
RECON

A hands-on operating system for learning offensive and defensive security — built around real labs, a clear roadmap, and the discipline to practice legally. Boot in, pick a track, break things you're allowed to break.

00

Rules of engagement

Read this first, every time. The single thing separating a security researcher from a criminal is authorization. Skills are neutral; how you point them is not. These rules keep you legal, employable, and trusted.

// AUTHORIZATION IS NON-NEGOTIABLE

  • Only test what you own or have explicit written permission to test. Your own VMs, intentionally vulnerable apps, and platforms that grant permission in their terms are fair game. Someone else's site, network, or account is not — regardless of intent.
  • Unauthorized access is a crime. Laws like the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, and Canada's Criminal Code §342.1 carry real penalties. "I was just curious" is not a defense.
  • Practice on consented targets. Deliberately vulnerable labs (DVWA, Juice Shop, Metasploitable), wargames, CTFs, and scoped bug-bounty programs exist precisely so you can attack freely and safely.
  • Stay in scope. On a bug bounty or pentest, the scope document is the law. Out-of-scope testing — even of the same company — can void protections and get you banned or prosecuted.
  • Disclose responsibly. If you find a real flaw in the wild, report it privately through the vendor's channel and give them time to fix it. Don't dump, don't extort, don't exploit.
01

The roadmap

Seven phases, roughly in order. You don't need to finish one to peek at the next, but the foundations make everything above them faster. Colors map to depth: green for groundwork, amber for core skills, coral for advanced offense, teal for the defensive side.

00
foundations · groundwork

Computing & networking fundamentals

You can't break what you don't understand. Learn how data moves and how systems are built before you try to subvert them.

TCP/IP & OSI · ports & protocols · Linux CLI · how the web works · virtualization
01
foundations · automation

Scripting & tooling

Automate the boring parts and read other people's exploits. Python and Bash are the lingua franca of security work.

Python · Bash · regex · git · reading code
02
core · most bugs live here

Web application security

The biggest, most accessible attack surface and where most beginners land their first real findings. Master the OWASP Top 10 by exploiting it.

OWASP Top 10 · SQL injection · XSS · auth flaws · Burp Suite
03
core · the wire

Network security & recon

Scanning, enumeration, traffic analysis, and the reconnaissance that precedes every engagement. Learn to see a network the way an attacker does.

nmap · Wireshark · enumeration · pivoting · Metasploit
04
advanced · offense

Exploitation & red teaming

Chain vulnerabilities into access, escalate privileges, and write it all up like a professional. This is where pentesting becomes real.

privilege escalation · password cracking · Active Directory · reporting · C2 basics
05
defensive · blue team

Defense, forensics & detection

The other half of the field, and where most jobs actually are. Investigate incidents, analyze memory and logs, and build detections.

DFIR · SIEM · Volatility · log analysis · threat hunting
06
advanced · specialize

Pick a specialty

Go deep on one thing. Reverse engineering and malware analysis, cloud security, crypto, hardware/IoT, or full-time bug bounty — depth beats breadth from here.

reverse engineering · malware analysis · cloud (AWS/Azure) · cryptography · bug bounty
02

Hands-on labs

Theory fades; muscle memory sticks. Work through these in roughly the order shown — each one teaches a concrete skill on a target you're allowed to attack. Hit how to start for step-by-step instructions, follow the link to the lab, and tick the box (top-right) to mark it done. Progress saves in this browser.

03

Build your home lab

An isolated sandbox is the single most important thing you'll set up. It's where you attack freely without touching anything real. The golden rule: keep your vulnerable targets on a host-only network so nothing leaks onto the internet or your home LAN.

// the setup

  1. Install a hypervisor. VirtualBox (free) or VMware Workstation. This runs your virtual machines.
  2. Spin up an attacker VM. Kali Linux or Parrot OS — both ship with the tools pre-installed.
  3. Add vulnerable targets. Metasploitable 2/3, OWASP Juice Shop, DVWA, and machines from VulnHub.
  4. Isolate the network. Set every VM's adapter to Host-Only so attacks can't escape the lab.
  5. Snapshot everything. Take a clean snapshot before each session so you can roll back when you break something.
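
To verify step 4 rather than trust the GUI, the following added example (not part of the original page) audits a VM's network adapters from the output of VBoxManage showvminfo --machinereadable. The function names and the sample VM data are constructed for illustration, and treating only "hostonly" and "none" as acceptable modes is an assumption taken from the golden rule above.

```shell
#!/bin/sh
# Added example: flag lab VMs whose adapters could reach the LAN or internet.
# Input is the key="value" text printed by:
#   VBoxManage showvminfo <vm> --machinereadable

# Read that text on stdin, print every attached NIC that is not host-only,
# and return status 1 if any were found (0 if the VM is isolated).
audit_nics() {
    awk -F'"' '
        /^nic[0-9]+=/ {          # matches nic1="nat"; skips nictype1=, nicspeed1=
            slot = $1
            sub(/=$/, "", slot)
            # Assumption: only host-only or unattached adapters are acceptable.
            if ($2 != "hostonly" && $2 != "none") {
                print slot ": " $2
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Audit one real VM by name (requires VirtualBox's VBoxManage on PATH).
audit_vm() {
    VBoxManage showvminfo "$1" --machinereadable | audit_nics
}

# Constructed sample output, not captured from a real machine.
SAMPLE_LEAKY='name="metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="82540EM"
nic2="nat"
nic3="none"'

SAMPLE_ISOLATED='name="kali"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'

printf '%s\n' "$SAMPLE_LEAKY" | audit_nics || echo "metasploitable2: NOT isolated"
printf '%s\n' "$SAMPLE_ISOLATED" | audit_nics && echo "kali: host-only"
```

On a real host, run audit_vm with each VM's name before every session and fix any adapter it reports before booting a vulnerable target.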

// first contact

Once both VMs are on the host-only network, find your target and start enumerating:

    # find live hosts on your lab subnet
    $ nmap -sn 192.168.56.0/24

    # full service + version scan on the target
    $ nmap -sV -sC 192.168.56.101

    # spin up Juice Shop locally with Docker
    # (publish on 127.0.0.1 only, so the vulnerable app is not reachable from your LAN)
    $ docker run -d -p 127.0.0.1:3000:3000 \
        bkimminich/juice-shop

Then point your browser at localhost:3000 and start hunting.

04

The arsenal

Hand-picked places to learn, practice, and read. Most of the best resources in this field are free — start there before spending a cent on courses or certs.

Learn by doing FREE

Vulnerable targets FREE

Defensive & forensics FREE

Crypto & reversing FREE

Read & reference

  • OWASP Testing Guide (free · the methodology bible)
  • Hacking: The Art of Exploitation (Erickson · low-level classic)
  • The Web App Hacker's Handbook (the web pentest canon)
  • Practical Malware Analysis (defensive RE deep-dive)

Bug bounty & community