When you first start learning something, it can be difficult to discover high-quality resources to help you on your journey. This article outlines what I think are the best resources for learning to hack at the moment (date check: August 2021). In particular, these resources will give beginner hackers an excellent foundation for bug bounty hunting or penetration testing. Keep in mind that there are a lot of resources out there, so I am definitely missing plenty of them. If I missed anything that you think should be covered, let me know!
The list is quite long, but don’t be overwhelmed. You don’t need to binge every piece of content at every link. You would have a hard time ever getting through it all. I certainly haven’t. Instead, aim to learn a little bit regularly. Or, as James Clear put it, “you should be far more concerned with your current trajectory than with your current results.”
The list of lists
I am not the first person to create a list of resources for beginner hackers, and I won’t be the last! Below you will find a list of lists. Each one is its own repository of resources, similar to this one.
- Nahamsec’s “Resources for Beginner Bug Bounty Hunters” is an organised index of resources for learning to hack. It is quite comprehensive and well curated. It would take months to get through it all!
- Codingo’s search functionality on his website indexes a huge stack of public content from hackers. This is particularly useful if you’re looking for content about a specific topic or vulnerability class.
- S0cm0nkey’s “Security Reference Guide” is another excellent, well-curated and well-organised repository of cybersecurity resources.
- InfosecWriteups is a Medium publication that has a huge amount of cybersecurity related write-ups for CTFs and bug bounties.
Hands-on training platforms
- Pentesterlab has a hands-on approach to learning hacking. Each lesson is a lab where you need to exploit a vulnerability that mimics something you might see in a real-world application. It covers a lot of different bug classes, from basic to advanced. They have a hosted paid offering, or you can download some of their more basic exercises as ISOs.
- Portswigger labs is a huge set of web application security labs that are totally free. Each hands-on lab also comes with a solution and a “community solution” which is typically a YouTube video from the hacking community.
- Tryhackme is a cybersecurity training platform and competitive hacking game. When you sign up, you choose between three streams: pre-security for fundamentals, offensive pentesting, or cyber defense. The platform seems quite comprehensive, and its labs go beyond web application vulnerabilities to cover buffer overflows, Active Directory and more.
- Hackthebox is best known for being an ongoing worldwide competitive CTF, but they also provide some very high quality training “tracks” for just about any topic you could think of. They offer a lot of labs/boxes for free, but also have different premium subscriptions that give you access to retired boxes, less crowded lab environments and pro labs.
- Kontra is an online platform that offers a series of hosted labs designed to teach developers about application security. The platform is very slick and beginner friendly – each lab is story based. It walks through a plausible real-life attack scenario, teaching the student how the vulnerability would be exploited, and also what the vulnerable code looks like.
- Hacker101.com is an online training platform for web security, created by bug bounty platform Hackerone. It includes a bunch of CTF challenges inspired by real-world vulnerabilities and also a series of video tutorials about all elements of web hacking.
- Vulnhub is a platform that allows users to upload “challenge boxes”, which are purposely vulnerable virtual machines. The aim is to gain root/system level access on these machines by exploiting various vulnerabilities.
YouTube channels
- John Hammond has a very entertaining channel covering all kinds of topics including CTF walkthroughs, programming tutorials, interviews, the dark web, malware analysis, and more!
- Nahamsec does “Recon Sundays” every Sunday, where he streams live recon and brings on guests to interview or hack with. He also hosts “Nahamcon”, a virtual security conference with great speakers.
- STÖK makes all kinds of different cybersecurity related videos, mostly pertaining to bug bounties. He interviews some great hackers and documents live hacking events. He releases “Bug Bounty Thursdays” every week which outlines the latest bug bounty news.
- Farah Hawa is excellent at taking complex topics and explaining them in a way that you will understand, by breaking them down to fundamentals. She covers different bug classes, hacking process and careers.
- Codingo creates bug bounty specific videos including videos about tools, hacking processes, recon and more.
- Liveoverflow is a cybersecurity YouTube legend at this point, having released over 300 videos about a huge range of topics.
- PwnFunction also focuses primarily on web application hacking. The videos have a really nice style and are very well explained.
- Ippsec almost exclusively creates walkthroughs of HackTheBox challenge boxes. Every action is explained very well; it feels like you are watching a pro over their shoulder, and it is an excellent way to learn.
- InsiderPhD: “Dr, apparently, hacker, Lecturer in Cyber Security, Educational YouTuber, Application Security Engineer and still awaiting the Nobel prize for more hours in the day.” Makes great videos about hacking, bug bounties, machine learning and more!
- The Cyber Mentor (TCM) is an excellent cybersecurity educator who now runs his own academy, “TCM Security Academy”. He is best known for developing excellent cybersecurity courses, particularly in penetration testing.
- Hakluke. I can recommend myself, right? I make instructional videos, bug bounty report explainers, career and mindset videos.
Twitter
I won’t give a description of each Twitter account because the content being posted varies quite significantly from day to day. All of these Twitter accounts post excellent cybersecurity related content, most of them with a lean towards bug bounties.
Blogs and Write-ups
- Hackerone Hacktivity has a continuous stream of disclosed vulnerabilities on the Hackerone platform. Reading through them is a great way to see what kinds of things people are finding and to inspire your own hacking.
- Crowdstream is the Bugcrowd equivalent of Hackerone’s Hacktivity. Although there are far fewer disclosed reports there, it’s worth reading through them!
- Pentesterland has a huge, curated list of bug bounty writeups and resources for beginner hackers.
- Inti De Ceukelaire is a great bug bounty hunter and the Head of Hackers at bug bounty platform Intigriti. He has a knack for finding critical systemic bugs that affect a lot of organisations, and doing great write-ups!
- D0nut’s blog is a total mixed bag with lots of gems.
- Intigriti’s Medium Publication is filled with great bug bounty content!
- Secjuice is a not-for-profit publication that posts all kinds of articles about cybersecurity including CTF writeups, tutorials, methodologies and more.
- Tomnomnom’s blog has three exceptional technical write-ups about baking cake, cooking steak and debugging a bug in an extremely niche window manager. As it turns out, “medium sized” eggs vary in size quite significantly.
- My blog has a bunch of insights into bug bounties and hacking process.
There are also some great blogs with more advanced security research content; you can see a few of them below!
- Detectify Labs posts an impressive amount of cybersecurity research.
- Portswigger Research also posts an impressive amount of cybersecurity research.
- Bishopfox Labs releases great research papers and tools.
Discord / Forums
Being a part of the community and finding people to bounce ideas off is sometimes really helpful! Here are a bunch of invites for hacking-related Discord servers.
- Bugcrowd Community Discord
- TryHackMe Discord
- The Cyber Mentor Discord
- 0x00sec Forum
- 0x00sec Discord
- InsiderPhD Discord
- Nahamsec Discord
- HackTheBox Discord
And so many more – you can use Discord’s “discover” feature to search for cybersecurity-related keywords.
This really is only a small taster of the resources that are available for learning hacking, but we need to stop somewhere! Hopefully this will give you a good starting point in your hacker journey. Good luck and happy hacking!
My name is Luke Stephens but most know me as hakluke. I am currently living on the Sunshine Coast, in Australia. I recently resigned from my role as the Manager of Training and Quality Assurance for Bugcrowd to start my own consultancy, Haksec. I do a lot of penetration testing and bug bounties and create content for hackers. Check out my YouTube channel.