Outside, there’s a pandemic. We’re being asked to stay indoors, shelter in place, and avoid social contact. Conferences are cancelled, live trainings are out of the question. Some businesses are closing (hopefully temporarily) and there are unfortunate layoffs and furloughs across the board. It’s a tough time.
Rather than dwell on the negative, focusing on something else can help you get through this mentally. Learning something or growing your skills can both help take away from the anxiety of the situation and also help you come out of this a better person. Whether you’re just getting started in security or looking to advance your career, or just looking to become more security-aware as an individual, there are some great options for learning from home. My lists below are by no means comprehensive – there’s more content than I can shake a stick at. However, these are intended to be good for beginners and have a diverse set of content. If you know of something I should have included, please reach out.
Some of these options are free or freemium – if you have the means, I’d strongly encourage you to pay for access and support those who are putting it together.
- PentesterLab has a number of free exercises, and dozens available with a paid PRO subscription. ($35 for 3 months for students, or $20/month for professionals.) The exercises in this environment are very well laid out, including things like basic Unix skills all the way up to complex crypto challenges. Each challenge is well-documented and works reliably, and the challenges are arranged in “badges” helping you find the right progression for your skills.
- Hack The Box is the premiere site for hosted hackable VMs. They provide a VPN connection to an environment with a number of challenge servers, each of which has a “User” and “Root” flag to be captured. I’ve played through 26 of their boxes as well as 22 challenges. They definitely have content for every skill level if your interest is penetration testing. If you plan to take the OSCP, these boxes are very similar in “spirit” to the OSCP lab boxes. Free tier gets access to all current boxes, pro gets you less busy servers as well as access to retired boxes.
- Stanford University has made CS 253 - Web Security available online for free. It includes slides, video, readings, and 3 of the course assignments, accessible to anyone who would like to do this.
- CryptoPals is a set of Cryptography challenges hosted by NCC Group. These are a progressive set of challenges to break various broken cryptography implementations, and require no pre-knowledge of crypto or advanced mathematics. (Some math is required, but it’s described as 9th grade level mathematics.)
- CryptoHack is similar to CryptoPals, but with a CTF-style flair to it. This is another “learn crypto by breaking it” opportunity.
- Exploit.Education is a set of challenges for vulnerability analysis/discovery, predominantly of memory corruption vulnerabilities. These are intended as a progressive set of VMs to attack and work your way through. Includes opportunities for ARM and ARM64 exploitation.
- Why not take the opportunity to build your own home lab? I’ve been playing around in mine quite a bit in the evenings and weekends while working from home. My Windows domain skills have atrophied quite a bit, and I’m trying to reconcile that. Hopefuilly I’ll succeed. :)
- Get in some reading time. eBooks require no shipping, so instant gratification. I can recommend almost anything from No Starch Press. At the moment, I’m looking at Black Hat Go, and just recently read Real-World Bug Hunting.
- SANS continues to offer their online trainings. Additionally, they’ve launched a bunch of virtual CTF challenges, including many free opportunities. I played in the Virtual Mini-NetWars Mission 1, and it was a lot of fun and the content was absolutely great. It was like playing a hacking RPG.
- Offensive Security has their online trainings as per usual. This includes both the very well-known Penetration Testing with Kali Linux (OSCP), as well as Cracking the Perimeter (OSCE), and Advanded Web Attacks and Exploitation (OSWE). I’ve done both OSCP and OSCE in the past, and can highly recommend both of them.
- Check out a CTF on CTFTime.
No matter what you end up doing, make sure you take some time from yourself and disconnect from all the bad news. It’s so easy to become overwhelmed with everything going on. Focus on something you can control and reaching your goals.
This post contains Amazon Affiliate links.