The Penetration Testing Guide I Wish I Had

11 March 2020 - Written by Graham Helton

I am writing this guide because it is something that I wish I would have read when I first started pursuing a job in penetration testing. While I mainly focus on steps you should take to become a penetration tester, most of the concepts are general enough such that you can apply them to any field of cyber security. There are other ways of getting into the field and some people may agree or disagree about one step or another but this is how I would do it if I had to start over. Enjoy.

Decide if security is right for you


Are you in it for the money?

There are lots of people who want to get into the cyber security field because it sounds sexy to be a hacker. While it is true that being a hacker sounds appealing, you should make sure that you are actually interested in cyber security before starting your journey. One way you can determine this is to analyze your motivations for getting into the field. Is it because you love computers and you like thinking outside the box? There are many traits that will help you in this field, and the more research you do the more you will have a gut feeling as to whether this field is right for you. It is hard, frustrating, and competitive, but it can be financially and personally rewarding if you’re willing to stick to it.

Do you like learning?

This field (especially pentesting) requires a lifelong commitment to learning. You will need to spend a significant amount of time each week not only reading industry news, but also learning new tools, techniques, exploits, frameworks, languages, and tactics. If you want a quick job that you show up to for 8 hours a day and then completely disconnect, this might not be the field for you. It also takes a commitment to learning new ideas even when you think you’re already knowledgeable enough to be successful.

You need to have the right mindset

Do not get frustrated

One of the most important skills for a penetration tester is the ability to not get frustrated when things go awry. You need to be able to learn new techniques and constantly have the mental fortitude to apply those techniques to new environments. Each environment you work on is going to be totally unique and may require learning totally new skills to move about the network. This can be frustrating, as most of the time (especially when starting out) you will run into issues where a technique you used in one network simply does not work in another. It is important for a pentester to be able to adapt to the network they are in and overcome these challenges without getting frustrated.

It is going to take a while

It is going to take a long time to learn how to be a good pentester, and even when your skills are there, you will probably still not feel like you’re where you want to be. There are endless skills you can learn in this field and no one can be a master of them all. Imposter syndrome is so often talked about in this field because it is impossible for one person to know everything about each portion of cyber security. It takes years and years to build up the skills needed to become competent in just one of the domains that cyber security requires you to know, and it can be hard to stay focused on the end goal. It should be noted that while it takes a lifelong commitment to the field, once you begin to have a good fundamental understanding of the basics it gets addictive.

Always be learning

It is important that you are able to motivate yourself to do the required prerequisite learning to get into the field. Learning how to use one tool or technique is not enough. You can be a master at using Metasploit, but what happens when that doesn’t work? What happens when you are an expert at one technique to exploit a machine but the network you are in is protected from that specific technique? You are always going to be learning new skills and techniques as well as the old ones. The biggest trait you need is to be self-motivated to go out there and learn what you don’t know.

Do everything the hard way

One of the best pieces of advice I ever got when it comes to pentesting is to do things the hard way when you are learning. That way, when you actually need to put your skills to the test, you will have a much deeper understanding of how what you’re learning applies to your current situation. It is much better to learn the hard way when you’re studying than to have to learn it the hard way in the field. For example, instead of installing everything using apt-get, compile tools yourself and deal with the errors; learn how to use vim before nano; run Linux as your main operating system and when things break, learn how to fix them. All of these things accomplish two goals:

  • They help you better understand the technology at a low level.

  • They help put you in the mindset of figuring out why things do and do not work.

The Fundamentals

Learn the basics of security

It is tempting to start your pentesting career by jumping into Metasploit and running tools you don’t know anything about, but running nmap on everything you come across is not a good way to learn if you don’t even know what a port is (speaking from experience here...). The best way to learn something new is unfortunately usually the most boring way. In this case it’s learning the mundane stuff such as:

  • What is identity and access management?

  • What is risk?

  • What is cryptography?

  • What are hashes? How do they work?

  • What is the difference between a virus, a worm, and a trojan?

  • What is an IPS/IDS?

You want to pour yourself a strong foundation for your cyber security career to stand on. Without a strong foundation you will find yourself in a position where you are trying to learn a complicated topic but your lack of foundational knowledge prevents you from building your skills any further.

Learn Linux

If you are new to the field you may have heard of Linux. It is an operating system that is free for anyone to use and is typically open source, which means anyone can look at the code. This makes it much more secure, as everyone can see if there is a vulnerability. This is why Linux is used for a lot of servers and by a lot of security professionals. As a pentester you will use Kali Linux a lot (or Parrot OS), and learning how the Linux command line works is one of the most important skills you need to learn. How to learn Linux is not really in the scope of this article, but there are lots of free resources out there that will teach you (I have some linked at the bottom of this article). Linux is one of the most important tools in a pentester’s arsenal because it gives you so much freedom to run security tools that are typically only made for Linux (although some tools do exist on Windows). Learning how Linux works at a very low level will give you a huge leg up in the security world.

Learn Networking

Learning what a network is, how packets get from one host to another, and how to read a network diagram is crucial. Without learning networking you severely limit yourself, as nearly every part of penetration testing is somehow tied to networking. You need a good understanding of the TCP/IP and OSI models and how each layer interacts with the others, as well as some of the basics such as:

  • What is a subnet?

  • What is the difference between running an nmap scan on 10.10.10.0/24 vs 10.10.10.0/32?

  • What is the difference between a router and a switch?

  • What is a LAN? What is a VLAN?

Of course you will be able to Google something if you forget but this is really information you just need to know off the top of your head.
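The /24 versus /32 question above is really a question about how a subnet mask selects addresses. The following is an added worked example, not code from the original article, that does the mask arithmetic by hand (deliberately avoiding Python's ipaddress module so the bit operations are visible). The addresses it is run against are constructed for illustration and come from the article's own question.

```python
"""Worked CIDR example: what a /24 versus a /32 actually selects.

Added illustration, not part of the original article. It does the mask
arithmetic by hand so the bit operations behind a CIDR prefix are visible.
"""


def parse_ipv4(addr: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_cidr(cidr: str) -> dict:
    """Return network, broadcast, mask and host counts for an IPv4 CIDR block."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range in {cidr!r}")
    addr = parse_ipv4(addr_text)

    # The mask has `prefix` leading one-bits; the remaining bits are host bits.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask                      # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set

    total = 1 << (32 - prefix)                 # 2 ** (number of host bits)
    # /31 (RFC 3021) and /32 have no separate network/broadcast addresses,
    # so every address in them is usable; larger blocks lose two.
    usable = total - 2 if prefix <= 30 else total

    return {
        "network": format_ipv4(network),
        "broadcast": format_ipv4(broadcast),
        "mask": format_ipv4(mask),
        "total_addresses": total,
        "usable_hosts": usable,
    }


def in_block(ip: str, cidr: str) -> bool:
    """True if `ip` falls inside the CIDR block (same network after masking)."""
    addr_text, prefix_text = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix_text))) & 0xFFFFFFFF
    return (parse_ipv4(ip) & mask) == (parse_ipv4(addr_text) & mask)


if __name__ == "__main__":
    # Constructed sample blocks taken from the article's question.
    for block in ("10.10.10.0/24", "10.10.10.0/32", "10.10.10.37/24"):
        print(block, describe_cidr(block))
    print("10.10.10.200 in 10.10.10.0/24:", in_block("10.10.10.200", "10.10.10.0/24"))
    print("10.10.11.1 in 10.10.10.0/24:", in_block("10.10.11.1", "10.10.10.0/24"))
```

Running it shows the difference the article is pointing at: a scan of 10.10.10.0/24 covers 256 addresses (254 usable hosts, 10.10.10.1 through 10.10.10.254), while 10.10.10.0/32 is exactly one address. The third sample, 10.10.10.37/24, shows that the host bits of whatever address you type are masked off, so it describes the same /24 block as 10.10.10.0/24.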

Learn scripting

A lot of people think that you need to be an expert developer to stand a chance in this field. That is not true at all. What you really need to know about coding is how to read other people’s code. Unless you decide to specialize in exploit development you will typically just be using other people’s exploits that you find online; there is an extraordinarily low chance you will need to exploit something and cannot find an exploit that someone else has already written for it. That being said, you do need to understand how to modify other people’s code to make it work for your situation, and often this is as simple as changing some IPs in the code. So you should at the very least learn the basics of Python and Bash, as well as some PowerShell once you are comfortable with scripting. Not so much so that you will be able to write your own exploits, but so that you will be comfortable editing other people’s code and automating various tasks. There are lots of great resources online for learning these different scripting languages. My recommendation would be to learn Python, then Bash, then PowerShell.

Learn how the cloud works

The cloud is quickly becoming a technology that everyone should know how to use, especially in cyber security. Saying you need to learn how to use the cloud is a lot like saying you need to learn how to use the internet: it’s very broad. However, you do need to know some of the basics of how the cloud works. What is the difference between AWS and Azure? What is virtual networking? Why do cloud providers change the layout every week? You don’t need to be a master of these concepts, but you should spend some time playing around in AWS and Azure to figure out how they work.

Immerse yourself in security

It is well known that the best way to learn a foreign language is to move to a country that speaks the language and immerse yourself in that culture. The same is true for cyber security. From the outside looking in the world of cyber security can seem daunting, scary, and insane. It is. The only way for you to truly learn about this wild world is to throw yourself in head first. How do you do that?

  • Follow people on infosec Twitter

    • Follow a bunch of people (it doesn't really matter who) and just see what they’re talking about. Ask questions, and be involved.

  • Start networking

    • Start following people on LinkedIn and see what they talk about and post about on there. Does every pentester you see on LinkedIn follow a company like FireEye? Then maybe look into that company.

  • Start subscribing to pertinent people in the community

    • I will add a list in the resources portion of this article of some of the people I follow.

  • Join security groups

    • It seems like everyone has their own security Discord or club. Look for these and check out what people are talking about.

  • Go to conferences

    • Security conferences are fun and you can meet a lot of interesting people at them.

  • Give back to the community

    • One of the biggest parts of cyber security is giving back to the community. Learn something interesting? Tell the world about it; there is no shame in reinventing the wheel when it comes to giving people information. Even if someone has covered the same topic, you might help someone who didn’t understand it before by adding your own spin to it (Psss... that is what I’m doing right now with this article).

Immersing yourself in the community will provide you with a much better sense of how things work: what news is important and what is just clickbait headlines. Don’t just be looking to get into a cyber role, be looking to become a part of the community.

Do projects

Home labs

One of the terms you will hear over and over again in any “How to get into cyber security” article or video is “BUILD A HOME LAB!1!!11!!!”. What this means is that you should be building networks and systems at home (using virtual machines or physical hardware) to test stuff. This can be as simple as creating two virtual machines and getting them to communicate with each other, or as advanced as creating a whole Active Directory forest to simulate a real network and pentesting it. The sky is the limit when it comes to the amount of labs you can create. Speaking of the sky... you can also get lots of free credits for cloud services such as Azure and AWS when you sign up. This is amazing. Play with Azure and AWS and do projects in them and you will learn so much.

TryHackMe & HackTheBox

TryHackMe and HackTheBox are both great platforms that allow you to put your hacking skills to the test. TryHackMe is much more beginner friendly, with step-by-step instructions on how to do each lab, and really emphasizes learning the material. HackTheBox is also a gamified version of pentesting but is less focused on teaching you than on testing your skills. On both sites you connect to their machines and try to exploit them. If you are just getting into the field I would not touch HackTheBox, as it can be hard to figure out what to do since there is not a lot of hand holding. When you do these, make sure you are doing so in a way that helps you learn. There is no point in doing a HackTheBox machine if you just look up the solution without even trying. You don’t learn unless you struggle a little. Taking notes and doing write-ups is a great way to ensure you have a way to remember what you learned.

Put your projects on GitHub

When you get to the point where you are working on coding projects, put them on GitHub and put them on your resume! It does not matter that they are simple; as long as you keep working on your skills you will be able to make better and better projects. It looks great to employers that you are putting your stuff on GitHub, and if you really want to you can go back and revamp some of your old projects.

Make a road map for where you are and where you want to be

One very important step is to have a road map. I have an actual road map written out so whenever I get discouraged or lost I can look at it and see exactly where I am and where I want to be. Your road map will change as you learn more, but that’s OK. It is better to have a road map that changes than to be stuck and not know where to go. When I learn of a new topic that interests me I like to jot it down in Notion. I have a list of all the tools and techniques I want to learn. Chances are I will not get to some of them, but it is helpful to have a curated list that you have created for your goals.

What not to do

Get stuck in the loop of asking people for help instead of learning

Asking for help is great and everyone should do it, but if you don’t put in the work, you won’t learn anything. Sometimes people get into the rut of over-researching topics and end up making no progress towards actually learning them. I have had this happen to me and I have seen it happen to many others. It does not matter what the best book to learn something is or what course is going to provide the most return on investment; what does matter is that you actually take the time to learn the material. If you buy a book on how to script in PowerShell, read it. Don’t get a few chapters in and think to yourself “I wonder if there is a more efficient way to learn this, let me stop with this book and try a video course instead”. It may sound like simple advice, but you will absolutely catch yourself doing this at some point, so try to avoid it when it happens to you.

Get cocky

One of the most annoying things about this field is that there can be lots of gatekeepers and people telling you that you’re not good enough because you don’t have X certification or you don’t have Y years of experience. Don’t listen to these people; if you ask a good question and someone responds with “Try harder” (100% guarantee someone will tell you this) then you should probably just ask someone else. Try not to be one of these people, we don’t need any more in this field.

Next steps

If you finished this, congrats, you now know some steps you can take toward getting into this field. Where do you start? Well, that is really up to you. You will find that a lot of advice you get about cyber security needs to be applied to your own situation depending on factors in your life. These steps are not meant to be finished in a month; they are meant to be followed over years and added onto or removed as you gain knowledge of what exactly you want your career to look like.

Resources

Basics of security

Linux

Networking

Python

Bash

Powershell

People to follow in the community

Get in contact with me

www.grahamhelton.com

linkedin.com/grahamhelton

https://twitter.com/GrahamHelton3