Top products from r/AskNetsec

We found 101 product mentions on r/AskNetsec. We ranked the 169 resulting products by number of redditors who mentioned them. Here are the top 20.

Next page

Top comments that mention products on r/AskNetsec:

u/xSinxify · 6 pointsr/AskNetsec

That's a good setup you have going on, honestly. If you're looking for more resources, I can think of a few resources to supplement what you're already reading/doing

The Tangled Web - https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

SQL Injection Attacks and Defense - https://www.amazon.com/gp/product/1597494240

Hacking Exposed: Web Application - https://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-Edition/dp/0071740643/

https://pentesterlab.com/bootcamp - At this point, you can probably filter out what's relevant to you or not, this will map out other topics related to what you need to know, and may fill in any gaps you have at this point.

OWASP - https://www.owasp.org/index.php/Main_Page [Borderline vital to web app exploitation, Highly recommend if you haven't explored this site yet]

Now, the books and study materials are nice and all, but the most important thing is practical experience, and I see you've identified that by engaging yourself in DVWA. A few additional hands on labs you could dive into are vulnhubs that target the web (Broken Web Applications Project by OWASP is a must):

https://www.vulnhub.com/?q=Web&sort=date-asc&type=vm

Wargames (Overthewire / Smashthestack):

http://overthewire.org/wargames/natas/

SecurityInnovation (canyouhack.us):

http://canyouhack.us/ - It will start off with web challenges, feel free to stop when it starts getting into binary exploitation. What you've learned up to this point should carry you through the web application portion of this challenge, although some lateral thinking is required, which is also a skill you'll need for the GWAPT.

Google-Gruyere - https://google-gruyere.appspot.com/

Since you stated that you were going through the WAHH book, the labs over at mdsec may be a good investment for you at this point to follow along (although not exactly required if you properly use the resources above)

http://mdsec.net/labs/

https://www.wechall.net/challs - Again, filter out what you need to practice here. Lots of good challenges for multiple different areas of study.

CTF's: Be on the lookout for CTF's on http://ctftime.org and put a focus on the web challenges. These challenges will encourage lateral thinking like the securityinnovation challenge.
http://shell-storm.org/repo/CTF/ is an archive of older CTF's if you're having a hard time finding upcoming CTF's with good web exploitation sections. In my opinion, CSAW is especially good when it comes to web challenges, but check most of them out if you get time.

Another recommendation to you is to develop a decent understanding of how a web application is structured. It becomes easier to visualize how to attack a web application, when you can engineer one. So I will recommend that you learn:

HTML/CSS - don't spend way too much time on this, codecademy should suffice here

Javascript: The source of the client side exploits you will find in the future. Get your feet wet in javascript via codecademy, and progress further.

PHP: Source of the majority of server side exploits you will find (RFI/LFI, SQL Injection, etc). As with javascript, get your feet wet through codecademy, and try to progress further from there.

SQL: Important to know for SQL Injection. PHP is responsible for the implementation that leads to SQL Injection, but you should really know SQL to actually manipulate the DBMS to your needs.

With the web languages I listed, the end goal for you, should be to identify vulnerable source code, as well as being able to intentionally develop vulnerable source code, and fix it.

At this point, you should be relatively comfortable with the concepts covered in the GWAPT, however if not, take a look at the bulletin/syllabus of the actual exam, and individually research each topic.

http://www.giac.org/certification/web-application-penetration-tester-gwapt

Looking at the syllabus for the actual course that maps to GWAPT may provide some insight as well.

https://www.sans.org/course/web-app-penetration-testing-ethical-hacking

Hope I was able to help. Best of luck to you, and if you have any questions, feel free to let me know.

u/JasonCarnell · 5 pointsr/AskNetsec

Part of me wants to say just do it. The course starts at a beginner level, but bear in mind that most people, myself included spend between 2-4 weeks of the precious lab time doing the course. Unfortunately there is no way to get the course material ahead of time, so factor that in when choosing how much lab time to prepare.

Having said that, I highly recommend reading Georgia Weidman’s book prior as this covers a lot of the same material as the PWK and is a great way to prep for the coursework so some of the ideas presented are not completely new to you

https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641

Depending on your ease with programming, you may want to bone up on some python fundamentals as well. I did about 1/4 of this Udemy course before starting

https://www.udemy.com/the-modern-python3-bootcamp/learn/lecture/7991038#overview

Here’s a great guide from Abatchy on OSCP Prep, although a lot of the stuff he discusses in the guide are covered in the OSCP course

https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html

There is also a YouTuber named IPPSEC that does video walkthroughs for retired Hackthebox machines. some of the machines are very CTF like, so Just watch the OSCP Like ones in this playlist.

https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf

Finally, if your willing to shell out some money, 30 days on Virtualhackinglabs.com is a great way to practice. Their course is very OSCP like and a good way to jump right in.

https://www.virtualhackinglabs.com

Of course Hackthebox is always a great resource to practice your pwnage skills.

https://www.hackthebox.eu

Don’t feel like you have to do ALL of this before the OSCP, the list I gave is pretty much every resource outside of the PWK course I used to pass the exam.

If you only did one thing before you start the course, Definitely read Georgia’s book. Everything else can be used in conjunction with the course if you need extra help.


There is also an active discord channel for PWK students, use it!

u/drstranglove · 7 pointsr/AskNetsec

Servers should always be hardened and because everyone likes long guides the National Vulnerability Database actually maintains a lot of information regarding hardening servers. So for the actual server itself can be hardened using the following guide located here. That is for Red Hat Enterprise Linux 5. It will change from distro to distro, but some things are pretty standard. I agree with PalermoJohn as well that learning more about networking will certainly help you in securing your server and network.

For applications running on your web server the link for OWASP Top 10 that Rsaesha posted will help you. If you have more time and would like to learn about Application Security, The Web Application Hacker's Handbook is a great resource to learn a lot about security in Web Applications.

Both application and network level security are required to truly secure your web server.

Cheers!

u/PM_ME_YOUR_0-DAYS · 2 pointsr/AskNetsec

> Ps; anyone know of a good recommendation on how to start on web apps on the labs. Looking for a good book or resource.

The OSCP web app portion is good, but if you're like me you might benefit from some supplemental materials. Not necessarily specific to the course, but I found these resources really helpful for working on my web app skills

u/spidermesh · 11 pointsr/AskNetsec

As a pentester you would typically need to follow a methodology of some sort. Here is a well known one http://www.pentest-standard.org/index.php/Main_Page

Typically you would first enumerate all open tcp/udp ports using a port scanner such as nmap. Then you would analyze ports one by one to see if they contain any vulnerabilities. If it’s a service running an outdated version of a particular software you would look up exploit-db and see if there is a corresponding exploit. Then tweak it to give you reverse shell to your IP address in metasploit or netcat. If it’s a web service you would use web methodology such as the one from here https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/ to look for web vulnerabilities in the web application and attempt to gain a shell that way. After you get a shell you might be highest privileged user or you might need to escalate your privileges. If you are regular user you look for ways to escalate your privileges depending on operating system you are logged in to. Get hackthebox vip account because this will give you access to retired vms and especially windows.

The OSCP certification is pretty much is doing combination of the steps described above on multiple machines. There is a book which goes over this methodology as well https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641

Here is a great resource that many people use as a resource to study for OSCP as well https://xapax.gitbooks.io/security/content/
And if you search for oscp survival guide you can get additional resource to reference. Also rtfm is a good reference book as well.

Edit: here’s a good guide on using methodology with template you can import https://411hall.github.io/OSCP-Preparation/

u/pres82 · 2 pointsr/AskNetsec

I may be a bit too harsh, I admit. I'm a jaded tech douche. But consider this....

>This is the worlds most advanced ethical hacking course with 18 of the most current security domains any ethical hacker will ever want to know when they are planning to beef up the information security posture of their organization.

>In short, you walk out the door with hacking skills that are highly in demand, as well as the internationally recognized Certified Ethical Hacker certification!

This is directly from their website. I feel like they make some pretty bold claims there. My instructor was, overall, a pretty solid guy. But my qualms were with the 3rd-party training facility, (my employer had made me do this as OSCP wasn't recognized by the client I was working with), as well as the material. I felt that EC misled people taking the course by what skills they would gain and that it also misleads others by what cert holders are capable of.

But I think we get off of topic - I would suggest that a better book for someone is this.

Maybe v9 is very different. I had several EC Certs as I was once subject to the DoD 8570. But I let them expire as I have several issues with EC Council. One of which being you need 120 CPEs annually. Taking another one of their certifications, gives you a full 120. But discovering a vulnerability is only 5 CPEs. (What?!)

u/_Skeith · 16 pointsr/AskNetsec

Hey man! I work as Security Analyst - about a year away from graduating with my Bachelors.

I suggest you pick up the CompTIA Security+ Certification, as well as start learning the basics of Networks and how they function. Learn ports and protocols, as well as how IDS/IPS/Firewalls function. This will get you an entry level role as a Jr Analyst. I suggest you use [http://www.professormesser.com/security-plus/sy0-401/sy0-401-course-index/](Professor Messers Security+ Videos) This will teach you the basics of security work, networking concepts, threats, etc.

At the same time start listening to podcasts like Paul's Security Weekly, Down the Security Rabbit Hole, etc. As well as start reading blogs on hacking to get a feel for whats done.

Get a home lab and learn a few tools like Wireshark and Nmap for basic Security Analyst work - to learn how packets work, how they are structured, and how to scan pc's for ports and services. At the same time, focus on learning about threats and vulnerabilities (which are covered in security+).

If you want to get into PenTesting then you need a wide range of knowledge. Pick up and learn a few languages (master the basics and understand what the code does and how to read/interpret it). You need to know: PHP, HTML, SQL, Python (or Ruby), and a basic language like C, or Java.

If you want to dig deeper into PenTesting then start reading: https://www.offensive-security.com/metasploit-unleashed/

Good way to get into the Kali Distro and learn how to run Metasploit against vulnerable VM's.

Take a look at https://www.vulnhub.com/resources/ for books, and vulnerable VM's to practice on.

https://www.cybrary.it/ is also a good place with tons of videos on Ethical Hacking, Post Exploitation, Python for Security, Metasploit, etc.

Pick up some books such as

The Hacker Playbook 2: Practical Guide To Penetration Testing

Hacking: The Art of Exploitation

Black Hat Python: Python Programming for Hackers and Pentesters

Rtfm: Red Team Field Manual

The Hackers Playbook and The Art of Exploitation are great resources to get you started and take you step by step on pen testing that will allow you to alter explore the endless possibilities.

Also a good list of resources that you can learn more about security:

Getting Started in Information Security

Pentester Labs

Awesome InfoSec

Awesome Pentest

Overall experience and certification are what will get you into the door faster. Most employers will look for experience, but if they see you have motivation to learn and the drive to do so, then they might take you. Certifications also are big in the infosec field, as they get you past HR. And having a home lab and doing side projects in security also reflects well.

u/cquick97 · 3 pointsr/AskNetsec

Depends on what you want to learn.

Web Application Security?

Exploit Development?

"Pentesting" techniques?

Also check here for tons other of resources.

As for certs, if you are a beginner beginner, then probably stuff like Security+ and Network+. Unlike the guy behind me, I will never get, nor do I really recommend CISSP, unless you are going for strictly blue team (defense) work. I personally enjoy red team (pentesting, etc), so something like OSCP would be more useful.

Like I said in a post above, feel free to PM me with questions. I'm always happy to help others on their quest to learn more about the wide world of infosec :)

u/vedge85 · 2 pointsr/AskNetsec

Building Virtual Machine Labs: A Hands-On Guide https://www.amazon.ca/dp/1546932631/ref=cm_sw_r_cp_apa_i_QFOQCbBVY1YD2

This book walks through setting up Splunk using their free developer license (I think like 500mb/day or something around there). Goes through some basic examples for rules to set up. Also a great resource for lab set up in general. I think there is a new version in the works as well?! For a long time the author was giving this away for free.

Security Onion is another good resource, has built in SIEM tools as well.

u/subsonic68 · 3 pointsr/AskNetsec

Do you have a home lab, even if it's just VirtualBox running on your computer? Running virtual machine labs is critical to learning and getting into infosec.

If you're not familiar with how to run virtual machine labs, this book is a great place to start. It will get you up to speed quickly. https://www.amazon.com/Building-Virtual-Machine-Labs-Hands/dp/1546932631

This blog post has some good info and links to further reading: https://www.stevencampbell.info/2016/07/how-to-break-into-information-security/

BTW, don't be tempted to try to get into pentesting (offensive) because it seems like an exciting job. There's much more demand and opportunity for security analysts and engineers. If you want to go that route, get a few years of experience in a "blue team" (defensive) security role first.

Also, check out the sidebar here. There's a lot of good resources linked there.

u/0x7262 · 3 pointsr/AskNetsec

the tao of network security monitoring explains a framework for stitching together different pieces of network security data into a process for investigation (the follow-up is also good).

yes, the thing you want is called 'full packet', and yes, it usually involves just sniffing, saving, and indexing all traffic at your network ingress/egress. there's some good open source frameworks like moloch for doing that, or if you've got money kicking around, something like solera or netwitness will do the trick nicely.

u/MikeCodesThings · 2 pointsr/AskNetsec

Some great resources are The Web Application Hackers Handbook. It's a long read but very in-depth. Link

If you want to practice as you read look into Damn Vulnerable Web App (DVWA) [Link] (http://www.dvwa.co.uk/), Pentester Lab challenges [Link] (https://www.pentesterlab.com/), bWapp. Learn how to use tools like Burp, ZAP, sqlmap, and BEEF (among others).

I've also heard that Security Tube has a lot of great videos but I haven't checked it out personally yet.

As for fundamental knowledge, you'll need to understand how the web and web applications work. Things like HTTP/HTTPS, HTTP methods, forms, Javscript, sessions, cookies, databases. Also about application input, application frameworks, application firewalls. If you don't have any programming experience, you should start learning some fundamentals to understand application logic and structure. This can help you think of assumptions that developers made and how you might be able to bypass or work around those assumptions to do things that weren't intended or anticipated.

u/[deleted] · 2 pointsr/AskNetsec

Well give CISSP a wide birth as it's not what you want.

If you just want to get a simple over view to understand some basic concepts then 'Learn Ethical Hacking from Scratch' is available as an Ebook/Book from Packtpub and there's an accompanying course on Udemy.

https://www.packtpub.com/networking-and-servers/learn-ethical-hacking-scratch

https://www.udemy.com/learn-ethical-hacking-from-scratch/

Both are on special offer regularly and will just scratch the surface of some concepts and tools just to give you a taste for it.

Another good beginnner resource is Georgia Weidman's 'Penetration Testing: a Hands-on introduction to hacking'

https://www.amazon.co.uk/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641

and she has a course on Cybrary which I believe follows on from that book:

https://www.cybrary.it/course/advanced-penetration-testing/

​

Good luck!

u/StoveyJ · 2 pointsr/AskNetsec

I think the main issue with the C|EH (I have it) is that the exam format is based around remember / regurgitate multiple choice answers, and doesn't really encourage the student to learn the practical side of things. With a couple of weeks and a decent book, it's fairly easy to pass. You'll have the cert but no further on in knowing how to actually conduct a pen test.

IMHO, if there was more of a focus on doing things, such as actually running and interpreting an nmap scan, with perhaps 10 or so simulations on the exam, I think it would improve it's standing and be of more benefit to the student.

EDIT Save yourself the $870 and buy these two books

https://www.amazon.com/Certified-Ethical-Hacker-Guide-Third/dp/125983655X/ref=sr_1_1?ie=UTF8&qid=1481303255&sr=8-1&keywords=certified+ethical+hacker+exam+guide

https://www.amazon.com/Certified-Ethical-Hacker-Practice-Exams/dp/1259836606/ref=pd_sim_14_3?_encoding=UTF8&pd_rd_i=1259836606&pd_rd_r=D0PT9NP2JQPKJFZBCRYK&pd_rd_w=nnz94&pd_rd_wg=3DMrQ&psc=1&refRID=D0PT9NP2JQPKJFZBCRYK

You then need to jump through a few hoops and convince the EC Council that you don't need their training package, and just want to take the exam for $500

u/JoshBrodieNZ · 1 pointr/AskNetsec

It's the standard reference for web application testing. I'm a security consultant who spends a significant portion of my time reviewing web applications and we hand WAHH to every junior who comes on board, while intermediate/senior testers brush up on it periodically alongside the OWASP Testing Guide.

Once you're comfortable with the material in WAHH, also check out The Tangled Web: A Guide to Securing Modern Web Applications which starts to look into browser mechanics and their impact on web application security.

u/everythingmalware · 1 pointr/AskNetsec

Currently Practical Malware Analysis is the go to book. The first few chapters go over basic techniques and tools. The remaining of the book focuses on advanced techniques like disassembling and debugging samples.

Another good book is Malware Analyst's Cookbook. This gives some good recipes and tools to use.

I don't have much experiencing detecting samples that AV misses. I would first start out with a tool like MalwareBytes Anti-Malware. A lot of malware will try to "phone home", so you could monitor networking from the system. There are also common places on the system malware uses. I've seen samples use the temp, startup, and application data directories. You should also check the registry for any files to run at start. Hope this helps.

u/Kravego · 3 pointsr/AskNetsec

Get this book and go through it. A LOT of the crowsourced pentesting platforms have web application testing as their bread and butter.

And the other user who suggested it got downvoted for some reason, but further down the line you should go for GWAPT. I say further down the line because, like all SANS certs, it's expensive af.

Web app pentesting is the largest pentesting market around right now, so it's a good one to jump into. Good luck!

u/Chedder_Bob · 5 pointsr/AskNetsec

>I don't want to ask the kids at school because I don't want them to think I'm dumb and also I want to be able to learn this on my own!!

Communication and respect are two key things that need to happen to really succeed at things like the CCDC. If you can't do that with your classmates now then you're not going to get super far.
(Vice versa to them as well)

BUT on the other note if you dont know where to start on building a lab
"Building Virtual Machine Labs: A Hands-On Guide" LINK
seems to be a solid book on the subject in general in regards to VMs. But at the end of the day its really just figuring out what you want to start on and then just using your favorite search engine on how to get started.

u/icytrues · 19 pointsr/AskNetsec
  • The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition (2012)

    This book covers rootkit development, not analysis, on Windows 7 and x86/IA32. It's a must read, if you're interested in rootkits.

  • Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats (Release date set to january 2019)

    While not yet released, it looks very promising. Over the years, Microsoft has continually introduced better protections against rootkits and malware in Windows. Among other things, the book will cover how some of the rootkits/bootkits seen in the wild have bypassed protections such as Secure Boot, kernel-mode signing, Patch Guard and Device Guard.

    I'd also recommend having a look at the following books:

  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (2012)

  • Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation 1st Edition (2014)

  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory 1st Edition (2014)


    Also, Windows Internals for both Windows 7 and Windows 10 is a great reference to have laying around.
u/iownahorseforreal · 1 pointr/AskNetsec

I would recommend the Alfa AWUS036NH. Does b/g/n and does it well. packet injection and all. I'm pretty sure it's industry recommended by now.

u/B_Byte · 12 pointsr/AskNetsec

I'd suggest you first take an ASM course.
This would be a great start
http://opensecuritytraining.info/Training.html
Next, you have two options.
You can get this awesome book
https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
or you can start with this course
https://samsclass.info/126/126_S16.shtml
which is a reduced version of the book.

After you're done, I think the best thing to do is to find someone who can sponsor you to attend SANS 610 course.

u/RageAdi · 2 pointsr/AskNetsec


Do you want an already identified vulnerability from this post to include in your work? Or do you want suggestions for an open source application which you’ll test?

In either of the case, you really need to start with reading up on setting a test environment first. I would suggest this book:
Building Virtual Machine Labs: A Hands-On Guide https://www.amazon.com/dp/1546932631/ref=cm_sw_r_cp_api_i_N-bIDb1Z79EN7

Or do you want a setup for doing a security audit? In which case, I would give you the tool which I always use primarily: Burp Suite.
You can always make your own custom python tools according to your needs. Good luck.

u/blizz017 · 3 pointsr/AskNetsec
u/Hellacious_CatAttack · 2 pointsr/AskNetsec

This is an excellent start:

https://www.amazon.com/Building-Virtual-Machine-Labs-Hands/dp/1546932631

I worked through this a while back. Learned a lot and enjoyed the process.

u/Metasploit-Ninja · 1 pointr/AskNetsec

Like the All-In-One series CEH book. I only read that book and I passed with a perfect score. Even has example/practice tests in the back that were very close to the real test.

u/gnullify · 2 pointsr/AskNetsec

I have 3 semesters left so my plan has been to seek an internship next summer closer to graduating. Do you think it's unwise to wait that long? My independent study could be better but I've become proficient with Linux using Arch as my daily driver and reading through The Linux Command Line. I'm also going through The Basics of Hacking and Pentesting which had me set up a "lab". Just finished the recon chapter. Also proficient in Python/Java/C++ ("proficient" might be a bold claim, rust considered).

u/honcas · 1 pointr/AskNetsec

I really like the book Practical Packet Analysis

But just to get you started, try capturing traffic and then going to a website (non-ssl) like reddit.com. After loading the first page, stop the capture and take a look at it. You can search for strings you would expect in the capture, like "reddit.com" or "GET". You can start looking at the payload portion of the packets and go up to see all the layers.

u/tacobellsupport · 1 pointr/AskNetsec

I would recommend reading:

http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470

and looking at CTF challenges focused on web over at CTFTime.org

u/AZXXZAZXQ · 1 pointr/AskNetsec

How useful do you think books like these to be?

https://www.amazon.com/d/Books/Black-Hat-Python-Programming-Pentesters/1593275900


https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441

I just finished up a mini project in python and am looking for something else to do (other than learning C and another text on data structures). These books seem to be more about pen testing so I'm not sure it's really relevant.

u/kira156 · 2 pointsr/AskNetsec

The web application hacker's handbook is an excellent book for web applications pentesting. https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470

u/oregonsysadmin · 1 pointr/AskNetsec

I believe I've heard good things about The Tao of Network Security Monitoring, but haven't had a chance to read it myself. In the description lists a few other books the author recommends.

u/observantguy · 2 pointsr/AskNetsec

In that case, Violent Python may be helpful--not a tutorial on kali/netsec, but it'll help you learn about netsec aspects through coding your own "exploits"...

u/B0b_Howard · 3 pointsr/AskNetsec

One of the books I see come up time and again in recommendations for OSCP prep is Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman.

She has also done a video series along the same lines as the book that is available for free from Cybrary.

u/just_mr_c · 1 pointr/AskNetsec

This book is really good for setting up a pentesting lab for multiple hypervisors including VMWare.

u/serious_face · 2 pointsr/AskNetsec

http://www.amazon.com/The-Linux-Command-Line-Introduction/dp/1593273894


I bought and read this book as a before taking OSCP, and it's been one of the most useful books I've read.

u/netscape101 · 2 pointsr/AskNetsec

Thanks, what do you think of this book?
http://amzn.com/1118026470 (Web Application Hacker's Handbook 2nd Edition)

u/Secure4Fun · 3 pointsr/AskNetsec

The book "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman isn't free, but it's low cost and will give you the same information that PWK course materials provides, and a lot more. https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1503490444&sr=8-1&keywords=georgia+weidman+pentesting

For completely free training, search around Vulnhub for targets to go after. Plenty of lists on the internet about which ones are similar to the OSCP lab machines.

u/moomoocow · 1 pointr/AskNetsec

I recommend reading the following to get an overview:

The Basics Hacking Penetration Testing

If you want to do some programming specific (i.e. Python) try

Violent Python

u/averagesecguy · 1 pointr/AskNetsec

Build a lab at home and start learning networking and system administration. While you are doing that, start filling out applications for any computer/network related jobs you can find and hopefully you will get a hit. Depending on how rural you are, you may have to commute into a city to find work. But these days, everyone has computers.

​

https://www.amazon.com/Building-Virtual-Machine-Labs-Hands/dp/1546932631

u/JustinEngler · 1 pointr/AskNetsec

Great intro resource to web attacks and defenses. Start with their "top 10":
http://www.owasp.org

In-depth discussion of exactly how to carry out different types of attacks:
http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470

u/ftnwo · 2 pointsr/AskNetsec

I missed your bit about books and training question- try checking out some stuff like this http://www.amazon.com/The-Tao-Network-Security-Monitoring/dp/0321246772

u/flexxoh · 6 pointsr/AskNetsec

https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641

IMO Georgia's book covers everything you'll need for the exam (specifically exploit development and POC modification).

The Metasploit book is cool, but since you don't really get to use it in the exam lab (you only get one Metasploit "lifeline" to use) it may not be worth picking up right now.

u/F157 · 1 pointr/AskNetsec

To understand Windows OS, check out Windows Internals Part 1 and Part 2 books: http://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735648735

u/Daftwise · 1 pointr/AskNetsec

Blahhh i meant Don Murdoch's book, Blue Team Handbook vol 2

​

https://www.amazon.com/dp/1500734756/

u/lortik · 3 pointsr/AskNetsec

I wouldn't say this a good training book as it's just a list of commands that can be used as a reference for those who already know what they're doing but need to job their memory.

I'd say look at Metasploit The Penetration Testers Guide or Georgia's book Penetration Testing A Hands On Introduction to Hacking to get started off.

u/WOLF3D_exe · 1 pointr/AskNetsec

Also want to add "Blue Team Handbook: Incident Response Edition".

http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756

Edit:

Don't forgot to grab all the Humble Bundle for 15$ {you can pay 0.01$ and get most of them}.

https://www.humblebundle.com/books/no-starch-hacking-books

u/BlastedInTheFace · 4 pointsr/AskNetsec

No. If it were so easy, pentesters wouldn't get pais so much to do it. That being said, start here

u/qasimchadhar · 3 pointsr/AskNetsec

Offensive Security's OSCP should be your goal if you wanna get into pentesting. Start with reading CEH material and The Hacker Playbook http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1512214566.

u/mhurron · 2 pointsr/AskNetsec

I've had this bookmarked forever (Probably linked to from here)

http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

I have no comments on the quality of the information, it's been on the master to-do list for damn near ever.

If you want to spend some money there is also http://www.amazon.com/gp/product/1118026470/ref=ox_sc_sfl_title_2?ie=UTF8&psc=1&smid=ATVPDKIKX0DER

(again, it's been mentioned here, and again, can't say anything about it personally, master to-do list)