How to learn penetration testing at home?
I am interested in learning ethical hacking or penetration testing to head towards a career in that direction.
I have a strong knowledge of linux and unix, basic computer theory and practice and basic programming knowledge (arrays, methods, loops).
I have looked at Gruyere and WebGoat; however, I find these to be too advanced for me. They ask you to solve a problem without sufficiently explaining the problem, why it can be used to attack, or giving examples.
Are there any free courses or interactive programs that I can do from home to teach myself this information?
Start from the basics. You can learn and understand vulnerabilities/exploits, but they are already patched! As a pentester you have to find new vulnerabilities before the bad guys. For that you need very strong basics: system-level/network-level basics.
I agree that you need to start from basics, but I do not agree that in order to be a pen tester you have to find 0-day exploits. Being able to show and explain the risks of not patching absolutely everything on a network is part of the job. That means knowing how to exploit known vulnerabilities and being able to find the holes a network didn't know it had. Enumeration is more important than exploitation ...
I personally found the security challenges to be a great way to learn (learn by doing). Meaning a testing environment that has some sort of goal: boot2root, capture the flag, etc. The test applications, like DVWA, are only helpful to a point (IMO). Some good security challenges are the vulnhub.com VMs: these cover web app security to reverse engineering (I think these are fantastic). Other good challenges are OverTheWire.org (all kinds) and pwnable.kr (systems challenges).
Free options are few, but there are tons of videos and tutorials on specific attack vectors or products/tools. They will NOT make you a Penetration Tester, but they are free learning resources.
Some decent options to start you off:
- Metasploit Unleashed: Learn an exploitation framework
- SecurityTube: various videos covering a multitude of topics
- Nmap: The standard network enumeration tool
- Web Application Hacker's Handbook: It's not free, but it is the bible on Web App Security
For practice, there are a number of resources:
- Metasploitable VM (and other purposely vulnerable VMs)
Do some searching on this site for other people offering opinions on free learning resources. But, the only way to learn is to get your hands dirty.
Keep working at it, and keep asking questions!
In addition to the links to tools, vulnerable practice apps etc., the Penetration Testing Execution Standard aims to be the definitive standard on how to approach testing: http://www.pentest-standard.org/index.php/Main_Page
You can put these on a virtual machine using VM Player and play around.
For learning I would look at different penetration testing methodologies like Open-Source Security Testing Methodology Manual (http://isecom.securenetltd.com/osstmm.en.2.1.pdf). These commonly give a list of things to check for. You can then take these checklists and look up various tutorials on the web on how to defeat the various technologies.
One of the better books I've read recently was Writing Security Tools and Exploits (http://www.amazon.com/Writing-Security-Tools-Exploits-Foster/dp/159749997/ref=sr_1_1?ie=UTF8&qid=1328592753&sr=8-1). It covers basic assembly, creating shellcode, tips on finding and writing buffer overflows, format strings, heap attacks and more. The book is a little dated and doesn't cover things like ASLR and NX, but gives a solid foundation with numerous examples with great explanations.
Information Security is a very wide field; it consists of various sub-fields: infrastructure security, application security, network security and so on. From your question I believe the field you are interested in is Web Application Security. WebGoat and Gruyere are two vulnerable applications dedicated to teaching the most common vulnerabilities in Web Application Security. This is the only subject they cover and explain.
In my honest opinion, the best way to start in web application security is reading the OWASP top 10 list and explanations, and then continuing to test web applications for vulnerabilities (of course only against your own QA machines or with the administrator's written consent). As mentioned, the Foundstone (now McAfee) Hacme series is very good, comes in many languages (so you might find a language you are familiar with) and comes with detailed tutorials on how to manipulate and break the Hacme applications.
For a more complete list of vulnerable applications and virtual machines, you may want to try the Vulnerable Applications Market.
Another excellent way to learn, although it is a bit old, is to pass the MSDN Security Labs which are free and teach a wide variety of subjects:
- Developer Starter Kit: Buffer Overflows
- Developer Starter Kit: Code Analysis
- Developer Starter Kit: Compiler Defenses
- Developer Starter Kit: Fuzz Testing
- Developer Starter Kit: Security Code Review
- Developer Starter Kit: SQL Injection Vulnerabilities
Most of the suggestions here point to some great resources and ideas. I recommend using VirtualBox for your VM test environment. Also, if you have the spare funds, get a TechNet Subscription so that you can build plenty of test boxes. I believe CERT or another organization also puts out some Windows-based VM images that you can download, but I can't remember for sure who does it or where to find them.
While I do prefer and recommend VirtualBox for running VMs, it should be noted that testing works best when all your VMs are running on the same virtualization platform. So, if you're looking to hack systems running in VMware Player, you should also have your attack system in VMware Player.
To add a bit to schroeder's excellent (+1) answer.
http://exploit-exercises.com is interesting; it's a couple of virtual machines with challenges to escalate somehow. Nebula teaches how to escalate from a normal account to root in flawed environments -- many of the solutions are standard tricks (don't trust environment variables, or run eval on user input, or make assumptions that the executable will be run as suggested).
Protostar/fusion are more advanced (e.g., buffer overflows).
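The Nebula lessons this answer lists (don't trust inherited environment variables, don't eval user input) have a defensive counterpart in everyday code. The following is an added example, not part of this answer or of the exploit-exercises.com material: it spawns a helper only by absolute path and argument list with an allow-listed environment (the allow-list and fixed PATH are assumptions for the example), and parses untrusted literals with `ast.literal_eval` instead of `eval`.

```python
"""Defensive counterpart to the Nebula lessons: spawn helper programs without
trusting the inherited environment, and parse untrusted input without eval().
Added example; not part of the original answer or of exploit-exercises.com."""
import ast
import os
import subprocess
import sys

# Variables a privileged program may safely pass through to a child
# (assumed allow-list for this example).
SAFE_ENV_KEYS = frozenset({"HOME", "LANG", "TZ", "USER"})
# Fixed search path: never inherit PATH from the caller (assumed value).
FIXED_PATH = "/usr/bin:/bin"


def sanitized_env(source):
    """Return a fresh environment containing only allow-listed variables.

    Anything that can change what code a child loads or runs (PATH,
    LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, IFS, ...) is dropped simply
    because it is not on the allow-list; PATH is then set to a fixed value.
    """
    env = {k: v for k, v in source.items() if k in SAFE_ENV_KEYS}
    env["PATH"] = FIXED_PATH
    return env


def run_helper(argv, source_env=None):
    """Run a helper by absolute path, as an argument list (no shell), with a
    sanitized environment. Returns (exit status, stdout)."""
    if source_env is None:
        source_env = os.environ
    if not os.path.isabs(argv[0]):
        raise ValueError("helper must be given by absolute path: %r" % argv[0])
    proc = subprocess.run(argv, env=sanitized_env(source_env),
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def child_sees_ld_preload(source_env):
    """Spawn a Python child (always present by absolute path) and report
    whether LD_PRELOAD from source_env reached it."""
    code = "import os; print('LD_PRELOAD' in os.environ)"
    _, out = run_helper([sys.executable, "-c", code], source_env)
    return out.strip() == "True"


def parse_untrusted_literal(text):
    """Parse a Python literal from untrusted input without executing code.

    ast.literal_eval accepts only constants, tuples, lists, dicts and sets;
    names, calls and attribute access raise ValueError/SyntaxError, whereas
    eval() would run them.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("rejected untrusted input: %r" % text) from exc


if __name__ == "__main__":
    # Constructed environment standing in for what an untrusted caller supplies.
    hostile = {"PATH": "/tmp/attacker-bin:/usr/bin", "LD_PRELOAD": "/tmp/x.so",
               "HOME": "/home/student"}
    print("sanitized:", sanitized_env(hostile))
    print("child sees LD_PRELOAD:", child_sees_ld_preload(hostile))
    print(parse_untrusted_literal("[1, 2, 3]"))
    try:
        parse_untrusted_literal("os.getcwd()")
    except ValueError as e:
        print(e)
```

An allow-list rather than a deny-list is the point: a program that only removes the variables it knows about still inherits the next dangerous one the loader or interpreter learns to honour.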
Download various PHP applications in the initial period, host them on your local server, and then try to find vulnerabilities in them using either of these 2 methodologies, whichever you like:
- OWASP testing methodology - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- WASC TC - http://projects.webappsec.org/f/WASC-TC-v1_0.pdf
If you do not have much knowledge about manual pentesting, then run Acunetix and Nessus against your hosted application on localhost, see the results they generate, and then try to exploit them manually using Burp Suite. That will give you a boost and confidence.
Then go for any of these methodologies.
Once you have expertise in this methodology, try to make your own testing checklist and add new test cases every time you find one.
Once you have done all this, go for a bug bounty program.
Bugcrowd is a very reputable bug bounty program, and here you can find the list of vendors on whom you can do a pentest. https://bugcrowd.com/list-of-bug-bounty-programs
This is how the whole process should go.
I have not read all the answers, but in order to learn about penetration testing and to do this for free you could try this set of tutorials by irongeek.com here: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
These are instructions for downloading an intentionally vulnerable web application called Mutillidae that you can use to practice pen-testing on. The application, Mutillidae, has hints that you can enable to learn from. If you have some sort of LAMP server you can just drop the folder into your server's www folder and access it on your local loopback address, 127.0.0.1. You also have to create some database tables in MySQL server, though, so this pen-test tool may be more advanced for you at the present time. Populating tables is not that tough, though. Nor is creating the necessary database. :D
This would be great to run on a virtual machine running Kali Linux or Ubuntu, especially if your machine has enough RAM and CPU power.
You can learn all sorts of things from this such as SQL Injection, Cross Site Scripting, and other types of attacks you can educate yourself on to be able to defend against through secure coding practices, etc.
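SQL injection and cross-site scripting, the two flaw classes this answer (and the OWASP Top 10 answer above) point at, come down to untrusted input being spliced into a query or a page as code rather than data. The following is an added example, not code from this answer, from Mutillidae or from OWASP: an in-memory SQLite table with constructed rows, the string-concatenated query beside its parameterized fix, and reflected output beside its HTML-escaped fix.

```python
"""SQL injection and reflected XSS beside their fixes, on an in-memory SQLite
database. Added example; not part of the original answer or of Mutillidae."""
import html
import sqlite3


def make_db():
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation: the input becomes part of the
    SQL text, so a quote character in it changes the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Parameterized query: the value travels separately from the SQL text and
    can only ever be compared as data, whatever characters it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def greeting_vulnerable(name):
    """Reflects the input straight into HTML: markup in it is rendered."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    """Escapes for the HTML text context, so markup in it is displayed."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed inputs: a normal name, the textbook tautology, a script tag.
NORMAL = "bob"
TAUTOLOGY = "' OR '1'='1"
SCRIPT_TAG = "<script>alert(1)</script>"


if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, NORMAL))     # one row
    print(find_user_vulnerable(conn, TAUTOLOGY))  # every row: WHERE became a tautology
    print(find_user_fixed(conn, TAUTOLOGY))       # no rows: compared as a literal name
    print(greeting_vulnerable(SCRIPT_TAG))
    print(greeting_fixed(SCRIPT_TAG))
```

Printing the vulnerable query string for the tautology input and reading it as the database would (`WHERE name = '' OR '1'='1'`) is the clearest way to see why the fix is structural, not a matter of filtering characters.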
You want to start from the basics? Jump to 0:57
Exploitation means you're getting your target to execute your code. That's the point behind SQL injection, XSS, shellcodes -- about everything! If you want to learn to be a pentester... get the "Pentester's Open-Source toolkit." (There's free versions legally obtainable.)
Defcon lectures are available freely, and they're some of the best overall classes I've ever taken. But more than anything else: you have to get your hands dirty. You mentioned WebGoat. Did you install Tamper Data on Firefox? Did you install Wireshark? Hacking is about having as many tools as possible collecting data so you know what's going on. This video talks a lot about monitoring... everything...
I'd like to add my two cents to the pot. I think reviewing some of Tom Scott's security videos on Computerphile and his own channel is a great way to start. They're technically sound and explain the concepts in a very clear way. Following that, let curiosity guide you.
Run nmap and see what you can find out about, say, Amazon's servers. Look up things on SQL Injection. What about SHA-1 or MD5 freestart? How much would it cost? Questions like these can guide you deeper into the field of information security.
Keep this in mind too: you need to know the things you're trying to protect or hack; for example, you must know TCP to hack networks and likewise JS for websites.
Jeff's answer offers some insights, albeit in a sideways fashion. Try setting up your own Amazon AWS server and DDoS'ing it using several kinds of tools, for example.
You could also test your skills as a hacker (legally) on real websites and earn a little bit of dough on security bug bounty programs. Hackerone offers a directory of such programs.