The best hacking books for ethical hackers
Hello Ethical Hackers! Today I share with you the best hacking books I enjoyed reading since the beginning of my career in Information Security! I will constantly update the list as I read more, but you already have enough hacking books to get you started in the information security industry. It also contains some advanced hacking books for those who want to level up their hacking skills.
This content uses referral links. You can choose to support me while I continue delivering more and more hacking content. With that said, let’s dive right into the first hacking book!
Web Hacking 101: How to make money hacking ethically
This is a hacking book for bug bounty hunters. Peter Yaworski introduces bug bounty hunting to beginners and pragmatically explains the different vulnerabilities. For each vulnerability, he gives examples of reports from HackerOne’s Hacktivity, which is where HackerOne’s bug bounty reports get published. I talked about it in a previous episode. At the end of the book, he shares a bug bounty methodology using well-known tools.
It is the first hacking book I read when I started doing bug bounty hunting. You can get a free copy when you register an account on HackerOne. You can read it in one day! If you are a beginner in the bug bounty field, give it a try. You won’t be disappointed!
The Basics of Hacking and Penetration Testing
This is the first hacking book I have ever read about penetration testing, and boy was it helpful! If you have limited knowledge and want to kickstart your hacking skills, this is a must-read. I had practically zero knowledge of ethical hacking and penetration testing, but this hacking book opened my eyes wide open!
It teaches penetration testing as a methodical approach, explaining one step at a time. During each phase, you will learn the different concepts, tools and techniques that every penetration tester uses in real-life engagements.
Hacking: The Art of Exploitation, 2nd Edition
If you want to learn and practice low-level programming and exploitation of buffer overflow vulnerabilities, this book is for you! I remember tackling the buffer overflow challenges on Root-Me, and this book gave me a strong boost! I was able to easily understand how they work, what protections usually mitigate them and how to bypass those mitigations as well!
In fact, it starts easy and covers programming in C and bash scripting. It explains various communication protocols and how to interact with them. But the meat of the book is Buffer Overflows. The author has great teaching skills that will make you understand the concepts behind buffer overflow before you know it! It illustrates them with simple examples that you can replicate using the Live CD that comes with the book.
Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
When I had barely started exploring the world of hacking, I came across Kevin Mitnick, dubbed “The Most Wanted Hacker”! I wanted to know how he earned that fame, so I read this book, which is an autobiography. Throughout the thrilling chapters, Kevin Mitnick tries to rehabilitate his image by explaining the details of his hacking journey. They include why and how he hacked many companies, how he monitored the FBI agents who followed him, how he hacked the prison’s phone system and how he faked his identity many times.
It’s not a hacking book in the sense that it doesn’t teach technical concepts, but it is a great read full of thrilling moments if you want to explore the inner workings of a hacker’s mindset. Plus, the reader will learn why hacking outside the law can be troublesome!
The Web Application Hacker’s Handbook
This hacking book is the bible of web application hacking. If you seriously want to learn how to hack web applications, this book is a must. I read it two times, and let me tell you that it’s so heavy! It presents different angles to attack every web application. Throughout the book, the authors illustrate some real-world examples, present different payloads and explain the hacking concepts in a very detailed way. From application mapping to Business Logic errors, you will learn it all! I suggest you take the time to read and grasp each chapter. Also, take notes while reading as it would help you remember where each topic is located when you want to revisit it. And trust me, you will have to revise it!
The Art of Intrusion
This is another hacking book by Kevin Mitnick where he narrates some mind-blowing hacking stories! If you want to explore how creative hackers can get and how far they can go, then this is a must-read! I read it two times because it is so entertaining, educational and thrilling at the same time.
Perhaps the most epic stories I enjoyed reading were the Casino Jackpot hack and the theft of a huge piece of software from outside. Both stories contain so many creative ways of breaking into a system, but I won’t spoil it for you! Give it a read and tell me which stories you have enjoyed the most.
How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK
This hacking book covers many hacking tactics used by cybercriminals, but also by advanced ethical hackers during an engagement, especially red team ones, which have wider scope and allow more freedom for ethical hackers to simulate advanced attacks.
I liked the fact that it draws different scenarios for attacking a fictitious bank, which greatly increases its content value. In fact, it breaches the perimeter both using a phishing campaign and hacking the external servers. To add more value, it starts with the tactics you can perform to stay anonymous. When I read this hacking book, I immediately remembered the Software story from the Art of Intrusion book I mentioned earlier. Only this time, I’m witnessing the hack from a very technical perspective.
Throughout this awesome hacking book, you will get to learn the thinking process of a determined hacker as he or she slowly, but surely, infiltrates a fictitious bank’s IT infrastructure. You will also discover the different hacking tools that can be used for each phase of the engagement.
How to hack like a God
If you enjoyed reading the previous book, How to hack like a P***star, I bet you will have already read this one! If you didn’t, here is my experience with the book.
In fact, the narrator walks you through the journey of hacking a fictitious fashion company, from no access to full control.
This time, instead of breaching the DMZ remotely, the hacker implants a malicious Raspberry Pi into one of the stores. Once he connects to it from the front gun server, he uses multiple techniques to escalate his privileges and take control of the domain hosting the store. From there, he abuses domain trusts to expand his presence, eventually taking full control of the entire company and exfiltrating sensitive data from the mainframe.
Throughout the entire journey, you get to see exactly how the hack is planned and executed down to the technical details and the code snippets, without compromising the thrilling part of the story plot.
If you enjoy reading novels and you want to step up your hacking game, this is a must read!
How to Hack Like a Ghost: A detailed account of a breach to remember
Continuing with this amazing saga, the author describes how to hack a target through a partner by compromising the partner’s software. The scenario is similar to what happened in the SolarWinds hack.
The hacker walks through all the stages of the kill-chain. During the process, he demonstrates how to bypass some advanced security protections such as Microsoft’s Advanced Threat Analytics, PowerShell script block logging and SIEM solutions.
It is very satisfying to see a full compromise of a target after a journey full of hurdles, frustration, determination and skills.
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
In this book, the cybersecurity journalist Kim Zetter tells the story of the first digital weapon, which ushered in the age of cyber warfare. Stuxnet was the malware that sabotaged the Iranian nuclear program for years without detection.
Throughout the book, the author covers many facets of the story. For instance, you will learn the history of the Iranian program before it even started. Besides, you will discover the geopolitics of the Western world and the Middle East that influenced the chain of events. Furthermore, you will explore the tactics and techniques used by the state-sponsored threat actors to sabotage the Iranian nuclear program.
The author strikes an outstanding balance between the engaging plot and the technical details. You will feel as if the author is painting the cybersecurity picture with its different colors and shapes.
I am sure you will hold your breath in suspense as you encounter the twisting events of this incredible story. If you want a story about hacking, this book is for you.
How to hack like a Ghost: Breaking the Cloud
The new ethical hacking book of the “How to hack like” saga focuses on the Cloud and its supporting technologies. As with the previous books by the same author, I enjoyed the realistic plot. This time, the target does not have Active Directory and hosts all its services on the Cloud. It operates in the advertisement industry. More specifically, it helps parties win elections through targeted campaigns.
The book takes the time to explain technologies such as Docker, Kubernetes, Chef, Terraform, etc. All of them support the accelerating pace of DevOps, which is adopted by competitive companies that don’t want to lose their business.
Throughout the hacking process, the tactics stay the same. However, we learn how to approach companies that have assets on the Cloud, re-evaluate vulnerability severity based on the new Cloud model, and experiment with esoteric technologies to achieve initial access, privilege escalation, credential access, lateral movement, data exfiltration and more.
I highly recommend this book for ethical hackers seeking some inspiration about approaching Cloud-based targets. However, it might be heavy material without some basic knowledge about the different DevOps technologies. Besides, it is perfect for every SysOps and DevOps engineer who would like to build secure IT infrastructure.