The number one question I get asked by people is:
"How can I learn how to hack?"
Googling it will almost certainly lead most people down a series of dark and confusing rabbit holes. So, to fix that, I've created a 10-step plan for anyone keen to learn how to hack. Learning to hack computers is a funny process. It's all a bit chicken and egg.
Depending on what you read online, you might be inclined to start learning to code or understand getting into computer science.
Let's not do that.
Let's not take the fun out of it.
You said you want to know how to hack?
I'll show you.
1. Get a computer
This first step should be obvious. The computer you get doesn't have to be expensive but should have enough RAM to run virtual machines. I use a MacBook Mini with 16Gb of RAM, but if you don't know what you need, you can search online for "laptop for hacking".
If you already have a suitable computer, don't worry about getting viruses or breaking it, because the next step takes care of that.
2. Get a hypervisor
A hypervisor is software that allows you to run a computer within a computer. We call them Virtual Machines or VMs. I use VMware Fusion because I'm on macOS and it feels like it belongs on macOS, but you can use VirtualBox if you prefer. If you're on Windows you can use VMware Workstation.
You could totally skip this step and use Virtual Machines in the cloud on something like Amazon Web Services. But it's good to learn on your local machine and understand what's happening.
3. Download Kali Linux
Kali Linux is a free, well-maintained operating system that you will learn to love. It is the operating system of choice for hackers the world over. It comes with hundreds of hacking tools built-in and you can add more as you progress.
All for free.
Make sure you get the version that works on your hypervisor. If you're stuck on the setup process, search for it on YouTube.
4. Setup Kali
You'll need to set up Kali inside your hypervisor. This might sound like a lot of work, but it's worth it. Again, if you have difficulty with the connection, just YouTube has the answers. Top tip if you're having an issue connecting to the Internet from inside Kali: pay attention to the network settings in your hypervisor (look out for words like bridged, NAT, auto-detect).
5. Gain knowledge
Now you have all the equipment that hackers use day-to-day. What you lack is knowledge. There are a lot of websites, YouTube channels, and books to choose from. Get ready to be busy organising your bookmarks. I recommend GitBook and Notion for staying organised.
6. Get a hold of this book
Penetration Testing by Georgia Weidman (paid, available here). This book is possibly the best all-rounder when learning to hack. You will cover setting up your lab, attacking computers, breaking passwords, and all that exciting stuff. It's a lot to learn, but stick with it and supplement it with YouTube videos.
7. Setup Metasploitable
Metasploitable is an intentionally vulnerable VM made by a company called Rapid7. You set it up alongside your Kali VM and then attack it. There are plenty of videos on YouTube to show you how to make use of it. You can get a hold of it here and there is an official guide on that page too.
8. Join Hack the Box
This is it: the big one! Hack the Box is the top dog when it comes to online training labs. I highly recommend buying the VIP access; it's a bargain at twice the price. You'll get access to active and retired machines, challenges, a members area, and there are "pro" labs when you're ready to really test your skills. The retired machines are where you will do the majority of your learning, with great videos from IppSec. You can even apply for jobs directly on the site whenever you have earned the relevant rank. There's a strong community on the platform and don't need to download anything other than a VPN configuration file. This is not a paid endorsement.
9. Test what you have learned
If you've gone through all that, you've come a long way. Well done. Perhaps you'd like to consolidate what you know in a common format that employers will understand: a certification. There are a lot of information security training courses and exams out there. Here are a few vendors and courses to check out:
- eLearn Security: eJPT ($ - a fun and cost effective way to get your first certificate).
- Offensive Security: OSCP ($$ - 48 hours of pain, the most coveted certificate on the market).
- Spectre Ops: Red and Blue team training ($$$ - these people invented some of the best attack tools on the market).
- SANS: They teach almost everything ($$$$ - not cheap, but very well regarded in the industry).
10. Join the community
It's fine learning on your own, but you'll supercharge your hacker experience by making friends online and in reality. You'll also shake off some of your imposter syndrome because you'll get to meet other people starting out who don't know how to attack Metasploitable. Being an active member of the community will take you to the next level.
I hope I've helped give you some direction on how to get started with hacking stuff. If you have further questions, don't hesitate to reach out.