I got hit up on twitter and email about how to get started in security by someone.  The question was pretty generic and since I didn't even receive a thanks back from the guy I'm sharing it with everyone else/archiving it in case I'm asked again in the future.

The question:

I want to become proficient at pentesting on computers and phones. I have a running version of Kali Linux on my computer and am using the "Kali Linux Cookbook" as a reference. What book or online tutorials would you recommend for me to use in order to get better? 

A few things I think you should do to get started.

1. Get rid of Kali. It is a shortcut to learning to have all these tools already there.  You'll learn way more by figuring out what tool you need for a job/task (feel free to use the index of tools in Kali which is readily available) and installing the tool yourself.  Ubuntu is the most supported hacker tool wise but there are other distros. Pick whatever suits you.  Use a VM so you can undo stuff if you break your distro but that's pretty rare these days. Most things apt-get install or  compile from source on ubuntu without issues.


2. You are in luck these days as there are tons and tons of resources available to learn infosec.

-Books I'd start with ( buy or torrent depending on ability)

• The latest Hacking Exposed book. The methodology it teaches is still relevant today and its a 10,000 ft view of different hacking areas
• Pick a basics of pentesting book (or a few)  to start with I've stopped reading the basics books but any of them should wet your appetite.

Some examples (more netsec):

• Penetration Testing: A Hands-On Introduction to Hacking – by Georgia Weidman
• The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy –by Patrick Engebretson
• The Hacker Playbook - By Peter Kim (decent but more of an outline vs teaching)
• Metasploit: The Penetration Tester's Guide - by David Kennedy and Jim O'Gorman

Some examples (webappsec)

• Web Application Security, A Beginner's Guide - by Bryan Sullivan and Vincent Liu (read this, its decent)
• Hacking Exposed Web Applications (current version)
• Web Application Hackers Handbook (more advanced)

Some examples (social engineering)

• Social Engineering: The Art of Human Hacking
• Kevin Mitnicks books
• Social Engineering Penetration Testing: Executing Social Engineering Pen Tests, Assessments and Defense -by Gavin Watson and Andrew Mason

Some examples (Physsec/redteam)

• Unauthorised Access: Physical Penetration Testing For IT Security Teams - by Wil Allsopp and Kevin Mitnick
• Practical Lock Picking, Second Edition: A Physical Penetration Tester's Training Guide - by Deviant Ollam

Lots more here, the list is a bit dated i'll try to update it this week but it IS sorted by category
http://astore.amazon.com/carnal0wnage-20

Exploit dev

• Tons and tons of books/resources.  Unless you are really really interested in writing exploits I wouldn't start here. Understanding the above will give you more opportunities for jobs in the business, writing exploits and automating tasks will come naturally as you progress

3.  Pick a scripting language to work on

• python is probably most supported/popular
• ruby is what metasploit is written in, so there is value in learning that
• javascipt/node.js will be useful going forward as well

4. Online CTFs

• Pretty good list here: http://captf.com/practice-ctf/
• Vulnhub for downloadable images to try  https://www.vulnhub.com/
• Search for downloadable vulnerable images to hack against herot, metasploitable, owasp broken apps

5. Training
Lots out there, plenty is torrentable or pay for it if you feel like it/can (you should if you can afford it -- those people work hard on it).  With the amount of resources you should be able to learn the basics without paying a dime and seek out mentors or ask questions over email/twitter for topics you are stuck on.


Second Question:

Also, what steps did you initially take to become proficient at computer security?

-I was a computer science major in college so I came out knowing some of the basics. My job in the military was communications and I ended up doing a lot of layer 2/layer 3 stuff along with MCSE type tasks.  Its going to be important for you to learn, if you don't already know, A+ type material and Network+/basic CCNA type materials.  Hacking is all about exploiting the mistakes someone made setting things up, abusing protocols, but a lot of finding/identifying/exploiting misconfigurations. This is a lot easier if you understand how to do these basic configurations.

Aside from that, start practicing, reading blogs/twitter, watching talks that interest you. I'd start with a basic ones but also stuff advanced/over your head. Getting your mind blown occasionally helps let you know there really is no limit to the stuff you can do, what you can learn, etc.  http://www.securitytube.net/ has pretty much everything and more content than you will ever be able to consume plus lots of free courses.


That's what I have for starters as you asked a pretty generic question, so hope that helps

Chris

Source