How to be an Ethical Hacker?
1) Basic IT Skills
By this, we mean your standard break/fix help desk skillset. Can you build a computer and identify its parts? Can
you troubleshoot and fix issues? In the certification world, this would be equivalent to the CompTIA A+
certification (current version 220-1101 & 220-1102). If you’re brand new to IT and starting here, we strongly
recommend picking one of the following resources:
FREE (self-promotion) – TCM Security Academy – Practical Help Desk
The 19-hour Practical Help Desk course by TCM Security Academy is a free, hands-on program
designed to prepare students for entry-level IT roles. It covers essential skills needed to excel at a
help desk position, including troubleshooting common technical issues, managing tickets, and
customer service fundamentals. The course emphasizes practical, real-world scenarios to build
confidence in resolving hardware, software, and networking challenges. Ideal for beginners, it
offers a straightforward path to building foundational IT knowledge and experience, making it an
excellent starting point for those pursuing a career in tech.
FREE – Professor Messer – 220-1101 and 220-1102 A+ Courses
Professor Messer’s 220-1101 and 220-1102 A+ courses cover essential knowledge needed for
passing the CompTIA A+ certification, focusing on both hardware and software fundamentals.
The 220-1101 (Core 1) course dives into hardware technologies such as networking devices,
cables, and peripherals, along with virtualization and mobile device management. It emphasizes
practical troubleshooting, from understanding network configurations to managing hardware
components like motherboards and storage systems.
The 220-1102 (Core 2) course shifts focus to operating systems, security, and software
troubleshooting. It includes modules on Windows, Linux, and macOS features, explores physical
and logical security best practices, and provides strategies for tackling malware, social
engineering, and mobile device security. Core 2 also highlights practical IT skills like Active
Directory management and securing SOHO networks.
PAID – Mike Meyers – 220-1101 and 220-1102 A+ Courses
The Total CompTIA A+ Certification courses (220-1101 and 220-1102) by Mike Meyers on
Udemy provide a comprehensive path to passing both Core 1 and Core 2 exams, essential for
earning the A+ certification. Similar to Professor Messer, these courses cover foundational IT
knowledge, with 220-1101 focusing on hardware, networking, and mobile devices, while
220-1102 emphasizes software, operating systems, and cybersecurity concepts. Both include hands-on
labs, troubleshooting exercises, and practical scenarios, equipping students with real-world skills
for IT roles. With engaging lectures and practice tests, these courses are ideal for beginners
looking to break into IT and pass their A+ exams on the first attempt.
2) Networking Skills
Networking is an essential part of penetration testing. Can you describe the OSI model? Do you know what service
runs on port 22? Can you explain CIDR notation or walk through the TCP three-way handshake? If these concepts
feel foreign, then it’s time to build your networking knowledge. In the certification world, this would align with
the CompTIA Network+ certification (N10-008 or N10-009). If you’re starting here, we recommend the following
resources:
FREE – Professor Messer – N10-008 or N10-009 Network+ Course
Professor Messer offers a free, beginner-friendly course covering the Network+ certification
objectives. It walks you through networking essentials, including protocols, IP addressing, routing,
and troubleshooting. This course is ideal if you’re looking for a solid introduction to networking
concepts without any financial investment. You can choose either the N10-008 or
N10-009 course. Both are good starting points and cover a lot of the same topics. In our opinion,
going with the newer version of a course is almost always the better choice.
FREE – Cisco Networking Academy – Packet Tracer
Packet Tracer by Cisco is a free network simulation tool that provides a hands-on experience with
network configuration and troubleshooting. It allows you to build virtual networks, making it an
excellent supplement to theoretical learning. You can explore Packet Tracer here.
PAID – Mike Meyers – Network+ Course
Mike Meyers’ comprehensive Network+ course on Udemy provides everything you need to pass
the N10-008 exam. The course features detailed lectures, hands-on labs, and real-world examples
to reinforce key concepts. It’s perfect for anyone serious about mastering networking
fundamentals and preparing for the certification exam.
Side note: If you’re already familiar with networking, you might be wondering about the CCNA (Cisco Certified
Network Associate) certification. While CCNA is valuable, it focuses heavily on Cisco’s technologies and
commands. We recommend starting with a vendor-neutral certification like Network+ to build a strong foundation.
You can always pursue vendor-specific certs like the CCNA later, especially if your career path or job role demands
it.
3) Linux Skills
Linux is a cornerstone of ethical hacking—like, a lot of it. Most hackers rely on Debian-based distributions,
with Kali Linux and Parrot OS being the most popular. While some prefer building their own custom Linux distros,
Kali and Parrot remain the go-to choices for many. Fortunately, there are plenty of free resources available to help
you master Linux.
Learning Linux is much like learning a foreign language. You can gain a lot from following an instructor, but full
immersion makes all the difference. Try installing Linux and commit to using it exclusively for a week. The initial
struggle will give way to faster learning and improved confidence in the environment.
FREE (self-promotion) – TCM Security Academy – Linux 100: Fundamentals
This free course introduces essential Linux concepts, including file management, permissions, and
basic scripting. It’s a great starting point for beginners wanting a structured introduction to the
operating system. You can enroll in Linux Fundamentals here.
FREE – Linux Journey
This site offers interactive lessons covering everything from basic commands to more advanced
topics. It’s a great way to ease into Linux at your own pace. You can check out Linux
Journey here.
FREE – OverTheWire – Bandit
Bandit, OverTheWire’s wargame, is a fantastic series of challenges designed to teach you
Linux through practical problem-solving, helping you build both knowledge and troubleshooting
skills. Explore OverTheWire’s Bandit.
PAID (self-promotion) – TCM Security Academy – Linux 101
For those seeking deeper, structured learning, TCM Security Academy offers Linux 101, which
builds upon the Linux 100 course mentioned above. This course covers the foundations needed to
become comfortable using Linux, with practical exercises that prepare you for real-world
scenarios. Whether you aim to use Linux in hacking or IT administration, this course will build the
confidence you need.
4) Coding/Scripting Skills
In cybersecurity, being able to read and understand code is essential, even if becoming a professional developer isn’t
the goal. While advanced coding skills can make tasks easier, a basic understanding is often sufficient to succeed in
this field. Many professionals, including ethical hackers, thrive with only foundational programming knowledge.
Python is the recommended starting point due to its beginner-friendly syntax and wide adoption across industries.
Many educational institutions now teach Python as the primary language in their introductory courses. It’s essential
to focus on Python 3, as Python 2 is outdated and no longer supported. Below are some recommended resources to
get started:
FREE (self-promotion) – TCM Security – Programming 100: Fundamentals
For those completely new to programming, Programming 100 Fundamentals offers a
beginner-friendly introduction. This course covers the basics of coding with Python, including variables,
loops, and control structures, providing a solid foundation for further programming studies.
FREE – FreeCodeCamp
A hands-on, project-based platform that teaches all sorts of programming languages, including
Python, through interactive coding challenges and videos. You can check out FreeCodeCamp here.
FREE TRIAL (No credit card required) – Codecademy
Offers structured, interactive lessons with guided exercises to help beginners build foundational
Python skills. You can check out Codecademy here.
PAID (subscription) – Team Treehouse
A subscription-based platform with in-depth courses that include projects and challenges designed
to reinforce coding concepts. You can check out Team Treehouse here.
PAID (self-promotion) – TCM Security – Programming Classes
For those interested in taking a deeper dive into programming, TCM Security offers a slew of
programming classes that focus on practical applications for cybersecurity. Those classes
include Python 101 for Hackers, Python 201 for Hackers, C# 101 for Hackers, Rust 101,
and Programming with AI.
5) Security Skills
Before starting a cybersecurity career, having a solid foundation in security concepts is essential. If there’s one
certification worth pursuing early on, it’s the CompTIA Security+. This certification builds on networking
fundamentals, introducing core security principles like cryptography, risk management, and incident response—
think of it as “Network++.”
A solid understanding of security fundamentals not only ensures long-term success but also opens doors to
entry-level roles, such as a SOC Analyst. Below are top resources to help you prepare for Security+ and gain essential
security skills:
FREE – Professor Messer – SY0-701 Security+ Course
Professor Messer offers a comprehensive Security+ video series covering all exam objectives,
including topics like network security, incident response, and access control. You can check it
out here.
PAID (self-promotion) – TCM Security – Security Operations (SOC) 101
The 30-hour SOC 101 course offers a detailed introduction to Security Operations Centers (SOCs)
and the role of a SOC Analyst. It covers core topics such as log analysis, incident response, and
monitoring tools, providing practical skills to excel in entry-level security roles. Ideal for those
pursuing a career as a SOC Analyst or wanting to learn to become a better hacker by learning how
to defend, this course bridges the gap between theoretical knowledge and real-world operations.
Learning the Basics of Ethical Hacking
Now that you’ve built a solid foundation, it’s time to dive into hacking. For a comprehensive starting point, we
recommend the Practical Ethical Hacking course by TCM Security Academy (self-promotion). This course covers
the essential skills you’ve learned (Linux, Python, and Networking) and takes them a step further into real-world
hacking scenarios including Active Directory and Web Application hacking, which we will expand on in a bit.
The first 15 hours of this course are available for free on YouTube, broken into two parts for easy access:
Part 1
Part 2
Beyond courses, it’s important to practice hacking on intentionally vulnerable machines—systems designed to be
hacked. These machines follow a “Capture the Flag (CTF)” style, teaching the fundamentals, tools, and
problem-solving persistence required to become a successful hacker. Here are three top platforms to practice on:
TryHackMe: Best for beginners, this platform offers a range of free/paid labs and guides you through
hacking techniques, explaining each step.
Hack The Box: An alternative to, and often more challenging than, TryHackMe, this platform offers a
variety of vulnerable machines for intermediate users to hone their skills.
VulnHub: A free platform with downloadable, intentionally vulnerable machines, great for practicing
offline.
If you enjoy CTF-style hacking, you might also want to participate in live CTF events. These competitions are
excellent for improving your hacking skills in a team-based environment. Check out CTFTime for the latest CTF
events and read write-ups from past challenges to enhance your learning. Find CTF events at CTFTime.
Once you are feeling comfortable with the basics, there are several additional areas of hacking that you should
familiarize yourself with, especially if you want to be a pentester. Those areas are:
1) Active Directory
Active Directory (AD) hacking is one of the most overlooked areas by individuals entering the cybersecurity field.
Yet, with more than 95% of Fortune 1000 companies relying on AD for their business environments, it’s a critical
skill to master.
AD hacking frequently comes up in job interviews, especially for security roles. Many candidates with impressive
certifications but limited hands-on experience struggle with this topic, revealing a gap in practical knowledge.
Understanding AD is essential not only for passing interviews but also for excelling in real-world security roles,
where navigating AD environments and identifying vulnerabilities are key components of the job.
For Active Directory, beyond the Practical Ethical Hacking course mentioned above, there are some pretty fantastic
resources.
Here are people (and blogs) you should follow if you’re interested in Active Directory hacking:
@PyroTek3 – https://adsecurity.org/
@_dirkjan – https://dirkjanm.io/
@Haus3c – https://hausec.com/
Additionally, anything by @SpecterOps, @CptJesus, @byt3bl33d3r, @gentilkiwi, and @harmj0y
2) Web and Mobile Application Hacking
Web and mobile application hacking is one of the most in-demand skills in cybersecurity. Many of the high-profile
bug bounty programs revolve around vulnerabilities in web or mobile apps, and entire roles are dedicated solely to
web application penetration testing. If you want to be a pentester, mastering application hacking is essential for
leveling up your skills. Below are some excellent (mostly free) resources to help you get started:
PortSwigger Web Security Academy: A comprehensive platform with labs and tutorials focused on web
security concepts.
Hacker101: Free online training by HackerOne, covering web application security fundamentals and more.
Bugcrowd University: Offers educational content to help you develop the skills needed to succeed in bug
bounty programs.
PentesterLab: A hands-on platform for learning web security through practical exercises and labs.
Self-Promotion:
Since the previous release of this article, TCM Security Academy has released a slew of web application hacking
content.
Practical Bug Bounty – 9.5 hour course – If you’re new to web application hacking, we recommend starting
here. The course covers essential topics of web application hacking and bug bounty programs, including
how bug bounty programs work, finding and reporting vulnerabilities, and the use of key tools like Burp
Suite. It focuses on real-world applications to help students transition from theory to practice, with
step-by-step guidance on identifying common web vulnerabilities and submitting successful bug reports. This
training leads directly to the Practical Web Pentest Associate (PWPA) certification.
Practical Web Hacking – 10+ hour course – Building upon the Practical Bug Bounty course, this course
covers both fundamental and advanced web vulnerabilities, including SQL injection, cross-site scripting
(XSS), authentication flaws, and command injection. Students learn through real-world scenarios, with
practical exercises designed to build confidence in using tools like Burp Suite. This training leads directly
to the Practical Web Pentest Professional (PWPP) certification.
Practical API Hacking – This course focuses on the growing field of API security, teaching students how to
identify and exploit vulnerabilities in Application Programming Interfaces. The course covers key attack
techniques, including broken authentication, authorization flaws, and injection attacks specific to APIs. It
provides hands-on experience with real-world scenarios, equipping learners with practical skills for
penetration testing and bug bounty hunting involving APIs. This training leads directly to the Practical Web
Pentest Professional (PWPP) certification.
Advanced Web Hacking – Building upon the Practical Web Hacking and Practical API Hacking courses,
this course dives deeper into complex web vulnerabilities and sophisticated attack techniques. This course
covers advanced topics like server-side request forgery (SSRF), XML external entities (XXE),
deserialization attacks, and advanced SQL injection. It’s designed for those with prior experience in web
security who want to refine their skills and tackle real-world challenges in penetration testing and bug
bounty programs.
Mobile Application Penetration Testing – For those interested in hacking mobile applications, this course
offers practical training on securing mobile apps by identifying and exploiting vulnerabilities specific to
Android and iOS platforms. The course covers reverse engineering, insecure data storage, API
vulnerabilities, and mobile-specific security flaws. Through hands-on exercises and real-world scenarios,
students gain the skills needed to conduct thorough mobile app assessments for penetration testing and bug
bounty hunting. This training leads directly to the Practical Mobile Pentest Associate (PMPA) certification.
Additionally, we offer a free course on YouTube for beginner web application hacking.
When learning web app security, it’s also helpful to familiarize yourself with the OWASP project. Pay special
attention to the OWASP Top 10 vulnerabilities and the OWASP Web Security Testing Guide:
OWASP Project
OWASP Top 10
OWASP Testing Guide
Finally, reviewing bug bounty write-ups offers valuable insights into real-world vulnerabilities. Many bounty
platforms, such as HackerOne, maintain archives of these write-ups:
HackerOne Hacktivity
3) Wireless Hacking
You can learn to hack wireless networks pretty quickly. In fact, a lot of hackers started out tinkering with wireless
hacking before jumping into other areas of ethical hacking due to its simplicity. You can easily pick up the
skillset needed to hack WPA2 Personal by having the right equipment and reading a short blog post, such as this
one.
WPA2 Enterprise is a little trickier, but hey, there are blogs for that too, such as this one.
4) Certifications
The next thing to discuss is certifications, which can be useful for standing out in the job application process.
Below are some of the top entry-level hacking certifications that can be found on job postings, sorted by price. If
you’re interested in taking a certification, we recommend researching each certification individually and finding one
that best suits your journey.
5) Privilege Escalation
This is a topic many new hackers struggle with. You land on a machine, but you’re not the admin/root user. How can
you elevate your privileges? You’ll find this area tested in many popular certification exams, so it’s a topic you
should know.
TCM Security does have courses on the topic:
Windows Privilege Escalation – https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
Linux Privilege Escalation – https://academy.tcm-sec.com/p/linux-privilege-escalation
As does @0xTib3rius:
Windows Privilege Escalation – https://www.udemy.com/course/windows-privilege-escalation/
Linux Privilege Escalation – https://www.udemy.com/course/linux-privilege-escalation/
Plus, there are a million guides out there for PrivEsc. We will leave you to your Googling skills to find these,
but here is just one example of a great guide.
Content Creators
Content creators play an important role in educating the next generation of hackers looking to break into this field,
and this article would be incomplete if we did not include some of our favorite content creators.
Note: Anyone online can claim to have expertise in a field. Due diligence and research should be performed on any
content creator(s). Below are vetted industry experts that have active YouTube channels.
General Hacking:
The Cyber Mentor (self-promotion) – https://youtube.com/c/thecybermentor
John Hammond – https://youtube.com/c/JohnHammond010
HackerSploit – https://youtube.com/c/HackerSploit
IppSec – https://youtube.com/c/ippsec
Conda – https://youtube.com/c/c0nd4
Tyler Ramsbey – https://www.youtube.com/@TylerRamsbey
Web App/Bug Bounty:
NahamSec – https://youtube.com/c/Nahamsec
InsiderPhD – https://youtube.com/user/RapidBug
Farah Hawa – https://youtube.com/c/FarahHawa
Rana Khalil – https://youtube.com/c/RanaKhalil101
Communities
Being part of a community is essential to becoming a skilled hacker. Communities provide opportunities to ask
questions, share knowledge, and connect with others in the field or those starting their journey. Networking with
like-minded individuals not only enhances learning but can also open doors to new opportunities. A strong
community can accelerate your growth and keep you motivated along the way.
TCM Security Community: Our Discord community, with over 60,000 members, is a vibrant space to
connect, learn, and collaborate. Join here.
VetSec Community: For military veterans, VetSec offers a dedicated community to support your transition
into cybersecurity. Learn more at VetSec.
Conclusion
This article provides a solid starting point, though it’s by no means exhaustive. The resources shared here have
guided many professionals in their journeys, but every path in cybersecurity is unique. It’s recommended to explore
additional materials and resources along the way. With the content provided, there’s more than enough to keep you
engaged throughout 2025. Stay curious, keep learning, and—happy hacking!