Discover / Ethical hacking & penetration testing / Reading path

Ethical hacking and penetration testing: an ordered reading path into offensive security

@codesherpaBeginner → Expert
9
Books
78
Hours
4
Stages
Not yet rated

This curriculum takes a beginner from zero security knowledge to confident, responsible penetration tester across four tightly sequenced stages. Each stage builds on the last — establishing mindset and fundamentals first, then layering in hands-on exploitation, specialized attack domains (web and network), and finally professional-grade methodology and reporting.

1

Foundations: Mindset, Networking & Linux

Beginner

Understand how networks and operating systems work, develop the hacker mindset, and get comfortable with the Linux command line — the bedrock every later technique depends on.

Study plan for this stage

Pace: 12–14 weeks, ~40–50 pages/day (mix of reading and hands-on practice). Week 1–2: The Hacker Playbook 2 (~80 pages). Week 3–8: Linux Basics for Hackers (~200 pages, slower pace due to command-line practice). Week 9–14: Computer Networking (~250 pages, with labs and packet analysis).

Key concepts
  • The hacker mindset: ethical frameworks, reconnaissance methodology, and the importance of planning before execution (from The Hacker Playbook 2)
  • Linux command-line fundamentals: file system navigation, permissions, users, processes, and shell scripting (from Linux Basics for Hackers)
  • Network architecture: OSI model, TCP/IP stack, and how data flows across layers (from Computer Networking)
  • Common networking protocols: DNS, HTTP, SMTP, and their role in security (from Computer Networking)
  • Packet analysis and traffic inspection as a foundation for understanding network attacks (from Computer Networking)
  • The relationship between operating systems and network communication (bridging Linux and networking concepts)
  • Reconnaissance and information gathering as the first phase of any penetration test (from The Hacker Playbook 2)
You should be able to answer
  • What are the key phases of a penetration test, and why is planning and reconnaissance critical before execution?
  • How do Linux file permissions work, and why are they essential to understand for security testing?
  • Explain the OSI model and how each layer relates to common network protocols and potential attack vectors.
  • What is the difference between TCP and UDP, and when would each be used in network communication?
  • How does DNS work, and what vulnerabilities exist in the DNS protocol that attackers exploit?
  • What is the purpose of packet analysis, and how would you use tools like tcpdump or Wireshark to inspect network traffic?
Practice
  • Set up a Linux virtual machine (Ubuntu or Kali) and spend 1 week practicing basic commands: ls, cd, pwd, mkdir, rm, chmod, chown, ps, kill, grep, find, and piping.
  • Create a simple bash script that automates a repetitive task (e.g., backing up files, listing running services, or checking disk usage).
  • Read through The Hacker Playbook 2's reconnaissance chapter and document a mock reconnaissance plan for a fictional target (without actually attacking anything).
  • Use tcpdump or Wireshark to capture and analyze live network traffic on your machine; identify HTTP requests, DNS queries, and TCP handshakes.
  • Set up a local network lab (using VirtualBox or VMware) with 2–3 VMs and practice routing traffic between them; document the packets exchanged.
  • Write a summary table mapping each layer of the OSI model to specific protocols (HTTP, TCP, IP, Ethernet, etc.) and common vulnerabilities at each layer.

Next up: This stage equips you with the ethical mindset, Linux fluency, and networking fundamentals needed to understand how attacks work at the protocol and system level—preparing you to learn specific penetration testing techniques (scanning, enumeration, exploitation) in the next stage.

The hacker playbook 2
Peter Kim · 2015 · 339 pp

A beginner-friendly, narrative-driven introduction to how real penetration tests are structured; sets expectations and vocabulary before diving into technical depth.

Linux Basics for Hackers
OccupyTheWeb · 2018 · 248 pp

Teaches Linux command-line skills specifically through a security lens — scripting, networking tools, and file permissions — so the reader is fluent in the primary hacking OS before touching any exploit.

Computer Networking, A Top-down Approach Featuring the Internet Book
James F. Kurose · 2000

Provides the solid TCP/IP and protocol knowledge that underpins every network attack and reconnaissance technique covered in later stages.

2

Core Offensive Skills: Reconnaissance & Exploitation

Beginner

Learn the full attack lifecycle — from passive and active reconnaissance through vulnerability scanning and hands-on exploitation — using industry-standard tools like Nmap and Metasploit.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day with hands-on lab work (2–3 hours/week minimum)

Key concepts
  • The attack lifecycle: reconnaissance → scanning → enumeration → exploitation → post-exploitation
  • Passive reconnaissance techniques and tools (OSINT, DNS enumeration, whois, shodan)
  • Active reconnaissance and network scanning with Nmap (port scanning, service detection, OS fingerprinting)
  • Vulnerability scanning and assessment methodologies (Nessus, OpenVAS, interpreting scan results)
  • Exploitation frameworks and payloads (Metasploit architecture, modules, handlers, staged vs. stageless payloads)
  • Manual exploitation techniques and proof-of-concept development
  • Post-exploitation and persistence mechanisms (maintaining access, privilege escalation)
  • Practical attack scenarios and real-world engagement workflows from both books
You should be able to answer
  • Walk through the complete attack lifecycle from initial reconnaissance to post-exploitation. What are the key objectives and tools at each phase?
  • Explain the difference between passive and active reconnaissance. What information can you gather from each, and what are the operational security (OPSEC) implications?
  • How would you use Nmap to identify live hosts, open ports, running services, and operating systems on a target network? What flags and techniques would you use?
  • Describe the Metasploit framework architecture. How do you select, configure, and execute an exploit, and what is the difference between staged and stageless payloads?
  • Given a vulnerability scan report, how would you prioritize vulnerabilities for exploitation and determine which ones are exploitable in your engagement scope?
  • What post-exploitation techniques would you use to maintain access and escalate privileges after initial compromise?
Practice
  • Set up a local lab environment (VirtualBox/Hyper-V) with vulnerable VMs (Metasploitable, DVWA, HackTheBox machines) and document your network topology
  • Perform passive reconnaissance on a target domain: use whois, DNS enumeration, Shodan, and Google dorking to gather intelligence without touching the target
  • Conduct active reconnaissance using Nmap: scan your lab network, identify live hosts, enumerate services, and document OS fingerprinting results
  • Run a vulnerability scan using Nessus or OpenVAS on a vulnerable VM; analyze the results, categorize findings by severity, and document exploitability
  • Execute at least 5 different exploits in Metasploit against vulnerable targets (e.g., EternalBlue, Apache Struts, unpatched services); document payload selection and handler setup
  • Perform manual exploitation of a known vulnerability (e.g., SQL injection, command injection) without using Metasploit; write a proof-of-concept script
  • After gaining initial access, practice post-exploitation: enumerate system information, find sensitive files, escalate privileges, and establish persistence
  • Complete 2–3 full-cycle attack scenarios from HackTheBox or TryHackMe that mirror real-world engagement workflows described in the books

Next up: This stage equips you with the offensive toolkit and attack methodology needed to identify and exploit vulnerabilities; the next stage will deepen your ability to handle complex, multi-stage attacks, evade defenses, and operate in realistic enterprise environments.

Penetration Testing
Georgia Weidman · 2014 · 528 pp

The single best beginner-to-intermediate hands-on guide; walks through setting up a lab, scanning, exploiting, and post-exploitation in a logical, step-by-step order.

The Hacker Playbook 3: Practical Guide To Penetration Testing
Peter Kim · 2018 · 289 pp

Picks up where Book 1 left off with red-team-level techniques; reading it after Weidman's foundations ensures the more advanced tactics land with full context.

3

Specialized Domains: Web & Network Attacks

Intermediate

Master the most common and critical attack surfaces — web applications and internal networks — including OWASP Top 10 vulnerabilities, Active Directory abuse, and lateral movement.

The web application hacker's handbook
Dafydd Stuttard · 2007 · 840 pp

The canonical deep-dive into web application attacks (SQLi, XSS, authentication bypass, etc.); should be read after exploitation basics so the reader can immediately practice each technique.

Hacking
Jon Erickson · 2003 · 384 pp

Builds low-level understanding of how exploits actually work at the memory and network level — essential for moving beyond tool-running to true comprehension of vulnerabilities.

Art of Network Penetration Testing
Royce Davis · 2020 · 280 pp

Focuses specifically on internal network penetration testing, Active Directory, and lateral movement — the skills most in-demand for professional engagements.

4

Professional Practice: Methodology, Reporting & Ethics

Expert

Synthesize all prior skills into a repeatable, professional methodology; learn to write clear, actionable pentest reports; and understand the legal, ethical, and responsible disclosure frameworks that define the profession.

Study plan for this stage

Pace: 4–5 weeks, ~25–30 pages/day, with 2–3 days per week dedicated to hands-on exercises and report writing practice

Key concepts
  • The pentesting lifecycle: reconnaissance, scanning, enumeration, exploitation, post-exploitation, and reporting as an integrated workflow
  • Professional engagement management: scoping, rules of engagement, client communication, and managing expectations throughout an assessment
  • Report writing fundamentals: structure, clarity, audience awareness, actionable findings, and risk quantification for non-technical stakeholders
  • Legal and compliance frameworks: contracts, liability, regulatory requirements (HIPAA, PCI-DSS, SOC 2), and staying within legal boundaries
  • Responsible disclosure and vulnerability management: coordinating with vendors, embargo periods, and ethical handling of zero-days
  • Building a repeatable methodology: standardizing tools, processes, and documentation to ensure consistency and professionalism across engagements
  • Ethics in penetration testing: the distinction between authorized and unauthorized testing, conflicts of interest, and maintaining professional integrity
You should be able to answer
  • What are the key phases of the pentesting lifecycle, and how does each phase inform the final report?
  • How do you scope a penetration test engagement, and what elements must be documented in the rules of engagement?
  • What are the critical sections of a professional penetration test report, and how do you tailor findings for different audiences (executives vs. technical teams)?
  • What legal and compliance considerations must you address before, during, and after a penetration test?
  • How do you handle the discovery of a zero-day vulnerability, and what is your responsibility under responsible disclosure?
  • What makes a methodology repeatable and professional, and how do you document it for your organization?
Practice
  • Write a complete penetration test proposal and rules of engagement document for a fictional company, including scope, timeline, deliverables, and liability clauses
  • Conduct a mock penetration test on a lab environment and produce a full professional report with executive summary, technical findings, risk ratings, and remediation recommendations
  • Create a standardized pentest methodology document for your own practice, including checklists, tool usage, and documentation templates
  • Analyze 2–3 real-world pentest report examples (from public disclosures or case studies in the book) and critique their structure, clarity, and actionability
  • Draft a responsible disclosure policy for your organization, including vendor contact procedures, embargo timelines, and escalation paths
  • Practice presenting pentest findings to a non-technical audience (simulate a client debrief) and refine your communication of risk and remediation

Next up: This stage consolidates all prior technical skills into a professional, repeatable framework and prepares you to lead real-world engagements with confidence, legal compliance, and ethical accountability—positioning you to advance into specialized domains (cloud security, advanced threat simulation, or security leadership roles) with a solid foundation in methodology and professionalism.

The Pentester BluePrint
Phillip L. Wylie · 2020 · 192 pp

Addresses career building, scoping engagements, writing professional reports, and ethical responsibilities — the business and legal layer that transforms a skilled hacker into a trusted security professional.

Discussion

Keep reading

Paths that share books, cover the same subject, or open a related topic.

Shares 2 books

How to learn Cybersecurity

Beginner11books116 hrs4 stages
More on Computer networking

Computer networking: a reading path from packets to protocols

Beginner8books114 hrs4 stages
More on Docker & Kubernetes

Docker and Kubernetes: a reading path from containers to orchestration

Beginner9books84 hrs4 stages