Learning hacking, especially if you're a complete beginner, is no easy task, but there are lots of resources online such as online hacking tutorials, YouTube videos on hacking and even online courses like this complete ethical hacking course on Udemy.
But hacking resources are often sparse and spread out all over the web, so it's often helpful to read books. In fact, in my opinion, it's the best way to learn hacking for beginners because all of the information is gathered together in one place. And from a personal standpoint, although a different topic, when I was learning how to program, I started off by reading books on the subject.
Why learn hacking?
As you know, hacking can be used unethically and can cause harm and destruction to individuals and companies alike. But ethical hacking is actually beneficial to companies because it allows them to find vulnerabilities in their systems before the bad guys do.
With that in mind, there are many organizations out there that are looking for penetration testers, hackers and consultants to help them find vulnerabilities in their code to ensure the security and integrity of their systems and information. As such, companies are willing to pay a premium for these services to protect their reputation, and this is what makes ethical hacking a highly lucrative profession. In fact, The Register recently revealed that you could be earning three times more as a bug bounty hunter than as a programmer.
Not only is it possible to work for these organizations as a full-time pentester, it is also possible to make money through the various bug bounty programs that are on offer, such as Bugcrowd and HackerOne.
So that's the 'why' covered, so how do you actually become an ethical hacker? Well, there's no secret to learning hacking and it's not too difficult either, but you do have to have a good grasp of computing and have a strong interest in it, because it can be frustrating. Beyond that though, like anything, it's just a matter of practice.
First of all, I recommend learning 'penetration testing'. This involves penetrating computer systems and looking for bugs or vulnerabilities - looking for unusual things and behaviour. Look at topics such as cross-site scripting, cross-site request forgery and SQL injection, or look for bugs in the actual business logic of the application. These topics are just the start, and you should read about them and more in these hacking books.
Best Hacking Books of 2018
So which books should you read then? Well, admittedly there are a lot of hacking books out there, some good, some not so good. So what I've done is select the best hacking books based on popularity and the general consensus on some of the hacking subreddits.
This list is the best of the best if you like, but they're not in any specific order. I do however have a favourite that I will reveal at the end ;)
So without further ado, here they are:
#1 Hacking: Computer Hacking Beginners Guide How to Hack Wireless Network, Basic Security and Penetration Testing, Kali Linux, Your First Hack
This beginners guide focuses on teaching you how to protect yourself from common hacking attacks by teaching you how hacking works and how to stay ahead of criminal (black hat) hackers.
Contained within this book are the tools and techniques that are used by both criminal and ethical hackers. The book also shows you how to spot an attack on your system so that you can minimize any potential damage.
Hacking: The Art of Exploitation is probably one of the best hacking books of all time. It is a must if you're a beginner and covers everything from programming, to machine architecture, through to network communications and the latest hacking techniques.
The book doesn't just show you how to run existing exploits, it also explains how hackers exploit programs and come up with original exploits.
Included with the book is a LiveCD which provides you with a Linux environment without having to modify your existing OS setup. You can follow along in the book's examples, debug code, overflow buffers, exploit cryptographic weaknesses, and it even shows you how to invent your own new exploits. Awesome book.
The Hacker Playbook is written by a longtime security professional and CEO of Secure Planet, LLC, and provides a step-by-step guide to penetration testing with plenty of hands-on practical hacking tutorials.
In this book, the author uses a unique method of teaching penetration testing (by teaching it like a series of football-style "plays") and addresses the main problems and roadblocks that many beginners face while penetration testing, so it's perfect for newbies.
The book teaches how to attack different types of networks, how to escalate privileges and evade antivirus software using hands-on examples and helpful advice from the top pen testers in the field.
This password cracking manual is an absolute must for anyone wanting to know how to crack passwords. The book contains a compilation of basic and advanced techniques which penetration testers and network security professionals can use to evaluate the security of an organization from a password viewpoint.
The manual contains the most popular password cracking and analysis tools and basic password cracking methodologies. The manual also contains all the tables, commands and online resources you're going to need to crack passwords and also protect against password attacks.
This book emphasises that you need to learn how to hack in order to stop someone from hacking you, which is something I definitely agree with.
By reading this book, you'll learn about hackers themselves, the different types of attacks that exist out there and the exact steps and techniques that the world's best hackers use to attack systems.
The book is suitable for beginners and experts alike because it takes you from basic principles, through to more advanced techniques which you can use to either hack or protect yourself and your devices from being hacked.
If you're interested in hacking hardware, then this book by one of the world's most prolific hackers Andrew "bunnie" Huang, will help inspire you.
In this book, the author (and author of Hacking the Xbox) takes you through the ins and outs of hardware manufacturing and shares a collection of personal essays on his visits to the electronics markets in Shenzhen and interviews on topics such as reverse engineering.
The book takes you from the basics of the internet, through to how to find the most vulnerable areas of an application and finally through to finding vulnerabilities themselves within a web application.
The book teaches you step-by-step how to attack and defend web applications and also covers the latest technology designed to defend web applications from attacks.
This is a hefty book, with 21 chapters in total, but the bulk of it is dedicated to explaining web technologies, how to exploit them, and the tools and techniques which can be used to break any web application.
This book is an absolute must for any aspiring ethical hacker in my opinion.
As the title of the book suggests, this book gives you a practical understanding of hacking web browsers so that you can launch further attacks into corporate networks.
The book provides hands-on, practical tutorials and covers complex security issues such as bypassing the Same Origin Policy, exploiting the browser and its plugins/extensions, DNS tunneling and proxying directly from the browser.
The first part of the book starts by mentioning important laws, so that as a pentester you don't get in trouble with the law; after all, there is a fine line when it comes to hacking websites. The second part is highly technical, with topics ranging from network scanning and fingerprinting through to shellcode writing and vulnerability exploitation.
In addition, the book covers the writing of exploits, addressing fundamentals such as buffer overflows (Linux and Windows platforms), heap overflows, and format string overflows. The book also goes into detail around lesser-known vulnerability detection methods, such as "fuzzing", reverse engineering, and mentions some commercial tools which are useful to pentesters such as Core Impact and Canvas.
This book is an excellent, informative book, but highly technical at times. But I would recommend it to any reader interested in learning how to do security penetration testing.
The book will teach you how to bolster your system’s security to help you defeat the tools and tactics of cyber-criminals. It will provide you with expert advice and defense strategies from the world-renowned Hacking Exposed team.
Contained within the book are some awesome case studies which expose the hacker's latest methods and illustrate field-tested remedies. By reading this book you will find out how to block infrastructure hacks, minimize advanced persistent threats, neutralize malicious code, secure web and database applications, and fortify UNIX networks.
The Red Team Field Manual is an incredibly useful and concise book and is an essential read for Red Teamers. The book is a reference guide and is filled with lots of commands, scripts, and tables for a variety of devices, operating systems, and application software.
The book mainly contains the basic syntax for commonly used Linux and Windows command line tools, but it does provide some unique use cases which can be used with the Python programming language and Windows PowerShell. Because the book is a reference guide, it will repeatedly save you time when it comes to looking up hard-to-remember Windows command line tools and scripting.
The Blue Team Handbook is another reference guide like the Red Team manual above and is written for cyber security incident responders, security engineers, and InfoSec pros alike.
The main topics covered in this book include the incident response process, how attackers work, common tools for incident response, a methodology for network analysis, common indicators of compromise, Windows and Linux analysis processes, tcpdump usage examples, Snort IDS usage, packet headers, and lots of other quick reference topics.
The book is filled with practical techniques from the authors' extensive career in handling incidents. So no matter what your job role is, whether it's writing up your case notes, analyzing potentially suspicious traffic, or looking over a misbehaving server – this book should help and will teach you some new techniques along the way.
When it comes to hacking, hackers often turn to popular hacking tools such as Burp Suite to find their vulnerabilities. Despite these tools, hackers also create their own powerful and effective hacking tools on the fly and often, Python is the language of choice because it's easy to use, versatile and you can build proofs of concept in minutes with relatively few lines of code.
In Black Hat Python, the latest book from Justin Seitz (author of the best-selling Gray Hat Python), you'll explore the darker side of Python's capabilities. It will teach you how to write network sniffers, manipulate packets, infect virtual machines, create stealthy trojans, and much more.
Other things this book covers are how to create a trojan command-and-control using GitHub, how to detect sandboxing and automate common malware tasks, like keylogging and screenshotting and how to escalate Windows privileges with creative process control.
One of the best things about this book is that it teaches you how to extend the popular Burp Suite web-hacking tool so you can create your own custom plugins and extensions to help you find potentially lucrative and critical vulnerabilities faster.
Let's face it, the best form of defence is attack, so if you want to secure your network or find out how secure it really is, then probably the best way to find out is to attack it.
Network Security Assessment provides you with the tricks and tools you need to use as an ethical hacker to identify and assess risks in internet-based networks. Outlined in this book is the same penetration testing model used to secure government, military, and commercial networks. And with this book, you can adopt, refine, and reuse this testing model to design and deploy your own networks that are hardened and immune from attack.
This book demonstrates how a determined attacker browses around Internet-based networks to find vulnerable components, not only at the network level but also at the application level. This latest edition contains all the latest hacking techniques, but also teaches you how to create defensive strategies against entire attack categories which will help you secure your networks both in the short term and the long term.
#15 Violent Python
When it comes to offensive computing concepts, Violent Python takes you from theory right through to a practical implementation. Rather than relying on another attacker's tools, this book will teach you to build your own attack weapons using the Python programming language. This book demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts.
It also shows you how to write code to intercept and analyze network traffic using Python, craft and spoof wireless frames to attack wireless and Bluetooth devices, and also how to data-mine popular social media websites. It even shows you how to evade modern anti-virus.
By reading this book you will gain a better understanding of IT security as a whole and also a good understanding of the Python language. Violent Python is really aimed at beginners and so more advanced readers may not find the book as useful.
The Metasploit Framework is a well-known tool for quickly discovering, exploiting, and sharing vulnerabilities and is used by security professionals everywhere. But it's not really for those just getting started in the field as it can be hard to grasp. This book however fills that gap by teaching you how to use the Framework and helping you to interact with the community of Metasploit contributors.
By reading this book, you'll learn the Framework's conventions, interfaces, and module system. You'll also learn advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.
The book even touches on exploit discovery for zero-day research: it will teach you how to write a fuzzer, port existing exploits into the Framework, and it will also teach you how to cover your tracks so you don't get caught!
This guide is useful to anyone wishing to secure their own networks or test someone else's.
The Basics of Hacking and Penetration Testing provides you with the steps you need to take to complete a penetration test or perform an ethical hack from beginning to end without any previous hacking experience, so it's aimed at the complete beginner.
You will learn how to properly utilize and interpret the results of modern-day tools such as BackTrack and Kali Linux, Google reconnaissance, MetaGooFil, DNS interrogation, Nmap, Nessus, Metasploit, the Social Engineer Toolkit (SET), w3af, Netcat, post exploitation tactics, the Hacker Defender rootkit, and more.
The book provides simple and clean explanations with step-by-step guides for conducting a penetration test or hack and by reading the book you will gain a better understanding of offensive security which will help your career as a pentester.
This is a classic book that explains how exploits such as stack overflows, heap overflows and format string vulnerabilities work. The book also talks about stack protection and how to evade stack protection. The book is expertly written, covers some very advanced concepts and contains a lot of hex bytes, code, and memory addresses. So you're going to need a good understanding of languages such as C and C++ and assembly language to be able to understand this book.
So if you're looking for a beginner's book, this is probably not for you. But if you take the time to read it properly and research around each of the concepts independently, then you'll be well on your way to thinking like a pro.
#19 Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Nmap Network Scanning is the official guide to the Nmap Security Scanner, which is a free and open source utility used by millions of pentesters the world over for network discovery, administration, and security auditing.
This book starts with port scanning basics, so it's suitable for novices but then it starts going into detail around low-level packet crafting methods which are used by advanced hackers. So there's something in it for all levels of security and networking professionals.
Contained within the book is a reference guide which documents every Nmap feature and option, but the book also demonstrates how to apply them to quickly solve real-world tasks such as subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.
I've included this book not because it will make you a better hacker, but to serve as an inspiration to those who aspire to get into this field. The book is about Kevin Mitnick, one of the most elusive hackers/social engineers in history. He accessed computers and networks at the world's biggest companies and was able to hack into phone switches, computer systems, and cellular networks.
This book covers everything Mitnick did, from the time he started hacking until the time he was finally arrested by the feds, and a little after that. It's a book that's going to hold your attention, is humorous, and overall is a very good read.
OK so there you go, the best books on the market at the moment for ethical hacking. I promised you I'd reveal my favourite, which is The Web Application Hacker's Handbook. This is a fantastic book that starts with the basics and gets you to a point where you can start finding vulnerabilities in web applications using tools such as Burp Suite. That's my personal favourite, but the other books that I've listed are great in other areas of ethical hacking.
Now, reading books won't instantly make you into a hacker. These books are merely the start and will provide you with the knowledge that you need. Once you have a good knowledge and understanding of hacking, you must then put the knowledge that you have learned to good use and you can then start practicing on deliberately vulnerable websites. Following on from that, you can then start getting involved with bug bounty programmes.