Penetration Testing in general and hacking questions


digip

So I received a message from one of our fellow members on the forums. Maybe this should be stickied, maybe just moved to another thread, but the answer I gave applies to pretty much everyone's questions on how to get started in hacking. DigiNinja did a whole questionnaire as well as a few talks on the same subject answering much of the same things, so I would suggest anyone having similar questions go seek out his talk on YouTube. I'd post the links but I don't have them handy. They may even be on his site. Below was the question posted to me though, and my answer, and I hope it helps anyone looking for help in the same areas.

-----------------------------------------------------------


Hi Digip, something very important info I need: if I wanna learn penetration testing, network & web based, what books should I go for? The problem is that I want to be steady with Kali Linux. Most of the stuff outside is based either on Backtrack or something else. Will you please suggest how to get straight with the latest?

Awaiting your prompt reply

Faithfully
skorpinok.

Backtrack and Kali have much of the same tools installed. Kali is just 1, more stable, 2, more Linux file system compliant, and 3, long term support with many new additions.

As for books, I'm self taught up till now and am taking the OSCP class. If you want to learn it without taking a course, best place to start is 1, download either distro, 2, set up some virtual machines on your home network and 3, dive right in. Use places like YouTube and SecurityTube, especially SecurityTube, for demos of tools found in both distros, but also the kali.org and backtrack-linux sites and their forums, as well as wikis and documentation. Hacking is not exactly something one can learn by reading alone. It will get you started on terms and familiar with concepts, but in reality hacking only happens by trial and error. No amount of books will change this other than one that took every question you had, and was written specifically to hold your hand and walk you through each hack, and there are no such books.

People and conference talks I would look to for videos: Derbycon conference videos, Defcon archives, Georgia Weidman and Raphael Mudge (for Metasploit and Armitage demos, classes). Georgia even gives online classes regularly and has lots of talks online for free, hence check out SecurityTube.

For reading, IronGeek's site has a shit ton of documentation, videos, links and more, and should also be on your list of things to dive into.

There is no quick answer. It takes time, patience, dedication, lots of self searching, trial and error, and perseverance to get anything out of hacking, and it's not the distro you use. It's not the tool someone else wrote. It's curiosity, not being afraid to try something new, and spending hours upon hours of trying one simple thing, that might take someone else 3 lines of code to do, but so long as you do it, you learn as you go, just like the rest of us. I'm also going to post this in a thread, since this is more or less helpful to everyone, and hopefully can answer people's questions.

-------------------------------------------

Anyone who has other suggestions, answers to give for the above question and topic in general, please feel free to add, such as books to help point in the right direction, classes to look into, sites, etc.

There are more I could have listed, but for me, hacking is not something one simply sits down to do and "poof" magic happens because you booted Linux and suddenly you're mr leet haxor (and no, that is not directed at the person asking the question, it's a general comment for anyone thinking it makes a hill of beans difference what you use).

Hacking starts with yourself, desire to learn, curiosity to tinker, self discovery and hard fucking work to research anything you want to learn. Most of us are self taught. I am, and would have loved to have been able to go to school for computers, find local 2600 meetings in my area or have a mentor, but the truth is, I had none. I learned what I know on my own, as I think most people have. Sure, some of you have taken a class on programming, so you may have a one up on others when it comes to understanding the fundamentals, but don't be deterred. Johnny Long, infamous creator of the GHDB, was self taught, and spawned a whole industry of OSINT hacking by simply trying things on his own, and networking with like minded people. This I would say, is your best bet as well.

You can read all the books you want, and try all the tools in the world, but if you don't get your hands dirty actually trying things, learning how and why things do what they do, or how a tool works in the first place and what it's actually doing to make that happen, you won't be learning. You will be regurgitating and repeating nothing more than documentation on how to carry out a process, and that isn't hacking.

For me, hacking is the desire to tinker, play, invent, and use your curiosity to learn as much as you can about something, and that takes time, and dedication. You can't get that from a book, or a tool. You can only get that from doing it yourself, and if you are not much of a self starter, well, there is no time like the present to start! I don't consider myself leet, or even a tenth knowledgeable about things regarding high end hacking techniques. That doesn't stop me from learning every day, and poking away at something for hours, that might take someone 5 minutes to do.

You want to learn, you have to put in the time and effort to do so. There is a famous quote, one Mati uses in the OSCP course, taken from Abraham Lincoln. If I had 8 hours to chop down a tree, I'd spend 6 hours sharpening my ax. The same goes for anything you do in life, not just hacking. If you don't have the time to dedicate to researching and trying, even if you don't understand or know where to start, you won't ever get anywhere. Not to be cliché, but if you want to learn to swim, jump in the water and get started! (Just make sure you have a life vest on first. Some of you aren't very good swimmers, myself included...)

- DigiP

Thanks for this suggestion, greatly appreciated. Like you said, it takes a lot of time, patience, trial & error, and most of us are self taught.

Edited by Skorpinok W7PC
  • 2 weeks later...

I was just watching this edition of Hak5 from January 2011 where Raphael Mudge walks us through Armitage - a hacking tool based on Metasploit with a nice GUI front end.

http://www.youtube.com/watch?v=Z0x_O75tRAU

(starts at 8 minutes in)

As a noob I am going to give that a whirl.

It's not "based" on Metasploit, it is a Metasploit GUI frontend with collaboration added and I'm sure other features.
