It goes without saying that being a Professional Penetration Tester is one of the “sexier” jobs in InfoSec. I mean, let’s be honest here - who wouldn’t want to break into buildings and hack companies like Elliot from Mr. Robot, or carry out crazy hacks against banks and casinos like in the Ocean’s series, all while doing it legally?
While it might seem that being a Hacker for Hire is all fun and games after watching a ton of episodes of Mr. Robot - which it is - it also has its downsides like every other job.
Working as a Security Consultant, I get asked a lot of questions on how to break into Penetration Testing, or what skills one needs to achieve such a job. And unfortunately, a lot of those asking me these questions are hoping for a “one shot solution” such as “If you learn this and this you’ll be golden!” Unfortunately, and I hate to break it to you, it really isn’t that easy…
First of all, to be a Pentester you need to be willing to continuously learn new things on the fly, or quickly at home. Secondly, you need to have a strong foundational understanding of Network and Web Security, as well as an understanding of at least one coding/scripting language. Third of all, you need decent soft skills - ones that will allow you to communicate with your team and clients, and ones that will allow you to write professional reports. Fourth of all, you need to be willing to accept the fact that sometimes the projects you’ll be doing will be boring or repetitive. Fifth of all… if you’re still here reading this, then I’m sure you’ve got what it takes to be a Pentester, so let’s move into the nitty-gritty details of becoming one!
The Technical Skills:
Ah yes, the technical skills, the lifeblood of a Security Professional. Now, being a Pentester doesn’t mean you only focus on one thing - such as Network Pentesting or Web Apps. You actually have to have a breadth of knowledge in multiple technical fields to succeed and even excel as a Pentester. But in my experience, two technical skills in particular are needed for day to day projects.
“Why two?” you may ask… Well, in reality, Network Pentests, Red Team Exercises, Physical Security Assessments, and even Hardware Security Assessments don’t come up as much for beginner pentesters and are usually scheduled for much more advanced testers. But that doesn’t mean you won’t be doing them, or won’t have the opportunity to do more of them once you learn and prove yourself. At the same time, depending on what your expertise is, you’ll probably be doing projects in that field. Overall the most requested assessment is… yup, you guessed it, Web Apps along with some Code Review!
NOTE: Before you continue reading, take note of this. A lot of this is based on my own experiences. Don’t be discouraged that you might not get to do something as frequently as you like while being a pentester - project workloads vary from company to company. For example, if you work for - let’s say - SpecterOps then you probably will be doing more Red Team Adversarial Assessments, Network Pentests, and Physical Assessments than you would be doing Web Apps.
So overall, if you want to focus on Network Pentesting or something else rather than Web Apps, then by all means, focus on that and learn as much as you can. However, you should still learn other disciplines to become a more “well versed” tester, and since Web Apps are high in demand, it’s good to know how to attack them. You don’t have to be the next Frans Rosen, but you should know enough that when scheduled for a WAPT (Web Application Penetration Test), you’ll kill it! =)
In the following section, I will list a bunch of technical skills that I believe are the most beneficial to becoming a pentester (and are in no particular order). You should opt to know at least 1-2 of these skills (including Web Apps) to be of a junior level, and at least 3-4 of these skills to be at a senior level.
Along with each skill, I will provide a short description of what you might be doing, followed by a list of resources that should be beneficial in either getting you started or in helping you learn more about the topic.
1. Web App Security:
Web Applications play a vital role in modern organizations today as more and more software applications are delivered to users via a web browser. Pretty much everything you might have done on the internet involves the use of a web application - whether that was to register for an event, buy items online, pay your bills, or even play games.
Is it true that these breaches could have been prevented? Yes! But only if the web apps were thoroughly tested either internally or by a consulting firm. Yet even then - such vulnerabilities could have been missed.
Why might that be? Well, honestly it could have been a plethora of things such as unskilled testers, constrictive scope, too large of a scope, too little project time, too many web apps and not enough testers, no source code provided… the list goes on.
Though in the end, a skilled tester who understands web apps, understands how they were built, function, communicate, what libraries they utilize, etc, can easily focus and spot portions of a web app that might seem vulnerable or interesting to an attacker. Will the tester be able to spot everything? No, of course not - we aren’t superhuman, but with experience and a good breadth of knowledge you’ll be able to find enough vulnerabilities that will most likely secure a web app from future attacks.
As a pentester, you’ll be doing WAPTs on Bank Apps, Internet Platforms, Hosting Services, Online Stores, and more! So you need to understand more than just the basic Web Application Vulnerabilities such as XSS, SQLi, and CSRF. You’ll need to know vulnerabilities such as XXE, XML/JSON Injection, LDAP Injection, Blind Injection, Code Injection & RCE, Subdomain Takeovers, Open Redirects, SSRF, LFI and RFI; you need to understand specific protocols and their implementations such as OAuth and SSO; and you also need to understand the usage of different platforms and their vulnerabilities, like Jenkins or ElasticSearch.
If you’re currently sitting here and freaking out after reading all of that… don’t! It sounds way more complicated than it really is. Just take your time to learn the basics, and everything else will come with practice and experience!
Resources: Below are a bunch of resources that should either (A) help you get started or (B) help advance your knowledge!
- OWASP WAPT Testing Guide
- OWASP Top 10
- Hacker 101
- PentesterLab Bootcamp
- HackerOne Hacktivity
- Bug Bounty Writeups
- James Kettle / albinowax Research
- Detectify Security Blog
- SANS Penetration Testing Blog
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- The Tangled Web: A Guide to Securing Modern Web Applications
- Apps for Testing & Practice
- SANS 2016 Holiday Hack Challenge
2. Network Security:
A Network Pentest aims to identify and exploit vulnerabilities in corporate or industrial networks as well as in network devices and the hosts/systems connected to them. Such assessments usually simulate a real-world attack if a hacker was to gain access to the internal network of a company.
Now, can a network be 100% safe and secure? Of course not! Nothing is 100% secure! For example, let’s take the Hacking Team Breach. Any sophisticated attacker with enough time, money, and resources can breach a company; but that doesn’t mean it should be easy for them once they are inside the network!
Another example would be the NotPetya Malware outbreak in Ukraine. This is a great example of how hackers with enough time and resources can compromise a company and utilize it to further carry out more attacks against other targets.
As a pentester you are tasked with trying to assess the risk of an actual breach, which isn’t only about getting Domain Admin on the DC but about checking to see what kind of proprietary data is unprotected and out in the open.
During the assessment you should be checking if user accounts and credentials are easy to access. Is customer information and credit card data easily accessible? How well are the members of the company trained on security issues such as phishing? Are technologies and protections well placed and properly configured? And more!
To be able to carry out a Network Pentest you need to really understand how networks work, the technologies and communication protocols in place such as TCP/IP, LDAP, SNMP, SMB, VoIP, etc. You need an understanding of Enterprise Technologies such as Active Directory, as well as an understanding of protections in place such as Firewalls, IDS/IPS, Sysmon, Antiviruses, etc. You need to also understand how Windows and Linux internals function, and how you can utilize them to further compromise other users and host systems.
While Network Pentests are complex and require a lot of moving parts, they aren’t that hard to learn about. Once you learn the basic knowledge of how to move around the network, the rest comes with experience - just like everything else!
Resources: Below are a bunch of resources that should either (A) help you get started or (B) help advance your knowledge!
- Windows APIs
- Red Team Tips
- The Hacker Playbook 3: Practical Guide To Penetration Testing
- Adversarial Tactics, Techniques & Common Knowledge
- AD Security
- harmj0y Blogs
- IppSec’s Videos
- Awesome Pentest
- CTF Series: Vulnerable Machines
- Windows Privilege Escalation Fundamentals
- SANS Penetration Testing Blog
- Pen Test Partners Blog
- Penetration Testing Lab
- Pentestit Lab Writeups
- SANS 2017 Holiday Hack Challenge
- Google… Just too much to list!
3. Code Review:
Code review is probably the single most effective technique for identifying vulnerabilities and misconfigurations in applications. A manual review of the code along with the use of automated testing tools can help locate flaws that might have never been found while carrying out a black box pentest - such as logic flaws, authorization issues, encryption misconfigurations and even injection attacks.
The only downside to Code Review is that it’s very time consuming, and a single tester might not have enough time to cover the whole application if it’s very large. To combat this, a tester usually focuses their attention on known vulnerability classes and on the usage of dangerous function calls in the language the application is written in. For example, in C we know that the strcpy() function is prone to buffer overflows, and in PHP the exec() function, if not properly utilized, can lead to Remote Code Execution.
Do note that some vulnerabilities are more prevalent in certain languages: Buffer Overflows are found more in lower-level languages such as C and C++ than in Python and Ruby, as these are higher-level languages. At the same time you probably won’t find many deserialization vulnerabilities in C and C++, unlike in Python, Ruby, and Java.
So all in all, it’s a really good idea to learn a programming language as it will immensely help in your career toward becoming a pentester. It not only will help in source code review and understanding specific vulnerabilities, but it will also allow you to create scripts and exploits that can be utilized during engagements - whether that’s building a Proof of Concept, or just quickly building a fuzzer.
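As an added example (not code from the original post), here is a small Python triage scanner of the kind the code review paragraph above describes: it walks source text and flags calls to a per-language watch list of dangerous functions, skipping mentions that sit inside comments, so a reviewer can start with the riskiest call sites. The watch lists, the C and PHP snippets, and the helper names are all constructed for this example and are deliberately incomplete; they are a starting point for triage, not a replacement for reading the code.

```python
"""Dangerous-call triage for manual code review (added example)."""
import re
from dataclasses import dataclass

# Per-language watch list: function name -> why a reviewer cares / safer alternative.
# Constructed for this example; extend it for the code base under review.
DANGEROUS_CALLS = {
    "c": {
        "strcpy":  "unbounded copy, classic buffer overflow; prefer snprintf/strlcpy with the destination size",
        "strcat":  "unbounded append; prefer snprintf/strlcat",
        "sprintf": "no length limit on output; prefer snprintf",
        "gets":    "reads unbounded input; prefer fgets",
        "system":  "shell command execution; check how the argument is built",
    },
    "php": {
        "exec":        "command execution; quote arguments with escapeshellarg() or avoid",
        "shell_exec":  "command execution; same concerns as exec",
        "system":      "command execution; same concerns as exec",
        "eval":        "code execution from a string; avoid",
        "unserialize": "object injection if input is untrusted; prefer json_decode",
    },
}

# Single-line comment syntax only; a '//' inside a string literal (for example a
# URL) would also be treated as a comment, so the scanner errs towards silence there.
_COMMENT = {
    "c":   re.compile(r"//.*$|/\*.*?\*/"),
    "php": re.compile(r"//.*$|#.*$|/\*.*?\*/"),
}


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    function: str   # flagged function name
    reason: str     # watch-list note for the reviewer
    code: str       # the offending source line, stripped


def scan_source(source: str, language: str) -> list[Finding]:
    """Return one Finding per flagged call, in source order.

    A call is flagged when a watch-listed name appears as a whole word followed
    by '(' in the non-comment part of a line, so a comment that merely mentions
    strcpy() is not reported.
    """
    watch = DANGEROUS_CALLS[language]
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, watch)) + r")\s*\(")
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = _COMMENT[language].sub("", raw)
        for match in pattern.finditer(code):
            name = match.group(1)
            findings.append(Finding(lineno, name, watch[name], raw.strip()))
    return findings


# Constructed sample inputs: a C function and a PHP page, each with one risky
# call and one bounded/escaped alternative next to it.
SAMPLE_C = """#include <string.h>
/* strcpy() is only mentioned in this comment, so it is not flagged */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                        /* no length check */
    snprintf(buf, sizeof buf, "%s", name);    /* bounded alternative */
}"""

SAMPLE_PHP = """<?php
// exec() appears only in this comment, so it is not flagged
$host = $_GET['host'];
$out = shell_exec("ping -c 1 " . $host);                     // untrusted input reaches the shell
$out = shell_exec("ping -c 1 " . escapeshellarg($host));     // argument quoted for the shell
echo $out;"""


if __name__ == "__main__":
    for lang, src in (("c", SAMPLE_C), ("php", SAMPLE_PHP)):
        for f in scan_source(src, lang):
            print(f"[{lang}] line {f.line}: {f.function}() - {f.reason}\n    {f.code}")
```

Note that both shell_exec() lines in the PHP sample are reported: the scanner only narrows where to look, and deciding that the escapeshellarg() call on line 5 is safe is the reviewer's job.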
Resources: Below are a bunch of resources that should either (A) help you get started or (B) help advance your knowledge!
- OWASP Code Review Introduction
- OWASP Code Review Project
- 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
- Awesome Code Review
- Awesome Static Analysis
- Static Code Analysis Tools
- Reading the Languages Docs
- Google… like seriously guys!
4. Binary Reverse Engineering:
Ahh yes, Reverse Engineering, the unexplained phenomenon where a hacker reads some weird ancient language and for some magical reason creates an exploit or understands how the application functions… Okay, maybe not really magical, and not an ancient language either!
Binary Reverse Engineering is the process of taking apart an application to see how it works in order to either exploit it, or to find specific vulnerabilities. This practice is now frequently utilized by pentesters when looking for 0days, or during engagements in certain industries, or even when source code isn’t provided. Through reverse engineering, a tester can learn how the application performs certain operations, stores data, or even writes to memory through the use of a disassembler such as IDA Pro, Binary Ninja, and even Radare2.
You might think that Reverse Engineering is mostly used for Malware Analysis, such as in the WannaCry Malware to fully understand how the malware functions, but that’s really not the case! Malware is just another program/application, so in the end you’re still reversing an application… just a malicious one.
Take this for example, the 1-day exploit development for Cisco IOS used reverse engineering and debugging to exploit a vulnerability in Cisco Routers, something that can’t be done through simple fuzzing or black box pentesting.
As a pentester, if you know the basics of reverse engineering, then expect to be put on gigs that will require such knowledge. You’ll usually be using your knowledge for research, to look for 0days and vulnerabilities, and to figure out how applications function when source code isn’t provided, especially in hardware embedded devices (which we will talk about below). You might also be testing BIOS & SMM, Virtualization, Containers, Secure Boot, and more! To do this job well, you’ll need to have an understanding of the x86 and x64 ASM (Assembly) Architecture, as well as knowledge of how the Stack/Heap work along with Memory Allocation. At the same time, a low level knowledge on the inner workings of operating systems is very beneficial!
While the learning curve for this is usually very high, and it does take some time to be proficient in it - once learned, it can be considered as a nuclear bomb in your arsenal… you can then call yourself a full-fledged hakzor!
- Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
- Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration
- Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
- Introduction To Reverse Engineering Software
- Introduction To Software Exploits
- Hacking, The Art of Exploitation 2nd Edition
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
- HackDay: LEARN TO REVERSE ENGINEER X86_64 BINARIES
- Getting Started with Reverse Engineering
- Reverse Engineering Resources
- LiveOverflow Videos
- Exploit Exercises
- Oh look…. Google!
5. Hardware/Embedded Devices Security:
Following closely in the footsteps of Reverse Engineering is Hardware/Embedded Device Security, which complements Reverse Engineering really well. Follow that up with knowledge in hardware and electronics as well as some ARM Architecture and you’ve got yourself a new gig tearing apart devices from routers to light bulbs to even cars.
With the increase in the development of IoT devices there is now a raised interest in, and controversy about, the security of such embedded systems. Let’s take the Mirai Malware as an example: with a ton of insecure devices open on the internet, a company is simply one device away from a breach. Yah, just one device - for example, when a casino got hacked through its internet-connected fish tank.
As a pentester, if you’re doing any hardware or embedded device security you’ll need to understand stuff such as SPI, reading schematics, FPGA, UART, JTAG, etc. You’ll also need to understand how to use tools like a multimeter, soldering iron, and such. At the same time understanding electronic components like switches, resistors, capacitors, and transistors is always great!
Just like Reverse Engineering, there is a large learning curve, but once you learn the basics the rest comes easy and with time you’ll get experience after doing multiple assessments. Honestly the best way to learn is jumping into the fire and learning as you go.
- Introduction to ARM
- Azeria Labs - ARM Tutorials
- Introduction To Basic Electronics
- How to Read a Schematic
- Reverse Engineering Flash Memory for Fun and Benefit
- Reverse Engineering Hardware of Embedded Devices
- Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices
- DEF CON 24 Internet of Things Village - Elvis Collado - Reversing and Exploiting Embedded Devices
- Embedded Devices and Hardware Security - Introduction
- Coursera: Introduction to the Internet of Things and Embedded System
- LiveOverflow Videos - Riscure Embedded Hardware CTF
- Micro Corruption Embedded CTF
- GreatScott! Videos - Awesome Electronics Tutorials, Projects and How To’s
- EEVBlog Videos
- Hackaday Blog
- Reading Silicon: How to Reverse Engineer Integrated Circuits
- Google…. Like I shouldn’t even have to mention this!
6. Physical Security:
You can have the best security in the world, the most hardened systems, and the best security team there is but all of that is brought to nothing if an attacker can simply carry out your servers through the front door. This is where Physical Security comes in!
It’s something unheard of, hackers breaking into companies… through the FRONT DOOR! *dun dun duuuunnnn* Yah, scary, I know!
But honestly, really take a second to assess this matter. We care so much about the safety of our computer systems, web applications, and networks that we fail to see the vulnerability in the human and physical aspect. Anyone can just walk right into a company that has improper security controls and steal data, plant malware, or even carry out destructive actions.
As a pentester, if you’re doing a physical security assessment you’ll need to understand a wide variety of subjects such as psychology, surveillance, lock picking, lock bypasses, RFID, camera systems and use of universal keys. General assessments will require you to survey a physical location, find out entry/exit points, detail in place security such as guards, cameras, pressure sensors, motion sensors, tailgating defenses, and more.
After that you’ll be required to break into the building via methods like lock picking (if in scope), tailgating, destructive entry (rarely in scope…) and even social engineering. Once inside you usually will be required to carry out certain objectives like stealing a laptop, connecting a dropbox, or even sitting at someone’s desk - like the CEO’s!
It’s almost as if you were a full-fledged spy! While this sounds fun, it is rather tricky to pull off. You need to have a good understanding of psychology and social cues, as well as how certain locks and protections function, to be very skilled in this. If you’re not good with people, or get really nervous when lying, then maybe this isn’t for you, but it’s still cool to learn!
NOTE: Please note that some of the materials in here, including the psychological resources on manipulation, can be rather offensive and insensitive - so I apologize in advance. I do not condone the use of any of these activities for bad, only for good. I’m also not responsible for the misuse of this information.
- Lockpicking 101
- Lockpicking - by Deviant Ollam
- Awesome Lockpicking
- TOOOL: The Open Organisation Of Lockpickers
- Lock Bypass
- Lock Wiki
- Deviant Ollam Youtube
- RFID Cloning
- UFMCS, “The Applied Critical Thinking Handbook”
- Red Team: How to Succeed By Thinking Like the Enemy
- 10 Psychological Studies That Will Boost Your Social Life
- The Ethics of Manipulation
- Psychological Manipulation Wiki
- Body Language vs. Micro-Expressions
- The Dictionary of Body Language: A Field Guide to Human Behavior
- What Every Body Is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People
7. Amazon Web Services Security:
You hear it pretty much every day: another data breach, all thanks to a misconfigured S3 Bucket! One would have thought that with the increased usage and popularity of AWS we would see an improvement in security, but we were wrong.
AWS has become pretty popular, and a lot of companies are now moving and even creating new infrastructure in “the cloud” all because it’s more cost and time effective for them. But, just because something is easy to implement, doesn’t mean it’s easy to secure.
Unfortunately, many developers and engineers (including those in security) don’t fully understand AWS and how to properly secure it. AWS Security is hard! Period! There are many things that can go wrong if you don’t understand how to configure your environment securely from the start.
For example, a simple SSRF in a web app can lead to remote code execution, or compromise of the AWS Infrastructure. At the same time, improperly configured IAM Roles or access to services can allow an attacker to gain access to S3 Buckets, manipulate data, or even spin up new EC2 instances.
As a pentester, if you’re doing AWS Security then you’ll need a deep understanding of the AWS Infrastructure, its services, and its configurations. You’ll use this knowledge to verify things like whether all IAM Roles are properly configured, whether S3 buckets are secured and don’t allow public r/w access, whether firewall rules are properly in place, and whether secure protocols and data encryption methods are properly implemented.
At first this might seem like a daunting task, but in reality, once you understand how the infrastructure is laid out and how everything talks to each other, then securing it won’t be too difficult. I also highly recommend that if you want to do AWS Security, then you should get AWS Certified. Refer to the certification links below in the resources.
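As an added example (not code from the original post, and not AWS's own tooling), here is a pure-Python review of an S3 bucket policy document, the kind of check behind a finding that a bucket “allows public r/w access”: it reports every Allow statement whose Principal is anonymous and which grants read or write actions, and marks whether a Condition is attached so a human can judge whether that Condition actually narrows the grant. The two policies below are constructed for this example; the bucket name, account ID and role name are placeholders.

```python
"""Flag public read/write grants in an S3 bucket policy (added example)."""
import fnmatch
import json

# Actions that make a bucket publicly readable / writable when granted to everyone.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern: str, action: str) -> bool:
    # Policy actions are case-insensitive and may use '*' wildcards (e.g. "s3:*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_grants(policy: dict) -> list[dict]:
    """Return one record per Allow statement that lets anyone read or write.

    Limitations (by design, for a first-pass review): Deny statements,
    NotPrincipal/NotAction, bucket ACLs and the account-level S3 Block Public
    Access setting are not modelled, so a reported grant still has to be
    confirmed against those before it goes into a report.
    """
    results = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        reads = [a for a in READ_ACTIONS if any(_action_matches(p, a) for p in patterns)]
        writes = [a for a in WRITE_ACTIONS if any(_action_matches(p, a) for p in patterns)]
        if reads or writes:
            results.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "read": reads,
                "write": writes,
                # A Condition may genuinely narrow the grant (VPC endpoint, source IP)
                # or may be toothless; flag it for a human rather than auto-passing.
                "conditional": bool(stmt.get("Condition")),
            })
    return results


# Constructed weak policy: a "public website" bucket that also lets anyone upload.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicSite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}
  ]
}""")

# Constructed corrected policy: reads only via a named role, plus a Deny for
# unencrypted transport (placeholder account ID and role name).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RoleReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-reader-role"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket-placeholder/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket-placeholder",
                  "arn:aws:s3:::example-bucket-placeholder/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_grants(policy) or "no public grants")
```

In practice this runs over the document returned by get-bucket-policy, and the result is cross-checked against the bucket's Block Public Access configuration, which overrides the policy when enabled.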
- AWS Cloud Security
- AWS Security Resources
- The Beginner’s Guide to Cloud Security
- AWS Security Best Practices
- Securing Amazon EC2 Instances
- How to secure an Amazon S3 Bucket
- AWS Security Fundamentals
- AWS Certified Solutions Architect - Associate
- AWS Certified Security - Specialty
- AWS Vulnerabilities and the Attacker’s Perspective
- An Introduction to Penetration Testing AWS: Same Same, but Different
8. Mobile Security:
With the ever-increasing usage of mobile phones running Android and iOS, smartphones have started to become a hot target for attackers. Everyone stores their whole life on their phones, including pictures, documents, passwords, credit cards, and more! By simply compromising someone’s phone we have free rein over all their accounts and even their life.
Take this headline for example, “Millions of Android Devices are Vulnerable Right Out of the Box!” Crazy, right? Many of us think that companies such as Google and Apple would make sure that their stuff was secure, that is until we see another headline such as “Google Fixes Critical Android Vulnerabilities“… lovely.
From vulnerabilities such as Android’s StageFright to Apple’s ImageIO to even vulnerabilities in third-party vendors like Qualcomm, the possibilities are endless! And since such attacks can compromise even the most secure users, Mobile Security has now moved its way up the ranks, with endless amounts of research and security assessments being done for vendors, mobile apps, and for the core OS.
As a pentester, if you’re going to be doing Mobile Security then you’ll need to understand ARM Architecture as that’s what you’ll be seeing a lot of when reverse engineering apps and the core OS. For Android it’s best to learn and understand Java and Android Runtime, but for iOS you’ll need to learn Swift and Objective-C.
Day to day you’ll usually either be reverse engineering apps, reviewing source code, doing mobile web app pentests, or even reverse engineering and securing the main OS! You might be also attacking other parts of the phone such as the Bluetooth or Wi-Fi to even the SMS and MMS protocols and implementations!
- Mobile Security Wiki
- Awesome Mobile Security
- The Mobile Application Hacker’s Handbook
- Android Hacker’s Handbook
- iOS Hacker’s Handbook
- iOS Application Security: The Definitive Guide for Hackers and Developers
- Android Security Internals: An In-Depth Guide to Android’s Security Architecture
- Azeria Labs - ARM Tutorials
- Reverse-Engineering iOS Apps: Hacking on Lyft
- Reverse Engineering iOS Apps - iOS 11 Edition (Part 1)
- Beginners Guide to Reverse Engineering Android Apps
- Reverse Engineering APIs from Android Apps - Part 1
- Reverse Engineering Android APK’s
Like in every job, your education is important! But in the Information Security realm, experience speaks louder. This doesn’t mean that schooling and certifications are not looked at, it just means that they aren’t heavily used to measure a candidate’s actual skill.
Now before you decide to drop out of High School or College (Uni) because you think it won’t benefit you as much, take a few minutes to hear me out! While a College Degree and Certifications might not really be looked at hard by an interviewer, they are heavily used by HR and Talent Acquisition and are usually your foot in the door! This also varies from company to company, so in the end, it’s better that you get that College Degree.
Of course there are those people who never completed or went to College and just have a High School Diploma or GED. For those that fall under that category, all I can say is - don’t worry! While your chances of getting hired are lower than for those with degrees, your experience and certifications will speak for themselves. You will just need to make sure that you have something to show for it in the form of a GitHub, Open Source Tools/Projects, CVEs, Conference talks and even research… but more on that in the Experience section!
1. College Degree:
When it comes to College Degrees, what you study actually matters. Sure, you can study Fine Arts or Finance and still work in the Security field, but you’re going to have to back that up with experience and certs. Overall this portion is more focused toward those who are still in high school or are about to go to college and have no idea what to study.
I suggest that you focus your major on something in the computer field such as computer engineering, computer science, information technology, or computer security. Since these degree programs teach quite different things, it’s your responsibility to make sure you take classes that are interesting to you, are relevant to the field you want to work in, and have supplementary material to expand and reinforce what you learned.
So what should you study? Well…
Computer Engineering if you want to learn things such as C/C++, Assembly, ARM, electronics, design of individual microcontrollers, microprocessors, circuit design, embedded systems, reverse engineering, and be more low-level, software and hardware focused in security.
Computer Science if you want to learn C/C++, Java, Python, Assembly, memory management, networking, computer security and cryptography, and be more software, low-level, and dev-ops focused.
Information Technology if you want to be more generalized and learn things such as Java, Python, C/C++, SQL, databases, networks, Windows and Unix administration, and be more high-level with a focus on web applications, corporate technologies, and network pen testing. Just do note that for this degree you will need to choose your classes wisely to focus on what you would like to do. For example, instead of taking database management, take a class on cyber security or computer engineering.
Computer Security if you want to be directly security focused and learn C/C++, Java, Python, secure coding, cryptography, network security, and some computer hacking. This initially will allow you to be more Web App/Network Pentesting focused, but like in Information Technology just make sure to supplement classes that don’t fit in or that would be more interesting/beneficial to you.
So will a college education teach you everything that you need to know? No! Far from it! Think of college as a stepping stone into your career. While it can provide you with a lot of knowledge and the basics, the rest solely relies on you to supplement your learning with additional material, training, and practice.
This means that when you come home from school do your homework, study for the exams you need, and then go learn something new by reading books, watching videos, practicing in labs, messing with hardware or trying to find an internship to be more hands on and involved in your education process.
The 4 years you spend in college trying to get your bachelors can either make you or break you… I’m being 100% serious! I’ve taught a few graduate level courses at my college and have mentored many students - and I always notice that over 90% of the students don’t even understand the basics. This goes to show that you really need to be passionate about your future career and that you have to spend time outside of the classroom teaching yourself, because in all honesty, no one else will.
You need to be a self-starter, be motivated, and be willing to sacrifice your free time to actually become somebody. And this is where the additional learning, certifications and training come into play.
2. Certifications:
Certifications are a great additional learning tool, one that can accelerate your career while teaching you something new. Now do note that a lot of people in the Information Security industry are torn on certifications, meaning that some like them and some hate them - everyone has an opinion about them.
Certifications are also a great addition to your resume, and show a potential employer that you can learn and retain information about certain topics. Just make sure that when you’re doing a certificate it’s because you want to learn, and not just get a few additional letters after your name. So many people pursue certificates thinking it will help them get their foot in the door, only to fail the interview because they never really learned anything… I’m looking at you OSCP cheaters!
At the same time, be careful of what certificates you really take. Take into consideration their reputation, their benefit-cost ratio, student reviews, and curriculum.
One of the certificates that I would avoid would be:
- Why? - It’s overpriced, the training is a minimum viable product with little to no quality control, and some of the answers on the exam are either very wrong or misleading. You can buy the study guide and just read that, but don’t waste your time and money. Sure, it can help get you a foot in the door for a junior security job, but at a self-respecting consulting firm, we will just laugh.
So what certificates do I recommend for pentesting… I thought you’d never ask!
I highly recommend the following:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSCE)
- SANS SEC542 - GWAPT
- SANS SEC560 - GPEN
- SANS SEC575 - GMOB
- SANS SEC660 - GXPN
- CompTIA Security+
- Amazon Web Services Certifications - Specifically the CSA and Security Specialty
Just note that these are a few of the certifications I like. This doesn’t mean that you need to go and get them all done; they are there just to give you an idea. Do some research about these certificates and choose what you want. While SANS is expensive, their courses are good. This blog post is already long as it is, so I’d rather not ramble.
3. Training & Practice:
Going hand in hand with college, self-learning, and certifications is training and practice. Sure, training can also be part of the certifications, but I believe training to be its own little separate area.
There are a ton of resources out there that can provide you with continuous training. And since I already provided you with a lot of resources above alongside the technical skills, in this section I want to give you some resources where you can safely practice your hacking skills.
Just note that before I start listing everything, this isn’t an exhaustive list. These resources are supposed to help teach you the basics and to help expand your knowledge. If for some reason you don’t know something, want to learn about a new topic, or can’t find a resource, then just Google it! You can’t be a hacker if you don’t practice your Google-Fu!
Anyways, here is a list of resources that will help you practice!
- Hack The Box
- Hack This Site
- Hacking Lab
- Exploit Exercises
- Ringzer Zero Team
- Google XSS Game
- Google Gruyere
- OWASP Vulnerable Web Applications Directory Project
- Pentestit Labs
- Metasploitable 2
So, with a college degree and some certificates under your name, you finally have some experience. But is it enough? How can you get more?
First of all, any relevant course work and certificates are usually good enough to get you a junior position in security, but are definitely not enough to get you hired as a security consultant/pentester without any prior working experience - unless, that is, you are very skilled, have a lot to show, and can slay the interview.
Many of the people that I work with, and those working as pentesters, have at least 5-10 years of working experience doing things such as development, system administration, network engineering, security operations (SOC), incident response, and even malware analysis/reverse engineering.
So does that mean you need many years of experience to be a pentester? Not at all! But you do need to have some decent working knowledge. I started my job as a Security Consultant with only about 3 years of security experience under my belt, and technically 5 years of “learning experience”.
Learning experience can be anything from doing CTFs, reading books, understanding network infrastructure and enterprise technologies, to even practicing in labs. And while such experience is great, the real question is - can you put all that knowledge into practice?
This is where working experience comes into play. Just because you know something, doesn’t mean you’ll know how to do it, or why you could or couldn’t do it. For example, let’s say you’re doing a network pentest and have a shell on a Windows machine. You were able to steal some NetNTLM hashes so you try to use a Pass the Hash attack on another device, but it fails. Why?
If your answer is “I don’t know” or “I don’t have privileges” - then good luck explaining that to a client. What really occurred is that you had a NetNTLM hash; these are used for network authentication, are derived from a challenge/response algorithm, and are based on the user’s NT hash. You cannot perform a pass the hash with these due to the MS08-068 patch. At the same time, maybe SMB Signing was enabled, preventing you from executing commands in the context of the user.
If you had enough working experience, you might have spotted this early on. And because you carelessly carried out attacks without doing proper intelligence gathering or understanding how an Active Directory environment, or even a corporate network, is configured, you could have triggered an alert in the IDS/IPS, Sysmon, or any other logging tool.
At this point you might be thinking to yourself… “Well how can I learn all that? Where do I go?” and to honestly answer that question, all I can say is - get a job!
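A worked illustration of the point above, added here as an example and not part of the original post: an NTLMv2 response is an HMAC-MD5 proof keyed over the server’s challenge, so a response captured for one challenge fails verification against any other challenge, which is why it can’t simply be “passed”. The NT hash, user, domain, challenges and timestamp below are constructed sample values, and the blob is simplified (empty target info).

```python
import hashlib
import hmac
import struct

# Constructed sample values: not taken from any real account or capture.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # user's NT hash (MD4 of the password)
USER, DOMAIN = "alice", "CORP"
CLIENT_NONCE = bytes.fromhex("a1a2a3a4a5a6a7a8")
TIMESTAMP = 0x01D5C0FFEE000000  # FILETIME-style 64-bit value


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_nonce, timestamp):
    """Client side: NTProofStr || blob. The proof is keyed over the *server's* challenge."""
    blob = (b"\x01\x01" + b"\x00" * 6        # blob signature + reserved
            + struct.pack("<Q", timestamp)     # timestamp
            + client_nonce                     # client challenge
            + b"\x00" * 4 + b"\x00" * 4)       # reserved + empty target info (simplified)
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_response(nt_hash, user, domain, server_challenge, response):
    """Server side (NT hash obtained from the DC): recompute the proof over the
    challenge *this* server issued and compare it with what the client sent."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def replay_check():
    """Return (accepted under the original challenge, accepted under a fresh challenge)."""
    chal_original = bytes.fromhex("0011223344556677")
    chal_fresh = bytes.fromhex("8899aabbccddeeff")
    captured = ntlmv2_response(NT_HASH, USER, DOMAIN, chal_original, CLIENT_NONCE, TIMESTAMP)
    return (verify_response(NT_HASH, USER, DOMAIN, chal_original, captured),
            verify_response(NT_HASH, USER, DOMAIN, chal_fresh, captured))


if __name__ == "__main__":
    print(replay_check())  # (True, False): the response is bound to one challenge
```

The defender's takeaway is the same as the author's: a captured NetNTLM response is only as useful as the challenge it answers, so protecting the NT hash itself and enforcing SMB signing are what actually matter.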
If you really want to learn all there is and be a very well versed pentester then you need to build up knowledge in the area you want to focus in.
Want to be a web/network pentester? Start working as a junior system administrator, network engineer, SOC analyst or security analyst for a company. This will allow you to learn how networks are configured, how they are protected, and how they can be bypassed. This will also teach you a lot about enterprise tools, configurations, Active Directory, etc.
Want to be a hardware hacker? Start working as a junior developer and either do software engineering or hardware system design and development.
If you’re still in school, get an internship! I honestly believe that students who don’t get an internship during college are wasting their time and money. Internships can help teach you many things that college can’t. Also after you graduate, you might even have enough experience and knowledge to become a junior pentester, but you will need to work hard to do so!
Now while you are actively working, don’t stop learning! If there is something new that you don’t understand or want to learn about, then Google it first, read a blog post or two, and then go ask a senior member about it. Want to do something else on the team, like pentest a website, or develop a new tool? Ask! The answer is always no if you don’t ask!
At the same time, you can gain more experience by doing work at home and on your personal time. This means actively developing new tools or scripts, setting up your own lab environment, writing blogs, contributing to open source projects on GitHub, joining a CTF team, to even creating vulnerable machines for Vulnhub and Hack the Box.
And while you’re doing all of that, become active in the InfoSec and Hacker community. Go to a local security meetup or hacker space, go to a security conference, get a Twitter account and follow some big names, interact with them, interact with people on the security subreddits, join a Slack channel, and many more!
Doing this will allow you to become better known in the community and will allow you to show your work, skill, and passion toward the field. Who knows, maybe someone might offer you your dream job!
The Job Search:
Now that you got some experience under your belt, have a few certs under your name, and are staying active in the community and continuously learning, it’s now time to look for your dream job!
Searching for a job as a pentester can be very daunting at first - seeing as how some companies require more experience than others. At the same time, without a college degree or previous experience, getting a job might be also rather difficult if it’s a prerequisite. But don’t let that discourage you!
There are two paths that you can take to work as a pentester. The “Internal” path and the “External” path.
The Internal Path:
The Internal path, while easier, takes a little longer than the external path. On this path you aim to work as part of an Internal Security Team, either doing Red Teaming, or pentesting and security audits for the company only. To attain such a position it’s best if you look for internships or junior positions at a company that has such a team, or is in the process of building one.
Usually the company will expect you to have a College Degree, a certification or two, and previous working experience as a system administrator or security analyst. Such teams need you to thoroughly understand how their network is configured, what security protections are in place, and where possible points of failure can occur.
So it’s really best to start off early working for them as a junior to learn all of this, thus making it easier to show that you’re capable of doing the job. Also, getting promoted or hired for another job internally is a lot easier than applying externally, since people already know you and your skills.
The External Path:
The external path is usually the shorter of the two, as you can get hired pretty quickly if you know what you’re doing and have the skills to back you up. On this path you aim to work as a security consultant as part of a large organization or firm. From here you will be hired out by other companies to test their web applications, networks, hardware, etc. To attain such a position it’s best to look for associate or junior security consulting/pentesting positions at companies like NCC Group.
Usually a self-respecting consulting firm with the best work won’t care if you have a degree or not, but they will look to see if you have certifications, previous working experience, and proper skills. Such companies will usually put you through a rigorous hiring process of phone interviews, technical challenges and in person interviews; testing you on everything from web application security, to network pentesting, to even reverse engineering of protocols and binary applications.
Once hired, the company will always want to train you up; they will provide you with resources, a training budget, test labs, and shadowing opportunities to learn. Just make sure you learn, and fast! Once a company invests money into you, they expect you to be billable on projects within 3 months tops!
My Path to Becoming a Pentester:
Every time someone asks me what I do for a living I tell them that I work as a Security Consultant. Once they find out how old I am and how many years of experience I have, they laugh and always follow up with… “Well that’s impossible!”
Honestly, nothing is impossible if you really put in the effort! What a lot of people don’t see is the amount of time I spent learning and teaching myself new things, the countless late nights I spent reading blogs or hacking boxes in Hack The Box, and the amount of effort I put in to become the best I can be - and I’m still just an amateur!
My path to becoming a pentester all started when I graduated high school. I knew I wanted to be a “l33t hackzor” but I didn’t really know how. That summer I spent a lot of time googling and reading reddit threads on how to become a security expert. At the time, a lot of people were saying that I should work my way up by starting in helpdesk, then going into system administration and then into security.
So that was my plan - go to college, get a job in IT and work my way up. I started college in 2014 and went to obtain my Bachelors in Information Technology, with a concentration in information security. In my second year of college in 2015 I got an IT internship doing client service work, also known as help desk support. During my time there I learned a lot about Active Directory, networks, how a company functions, how things are configured, and learned SQL, PowerShell, Python, and more.
While working in Client Services I met and became friends with one of the Senior Security Analysts, who later went on to become my mentor. I always asked him questions about security, and he would always provide me resources to learn. That’s when my curiosity in hacking sparked. After learning a few things I always tried applying what I knew to client services, and suggested more “security”-minded procedures.
I would spend countless late nights after school and work reading about security, hacking, malware, and literally anything I could get my hands on. That’s when I learned about Kali, and VulnHub - and took my first steps in learning how to pop boxes.
About a year and a half into my client services internship I learned that my mentor was leaving for another job. Little did I know that I would be taking his place. A few weeks before his departure the director of security approached me and asked if I would like to spend a few hours a week working in security to help out with the workload - you know I said yes!
Those temporary few hours a week turned into a full time internship for me, as the director saw that I had a passion for the work I was doing. Once hired on as a Security Intern, I took the time to get my first certificate, the CompTIA Security+, which was honestly the best learning experience for me as it provided me the basics I needed to know.
Once I obtained that certificate I went on to learn more. I bought a lot of books, and began reading them - from Web Hackers Handbook to Hacking, The Art of Exploitation. When I wasn’t reading I was practicing in Vulnhub, HackTheBox and the Pentestit Lab, going through test labs, writing blogs, watching videos, learning new languages like Python, C, PHP, Ruby and Assembly and going to security conferences.
It was during that internship where my boss suggested that I do my first web application pentest. Man was I ecstatic, I was finally going to be doing what I wanted. From there I went on to become the lead DFIR and Pentester for my Security Team and mainly focused on deploying a secure environment, doing incident response, and risk assessments for new applications on our network.
I graduated about a year later, and was hired full time at the company as a Security Analyst. I worked there for about a year and got my OSCP, while still spending late nights learning new things, reading all the books I could, and doing CTFs.
About a year later I started to burn out. I was in security, I put a lot of effort into it, but I wasn’t doing what I wanted to… and that was pentesting.
So I decided to take the leap and applied to NCC Group as an Associate Security Consultant. The application process lasted about 3-4 months as I went through a very rigorous interview.
After what seemed forever, I got my acceptance letter and took the job. Since then I have been doing some awesome work for an awesome company. And even though I now work as a pentester, I still spend my nights learning new things.
Currently I’m learning more about hardware and electronics as I want to do more automotive and embedded device security. I’m honestly spending my nights soldering, coding, and breaking stuff… so expect new blog posts on that topic soon! ;)
Finally we’re at the end of this blog post! I know that there are a TON of resources and materials here, so try not to be overwhelmed by it.
Honestly, I could continue writing more about how to become a pentester as this is only the tip of the iceberg, but I won’t do that. Reason is that I want you to go out there with these resources and learn on your own. Learn to be independent, to look for resources yourself, and to connect the dots.
What I mean by that is, once you understand the basics, the rest will come easy as you’ll know what knowledge gaps you need to fill. I know that many of you want to become a pentester like this instant, but it takes time. Rome wasn’t built overnight, so take the time to learn all that you can. Enjoy the process of learning, and you’ll get to your end goal in no time!
In the end, the answer to your question “How can I become a pentester?” is - learn all you can, understand the basics of networking, web applications, and security. Practice, practice, practice! Get certified and work in a junior position to learn the fundamentals. Interact with the community through Twitter, Reddit, and security conferences. Build new tools, write blog posts on your adventures in security, and assist in open source projects. But most important of all, never stop learning!
I honestly hope that this post helps you in some way, shape, or form, and I wish you the best on your road to becoming a pentester.