Top 10 Penetration Testing Books for Beginners...and more

In a recent post I asked for book recommendations for offensive security and/or penetration testing aligned certification exams and I received an amazing and somewhat overwhelming response. Thank you! Turns out there are far more books available than I even imagined and I have reading material now for the rest of the year!

For those interested, here's my rack-and-stack of the "Top 10 for Beginners" books. This is my personal view after having reviewed each one of these books for content, quality, and currency. This is not an inclusive list of every book available on this subject. I've read many books, but I most certainly have not read every book out there. I apologize if I've overlooked one of your favorites.

Thank you to all the amazing authors of these books and to those that contributed to building this list. 

May you enjoy your journey into offensive security and penetration testing.

1. Breaking into Information Security (Gill)

  • Getting started in an information security career with an emphasis on offensive security
  • Fundamental technologies and core information to build on
  • The perfect book to start with
  • Get it by donating: https://leanpub.com/ltr101-breaking-into-infosec


2. The Pentester Blueprint (Wylie and Crawley)

  • Pentesting foundation, basic skills in operating systems, networking, and security
  • Training and educational recommendations, including certs and degrees
  • Experience tips, including labs, CTFs, and bug bounties


3. Learn Ethical Hacking from Scratch (Sabih)

  • Basic computer system knowledge and vulnerability introduction
  • Basic exploitation and security assessments
  • Pair this with the Udemy course


4. Linux Basics for Hackers (OccupyTheWeb)

  • Reads like a tutorial with practical tips and application
  • Basics on network connections and listening
  • Basic proxy, VPN, Tor, and encryption details
  • Introductory Bash scripts and other simple tools


5. Penetration Testing: Hands-on Introduction to Hacking (Weidman)

  • Hands-on focused core skills and techniques
  • Basics on password cracking, wireless, web apps, social engineering, and antivirus bypass
  • Enterprise control and post exploitation content
  • Even includes notes on writing exploits and mobile hacking


6. Gray Hat Hacking: The Ethical Hacker's Handbook (Harper et al)

  • Weapons, skills, and tactics including case studies, labs, and actual commands
  • Covers a wide range of information including networks, web, mobile, malware, law, and more
  • Includes a business view of ethical hacking


7. Hacking: The Art of Exploitation (Erickson)

  • Intermediate information
  • Heavy in C programming
  • Solid buffer overflow details
  • Hands-on content focused on exploit development


8. Network Security Assessment (McNab)

  • Very structured approach to network assessments
  • Focuses on ports, protocols, and associated services
  • Includes information on web servers and databases
  • Frameworks too, including Rails, Django, MS ASP.NET, and PHP


9. The Web Application Hacker's Handbook (Stuttard and Pinto)

  • Focuses on web application testing and attack
  • Information on discovering, exploiting, and preventing web application security flaws
  • Get the interactive version at PortSwigger: https://portswigger.net/web-security/web-application-hackers-handbook


10. Attacking Network Protocols: Capture, Analysis, & Exploitation (Forshaw)

  • Capture, manipulate, and relay network packets with Wireshark
  • Dissect traffic and reverse engineer code focusing on the inner workings of network protocols
  • Intermediate content on memory corruption, authentication bypass, and DoS attacks


Bonus. These aren't exactly the types of books you read cover to cover, but they are essential references to keep next to you while on keyboard:

  • Hacker Methodology Handbook (Bobeck)
  • Hash Crack: Password Cracking Manual (Picolet)
  • Red Team Field Manual (Clark)
  • The Operator Handbook (Picolet)


Want more? Here are the books that didn't make my Top 10 list but are still quality reading material worthy of adding to your library:

Runners-Up:

  • Basic Security Testing with Kali Linux (Dieterle)
  • Blue Team Field Manual (White & Clark)
  • Ethical Hacking and Penetration Testing Guide (Baloch)
  • Hacking for Dummies (Beaver)
  • Penetration Testing: A Survival Guide (Halton et al)
  • Professional Penetration Testing: Creating and Learning in a Hacking Lab (Wilhelm)
  • The Basics of Hacking and Penetration Testing: Made Easy (Engebretson)
  • The Hacker Playbook Series, Books 1-3 (Kim)
  • Red Team Development and Operations: A Practical Guide (Vest and Tubberville)

Apps and Web:

  • A Bug Hunter's Diary (Klein)
  • Exploiting Software: How to Break Code (Hoglund and McGraw)
  • Hands-on Web Penetration Testing with Metasploit (Singh and Sharma)
  • Hunting Security Bugs (Gallagher, Landauer, and Jeffries)
  • Professional Pen Testing for Web Applications: Programmer to Programmer (Andreu)
  • Real-World Bug Hunting: A Field Guide to Web Hacking (Yaworski)
  • Seven Deadliest Web Application Attacks (Shema)
  • SQL Injection Attacks and Defense (Clarke et al)
  • The Art of Software Security Assessment (Dowd, McDonald, and Schuh)
  • The Tangled Web: A Guide to Securing Modern Web Applications (Zalewski)
  • Web Penetration Testing with Kali Linux (Najera-Gutierrez and Ansari)

Linux:

  • Hacking Exposed Linux (ISECOM)
  • Kali Linux Revealed: Mastering the Penetration Testing Distro (Hertzog and O'Gorman)
  • Linux Command Line and Shell Scripting Bible (Blum and Bresnahan)
  • Linux Shell Scripting Cookbook (Flynt, Lakshman, and Tushar)
  • The Linux Command Line: A Complete Introduction (Shotts)
  • Wicked Cool Shell Scripts (Taylor and Perry)

Network Focused:

  • Aggressive Network Self-Defense (Wyler, Potter, and Hurley)
  • Hacking Exposed: Network Security Secrets & Solutions (McClure et al)
  • The Hacker's Handbook: Breaking Into & Defending Networks (Young and Aitel)
  • Silence on the Wire: A Field Guide to Passive Recon and Indirect Attacks (Zalewski)

Programming and Scripting:

  • Bash Guide for Beginners (Paneczko)
  • Black Hat Python (Seitz and Arnold)
  • Black Hat Go (Steele, Patten, and Kottmann)
  • Coding for Penetration Testers: Building Better Tools (Andress and Linn)
  • Gray Hat Python: Python Programming for Hackers and Reverse Engineers (Seitz)
  • Violent Python: A Cookbook (O'Connor)

Tool Guides:

  • Learning Nessus for Penetration Testing (Kumar)
  • Metasploit: The Penetration Tester's Guide (Kennedy)
  • Metasploit Penetration Testing Cookbook (Teixeira, Singh, and Agarwal)
  • Nmap Network Scanning: The Official Nmap Project Guide (Fyodor)
  • Nmap 6 Cookbook: The Fat-Free Guide to Network Security Scanning (Marsh)
  • Penetration Tester's Open Source Toolkit (Faircloth)

Specialized:

  • Android Hacker's Handbook (Drake et al)
  • Google Hacking for Penetration Testers (Long, Gardner, and Brown)
  • Hacking Exposed Cisco Networks: Cisco Security (Vladimirov et al)
  • iOS Hacker's Handbook (Miller et al)
  • Practical IoT Hacking (Chantzis et al)
  • Securing the Smart Grid: Next Generation Power Grid Security (Flick and Morehouse)
  • Shellcoder's Handbook: Discovering and Exploiting Security Holes (Anley)
  • Social Engineering: The Art of Human Hacking (Hadnagy et al)
  • The Car Hacker's Handbook: A Guide for the Penetration Tester (Smith)
  • The Database Hacker's Handbook: Defending Database Servers (Litchfield et al)
  • The Hardware Hacker: Adventures in Making & Breaking Hardware (Huang)
  • The Mac Hacker's Handbook (Miller and Zovi)
  • The Mobile Application Hacker's Handbook (Chell)
  • Unauthorized Access: Physical Penetration Testing for IT Security Teams (Allsopp)
  • WarDriving and Wireless Penetration Testing (Hurley et al)

Dig Deeper:

  • A Guide to Kernel Exploitation: Attacking the Core (Perla and Oldani)
  • Advanced Penetration Testing: Hacking the World's Most Secure Networks (Allsopp)
  • Advanced Penetration Testing for Highly-Secured Environments (Allen and Cardwell)
  • Advanced Persistent Threat Hacking: The Art & Science of Hacking (Wrightson)
  • Applied Machine Learning/Neural Networks: Offensive Security (Atkins)
  • Managed Code Rootkits: Hooking into Runtime Environments (Metula)
  • Ninja Hacking: Unconventional Penetration Testing (Wilhelm and Andress)
  • Rootkits and Bootkits (Matrosov, Rodionov, and Bratus)

If you're looking for a bit more storytelling, here's one more list:

Evenings by the fire:

  • Countdown to Zero Day: Stuxnet (Zetter)
  • Dark Territory: The Secret History of Cyber War (Kaplan)
  • Dissecting the Hack: The F0rb1dd3n Network (Street, Nabors, and Baskin)
  • Fatal System Error: Hunt for the New Crime Lords Bringing Down the Internet (Menn)
  • Ghost in the Wires: My Adventures as the World's Most Wanted Hacker (Mitnick)
  • Hackers & Painters: Big Ideas from the Computer Age (Graham)
  • How to Hack Like a Pornstar: Breaking into a Bank (Sparc Flow)
  • I, Robot (Asimov)
  • Inside Cyber Warfare: Mapping the Cyber Underworld (Carr)
  • Kingpin (Poulsen)
  • Neuromancer (Gibson)
  • Nineteen Eighty-Four (1984) (Orwell)
  • No Place to Hide: Snowden, the NSA, and the U.S. Surveillance State (Greenwald)
  • The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (Stoll)
  • The Girl with the Dragon Tattoo (Larsson)
  • The Hitchhiker's Guide to the Galaxy (Adams)
  • The Lure (Schroeder)
  • Zero Day: The Threat in Cyberspace (The Washington Post and O'Harrow)

MD. SAYED HOSEN

Professional freelancer

1 year

I need a book for penetration testing learning?

Raman Ravula

Chief International Officer at BMS Co.

2 years

Very Nice #collection

Musa Dlamini

AIX Administrator at Vodacom

2 years

Guys thanks for the list

James Alvine

IT Support Engineer | Cyber Threat Intelligence

2 years

This is nice. It's now high time I challenge myself in 100 days of hacking. I like the books. Thanks for sharing.
