Can anyone recommend training for offensive security and/or Kali Linux pentestin...

Shared404 · on Aug 24, 2020

This is a copy/paste of one my comments from a different thread.

Disclaimer: I'm not particularly good at this, so whatever comments I make are well intentioned but may be of varying accuracy.

...

Online sources:

* https://hackthissite.org Wargaming site. Plenty of challenges to practice, but some are a bit outdated.

* OWASP.org is a good place to find info. If you look something up, there's a good chance you will find it here.

* https://owasp.org/www-project-web-security-testing-guide/ Thanks to redis_mic for this one.

* https://overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.

* https://0x00sec.org/ A forum dedicated to security. There's a lot of script kiddies, but also some gold.

* https://www.hackerone.com/ What better way to learn then practice on live targets? That being said, I would do some of the others first.

...

I do a lot of learning through reading, so books:

* Network Security Assessment by Chris McNab. I have second edition, which is a good and instructive read, but quite outdated.

* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.

* Advanced Penetration Testing by Wil Allsop. Outdated, but interesting. You will never use flash again after reading this.

* Social Engineering, The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.

...

This should be enough to get you started. There's a couple more books I can think of, but they tend to be more specialized into certain fields of security and less approachable/generally applicable. If you want these recommendations as well, feel free to email me, my email's in my bio.

bloblaw · on Aug 24, 2020

I'll just add to what others have already provided.

  - "Black Hat Go" - https://nostarch.com/blackhatgo  
  - "Black Hat Python" - https://nostarch.com/blackhatpython  
  - "Web Security for Developers" - https://nostarch.com  /websecurity  
  - "Cracking Codes with Python" - https://nostarch.com/crackingcodes

Highly recommend those NoStarch books. Of course, depends what you want to pentest, but this is good general information to get started.

Botnet4Lunch · on Aug 24, 2020

https://kali.training

Thats free, and a great place to start if you are not sure if this field is right for you. Only needs a time investment.

greedo · on Aug 24, 2020

No better place than the source: https://www.offensive-security.com/courses-and-certification...

BossingAround · on Aug 24, 2020

I'm honestly quite skeptical. Unless I hear personal recommendations, I'd be very wary of spending 1k+ on a training in "pentesting"...

swesecnerd · on Aug 24, 2020

I did the OSCP (the course was called Pentesting with Kali Linux [PWK]) back in 2017. Costly, but the resources were top notch. A pdf with several hundred pages covering everything from basic Linux commands to modifying existing exploit code to suit your use case. Metasploit was included but the course was not Metasploit heavy. Writing your own remote exploit backend forces you to really understand the mechanics so it felt a bit old school in a good way.

Bundled with this I also got several (i.e many) hours of recorded and narrated video to accompany the pdf.

The best part though is the lab network. During the course I had access to a huge number of virtual machines to scan and exploit. The courseware really encourages you to experiment and evolve. The exam, if you want to try it, is an all out practical pentest from start to finish and 24h to complete. A comprehensive report covering the entire pentest is mandatory.

All in all the OSCP was totally worth the $ IMHO.

I do however recommend that total beginners should start with the free resources and other great sites like overthewire. Get your feet REALLY wet before you pay the $ and lab days start ticking.