So you want to be a penetration tester…

I recently put together a list of recommendations for a potential candidate at work who was interested in penetration testing. I thought I might share it here.

First off, let’s assume you have some basic IT/security knowledge, and you want to move more towards a role in security. Are you sure you want to do penetration testing, instead of another discipline? Lesley Carhart has a very good series of blog posts regarding this topic, including some descriptions of various blue team/red team positions and the type of work they do. It’s a 3-part series which is worth reading, but this is the post I’m referring to. Read it, and if you still think penetration testing is for you, let’s continue.

Download and run Kali Linux (https://www.kali.org/ ). Most people will run this in a virtual machine (VMware/VirtualBox). If you aren’t comfortable setting up and configuring virtual machines and Debian-based Linux distributions, you have some more work to do. If you’re familiar with Ubuntu, then you should be comfortable with Kali Linux.

Here are the tools I found myself using a lot as a beginner:

  • Nmap (network and vulnerability scanning)
  • Metasploit (exploitation framework)
  • OWASP ZAP/Burp Suite Free (web application testing proxies)
  • Wireshark (packet sniffer/analyzer)
  • Netcat (TCP/UDP networking utility)

You need to practice using these tools and know them inside and out. The best way to do this is to work through the documentation and man pages. For Metasploit, you can complete the Metasploit Unleashed training ( https://www.offensive-security.com/metasploit-unleashed/ ).

A good target for practice is Metasploitable (https://sourceforge.net/projects/metasploitable/ ). You will also run this in a virtual machine. If you’re more interested in web application security testing and exploitation, Damn Vulnerable Web App (http://www.dvwa.co.uk/ ) and OWASP Broken Web App (https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project ) are good targets.

After you’ve gutted these machines, go to Vulnhub (https://www.vulnhub.com/). They have many more intentionally vulnerable “boot-to-root” virtual machines that can be imported and attacked, with skill levels ranging from beginner to expert.

If you don’t already know one, you should be pretty good with at least one scripting language (Python/Perl/Ruby). It also really helps to know Bash. PowerShell is good to know too, but less useful in the beginning, as you will primarily be attacking *nix machines. Ideally, you should be able to read code and understand what it’s doing, no matter the language it is written in.
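As an added example (not code from the original post), here is the kind of small tool you end up writing once you know a scripting language and have used the tools listed above: a Python port scanner with banner grabbing, the core of what an Nmap service scan or a Netcat connect does by hand. To stay inside the “only attack machines you own” rule, the script starts its own throwaway listener on 127.0.0.1 and scans that; the banner string it serves is constructed for the example, and `start_fake_service`, `grab_banner`, `scan` and `free_port` are names chosen here, not from any tool on the page.

```python
import socket
import threading

# Constructed banner for the lab listener (not captured from a real host);
# it stands in for the kind of string an old SSH daemon on a practice VM returns.
FAKE_BANNER = b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a TCP listener on 127.0.0.1 that greets every client with `banner`.

    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)  # wake up periodically to check the stop flag
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def grab_banner(host, port, timeout=1.0):
    """Connect to host:port and read whatever the service says first.

    Returns (is_open, banner_bytes). A refused connection or a timeout on
    connect means closed/filtered; an open port that stays silent returns b"".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open, but the service waits for the client to talk first
            return True, data
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False, b""


def scan(host, ports, timeout=1.0):
    """Return {port: banner_text} for every port in `ports` that accepts a connection."""
    results = {}
    for p in ports:
        is_open, banner = grab_banner(host, p, timeout)
        if is_open:
            results[p] = banner.strip().decode("ascii", "replace")
    return results


def free_port():
    """Reserve and release a loopback port so we have a known-closed port to scan."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_fake_service()
    # Scan the lab listener plus one port we know is closed; only the first shows up.
    print(scan("127.0.0.1", [port, free_port()]))
    stop.set()
```

Once this works against the local listener, the natural next step is to point it at a Metasploitable VM on your own host-only network and compare the output with `nmap -sV`, which does the same thing far more carefully (retries, UDP, service fingerprints).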

Some resources to augment your learning can be found here. You don’t need to buy all the books, but maybe pick a few that interest you, and go through them.

After you’ve done all of this, you’ll want to set your sights on the OSCP (Offensive Security Certified Professional) certification (https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/ ). It can be a little expensive if you’re paying for it yourself, but it is worth every penny. I’d say you’re probably ready after about 5-10 VMs from Vulnhub.

Some websites to follow for security news (my personal favorites):

The following are not focused on security, but are still good resources for technology news

A few suggestions I got when I was job hunting:

  • Put any code you’ve written for school or personal projects on GitHub, and put a link in your resume
  • Write about your current projects on a blog (like this one!). This helps show that you 1) know the tools 2) know the industry and 3) can communicate your knowledge with other people
  • Attend security/hacker meetups in your area (BSides, 2600, DEFCON meetups, OWASP/ISSA chapters, etc)

Some closing suggestions/thoughts of my own

  • Get a Twitter account, and follow all the big names in information security
  • NEVER attack a machine you don’t own. This is what’s called a “career-limiting move”. Eventually, you’ll be given permission to attack machines owned by somebody else. For now, just stick to machines on your own network that you personally own.
  • Don’t get into this field if you aren’t passionate about security. It’s not a 9-5 job.