implement authentication and access control on privileged endpoints. Besides, I recommend you request a penetration testing early in the development life cycle. That way, you will avoid any design flaws or business logic errors that will become expensive to patch later.
Hello ethical hackers! In this episode, you will learn everything related to OSCP certification. What is OSCP? Why is it a strong certification? What sets it apart? What are the requirements? How to properly prepare for the exam? What to do the day of the exam? And what’s next once you earn your OSCP certification?
OSCP Certification introduction
OSCP stands for Offensive Security Certified Professional, it is Offensive Security‘s most famous certification. Everyone in the industry respects it, and for good reason. In fact, it proves that its holder can perform a penetration testing assignment using a methodical approach and can write a professional pentest report to deliver to the client. Moreover, it demonstrates that its holder can work under pressure and think outside the box when conducting penetration testing. By the way, the motto of OSCP is Try Harder!
OSCP Syllabus, course material, the lab and more
This certification has a syllabus that covers key aspects of penetration testing, it comes with the PWK course, a lab for training and a video package to support the course.
OSCP covers many penetration testing areas, from information gathering to exploitation. You get to apply your knowledge on various Linux distributions and Windows versions. These machines run a plethora of services. But perhaps the most important aspects I really enjoyed learning was SSH tunnels, privilege escalation and buffer overflows.
With the new 2020 update, this certification offers even more value, especially with the introduction of Active Directory hacking and Empire, which are essential in most real-world infrastructure penetration testing.
PWK course and videos
You won’t pay for the certification voucher only, the price covers the PWK course, which is a PDF file that goes from the basics to the advanced hacking techniques throughout the different chapters. You will learn some Linux commands to work in the terminal, most of the basic web application vulnerabilities, basics of buffer overflow, Active Directory hacking, SSH tunnelling, etc. Each chapter or section comes with a set of exercises that help you apply your knowledge. Besides, if you join the solutions to your final report, you will get 5 extra points.
To support the course PDF, you will get a set of videos that go through the whole concepts in the PDF and demonstrate the concept in practice.
The OSCP lab, price and why I chose it
When I wanted to get certified, I had many certification options. However, I chose OSCP because it provides many key points I was looking for:
It has a hacking lab to practice the course material: I love learning through practice and the lab in the OSCP course is amazing. You will have to breach the perimeter, then work your way through until you own the entire infrastructure.
The exam involves performing actual penetration testing on a new lab and write the report: I wanted to get a great value for the price I am paying and the OSCP exam is also practical, which means that I will apply what I have learned in yet another lab.
With the previous points, the price is reasonable compared to other certifications.
It is respected in the security community: This is reflected in both job offers and the salary. Almost all security offers from junior to senior level include OSCP among the other security certifications. This means that you don’t get a piece of certifying paper, but you actually increase your value in the job market.
Alright, now that you have a general view of what the OSCP is, let’s see what do you need to get it.
OSCP requirements before you apply for it
Although you don’t need prior hacking knowledge to go through this certification, I highly recommend you get comfortable at lease with the basics. OSCP is not for the faint of heart. If you under-estimate it, I doubt you will stand for long.
These are the things I recommend you learn:
Get yourself comfortable working with the terminal
You will spend most of your time on the lab working on remote machines which are only accessible through SSH. Even the Windows machines won’t be exploitable unless you use the command prompt to run your exploitation scripts. Therefore, it is essential to learn at least the basic Linux terminal commands that will help you navigate through the filesystem, install software, copy files around and connect to remote servers.
Learn the basics of web
There is a considerable amount of web applications in the lab, so I advise you to learn how they work. Take your time to understand how the HTTP Protocol works, what is the difference between the client and the server, etc. This will ease your way through the course as you will already have a general view of what they are talking about.
Learn and practice basic hacking techniques
Although the OSCP course teaches you the hacking techniques and concepts from the beginning, I recommend you learn them beforehand. That way, you can quickly go through them and focus on more advanced concepts like exploit development, SSH tunnelling and looting all the machines in the lab. There are many hacking websites which will help you achieve that. They offer great challenges that you can play with, solve and learn along the way. Feel free to read the dedicated article about it.
Practice your skills on boot2root machines
Once you feel comfortable with the hacking challenges, I encourage you to take more time to root some machines. This will allow you to adapt to the kind of hacking activity that you would find during the OSCP lab and the exam. The article I mentioned earlier contains a list of the websites where you can achieve that.
Code something with Python
Many exploits are available in python, and sometimes you will have to modify them to work for your situation. Therefore, knowing Python will help you take full advantage of the labs and speed up your hacking process. Besides, since Metasploit is forbidden in the exam apart from one shot, you have to convert one or two modules to your own Python scripts as a means of practice during your exam preparation.
Understand basic C code
The OSCP course contains a full chapter on Buffer Overflows. Although the concepts are basic, you will still have a hard time understanding and building your exploits if you don’t know anything about the C language. Besides, some machines require you to customize some C code in order to successfully exploit the vulnerability.
The process of applying for OSCP
Do you already have what it takes? Good! You can apply for it online and receive your package. You have three options, either 1, 2 or 3 months of lab access. I recommend you take the 3-month package so that you give yourself enough room for practice.
Expect to present a proof of identity and to use a corporate email. If you don’t have the latter, you can contact the support and tell them that you have no corporate email.
Once the payment is processed, you will get your package containing the course PDF, videos and the VPN access for the lab.
OSCP preparation for the exam
Preparation for the exam starts right when you receive your course material. See, there are some key points I want you to know from the beginning.
Do the course exercises and document them as you go
You will feel lazy solving the exercises and documenting them as you go through the course, but it’s a crucial thing to do. See, documenting your progress and taking notes is a soft skill that you should have if you want to develop quickly. It has two benefits, the first one is that you will secure your extra 5 points in case you need them to pass the exam. Secondly, you will develop the habit of taking notes, which will help you during the exam. Which brings us to the second advice.
Take organized notes
You don’t want to redo all the exploit research, rebuild all your exploits or start Googling how to transfer files between machines during the exam. Everything should be noted beforehand. Your exploits should already be built and organized. Your payloads should be well structured. This will save you tremendous time during the exam.
Take your time to root all the machines in the lab
I recommended you to apply for 3 months of lab access so that you give yourself enough time to grasp, practice and hone your hacking skills on the lab. A friend of mine had a full-time job, a family and purchased one month. Although he was really smart and had already the skills, he simply couldn’t keep up with so many duties on his plates.
Once you root all the lab machines, I think you will be ready for the exam. It’s not a requirement, but I highly recommend you do it first.
As you might have already known, the OSCP exam is 24 hours long and you have to score at least 65 points to pass. I say 65 because you can send the exercises solution along with the exam report and get 5 extra points, which would complete your minimum 70 points to pass the OSCP exam. You won’t have to pivot between the machines though, each one is separate.
Here is a list of tips that will help you the day of the exam:
Revise your notes
You should have all your notes at your hand. That’s when your prior preparation and documentation will pay off. The notes should contain your code snippets for various tasks such as connecting to different services, transferring files using different methods, bind and reverse shells, your exploits already built and grouped by target OS, etc.
Don’t upgrade your Kali machine
Just work with the version you had throughout the course. Upgrading your machine can introduce surprises that will force you to waste your time troubleshooting instead of solving the exam challenges.
Take regular breaks
You can’t stay productive the entire exam without food and good hydration. So, reserve some time for breaks, it will make you feel better, refreshed. Sometimes, all you need is another perspective, which you can’t get when you are stuck in front of the computer. You just have to notify the proctor, as explained in the official FAQ section.
Start with the Buffer Overflow challenge
One of the machines contains a buffer overflow vulnerability that you will be able to solve without problems if you had solved the one in the course. I recommend you start with it first. This will boost your confidence to tackle the remaining ones.
Hopefully, you are now certified OSCP, congratulations! You have proved that you “tried harder” and you now have the skills required to conduct penetration testing in the real world. However, this is not the end of your journey and you are certainly not an expert. OSCP is a great beginning for a bright future in penetration testing, so don’t waste it! Think about niche areas you want to focus on. For example, you may want to learn more about exploit development, web hacking or Active Directory attacks. Learn the subject and pursue some certification in the field.
Other questions you may ask
OSCP vs CEH: Which is the best?
For me, the short answer is OSCP. The long answer is…it depends! See, CEH is great if you are barely starting in the infosec industry and you still want to quickly get a job even if you don’t have enough practice. In fact, it is recognized by most companies and most of the candidates would have it. So it makes sense to apply for it when you are just starting.
However, I don’t think we should compare it to OSCP. In fact, the exam is a 4 hour Multiple Choice Questions. If you want to become a CEH Master, then you have to pass the 6-hour exam which contains 20 mini-challenges. So, both challenges combined are less than 50% of the 24-hour exam challenge on the OSCP. Besides, OSCP wins at the price as well. In fact, with three months of lab access, the total price is 1349USD, compared to 1898USD for the CEH (The Multiple Choice Questions and the Practical exams, plus registration fees). In my opinion, if budget is a concern for you, you may want to apply for CompTIA PenTest+ instead.
Is a certified OSCP salary higher than CEH?
According to payscale.com, the average OSCP salary is 91,538USD, compared to 82,164USD for CEH at the time of writing this article.
Certifications are a good way to prove that you possess a set of skills, and OSCP is a great one for penetration testers. However, getting certified shouldn’t be the goal. In my opinion, the focus should be on acquiring and applying your hacking skills. That’s what counts!
I hope you found this content helpful and wish you good luck in your OSCP journey. I encourage you to subscribe to the newsletter and receive an article every Friday to end your week on a hacking content. If you are new to hacking and want to learn the basics, read the OWASP Top 10 theory and hands-on article on thehackerish.com and apply your knowledge on the lab which supports them. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 Youtube playlist.