Ethical Hacking Roadmap

Welcome to the ultimate guide for becoming an Ethical Hacker – all for free! Feel free to share this roadmap with your friends and fellow enthusiasts.

If you're a complete beginner and not sure where to start, don't worry. I've prepared a comprehensive roadmap for you, complete with learning resources and free courses. There are many paths to choose from, but this roadmap is specifically tailored for those aiming to become professional bug bounty hunters and penetration testers.

My Hacking Learning Resources

• TryHackMe - Best place to start Ethical Hacking
• HackTheBox Academy - use this as reference
• EC-Council Free Courses
• TCM Security Courses
• Portswigger Academy - for Web Security Learning and Practise
• Game Hacking
• Exploit Database - searchable archive of exploits
• VulnHub - Vulnerable machines for practice

Ethical Hacker Zero To Hero

This roadmap may not be suitable for everyone. It's designed primarily for those interested in network hacking and web application/API hacking. If you want to learn game hacking, mobile hacking, malware analysis, or other specializations, you'll need to pursue additional research in those areas.

This roadmap might appear overwhelming at first glance. Realistically, it will take 1-2 years to complete. Take your time and enjoy the learning journey rather than just focusing on the end goal.

You Must Do these :

• Network with other Hackers / Cyber security Researchers via Twitter and LinkedIn.
• Watch Other Hackers Podcasts.You can learn lot's of things that you cannot learn in a paid course also.Still I Do these things.
• Be curious about new technologies,New Updates
• Create accounts in tryhackme.com ,academy.hackthebox.com and portswigger.com If you are comfortable with Tryhackme content.just continue that learning paths

My Personal Advice / Suggestions :

• To become a great hacker, maintain that curious mindset that constantly questions how things work. Everyone has that inner curiosity—don't let it fade away.
• Some people say "You don't need programming for cybersecurity." I disagree. You need some programming languages to automate tasks and create tools tailored to your needs. Programming helped me accelerate my learning journey.
• Don't worry though, we'll learn programming when it becomes necessary. Until then, we won't focus on it.
• You don't need to spend thousands of dollars on paid courses. With some research, you can find many courses available completely free.
• Stay active on LinkedIn because many professionals share free courses, tips, and tricks there as well.
• Consistency is crucial, but that doesn't mean you need to learn hacking all day, every day.
• When you feel burned out, it's perfectly okay to take a break. Take a few days for fun activities, then get back to learning with renewed energy.

Follow this TryHackMe Learning Paths :

there are some rooms that only for premium subscribers .just google search the lesson's title name and you can find some write ups of that. that's how I do those for free. If you can spend some bucks to tryhackme .It is absolutely worth for money.(by the way , I am not affiliated with any of those organizations .I learn by them ,I'm just suggesting for you)

• Introduction To Cyber Security
• Pre Security
• Web Fundamentals | Complete Beginner | Jr Penetration Tester < Choose a one

Keep these in your Bookmark List

• techyricks
• Hacktricks
• OWASP Top 10
• ExplainShell - Helps understand command-line arguments
• GTFOBins - Unix binaries that can be exploited
• CyberChef - Swiss Army knife for cyber operations

Don't Be like Spoon feeden

This field is vast and constantly updating. It's hard to provide a complete roadmap from start to finish. You'll need to learn things daily throughout your career.

• If you get stuck on a problem, try these steps:
  • Search on Google - this is your best friend
  • Use ChatGPT or similar AI tools
  • Search on YouTube for tutorials

Most of the time, a good Google search will give you the answer. Learning how to search effectively is a crucial skill in this field.

Don't Skip The fundamentals :

• Introductory Researching
• Networking Basics
  • OSI Model and TCP/IP Model
  • IP Addressing and Subnetting
  • Common Network Protocols
  • Network Architecture
• Linux Basics
  • Command Line Navigation
  • File System Management
  • User and Permission Management
  • Process Management
  • Basic Shell Scripting
• How The Web Works
  • HTTP Request/Response Cycle
  • Cookies and Sessions
  • Web Caching
  • Content Delivery Networks
• Web Application Basics
  • HTTP/HTTPS protocols
  • Client-server architecture
  • Web technologies (HTML, CSS, JavaScript)
  • Modern web frameworks
  • RESTful APIs
• DBMS Basics (Database Management System) - { Optional } learn something like mySQL ,this will helpful when we learn about Database Injections Like SQL injection

Learn These simultaneously with fundamentals :

I would say ,learn these things simultaneously while you learning fundamentals. If you want ,It is OK to learn after the fundamentals.

• Basics of cyber security
  • CIA triad
  • Types of malware
  • Types of Penetration testing
    • Black Box Penetration testing (no prior knowledge of target)
    • Gray Box Penetration testing (limited knowledge of target)
    • White Box Penetration testing (complete knowledge of target)
  • Penetration Testing Methodology
    • Planning and Reconnaissance
    • Scanning and Enumeration
    • Gaining Access
    • Maintaining Access
    • Covering Tracks
    • Analysis and Reporting

I suggest you to learn the Network hacking and Web Hacking Simultaneously.Because that is the easy way to start CTFs. It's all up to you.

Introduction To Network Hacking

• Network Protocols
  • TCP/IP
  • UDP/IP
  • HTTP
  • FTP
  • DNS
  • SMTP
• Networking Tools
  • Ping
  • Traceroute
  • WHOIS
  • Dig
  • Netstat
  • Nmap
  • Wireshark
• Network Services Enumeration
  • FTP
  • SSH
  • Telnet
  • SMB
  • IMAP
  • NFS
  • RDP
  • SMTP
  • SNMP

Introduction To Web Hacking (Web Hacking 101)

• Hacking Web Applications - TCM Security (new)
• Hacking Web Applications - TCM Security Full Course
• Tryhackme Complete Beginner Module's-> Web Hacking Fundamentals
• Common Web Vulnerabilities
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE)
  • Insecure Direct Object References (IDOR)

Some videos might be old ,but it is worth than gold.Old videos doesn't mean the content is outdated.You can Still learn those concepts.

Hacking Courses

• You don't need to pay for the premium course. just use these free YouTube tutorials.
  • TCM Security Ethical Hacking in 15 hours part 1
  • TCM Security Ethical Hacking in 15 hours part 2

Play CTF's to practice

• tryhackme.com

easiest Boxes List:

Remember : There is a privileged escalation part in some boxes .you can't understand that.but it's OK .Just Follow the video.If you feel like it is damn hard to do ,just stop the box.

• Hackthebox Starting point Boxes -> {Do the Free boxes with CryptoCat Videos}
• Tryhackme - PickleRick -> {use john hammond video for this}
• Basic Penetration Testing-> {john hammond video}
• Vulnversity -> {john hammond video}

Intermediate Hacking Content :

You may ask me that ,why didn't you included the windows part before.As before I said.this road map is made in my way. so I planned to learn windows part after finished the Linux privileged escalation course.

• Linux Privilege Escalation use this resources as well

  • https://tryhackme.com/jr/introtoshells
  • https://tryhackme.com/jr/linuxprivesc
  • GTFOBins for Linux privilege escalation techniques

• Active Directory Hacking:

  • windows fundamentals 1
  • windows fundamentals 2
  • windows fundamentals 3
  • Active Directory Basics
  • Active Directory - TCM Security
  • Attacking Active Directory - TryHackMe

• Windows Privilege Escalation

  • TryHackMe - Windows Privilege Escalation
  • LOLBAS - Living Off The Land Binaries and Scripts

• Web Hacking 201 - Follow the portwigger Learning Path

  • Advanced Web Vulnerabilities
  • API Security Testing
  • Modern Authentication Attacks
  • Single Page Application (SPA) Security
  • Client-Side Attacks

General Purpose Hacking Stuffs :

• Cryptography Basics
  • Hashing - Cryptography basics
  • John The Ripper
  • Public Key Infrastructure
  • Encryption vs Encoding vs Hashing
• OSINT OSINT is a Recon skill. Try this Google dork to find some challenges.

    OSINT challenges site:twitter.com
  

• Social Engineering
  • Phishing techniques
  • Pretexting
  • Baiting
  • Vishing
• Wireless Network Security
  • WiFi security protocols
  • Cracking WPA/WPA2
  • Evil Twin attacks

This road map is not suitable for me. What should I do?

obviously this will not suitable for all.so make your own one.

but How ??

• watch hackers podcasts and interviews ,that's how I made my own one. I recommend you to watch these all Videos

  • john hammond and networkchuck Interview
  • john hammond and networkchuck Interview 2
  • Rana khalil Interview With David Bombal
  • TCM security Roadmaps
  • https://youtu.be/4JZjj_H4ei4?feature=shared
  • Nahamsec Interview With Networkchuck

• Do some chatGPT prompting.It can generate a course for you.

Your Roadmap Sucks.Gimme some paid Courses.

If you planned to Buy some courses.These are my suggestions.As usual I Don't get any single buck by recommending these.

• TCM Security 25+ hours Hacking Course.
• TCM Security Bug Bounty Course.
• TCM Security Linux Privilege Escalation Course .
• TCM Security Windows Privilege Escalation Course .

Now TCM Security offer a monthly subscription plan that can access all of the courses for 30$ /month.I am a huge fan of TCM-Security Courses because I learn By them so I Can't even think about a better place for paid or free courses.

• Twitter: https://twitter.com/4Krishanthan/

• LinkedIn: www.linkedin.com/in/ramakrishnan-krishanthan-8a6864241

I wish you the best of luck on your incredible journey. Happy Hacking! 😊