[ How to Teach Hacker Highschool: Unit 4 ]

Glenn Norman

This is the fourth unit of my course for teachers, which brings together a lot of material I generated while working as Project Manager for the Hacker Highschool v2 Rewrite Project, 2012-2016. This session helps you get started with Day One of hacking class, and with exploring Lesson 1.

Here’s the video of Unit 4, with the links it mentions below. Tell me what you think in the Comments, and thanks for taking a look.

Uncut Lessons: http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/

School for Hackers: https://schoolforhackers.com for Hacker Night School and Hacking 101

Hacker Highschool (http://www.hackerhighschool.org/) is a free, open curriculum from ISECOM (http://www.isecom.org/). Uncut lessons are available at http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/.

Sites To Practice Hacking: root-me.org

Glenn Norman
This entry is part 2 of 2 in the series [ Sites Where You Can Hack ]

Where HackThisSite.org is about … hacking that site, root-me.org is a whole platform. That means you can work your way through entire categories of Challenges: apps, crypto, forensics, stego, web clients and servers, and so forth.

This is a blast. Don’t take my word for it. Go see.

There’s an active and helpful community with forums sorted by Challenge. But it’s not immediately clear where you’re supposed to start. Let me suggest going to Challenges > Web – Client, and start at the top of the list you get. The initial Challenges really are easy, but things get tricky fast.

I use this site in my security and hacking classes largely because students can get a foothold almost immediately, then learn the process of researching (and asking) their way to solutions to other Challenges.


As always, School for Hackers members, you can let us know how it goes by commenting below. Thanks –

* * *

Sites To Practice Hacking: HackThisSite.org

Glenn Norman
This entry is part 1 of 2 in the series [ Sites Where You Can Hack ]

HackThisSite is the perfect place to start this list of online hacking platforms. It’s been around a long time, and has a really active community. Of course, the specific flavor of hacking you’ll pursue here is web application testing. The domain name doesn’t lie: you’re welcome to try most kinds of mapping, testing and cracking against it. It’s not fair game to DoS the site, because hey, we’re all trying to get something done here, and DoS is for skids.

You will need to create an account. Now is when you’ll want one of those multiple email identities we keep bitching about: Security is a Function of Segregation!

Check it out at the link below. If you’ve got an account on this site, let us know what you think, especially if you crack one of the really hard challenges.


* * *

Get Your Training On With Hundreds of Free College Courses

Glenn Norman

Our whole purpose is educating and training up-and-coming hackers and security people. That’s why I run my CompTIA and EC-Council courses through this site, and add new videos and lessons as I get the chance.

But we don’t try to be everything; instead, we USE everything that’s useful and high-quality in our trainings. I’m always on the lookout for good, fresh material. And here’s a trove of it, not all related to IT or security, but some real gems among them.

Check out Dhawal Shah’s article on Quartz:

If you haven’t heard, universities around the world are offering their courses online for free (or at least partially free). These courses are collectively called MOOCs or Massive Open Online Courses.
In the past six years or so, close to 800 universities have created more than 8,000 of these MOOCs. And I’ve been keeping track of these MOOCs the entire time over at Class Central, ever since they rose to prominence.
In the past three months alone, over 200 universities have announced 600 such free online courses. I’ve compiled a list of them and categorized them according to the following subjects: Computer Science, Mathematics, Programming, Data Science, Humanities, Social Sciences, Education & Teaching, Health & Medicine, Business, Personal Development, Engineering, Art & Design, and finally Science.

Right off the bat I note:

Introduction to TCP/IP from Yonsei University

Linux Server Management and Security from University of Colorado System

TCP/IP and Advanced Topics from University of Colorado System

and a ton more.

Go get it! Have fun. And if you’re registered with this site, let me know what training you find or use there in the Comments below.


Taking the beta CompTIA Pentester+ Test

Glenn Norman

Okay: I’m a “trifecta instructor” of some 20 years, plus a stack of certs and degrees, including the CEH. I’m going in to test this morning after a quick review of scripting languages. Currently teaching Net+ and Sec+ so I’m pretty fresh, but have no real idea what to expect. Have you reviewed the Objectives? They’re huge and wildly all over the place … SOAP and REST? Really? I’ll post thoughts after taking the test this morning (3/10).


Oh, am I ever glad I’ve done a lot of coding/scripting, and reviewed my PHP, Python and Ruby before the test. Right off the bat I got a long series of long, detailed scenario and “drag and drop” questions that I let suck up too much time. One involved dragging lines or blocks of code from a random assortment into working locations in a script. Recognizing the language was instantly critical. Another “interactive” section comprised ten questions where I needed to identify one-liner payloads and the right control to block them. Be sure you’re very clear on the different types of SQL injection and XSS.

The multiple-choice questions were, for a relief, pretty normal. Some did make clear to me some of the things I’ve never done: creating a sandbox, and setting up persistence on a target once it’s been compromised.

I know the CEH pretty well (I’m on the review board), and no, it is not particularly similar to this test. The CEH concentrates on higher-level tools, like GUI exploit tools and specific-function apps. The Pentest+ seems much more focused on knowing low-level tools like nc and nmap, sometimes deeply into the switches and syntax. Definitely spend time working/playing with these so the long, complex multiple choices don’t become a blur.

I got 120 questions for my 165 minutes, plus a lengthy pre-test agreement and a fairly quick post-test review, both off the clock. It was a race all the way, especially with the intricately detailed commands to pick in multiple-choice questions. I only finished 105, racing to the end, though since I got so many questions maybe I’ll get some slack for that. 😉

Notably, I did NOT see any policy, risk calculations, subnetting or crypto, and no SOAP or REST. Reading other people’s experiences, though, I’m betting there’s a huge question pool (that will hopefully get trimmed down) and your mileage will likely differ. Do I think I passed? I practically never think so walking out of a test, but I practically always do pass.
Is it a good alternative to the CEH? I’d say it’s more similar than different. Both certs are really much more focused on defense than offense. It still looks like the OSCP is the big dog of real pen testing, and that’s okay. We all need ladders with more rungs above us.