What is Reddit's opinion of
Hacking: The Art of Exploitation, 2nd Edition?
From 3.5 billion Reddit comments
By popularity on Reddit, this product is:
44 reviews of this product found across Reddit:
Yeah sounds like you have enough background now to be able to successfully make a move into netsec, it's not something that day 1 IT staff can expect to be good at or move into and is really a more advanced career path.
Sounds like your linux, and programming experience will give you an edge that direction.
A good book/resource is hacking art of exploitation https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
"Hacking: The Art of the Exploit" is a great book for foundations in low level C. It teaches C at the beginning but only very briefly (still enough with some practice) and then goes on about the inner workings of UNIX environments, Networks, Cryptograhpy and how to abuse them. Although it is an introduction to binary exploitation it should be of interest to every C programmer. It focuses mainly on UNIX systems but that is probably the way you want to go anyways with low level development since on Windows you need a little more skill to go any deeper than the API allows. Its also by far the best book I have ever read.
Not necessarily, there is a reason why they are different professions. If you just want to learn how to defend and not spend a lot of time on the subject look into device and OS secuirty as well as IPS/IDS.
If you want to learn hacking from a deep level I'd suggest learning assembly language. Although it doesn't have many practical uses.
Im reading this book currently: Hacking : The Art of Exploitation, 2nd Edition https://www.amazon.ca/dp/1593271441/ref=cm_sw_r_apan_glc_i_AFXT12YS0Q6PSFT1Z6GT
And trying to complete Over The Wire CTF challenges when I can.
There's some things you may have to learn on your own like social engineering. But I would just read about anything you're interested in learning.
Hate to go on a rant, but I'm probably the same as you. I know how to boot kali, scan networks, find vulns and use Metasploit to exploit a system.
I'm a Linux admin who would rather be a developer than an admin. My job already requires development in a variety of languages, like C, Python, Java, Perl, PHP, and JavaScript. One of my most major work projects is a client/server written in C. When I dip my toe into the job market, most employers don't care about my C experience. At a hiring event last year, most employers hiring for the back end were looking for Java. A few wanted Python or Ruby experience. For the most part, the Java shops dismissed my programming experience as just scripting as soon as they heard the word "Python", didn't believe I knew any Java even though I did, and expressed confusion at C.
C is used in embedded development and low-level OS development. I haven't seen many jobs available for it, but I haven’t looked in niche jobs. Personally, I like C. If you want to do more with it, you could look into kernel hacking. Other interesting topics that use C are compiler construction and exploitation/security. <em>Hacking: The Art of Exploitation</em> is on my to-do list.
Hi! You could think of it like a car: if PressingOnGas = true { increase speed }
If TooMuchTraffic {
change to route } i would recommend reading a book on programming, they look thick and boring but you dont need to read the whole thing, watch videos online to help, read others code. Theres a website called code academy to help thats free. https://www.amazon.com/Hacking-Art-Exploitation-2nd-Erickson/dp/1593271441 the beginning of this book talks all about programming and is awesome
I wouldn't take those responses too seriously. K&R is like the holy bible of the C community and Zed Shaw said mean things about it while being, well, Zed Shaw (read: a dick). So naturally they're jumping on the opportunity to shit on him and his book. When I first read Hentenaar's blog post I just kinda rolled my eyes since it was pretty obvious he saw that K&R critique, got irked by it, and then skimmed the alpha (or beta version - I honestly forget which but LCTHW was a WIP at the time) version of Zed's book while cranking the nitpicky pedantry up to 11 trying to find things to criticize.
LCTHW is by no means perfect, but it's a completely acceptable resource to learn C programming. Try picking up the finished version though; the one online seems to be the beta version still. The Art of Exploitation is another good read I'd recommend; it'll teach you how to exploit insecure C code.
Of course, you could always just read both K&R and LCTHW and decide for yourself which is better.
Actually, start with some programming, then move on to "The Art of Exploitation" it's the best book on "hacking" I've ever used...
By reading:
Hacking: The Art of Exploitation, 2nd Edition
CEH v9: Certified Ethical Hacker Version 9 Kit
One of my favorites: Designing BSD Rootkits: An Introduction to Kernel Hacking
Then set up your own lab (can just be a few VMs) and hack yourself.
Then take your Security+ and CEH exams. And don't forget to subscribe to the 2600!
Excellent questions! If you are a CS grad you are ahead of the game. However, it all depends on what you want to do. I suggested learning programming/CS principles for two reasons:
The more you understand how computers, code, compliers, software, stacks, memory randomization, CPU protection rings, and the such work the better you are at hacking. You can find novel ways to get into systems and exploit them, etc.
You can write basic tools on the fly. It is amazing the tools you can create with a few lines of code when you have access to nothing but a GCC compiler in a *nix environment.
If you want to find zero day exploits, yes learn how low level languages work. It would be very helpful in that case.
Otherwise, Learn python (or whatever is popular at the time) to write your own exploit tools....or to modify existing ones.
If you want to be apart of a red team learning lower level languages could make you a better exploiter. However, IMO, I would start with just learning the basics of hacking.
These two books are old but they are absolute standards for anyone starting off:
https://www.amazon.com/dp/1593271441/ref=cm_sw_r_cp_awdb_t1_GYIACb1Z2YXFA
And:
https://www.amazon.com/dp/1593275641/ref=cm_sw_r_cp_awdb_t1_zZIACbMH0WTMP
Also, learn as much as you can on how windows/Linux/virtual machines (and containers) work. The more you know about how an OS works the easier it is to exploit.
Learn to exploit, there are a ton of free sites to help you learn:
http://overthewire.org/wargames/
http://google-gruyere.appspot.com
Learn CTF challenges:
When you are able to hack take part in real challenges:
Then start your career with a RESPECTED CERT, OSCP:
The OSCP is no joke and it is a timed, 24 hour cert test. Yes, you read that right, 24 hours.
Unless you want a government gig stay away from C|EH, it is a joke cert in the community. Again, unless you need to work for a gov agency
Finally, and I cannot stress this enough.....LEARN CLOUD COMPUTING!!! It is here to stay and on-prem systems are dying a slow death. It will change how you exploit systems and how software is engineered/deployed.
There’s a book called, “Hacking: The Art of Exploitation,” that includes a lot of assembly. https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Hacking the art of exploitation (Amazon) (No Starch) is good for learning the foundation stuff. Its getting a bit old but the foundations are still the same there are just more defenses for some of the techniques now
this book taught me a bit about it. It was interesting to say the least. It gives examples of exploits, like how pointers can totally ruin someone's day.
Warning, it'll make you peek at some assembly. You don't really need to understand it fully to get the jist tho.
Computerphile also has some good videos on this topic, and how people "attack". It may give you an idea.
I don't know a lot, but this is how I learned about it to some degree until I swapped to a different education path.
I can talk to Cyber Security as I have a bachelors degree in Computer Science and a masters degree in Cyber Security.
Cyber Security is a touchy subject to teach for high schoolers as they are naturally curious. Therefore, I highly recommend subjects on legality, tools, and programming.
Now, what is your goal for the course? Are you looking to teach secure software development? Using security tools / penetration testing? Are you looking to teach reverse engineering?
My favorite resources for Cyber Security:
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
and Gray Hat Hacking the Ethical Hackers Handbook.
I have this one Learn Ethical Hacking From Scratch.
I think its not bad but course content is a little bit poor and hacking methods old.
If you want to start hacking
this books very good. Also u dont have money you can also find it on Google..
​
Hacking: The Art of Exploitation
"This book will teach you how to:
– Program computers using C, assembly language, and shell scripts – Corrupt system memory to run arbitrary code using buffer overflows and format strings
– Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening
– Outsmart common security measures like nonexecutable stacks and intrusion detection systems"
etc., etc.
Dunnow if it's exactly what are you looking for, but sounds similar.
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441 This book is a good place to start
Get this book, it will be your bible. https://www.amazon.co.uk/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Get this book, it will be your bible - https://www.amazon.co.uk/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Hacking the art of exploitation (Amazon) (No Starch) is good for learning the foundation stuff. Its getting a bit old but the foundations are still the same there are just more defenses for some of the techniques now.
Google stuff until you can understand the whole book.
Hacking the art of exploitation (Amazon) (No Starch) is good for learning the foundation stuff. Its getting a bit old but the foundations are still the same there are just more defenses for some of the techniques now
Google stuff until you can understand the whole book.
I don't recall reading Kevin Mitnick, but there was a phase like 6 years ago when I read a ton of computer science books including Cryptography and Hacking 2nd edition: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Ghost in the Wires may have been something I shot through at that time period.
I haven't read much lately.
>https://www.amazon.com.au/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
I will add this to my shopping cart now. Thank you for the advise!
https://www.amazon.com.au/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Excellent book. Covers basic fundamentals of programming, prior to examples of old and recent exploits. Has a live distro of linux so you can follow along in the terminal with the exercises. Breaks down machine code & compiling. Excellent read, you can download the iso of the live distro to use within a virtual machine.
If anyone has any trouble with something in the walk-through as far as needing clarification or they are attempting to do it themselves and find I messed up somewhere, please let me know! Thank you.
The binary can be found on my github: https://github.com/emtuls/ctf/tree/master/2018-hacktober.org/Binary_Analysis/binaries -> Larry.out
For anyone that needs resources for learning Reverse Engineering, I can provide you with a baseline that I would recommend starting with. Eventually, I plan on making my own set of tutorials...but that's in the works.
x86 Assembly:
If you don't know assembly language at all, this list of videos was where I picked up a decent amount of x86 assembly language.
A few good books would be:
Hacking: The Art of Exploitation I am a huge advocate for this book. I learned a lot from this and have read it multiple times. It is written very well and teaches someone with no experience how to do C programming and assembly. This is mainly a book for learning exploitation/vulnerability research, but that can play hand and hand with Reverse Engineering. It will show you the assembly language break down of basic exploits and this can help you with RE.
Practical Reverse Engineering I read through the beginning of this book and it gave me some good foundations of understanding memory and computer architecture for RE along with assembly of course
Secrets of Reverse Engineering This book is a bit in depth, but the beginning gives another good foundation for Comp Architecture and assembly stuff.
The IDA Pro Book Haven't personally read this book yet, but I have been told it is the defacto standard for learning IDA Pro, and it has examples you can learn from.
Hands On:
Legend of Random Very useful hands on with tutorials. Mainly based on cracking, but that requires reverse engineering. Highly recommend this!
Lenas Tutorials Again, another awesome hands on tutorial, mostly based on cracking as well.
Crackmes These are more of challenges once you start to have a little understanding down
Courses:
Tons of courses on youtube. I learn well from visual, so I recommend these youtube videos:
- Basic Dynamic Analysis
- Real World Decompilation There are a few videos to this series and he disassembles a game, definitely nice to learn from.
Beyond that, Google will always be your friend, and /r/reverseengineering. I also have a bunch of material for Malware RE, but that's a bit different than Software RE, though it is relatable.
How useful do you think books like these to be?
https://www.amazon.com/d/Books/Black-Hat-Python-Programming-Pentesters/1593275900
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
I just finished up a mini project in python and am looking for something else to do (other than learning C and another text on data structures). These books seem to be more about pen testing so I'm not sure it's really relevant.
At UVic, I think there are security specializations for degrees such as the MTIS or the Computer Science Options (such as Network Security -- although I did the Software Engineering option for C.Sc. in my undergrad)
I focused on taking classes, but I did a LOT of my own (legal) research/projects. That "legal" caveat is IMPORTANT. Don't get arrested for a hobby, it doesn't achieve your goal, and it's not worth it. Do things the right way, don't trespass or break the law.
Most of the government cyber defense jobs are in Ontario -- so expect to have to move there if you want to work with them. I hear there are ... "sites" ... elsewhere, but realistically you would have to "do your time" there before anything like that became available.
Business and Finance classes are always a good idea -- not just for business but personal benefit. My wife is an accountant and those skills are really helpful to have for our daily/monthly/etc finances.
Advice
- You have to "shoot straight" when it comes to security. Gone are the days where someone hacks the FBI and they offer him a job. Now they just arrest you and you stay there. It makes sense, why incentivise it. Don't do something that might even be construed as illegal. (With that being said, there is an argument to be made for making security education too "academic" and forgetting that people actually have to work on practical aspects -- this is outside the scope of this conversation though)
- There are plenty of projects such as OWASP Broken Web App, classes like Elec 567 at UVic, or just learn how to make your own VMs and attack them locally (the best route -- then you can control what's installed, with a fine-tooth comb) -- this also helps test new patches, etc to see if the software is vulnerable.
- Read. Lots. Subscribe to blogs, order books (I am partial to books such as Hacking: The Art of Exploitation (Pretty low level, but helps you understand what is going on under the hood), and Violent Python (more of a cookbook / handbook)), and read up on security news. Rule of thumb: Read at least 2 new security books every year (at a minimum) -- It gets easy when you have a dedicated app for security podcasts, RSS feeds, and you keep a book or two with you all the time.
- When interviewing for government security jobs, don't lie to them. If they asked you if you have smoked pot, tell them if you did. They are looking for truthfulness.
- Look at open source projects where you can contribute (general coding advice, but it helps). It doesn't have to be the Linux kernel, just work on something that isn't an assignment/project from school.
- Learn who the big players are in security -- Like everything on the internet, there is lots of talk. Find the people who actually know what they are talking about and listen to them. Take EVERYTHING (including this post) with a grain of salt! The classic motto is "Trust but verify". This applies to everything. The security industry is ... interesting ... Think of it as a cross between the mafia (Pay us for protection ... or else), "tinfoil hattiness" (Comes with the territory -- you see a lot more than the average person, so it skews your view on certain subjects... not all of which you can even talk about), and the classic balance between privacy and security (ranges from surveillance state and anarchy) ... Politics play a HUGE part.
- Always be learning. Show this to prospective employers. Don't just talk, do.
Sorry, this turned into a bit of an essay. I'm just one opinion out there, but hopefully you get something out of this. As always, "trust but verify".
[edit: a word]
This is a good book. Focus is 32-bit x86. Includes C and Assembly. https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441 I know your target may be MIPS; however, the principals are good as a foundation.
The intro to the book doesn't get technical.
See here: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441#reader_1593271441
On the left side, click Table of Contents, then click Introduction
I think Hacking: The Art of Exploitation is a great book worth reading: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/
Are you referring to this book;
http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
I see in the description that it says it's not a big deal if you don't know programming. Do you find this to be true?
I've also had
http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
Recommended to me. The description talks about html etc. do you need to know these languages before you dive into these book? Or is it more like they teach you just what you need to know about a specific language / vulnerability inside of a language/piece of code.
Thanks
Web applications hacker hand book is the best book I've read on web application security. Goes very in depth in the types of exploits in web applications, how to exploit them, what to use, and how to prevent them. If you have atleast a basic understanding of programming and are willing to read and understand this book (~1000 pages) you'll get up to speed pretty quick.
Here's the book: https://g.co/kgs/upO3q
Edit: Not as focused on web applications but in my opinion another top contender: Hacking: The Art of Exploitation, 2nd Edition https://www.amazon.com/dp/1593271441/ref=cm_sw_r_cp_api_zuDpxbSFKDHB1
Wow, it's really encouraging to see people new to hacking actually following the right path. Far too many people disassociate hacking with what it truly is, but you're not one of them; I see that you've got your answer already, but l feel it's necessary to keep pushing you in the right direction. Good luck in your endeavours :)
Some neat resources for someone interested in Binary Exploitation:
And a few books:
Hacking: The Art of Exploitation
I've got both of these books and a few on ASM, so I can vouch for them (as can their reviews and ratings).
Happy Hacking
http://www.amazon.com/Hacking-The-Art-Exploitation-Edition/dp/1593271441 is another good one. Old but if you don't know the basics it's a good place to start.
Do the opposite of this book
This site lists a bunch of sites for practicing CTF:
http://captf.com/practice-ctf/
A site to add to that list is microcorruption, which teaches binary exploitation. I highly recommend this site as it sort of walks you through some beginner concepts.
Another site to add to that is picoctf, which was developed by Carnegie Mellon students to let middle/high school students hack. There are two games right now: 2013 and 2014.
There are a bunch of good tutorials at hackforums.net.
There's also a really good book called Hacking: The Art of Exploitation, which has a great tutorial for C. You can find the PDF online, but I suggest getting the book, so that you can practice with the LiveCD.
For CTF purposes, you should also be familiar with some common/obsolete cryptosystems like RSA, xor, Elliptic Curve, md4, etc. Read the RSA paper by Rivest, Shamir, and Adleman.
Know python and C. I'm not that much of a fan of python, but its really useful for decrypting passwords since its variables don't have a maximum size limit. C is just useful because a lot of CTFs like to write code in C. Be familiar with x86 assembly.
Also know MySQL and be familiar with how PHP works. You will use that for SQL injections. Knowing javascript for cross site scripting (XSS) is not too necessary. Of course it's good, but you can get by with knowing common XSS exploits.
I've heard that Hacking: The Art of Exploitation has become dated (lack of real information on basic concepts like ASLR, etc.); is there a better source for someone just getting started in information security or is it still worth reading?
Additionally, do you have any suggestions for practical experience? For example, Microcorruption seems to be a great resource for getting used to debugging/ASM.
Low level h4cking.
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
I'm always advocating hak5.org for newbies on here. Though I'd also toss in this: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_1?ie=UTF8&qid=1324017233&sr=8-1
One thing to remember as you're getting started: don't expect to become a 1337 hax0r in one tutorial or over a few days. It's going to take time, effort, and lots of reading.
Popular alternatives to Hacking: The Art of Exploit...
Code: The Hidden Language of Computer Hardware and Software
Introduction to Algorithms, 3rd Edition (The MIT Press)
