Much like learning how to do a backflip or training to become a firefighter, you can’t just practice hacking anywhere — you need a safe and controlled setting, otherwise you could cause harm to yourself and others.
Ethical hacking is when someone with explicit permission uses their technical skills to intentionally break into computer systems, networks, or applications and access the data inside them, in order to find and report vulnerabilities before a malicious actor does. The difference between ethical and unethical hacking usually comes down to consent and intent; a malicious hacker would use these same skills (without permission) to steal information or assets for financial gain or cause other harm.
To be clear, in most jurisdictions accessing a computer system or its data without authorization is a crime, and one of the key principles of ethical hacking is to obey the law and stay within the scope you have been authorized for. So if you’re interested in having a career that involves hacking, like a Penetration Tester or Security Analyst, you might be wondering how you can get hands-on practice without, you know, breaking the law.
Here are some (definitely legal) resources that you can use to gain hands-on ethical hacking experience without putting yourself or others in danger.
Learn the techniques
It’s essential to understand the technical skills that are used in ethical hacking before you dive in. Our new course Introduction to Ethical Hacking covers some of the common tools and techniques that hackers use, including vulnerability analysis, exploitation, and packet sniffing. Plus, this course will outline the differences between ethical and unethical hacking, so you’ll have a clearer sense of where the legal and ethical lines are before you start testing anything.
Want to develop even more cybersecurity skills? Check out the rest of our cybersecurity courses, like Defending Node Applications from SQL Injection, XSS, & CSRF Attacks and Scan Systems with Nmap.
Explore virtual machines
Virtual machines that you download and run locally on your computer are ideal for practicing hacking, explains Austin Turecek, a Senior Application Security Consultant who contributed to Codecademy’s Intro to Ethical Hacking course. With a self-contained virtual machine, you can do whatever you want to a program, without worrying that you’re going to overstep.
“It’s a lot more forgiving,” Austin says. “If you break something in these boxes, you just delete it and start over. But if you delete the wrong thing in a company's environment, even though your intentions may have been good, you could always cost the company large amounts of money.”
Start with VulnHub, which is a collection of downloadable virtual machine images that are vulnerable by design. “These systems are set up so you can run them locally on your machine to learn the tools, thought-process, and skills associated with hacking,” he says. Because these images are deliberately insecure, run them on an isolated or host-only virtual network rather than exposing them to your home network or the internet, and verify the download’s published checksum before you boot it. Hack the Box is another platform where you can play around with gamified pentesting labs — they’re always adding new labs based on the latest vulnerability techniques. And PortSwigger, the company that makes the web security testing software Burp Suite, also has a free Web Security Academy with lots of labs covering vulnerabilities like SQL injection, cross-site scripting, and authentication flaws.
Get involved with bug bounty programs
As you get more experienced with ethical hacking, you might consider participating in bug bounty programs, where organizations give hackers permission to discover and report vulnerabilities or weaknesses in their systems in exchange for a monetary reward. You can find active bug bounty programs on sites like HackerOne and Bugcrowd.
Keep in mind: These are live and real systems, so you must stay within the scope of an organization’s bug bounty program and follow their rules around disclosing the vulnerabilities. “Make sure you have at least a little bit of knowledge about the different types of vulnerabilities out there before jumping in,” Austin says. “If you don't, you're probably not going to find anything. And if you do, you might go about it in a potentially dangerous way.”
Join capture the flag competitions
Remember the playground game “capture the flag”? In cybersecurity, capture the flag (aka CTF) competitions are events where hackers, individually or in teams, solve security challenges to uncover “flags”: secret strings (often in a format like flag{...}) that prove you solved the challenge, typically by exploiting a vulnerability or recovering hidden data.
There are a few different types of CTFs: In Jeopardy-style CTFs, for example, participants earn points by completing independent tasks in categories like forensics, web exploitation, cryptography, and reverse engineering. Attack-defense CTFs, on the other hand, tend to be more complicated: each team runs its own copy of a deliberately vulnerable server, and has to find and patch the weaknesses in its own services while exploiting the same weaknesses in the other teams’ servers to capture their flags.
You can find a lengthy list of upcoming CTF competitions and read write-ups from past competitions on the website CTFtime. Not only are CTF competitions fun ways to get hands-on hacking experience, they’re also a way to network with other people in cybersecurity.
The bottom line
If you have any qualms about whether or not an action is ethical or legal, stop what you’re doing, and take a step back. “If you're really not confident about something, generally it's best to avoid doing it until you feel more comfortable or you have a better understanding of it,” Austin says. “Hacking is one of those areas where it's very easy to cause damage to other things and yourself.”
Ready to get hacking? Start with our beginner-friendly Introduction to Ethical Hacking course to learn the fundamental skills that hackers use. If you’re considering a career in cybersecurity, be sure to explore the in-demand skills that employers are looking for in a security professional, advice for writing a cybersecurity resume, and more tips for breaking into the exciting field.