Having spent (wasted) a lot of money on Penetration Testing books that were either not very interesting or just far too advanced for a junior or new learner, I wanted to just put it down in words how I felt about some of the recommended material on offer.
I’ll just list the books in order of usefulness, write a little about them and let you know whether it’s suitable for a new learner in Pen Testing.
Web Application Hackers Handbook V2 – Amazon UK
I read so many great reviews of this book. It’s not called the bible of web testing for nothing. It really is a great reference manual and should feature highly in everyone’s list.
Verdict: Ideal for new learners and experienced people for quick reference. A must!
Penetration Testing: A Hands-On Introduction to Hacking – Amazon UK
I’d say this was a must for any new learner. Especially if you are thinking of taking OSCP. I’d buy this first, get through it and then do OSCP, instead of buying the book halfway through like me.
Verdict: An absolute must for new learners and juniors. Maybe more experienced testers would let it lie on a shelf, not sure.
Hacking Linux Exposed – Amazon UK
I got this book for £4 and it’s been a very worthy addition to my shelf. I’ve used it loads of times as a quick reference during PWK (OSCP) A very worthy addition for the price. It’s old in some cases but still very relevant.
Verdict: Ideal for new learners. Maybe experienced testers will use it from time to time as a refresher.
Network Security Assessment: Know your network – Amazon UK
I found it hard to put this book down when I got it. It’s really easy to read and has a calming effect when you read it. I’d add the newest version of the book even though I have version 3.
Verdict: Ideal for everyone I’d say, and a part of the CREST reading recommendations list.
RTFM: Red Team Field Manual – Amazon UK
The first book I ever bought. A baptism of fire if you’ve never tackled hacking before. The book makes a lot of sense to me now. It’s a great book to have a round and I found it really useful at times during OSCP.
Verdict: It’s worth getting as a new learner. Exposes you to a lot but don’t be put off by it. Before you know it, you’ll be able to recognise everything in the book.
Books I’m still not sold on yet
The Hacker Playbook 2: Practical Guide to Penetration Testing – Amazon UK
This was in many people’s recommendations for new people learning Pen Testing, however, I just found it really strange to follow as a book. There’s no quick reference possible as it has no page index as such. The images are hard to make out and I put it down several times. Probably because it’s based on American Football in it’s approach and I don’t like the sports so it took me a while to read it.
Verdict: I’d advise this be bought later. Save your money. It’s good, but for later.
Mastering Modern Web Penetration Testing – Amazon UK
I have just bought this book so it would be unfair to rubbish it or recommend it. Early thoughts are that it’s a bit expensive for the amount you get. It’s about a 3rd of the size of WAHH.
Verdict: I’d say it was ideal for new learners before reading WAHH. Only if you have money to spare.
Verdict: Ideal for more experienced Python programmers. There’s other things to learn first.
Gray Hat Hacking 4th Edition – Amazon UK
My second ever hacking book, and what an eye opener it was. I still don’t understand half its contents. It’s very focussed on certain parts of hacking. To call it a handbook isn’t fair. It’s a big book, heavy in weight and in technical content.
Verdict: I’d steer clear of this one as a new learner. It’s reserved for many smarter than us.
Open Source Intelligence Techniques – Amazon UK
I was glued to this book for about 3 days, then the notion wore off. It’s a good book if you’re interested in OSINT as a way of finding out more info online, however, I can’t really say I’ve ever had a problem finding what I wanted without the book. I haven’t broke the back on the book yet so that shows it doesn’t feature as a desk quick reference manual.
Verdict: I wasn’t sold on it to be honest. It’s an extra if you want it.
Nmap Network Scanning – Amazon UK
Probably the book I’m most disappointed by. It’s just a load of information and no way to find what you are looking for. I want to know what the -sV switch really does. The book can’t tell me. If it does, it’s in the wrong section of the book.
Verdict: I’d avoid it. There’s a ton of resources online to teach you nmap.
InfoSec/Pen Testing books are expensive. With each of them costing around £30 each in the UK, it adds up to a lot of money you could be using on something else. Training is expensive and when you are starting out you can fall foul to buying the wrong material, hurting your wallet/purse and leaving you feeling deflated at the thought of learning from an advanced book.
I’d also be very wary of books and courses that mention the word ‘advanced’ In my experience (a year into training) there’s not much ‘advanced’ teaching in them. Gray Hat Hacker is advanced, without it mentioning it in the title.
A final note. I’ve written my opinion on these books through my own personal experience with them. I’ve had people rave about a book I’ve hated. To give you a core set to work off I’d stick to the top 5 listed here to get a feel for it. In every case, consolidate your learning by using Vulnhub vulnerable VM’s and Damn Vulnerable Web App.
I hope it helps