So you want to learn ethical hacking? Well I have good news and bad news.
The good news is that everything you need to acquire a strong foundational knowledge is accessible online, mostly for free. You wouldn’t imagine how much professional quality content there is out there, that will help you get started, progress, obtain certifications and even start a new career in infosec. It’s not a myth. You can really do all this.
The bad news is there is a lot (a LOT!) you need to learn in so many different areas. This gets to the point that you will often get lost going down an alley, then branching out into another, then another until you end up deep in the proverbial rabbit hole.
To keep things simple, here are the main steps you need to take:
Learn Linux
This should be your prime focus. A vast majority of the hacking you will do involves Linux command line tools. Being comfortable working in Linux and understanding how the OS works is an absolute requirement. Start by installing Linux on a laptop (either as a standalone or a dual boot with your current OS, or even in a virtual machine >> details in this post) and get comfortable with the command line.
If you’re starting from scratch, here’s a great video tutorial.
Once you get the hang of it, try out the Bandit challenge on overthewire.org. It’s a gamified learning path that will let you test your command line knowledge and add some more.
Otherwise, tryhackme.com has a free Linux Fundamentals learning module. I haven’t tried it myself, but TryHackMe’s learning resources are generally excellent.
Understand computer networks
Hacking requires a good understanding of networking technologies and protocols. Things like MAC addresses, IP addresses, CIDR notation, DHCP, DNS, TCP, UDP and TCP 3-way handshake should be clear to you.
For my part, I acquired these notions as part of INE’s Penetration Testing Student (free) program.
A faster option may be to go for TryHackMe’s Network Fundamentals learning module (part of it requires a subscription).
Understand how the Web works
Understand how web browsers and web servers communicate is a requirement for hacking web sites and web apps. You should be able to write or modify web requests and interpret what web servers will send back. This means being comfortable with http request methods (GET,POST, HEAD, etc), http headers, working with cookies and interpreting http response codes. And that’s just the beginning.
You best bet here is to do TryHackMe’s Web Fundamentals learning path. A good part of the course requires a subscription but it’s definitely money well spent.
Learn some hacking tools
Depending on the type of hosts or resources you want to target, you will need to use a number of software tools (often linux command line tools), each of them handling a specific step of your hacking scenario. I’m covering a number of these tools in this blog. But if you want an organised learning path, INE’s PTS course is a good option, although not always up to date, from my experience.
Otherwise, choose one of TryHackMe’s learning paths, according to the type of hacking you want (red teaming, blue teaming, web hacking, etc).
Learn programming
Some of the command line tools you will use are Python scripts or even shell scripts that you may need to edit or tweak. Also, programming will let you automate some tasks, accelerate your hacking and improve your results.
Python is a language you will need to master at some point. Shell scripting is also something that will be useful to you. And if you want to tackle web hacking, a good understanding of html, php and Javascript will quickly become a necessity.
But if you learn a scripting or programming language and don’t put it to good use right away, you will quickly forget what you have learned and will need to start almost from scratch later down the road.
So if you’re new to programming, I would suggest you only start learning when you need to add programming to your game. Also, this will help you decide which language(s) you want to learn first.
Having said that, here is a great video and another one to get you started with shell scripting.
And here is a Python beginner course that I really liked.
Join the community
Beyond learning, you will also need to stay up to date with what happens in the hacking world, new vulnerabilities uncovered, new threats, new tools, etc. Feel free to look me up in Twitter and check who I’m following. These are people you may want to follow as well.
Also, successful ethical hackers often hunt in packs. Join the following Discord servers (TryHackMe, InsiderPhD, JHDiscord) to get some help when you’re stuck with something, but also to mingle with the community. Try to find other hackers the same level as you that you can talk to and maybe one day hack together.
Finally, you may want to check out my list of favourite Youtube hacker channels.
One final note: you need to take detailed notes on everything you learn. And you need to organise these notes in a series of text files kept tidy, easily accessible, with links to each other. I recommend you write plain text files in the Markdown format, using the Obsidian knowledge base manager. It’s free, open source and works on Linux, Mac OS and Windows.
Get started early (and backup regularly). You’ll save yourself a lot of time when your text files start growing in size and number.