The best way to learn how to hack is to do it. There are several practice sites and capture-the-flag exercises to teach you how to break security.
List of practice sites
- Cryptopals - Cryptographic programming challenges
- Enigma Group
- Game of Hacks
- Google Gruyere - Vulnerable web app
- Google XSS Game - Cross-site scripting for beginners
- Gruyere - Vulnerable web app
- Hack This Site
- Hellbound Hackers
- Juice shop - Vulnerable web app
- Microcorruption - ARM disassembling
- Over The Wire wargames
- OWASP WebGoat 1.2
- RingZer0 Team Online CTF
- Root Me
- Typhoon vulnerable VM
- XSS Challenge Wiki
Besides these practice sites, there are some other ways you can legitimately hack software:
- Deploy a program on your own computer. Using docker or virtual machines it can be pretty easy to get software running on your own computer. Then, you won’t have to ask anybody permission to hack it.
- Hack a router or other device. Some devices are little Linux boxes all by themselves. This can present unique challenges, and if you mess up you can just hit the reset button.
- Participate in a bug bounty program. Some programs allow you to hack companies as long as you stick to certain rules.
Not everything is a CTF
A CTF is a puzzle thought up by someone. There is always one obvious vulnerability, and the goal is often to gain root. This is pretty different from the real world, or what would be asked of you if you have a job as ethical hacker. While they do teach you valuable hacking skills, keep in mind that these are more games than real scenarios.