My beginner setup and resources
My setup is fairly simple. I use a number of tools and plugins for testing. This page lists all the tools I use, with appropriate links. I will also include links to places where a beginner can start in cyber.
Hardware
Let’s start at the hardware level. This is the setup that is recommended for smooth practice, although you can easily get started with specs much lower than the ones shown below.
CPU
- Laptop
  - i5 or Ryzen 5
  - 8th gen or newer
  - 4+ cores
- Desktop
  - i7 or Ryzen 7
  - 3rd gen or newer
  - 8+ cores
RAM
- Laptop
  - 16GB DDR4
  - 32GB if running VMs
- Desktop
  - 16GB DDR4 or DDR5
  - 32GB if running multiple VMs
Storage
- Laptop
  - 512GB SSD for Linux
  - 256GB SSD for Windows (dual boot)
- Desktop
  - 1TB SSD for Linux
  - 500GB SSD for Windows (dual boot)
GPU
- Laptop
  - NVIDIA GTX 1050 or better
  - 2GB VRAM minimum
- Desktop
  - NVIDIA GTX 1660 or better
  - 4GB VRAM or higher
Networking
- Laptop
  - 1 Gbps Ethernet port (recommended)
  - Wi-Fi 6 support
- Desktop
  - 1 Gbps Ethernet port
  - Wi-Fi 6 adapter or PCIe card
Miscellaneous
- Laptop
  - External USB 3.0 hub (for accessories)
  - USB Wi-Fi adapter for packet injection
  - Portable external SSD (for extra storage)
- Desktop
  - Multiple monitor support
  - USB Wi-Fi adapter for packet injection
  - External HDD for backup and storage
Operating System
For the operating system, I recommend Kali Linux for beginners, but you can consider other options as well by simply installing your tools on your preferred OS. Personally, I would recommend using a Linux-based distro or maybe dual booting.
For my setup I have dual booted Linux and Windows. I find Arch Linux easy to use, and it has all the tools required for pentesting, whilst for report purposes Office works only on Windows, so I have to run Windows as well. Below you can find the list of recommended distros and how to set up the Chaotic AUR and BlackArch repos on Arch and Arch-based distros.
Note: The levels (Beginner, Intermediate) do not represent how easy the distro is to use or install, but how easy it is to begin hacking with it.
- Debian Based
  - Kali Linux (Beginner)
  - Ubuntu (Intermediate)
  - Linux Mint (Intermediate)
  - PopOS (Intermediate)
  - Debian (Intermediate)
- Arch Based
  - Black Arch (Intermediate)
  - Endeavour OS (Intermediate)
  - Garuda Linux (Intermediate)
  - Vanilla Arch (Intermediate)
While using Arch-based distros for pentesting, I find it very useful to install the Chaotic AUR and BlackArch repos, which make tools just one install away.
Chaotic Aur
We start by retrieving the primary key to enable the installation of our keyring and mirror list:
sudo pacman-key --recv-key 3056513887B78AEB --keyserver keyserver.ubuntu.com
sudo pacman-key --lsign-key 3056513887B78AEB
sudo pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-keyring.pkg.tar.zst'
sudo pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-mirrorlist.pkg.tar.zst'
Then, we append the following to the end of /etc/pacman.conf:
[chaotic-aur]
Include = /etc/pacman.d/chaotic-mirrorlist
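One way to script the append step above so that it is safe to run twice and refuses to add a repo whose mirrorlist is not installed yet. This is an added example, not part of the Chaotic-AUR instructions; the function name `add_repo` and the `.bak` backup name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: append a repo section to a pacman.conf-style file exactly once.
# add_repo is a hypothetical helper, not a pacman or Chaotic-AUR command.

# add_repo CONF NAME INCLUDE
#   CONF     path to the config file (e.g. /etc/pacman.conf)
#   NAME     repo name without brackets (e.g. chaotic-aur)
#   INCLUDE  path to the mirrorlist the section points at
# Returns 0 if the section is present afterwards, 2 on a precondition failure.
add_repo() {
    local conf=$1 name=$2 include=$3

    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 2; }

    # The mirrorlist package must be installed first; a section that points at
    # a missing file leaves the config referring to nothing.
    [ -f "$include" ] || { echo "mirrorlist not installed: $include" >&2; return 2; }

    # -F: match literally (brackets are regex metacharacters)
    # -x: whole line only, so a commented-out "#[name]" does not count
    if grep -qxF "[$name]" "$conf"; then
        echo "[$name] already present in $conf, nothing to do" >&2
        return 0
    fi

    # Keep a copy of the file as it was before the edit.
    cp -p "$conf" "$conf.bak" || return 2

    # Append at the end, as the instructions say.
    printf '\n[%s]\nInclude = %s\n' "$name" "$include" >> "$conf"
}

# Usage (as root):
#   add_repo /etc/pacman.conf chaotic-aur /etc/pacman.d/chaotic-mirrorlist
```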
Black Arch Repo
BlackArch Linux is compatible with existing/normal Arch installations. It acts as an unofficial user repository.
# Run https://blackarch.org/strap.sh as root and follow the instructions.
$ curl -O https://blackarch.org/strap.sh
# Verify the SHA1 sum
$ echo 26849980b35a42e6e192c6d9ed8c46f0d6d06047 strap.sh | sha1sum -c
# Set execute bit
$ chmod +x strap.sh
# Run strap.sh
$ sudo ./strap.sh
# Enable multilib following https://wiki.archlinux.org/index.php/Official_repositories#Enabling_multilib and run:
$ sudo pacman -Syu
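Typed one at a time, the commands above do not stop you from running strap.sh after a failed checksum. The following added example (not from BlackArch) makes execution conditional on the digest check. The function names are assumptions, and the expected digest should be the one BlackArch currently publishes for strap.sh.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded script only if its digest matches a pinned
# value. verify_digest and run_if_verified are hypothetical helper names.

# verify_digest FILE EXPECTED_HEX [sha1|sha256]
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_digest() {
    local file=$1 expected algo=${3:-sha1} want actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # compare case-insensitively

    case $algo in
        sha1)   want=40 ;;
        sha256) want=64 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Reject anything that is not a full-length hex digest (a truncated paste,
    # an empty variable) instead of reporting it as a plain mismatch.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq "$want" ] || { echo "expected digest has wrong length" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Hash via stdin so the output carries no file name to parse around.
    actual=$("${algo}sum" < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0

    printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX [RUNNER...]
# Runs "RUNNER... FILE" (default runner: sh) only after the digest matches.
run_if_verified() {
    local file=$1 expected=$2
    shift 2
    [ "$#" -gt 0 ] || set -- sh
    verify_digest "$file" "$expected" || return $?
    "$@" "$file"
}

# Usage, with PINNED_SHA1 set to the published value:
#   curl -O https://blackarch.org/strap.sh
#   run_if_verified strap.sh "$PINNED_SHA1" sudo sh
```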
Browser
- Chromium Based
- Firefox Based
Chromium-Based Browsers:
- Ublock Origin - Powerful ad-blocker for enhanced security.
- NightTab - Customizable start page to organize tabs.
- Dark Reader - Dark mode for websites, reducing eye strain.
- Bitwarden - Secure open-source password manager.
- FoxyProxy - Switch between proxies, essential for anonymity and testing.
- Wappalyzer - Detect web technologies for reconnaissance.
- I don’t care about cookies - Removes cookie consent popups.
- Enhancer for YouTube - Ad-blocker and custom player for YouTube.
- Return YouTube Dislike - Restores dislike count on videos.
- Plasma Shell Integration - Connect Chromium with KDE Plasma desktop.
- GS Connect - GNOME integration for file sharing and notifications.
- Shodan - Direct access to Shodan’s search engine for identifying vulnerable devices on the web.
- EditThisCookie - Manage, edit, and delete cookies for testing.
- User-Agent Switcher - Quickly change the browser’s user agent for anonymity testing.
- XSS Rays - Analyze websites for XSS vulnerabilities.
- HackTools - Toolbox for pentesters: XSS payloads, reverse shells, and more.
Firefox-Based Browsers:
- Ublock Origin - Blocks ads and trackers.
- NightTab - Organize frequently visited websites.
- Dark Reader - Dark mode for a better browsing experience.
- Bitwarden - Secure password storage.
- FoxyProxy - Fast proxy switching for security assessments.
- Wappalyzer - Detect website frameworks and technologies.
- I don’t care about cookies - Auto-dismiss cookie prompts.
- Enhancer for YouTube - Control YouTube playback, skip ads.
- Return YouTube Dislike - Bring back the dislike count on YouTube.
- Plasma Shell Integration - Integrate with KDE desktop (if using Plasma).
- GS Connect - GNOME extension for Android integration.
- HackBar - Simplify manual SQL injections, XSS, and other input testing.
- HTTP Header Live - View HTTP headers in real-time for testing.
- Cookie Quick Manager - Quickly modify cookies for testing.
- Tamper Data - View and modify HTTP requests for vulnerability testing.
- HackTools - Useful pentesting tools: payloads, encoders, and more.
Code Editors
- Neovim
- VS Codium
NvChad
Neovim is highly customizable and lightweight, making it ideal for fast coding with minimal distractions.
Plugins:
- TreeSitter: Syntax highlighting and parsing for better code comprehension.
- Telescope: Fuzzy file finder and search tool for quick navigation.
- LSPConfig: Language Server Protocol for auto-completion and diagnostics.
- Mason: Simple installer for managing LSP servers, linters, and formatters.
- Gitsigns: Git integration for showing changes in the code.
- Which-Key: Displays available keybindings in a popup for ease of use.
- Nvim-Tree: File explorer for Neovim, built-in file navigation.
NvChad is designed to be beginner-friendly yet powerful, making it perfect for both new and advanced users of Neovim.
VS Codium
VS Codium is the open-source version of VS Code without telemetry, making it a privacy-friendly alternative.
Extensions:
- Python: Python extension for debugging and code formatting.
- ESLint: Linter for JavaScript and TypeScript.
- Prettier: Code formatter for JavaScript, CSS, and other languages.
- GitLens: Enhances Git capabilities and displays code authorship.
- Bracket Pair Colorizer: Helps visualize matching brackets with colors.
- Docker: Docker integration for managing containers directly from the editor.
- REST Client: Useful for testing and sending HTTP requests directly from VS Codium.
- Code Spell Checker: Catches spelling errors in your code and documentation.
- vscode-icons: Adds file icons to make project navigation easier.
VS Codium offers a broad range of open-source extensions to improve your coding experience without compromising privacy.
Note taking
- Obsidian
- Logseq
- AppFlowy
Obsidian is a powerful knowledge base that works on local markdown files. It’s highly customizable through various plugins.
- Calendar: Adds a calendar view to track your daily notes and events.
- Dataview: Allows querying and displaying your notes as tables or lists based on metadata.
- Excalidraw: A drawing tool plugin that lets you integrate visual diagrams into your notes.
- Git: Enables you to back up your notes to a Git repository for version control.
- Kanban: Adds a Kanban board for task and project management within your vault.
- MathJax: Adds LaTeX support for writing and displaying mathematical equations.
- PDF++: Enhances PDF reading capabilities, allowing annotations directly in Obsidian.
- Pomodoro Timer: Adds a productivity timer with the Pomodoro technique for focused sessions.
- Style Settings: Customizes the visual appearance of your vault through themes and CSS tweaks.
- Table of Content: Generates a table of contents for your notes dynamically based on headers.
- Tag Wrangler: Helps manage tags more efficiently, allowing you to rename, merge, or organize tags.
- Tag Folder: Organizes notes based on their tags inside folders, similar to a file manager.
- Templater: Allows for dynamic templating in your notes to automate repetitive content creation.
- Tracker: Track habits, mood, or any data you want within your Obsidian vault.
Logseq is a privacy-first, open-source knowledge management and collaboration platform based on outliner workflows, ideal for personal wikis, journals, and tasks.
- Supports markdown and org-mode.
- Hierarchical and backlinking system for powerful note organization.
- Graph view to visualize the interconnections between notes.
- Integrates with Git for version control.
AppFlowy is an open-source alternative to Notion, with a focus on data privacy and customization. It provides a clean, block-based workspace for managing projects, writing notes, and task management.
- Privacy-first: All your data is stored locally.
- Open-source and customizable through plugins and themes.
- Supports collaboration with real-time syncing.
Pentesting Tools
I am learning the following tools to improve my pentesting skills, and I will be writing various blogs related to these.
- Programming Languages
- Port Scanning
- OSINT
- Mobile App Testing
- Webapp Testing
- API Testing
- WordPress Sites
- Social Engineering
- Wordlists
- Exploitation Frameworks
- Privilege Escalation
- Burp Suite (PLUGINS: Autorize, Burp Bounty Pro, Coverter)
- OWASP ZAP
- Nikto
- Feroxbuster
- GoBuster
- SQLMap
- XSStrike
Resources
Learning
- Learning Platforms
- General
- Hacking Resources
- Linux Learning
- InfoSec News
- Cheat Sheets
- Libraries
- Hacklido - Articles, discussions, and learning resources for security professionals.
- SysExplore - Explore educational materials for cybersecurity.
- Ivre - Network scan analysis platform.
- KodeKloud Engineer - Learn DevOps and cybersecurity skills through practical labs.
- PortSwigger Academy - Free web security learning platform from the creators of Burp Suite.
- APISec University - API security learning resources.
- FreeCodeCamp - Free interactive lessons on coding and security.
- The Odin Project - Comprehensive full-stack development education.
- Cloud Pentest - Learn cloud pentesting through practical labs.
- Hacker High School - Cybersecurity lessons and labs for teens.
- Coursera - Online learning platform with cybersecurity courses.
- Udemy - A wide variety of cybersecurity and hacking courses.
- Skillshare - Learn various topics, including cybersecurity.
- edX - Free and paid courses on topics including cybersecurity.
- Hacker Forum - Online forum for hacking and cybersecurity discussions.
- AperiSolve - Tool that automatically runs various steganography tools.
- John Hammond’s CTF Katana - Comprehensive repository for solving CTF challenges.
- Awesome CTF - Cheat sheet for creating and solving CTF challenges.
- OSSTMM - Open Source Security Testing Methodology Manual.
- BlackHills InfoSec - Cybersecurity resources and training.
- Antisyphon - Affordable cybersecurity training.
- Senoia.io - Threat hunting resources and tools.
- NIST Glossary - Cybersecurity terms from NIST.
- Linux.die - Linux documentation and resources.
- Linux Journey - Beginner-friendly platform for learning Linux.
- Linux Handbook - Articles and tutorials on Linux for professionals.
- LinuxOPSys - Linux resources and learning for enthusiasts and professionals.
- Hacker News - Cybersecurity news and articles.
- Exploit-DB - Database of exploits and vulnerabilities.
- Shodan - Search engine for internet-connected devices and vulnerabilities.
- BlackHills InfoSec - Security news and insights from professionals.
- Cheatsheet.sh - Command-line cheat sheets for developers and security professionals.
- Roadmap.sh - Developer and security roadmaps for various technologies.
- Google Dorks Database - Database of Google Dorks for information gathering.
- HackTricks - A hacking techniques cheat sheet.
- Pentest Monkey - Useful resources and cheat sheets for pentesting.
- GTFOBins - A collection of Linux binaries useful for exploitation.
- PDF Drive - Free eBooks for a wide range of topics.
- LibraryLOL - Online library with various resources, including hacking.
Practice
After learning, you can practise here:
- General CTFs
- Pwn CTFs
- Reversing CTFs
- Web CTFs
- Crypto CTFs
- Cloud CTFs
- Smart Contracts
- HackTheBox - The OG box site with curated CTF problems and learning courses.
- PicoCTF - Tons of practice challenges across various domains.
- TryHackMe - Step-by-step CTF challenges with guided learning paths.
- CTF101 - A great beginner-friendly introduction to CTFs.
- CybersecLabs - Good collection of CTF-style challenges.
- Root Me - CTF platform with various hacking challenges for practice.
- HackerTest - Platform to test and improve your hacking skills.
- VulnHub - Vulnerable virtual machines for self-hosted practice.
- CTF Challenge - Realistic web challenges for bug bounty practice.
- pwnable.kr - Good variety of pwn challenges.
- pwnable.tw - More advanced pwn challenges.
- pwnable.xyz - User-uploadable pwn challenges with built-in writeups.
- pwn dojo - Pwn challenges with educational resources and Discord support.
- nightmare - Gold standard for pwning C binaries.
- ROPEmporium - Learn Return-Oriented Programming techniques.
- Phoenix Exploit Education - Binary exploitation challenges ranked by difficulty.
- challenges.re - Extensive reversing challenges across many levels.
- reversing.kr - Reverse engineering challenges for different levels.
- crackmes.one - CrackMe challenges for reverse engineering practice.
- websec.fr - Web challenges for various levels of difficulty.
- webhacking.kr - Archive of web CTF challenges.
- OWASP Juice Shop - Web application with over 100 challenges.
- DVWA - Web app vulnerability lab for testing.
- bWAPP - Buggy Web App for learning and practicing vulnerabilities.
- CryptoHack - Crypto challenges for all levels.
- cryptopals - OG crypto challenge site.
- CryptoCTF - Annual cryptography-based CTF event.
- CloudFoxable - Walkthrough of cloud-based vulnerabilities using CloudFox.
- Flaws.cloud - AWS-based challenges related to S3, EC2, and Lambda.
- Capture the Ether - Smart contract security challenges for Ethereum.