Most new white hats want to start practicing their new skills immediately. That makes sense. After all, what good is your Kali Linux attack platform without something to attack?
However, there are rules and even laws that govern breaking into (or breaking) other people’s applications, sites, or networks. Here’s how to learn white hat basics, and a few places where you can try them out — legally.
First, build a Kali Linux lab
A homelab should be the first tool in your security kit. CBT Nuggets security trainer Keith Barker recommends that you go for a Kali Linux setup — the industry standard for penetration testing and security auditing. He’ll even help you set one up in his White Hat Hacking course.
Kali Linux comes with literally hundreds of pen testing tools that you’ll need to track down vulnerabilities and intruders. These include tools for scanning ports, packet analysis, password cracking, wireless network detection, and network mapping.
The best part? It’s Linux, which means it’s open source and free. Download the current Kali Linux distribution here.
Next, learn the basics with Capture the Flag
Now you have a lab environment, and that’s great. It’s clean and predictable, which is exactly what you want when you’re learning the tools. However, security is all about locating vulnerabilities in a messy environment. It’s best to learn while also solving real-world problems, or at least simulations of real-world problems. That’s where Capture the Flag (CTF) challenges come into play. They’re fun, self-paced, and legal.
Find Capture the Flag hacking challenges
While acquiring your white hat skills, you’ll want to hone them with practice. Capture the Flag (CTF) competitions are a great way to test your knowledge, learn new tactics, and maybe earn a little cred. But realistically, you should start with CTF challenges instead. Lots of people start with picoCTF, and then find more challenges as they advance.
There are plenty of CTF challenge sites, and here are our five favorites.
Sponsor a CTF tournament at work
Once you’ve got the CTF challenges down, bring in more people. Lots of companies have a Freedom Friday or “20% time” — policies that allow employees to have a side project at work. Even if your company doesn’t explicitly provide project time, it should be an easy sell to host a CTF competition as training time.
If you haven’t run a CTF event before, there are great resources out there for ideas on how to set up and run a successful contest.
Start entering capture the flag competitions
Once you’re ready, gather your team and compete for real. You’ll get to face off against experienced security professionals with challenges that are based on real-world situations and vulnerabilities.
When you’re ready, you can take it to the next level and enter a CTF competition. It’s easy to find them. The CTFtime web site has a list of upcoming events, as well as an archive of past competitions. Who knows, maybe you can aspire to participate in the so-called “World Series of Hacking” at the annual DEFCON hacker convention in Las Vegas.
If you’re new to CTF, we explained how these competitions work earlier this week.
Finally, start attacking these purposefully vulnerable sites
If you don’t think you’re ready for a CTF — or if you’re in between events — you can hone your hacking skills by practicing on sites that have been intentionally designed to be vulnerable.
Luckily, there are a few places to practice your new skills (legally and ethically) out in the wild.
bWAPP (Buggy Web Application)
bWAPP is a web app that was deliberately developed to be vulnerable. It’s available as a free, open source download, and includes over 100 common issues derived from the OWASP list of the top security vulnerabilities.
How to get started: Developed with PHP, bWAPP uses MySQL and can be downloaded from SourceForge.
Damn Vulnerable iOS App (DVIA)
There are numerous web apps that are available for practice hacking, but not that many mobile apps. As the name suggests, DVIA is a vulnerable mobile application for Apple’s iOS platform. It runs (insecurely) on iOS 8 up to iOS 11. DVIA vulnerabilities include Jailbreak Detection, Excessive Permissions, Touch/Face ID Bypass, Phishing, Data Leakage to Third Parties, and more.
How to get started: The app is free and open source, and is available in both Swift and Objective-C versions from the DVIA site.
We mentioned WebGoat upfront, as part of your Kali Lab setup. It was developed by OWASP as an insecure web app that can provide a realistic learning environment for developers who want to learn about web app security. WebGoat is more than just a hackable app. It’s designed to also be a teaching tool, with lessons focused on specific vulnerabilities. WebGoat is available in versions for Windows, OSX Tiger and Linux and for J2EE and .NET environments. You can also get it in run-time or source versions.
How to get started: Download the latest version from the WebGoat GitHub page.
McAfee HacMe Sites
Although released in 2006, McAfee’s HacMe sites are still useful practice devices for new white hat hackers. They were developed by McAfee’s Foundstone professional services group and simulate real-world vulnerabilities in a range of business environments, including banking, reservations, and casinos.
How to get started: Available sites for download include Hacme Bank, Hacme Bank for Android, Hacme Books, Hacme Casino, and Hacme Travel.
This site is “full of holes” — unlike the Gruyere Cheese for which it’s named. Still, nobody says that cheese expertise is a required hacking skill. The code lab has lots of vulnerabilities and is designed to teach beginner hackers how to find security vulnerabilities, how they can be exploited, and how to prevent hackers from finding and exploiting them. Security flaws in Gruyere include cross-site scripting, cross-site request forgery, denial of service, and remote code execution. Interestingly, Gruyere supports both black-box and white-box testing, so you can learn both attack and defense.
How to get started: Setup instructions are available at Gruyere code lab.
Hellbound Hackers (HBH) is a web-based security training ground that offers hands-on security challenges designed to help members teach themselves how to identify and fix vulnerabilities that can be exploited. HBH is one of the largest hacking groups, with over 100,000 registered members. Once you register, you’ll have access to hacking tutorials, downloads, articles, and member forums.
How to get started: Register for an HBH account.
Hack.me is a community site created by eLearnSecurity, an IT security certification and training company. Hackers joining the Hack.me community can build, host, and share their vulnerable web apps for others to access and learn from. Members can set up their own ‘hackme’ in a dedicated sandbox for their own use only, or make it public so that other members can hack it.
How to get started: Join the Hack.me community.
This site — the self-proclaimed “Hacker’s Playground” — was designed to teach how hacks, dumps, and website defacement are done and how to secure against those attacks. The site offers over 50 levels of hacking challenges that cover a wide range of security. The site has a community of over 250,000 members providing the opportunity for discussion, questions, and sharing of advice. There’s also a library of articles on a range of categories including forensics, hacking, lock picking, phreaking, and encryption.
How to get started: Start hacking away at the challenges on HackThis.
VulnHub was launched to provide a repository of apps, websites and network setups that are by design “breakable, hackable & exploitable.” Its more than 200 security challenges are built by security professionals, which makes it a very robust challenge site, but also a little unorganized for the “learning hacker.”
How to get started: Go to VulnHub and start downloading challenges.
This wargame site provides numerous hacking challenges based on system exploitation. The site’s challenges are similar to a Capture the Flag, where a player has to complete a challenge and submit to the site to be awarded points. Although Pwnable.kr requires basic hacker skills, they say that their challenges are “orders of magnitude easier” than top-of-the-line competitions such as DEFCON CTF.
How to get started: Join the pwnable.kr community.
OWASP Mutillidae II
Like WebGoat, Mutillidae is a pen test project from OWASP. It’s a deliberately vulnerable web application built for Linux and Windows. Mutillidae comprises a set of PHP scripts that contain the OWASP Top Ten vulnerabilities back to 2007. The app comes with multiple levels of hints for the beginning hacker and has a dedicated YouTube channel and Twitter account.
How to get started: OWASP Mutillidae II is available through SourceForge.
OWASP Juice Shop Project
How to get started: Learn more and download Juice Shop from the OWASP community website.
Try2Hack provides multiple security challenges at increasingly difficult levels, designed to help hackers develop their skills. The basic ‘text’ look of the site reflects the practical, “let’s get to it” nature of the site.
How to get started: For beginners, there’s an IRC channel where you can interact with the Try2Hack community and ask for help. Try2Hack also has a complete walkthrough on GitHub.
If you think you need a kickstart for your white hat skills, then check out the brand new CBT Nuggets White Hat Hacking v10 course. Trainer Keith Barker introduces you to the ethical hacking tools and techniques needed to improve your network’s security posture.