Introduction
So you want to be a white hat hacker? Get paid six figures to break into computers,networks,web applications, and be completely legal? Do you want get paid to take security courses, attend conferences, expand your knowledge and work with some of the best minds in Information Security? Then becoming a penetration tester is what you want. This article will cover the knowledge and experience needed to become a penetration tester.
A bit about me, without doxing myself. I have a Master's degree in Information Systems and Security. I have multiple security related certs including OSCP, PPTP, CEH, and CHFI. I am a professional penetration tester, I work for a company that provides everything from basic vulnerability assessments and compliance review, to Red Team engagements. My day to day includes going from basic network access to full Domain Admin. We test web applications, internal and external network testing, APIs, wireless technology, and physical break in methods. While I am certainly not an expert on all those fields I do have at least above average knowledge on each of them.
I will attempt to provide the knowledge you will need to attain at least an entry level position as a penetration tester. The information I will provide below will not teach you how to be a super hacker, black hat malware writer, or how to run a RAT. Instead I will provide a road-map of goals that should assist you in becoming a professional penetration tester. Being a professional is not for everyone, do you have what it takes?
First Steps Down a Lengthy Road
A pentester must know a lot about a lot, while specializing will be a goal after you are hired, you must be a general expert in many fields of study. It can be very daunting for a budding infosec student or hobbyist to look at everything a pentester should know. A lot I.T people will fantasize about being a pentester, but most of them won't even start the process because it seems very difficult and time consuming. And they are correct. If you don't absolutely love security testing, talking about security subjects, learning new techniques, and having to spend hours (if not days) to figure out a problem, then this is not for you.
Still here? Alright lets dig into what subjects make up the core knowledge an entry level pentester should be very well versed in.
1. Networking
One of the most essential skills for a penetration tester to learn is how computers talk to each other. Learn the ins and outs of TCP/IP, 3-way handshakes, protocols and packet inspection. Get to the point where you can go to a white board and map out a network communication using the OSI module and write in depth how it all works. Don't just know each level of the OSI module, fully understand each level, know every protocol associated with each level. This is crucial because analyzing traffic through packet dumps you will need to analyze every wrapper, every address, etc. An expert will be able to read and manipulate network traffic on the packet level, once you have that sort of understanding you are solid.
How to prepare:
* Study Network+, CCNA Security, read TCP/IP Illustrated Part 1.
* Practice with Wireshark, inspect traffic, understand how packets are created and transmitted.
* Study HTTP, know it inside and out. "HTTP The Definitive Guide" is a great resource.
* Use Burpsuite (more on this later) to proxy and inspect web traffic.
2. Understanding the Internet
In the networking section I mentioned HTTP and Burpsuite, so lets discuss that next. Most people think they understand the internet, they are wrong. Can you write out a full HTTP request and response? Do you know every HTTP verb? Do you know the difference between HTTP 1.0 and HTTP 1.1 and HTTP 2.0 or HTTP 0.9 without having to research it? Do you know most of the HTTP response codes, not just general information but specific codes. Do you know how a CDE works? Ok lets assume the answer to most of that is no because most people don't actually study how the internet works. When you are performing web application testing, code review, and API review, you will need to know how it all works.
How to prepare:
* Read "HTTP The Definitive Guide"
* Read "The Tangled Web"
* Be familiar with RFC 2616 and other related RFCs.
* Practice inspecting web-traffic with both Wireshark and Burpsuite.
3. Operating Systems
As a pentester you will have to test all operating systems. You don't get to choose only Windows environments running only Windows 7 and below. You will run into many different types of environments, running Linux and Macs as well and Windows. You should be comfortable with all types of operating systems and how to enumerate information, use of command line (CMD, Powershell, Bash), and how to download/install and execute programs. Looks simple but that is a lot of knowledge. If you got access to Windows Server 2012, could you change roles, add a new admin, push updates etc? If you got on a Ubuntu Box as a webuser, can you enumerate to find insecure files or permissions? Of course you don't need to memorize everything, Google is your friend, but you should have a general knowledge of how to do everything and use Google as a backup for the fine details.
How to prepare:
* Create a VM of at least one Linux distro and one Windows Server. A Mac VM would be handy, but it is similar enough to Unix that knowing Linux commands will at least help. With those VM's or using them as hosts, attain admin level knowledge of their functionality. There are many web courses, books, and websites that will provide you with great knowledge.
I Have the Core Knowledge, Now What?
Congratulations, if you attained all the core knowledge listed above, you are no longer a noob. That is a lot of knowledge to have about technology and with it you can probably get a decent entry level tech job. Now it is time, if you haven't already, to get a job. Most pentesters come from varying backgrounds such as Network Admin, I.T Helpdesk, Security Analyst, Web Development, Programmers, and more. The point is, get a job in technology, doesn't need to be security related immediately though that is a bonus. At this point you should also look at getting a few certs, Network+ and CCNA would be great for getting into a networking job. MCSA is good for geting into a System Admin role. If you mastered the core knowledge then you should have no issues getting a few of the entry level certs.
You may be asking, why wasn't programming listed as core knowledge. There is a good argument that it should be but I think programming should be part of the next step. Mastering everything in the first section will take at least a year or two depending on how fast you can learn, your current background in technology, etc. Adding programming on top of that immediately will take up even more time, and if you don't have a reason to learn coding yet then you are likely to forget a lot.
Ok so now you have a job in I.T, it pays shit but it looks good on the resume. Every job you have from now on will be a stepping stone. Don't expect to remain at any one job for more then two years because the way to the top is a ladder and getting complacent will get you stuck on a lower rung. Of course if you do find that you really enjoy being a Network Admin, System Admin, Security Analyst and don't feel like pursuing Penetration Testing, that is perfectly fine. Those jobs are great and will provide you with a good future.
Now though, for those who want to keep climbing the ladder, we start to dig deep into security.
How to Become a Hacker?
1. Learn Defensive Security
Probably one of the most asked questions on HF is how to become a hacker. Well to start off if you mastered those core topics you are well on your way. Now we can apply security to each of those core topics. I find it best to learn Blue Team (Defensive Security) before jumping into Red Team (Offensive Security). Because while studying defensive security first you will also learn about offensive security. And any pentester should know what kind of defenses may be in place to prevent a reverse shell, code execution, logging, standard AV behavior and more. Also going down this route can lead to a security analyst position which is a great lead into penetration testing. Of course you can skip this step if you want, learn the advance subjects listed later, and you probably can still get into penetration testing. This is only my recommendation.
How to Prepare:
* Study: Security+ and CISSP (don't have to get cert but at least study).
* Understand common defense techniques such as how Anti-Virus works, how Web Application Firewalls work, how Firewalls/IDS/IPS work and where they are installed in networks.
* Create your own lab setup, play with setting up Splunk and other free security tools.
* Study compliance such as HIPPA, PCI DSS, and FedRAMP. Study standards such as ISO 9000 and NIST.
At this point you should be able to design, at least on paper, a fully secured network and understand each type of security device you put in place for the layered security. You also should be able to write a Security Policy and understand different security controls based on the compliance or security standard any company may want to utilize.
If you are not a Security Analyst or on an I.T Security team at this point, start applying. You now have the knowledge to get at least a level 1 security position.
ICQ745 661 753
So you want to be a white hat hacker? Get paid six figures to break into computers,networks,web applications, and be completely legal? Do you want get paid to take security courses, attend conferences, expand your knowledge and work with some of the best minds in Information Security? Then becoming a penetration tester is what you want. This article will cover the knowledge and experience needed to become a penetration tester.
A bit about me, without doxing myself. I have a Master's degree in Information Systems and Security. I have multiple security related certs including OSCP, PPTP, CEH, and CHFI. I am a professional penetration tester, I work for a company that provides everything from basic vulnerability assessments and compliance review, to Red Team engagements. My day to day includes going from basic network access to full Domain Admin. We test web applications, internal and external network testing, APIs, wireless technology, and physical break in methods. While I am certainly not an expert on all those fields I do have at least above average knowledge on each of them.
I will attempt to provide the knowledge you will need to attain at least an entry level position as a penetration tester. The information I will provide below will not teach you how to be a super hacker, black hat malware writer, or how to run a RAT. Instead I will provide a road-map of goals that should assist you in becoming a professional penetration tester. Being a professional is not for everyone, do you have what it takes?
First Steps Down a Lengthy Road
A pentester must know a lot about a lot, while specializing will be a goal after you are hired, you must be a general expert in many fields of study. It can be very daunting for a budding infosec student or hobbyist to look at everything a pentester should know. A lot I.T people will fantasize about being a pentester, but most of them won't even start the process because it seems very difficult and time consuming. And they are correct. If you don't absolutely love security testing, talking about security subjects, learning new techniques, and having to spend hours (if not days) to figure out a problem, then this is not for you.
Still here? Alright lets dig into what subjects make up the core knowledge an entry level pentester should be very well versed in.
1. Networking
One of the most essential skills for a penetration tester to learn is how computers talk to each other. Learn the ins and outs of TCP/IP, 3-way handshakes, protocols and packet inspection. Get to the point where you can go to a white board and map out a network communication using the OSI module and write in depth how it all works. Don't just know each level of the OSI module, fully understand each level, know every protocol associated with each level. This is crucial because analyzing traffic through packet dumps you will need to analyze every wrapper, every address, etc. An expert will be able to read and manipulate network traffic on the packet level, once you have that sort of understanding you are solid.
How to prepare:
* Study Network+, CCNA Security, read TCP/IP Illustrated Part 1.
* Practice with Wireshark, inspect traffic, understand how packets are created and transmitted.
* Study HTTP, know it inside and out. "HTTP The Definitive Guide" is a great resource.
* Use Burpsuite (more on this later) to proxy and inspect web traffic.
2. Understanding the Internet
In the networking section I mentioned HTTP and Burpsuite, so lets discuss that next. Most people think they understand the internet, they are wrong. Can you write out a full HTTP request and response? Do you know every HTTP verb? Do you know the difference between HTTP 1.0 and HTTP 1.1 and HTTP 2.0 or HTTP 0.9 without having to research it? Do you know most of the HTTP response codes, not just general information but specific codes. Do you know how a CDE works? Ok lets assume the answer to most of that is no because most people don't actually study how the internet works. When you are performing web application testing, code review, and API review, you will need to know how it all works.
How to prepare:
* Read "HTTP The Definitive Guide"
* Read "The Tangled Web"
* Be familiar with RFC 2616 and other related RFCs.
* Practice inspecting web-traffic with both Wireshark and Burpsuite.
3. Operating Systems
As a pentester you will have to test all operating systems. You don't get to choose only Windows environments running only Windows 7 and below. You will run into many different types of environments, running Linux and Macs as well and Windows. You should be comfortable with all types of operating systems and how to enumerate information, use of command line (CMD, Powershell, Bash), and how to download/install and execute programs. Looks simple but that is a lot of knowledge. If you got access to Windows Server 2012, could you change roles, add a new admin, push updates etc? If you got on a Ubuntu Box as a webuser, can you enumerate to find insecure files or permissions? Of course you don't need to memorize everything, Google is your friend, but you should have a general knowledge of how to do everything and use Google as a backup for the fine details.
How to prepare:
* Create a VM of at least one Linux distro and one Windows Server. A Mac VM would be handy, but it is similar enough to Unix that knowing Linux commands will at least help. With those VM's or using them as hosts, attain admin level knowledge of their functionality. There are many web courses, books, and websites that will provide you with great knowledge.
I Have the Core Knowledge, Now What?
Congratulations, if you attained all the core knowledge listed above, you are no longer a noob. That is a lot of knowledge to have about technology and with it you can probably get a decent entry level tech job. Now it is time, if you haven't already, to get a job. Most pentesters come from varying backgrounds such as Network Admin, I.T Helpdesk, Security Analyst, Web Development, Programmers, and more. The point is, get a job in technology, doesn't need to be security related immediately though that is a bonus. At this point you should also look at getting a few certs, Network+ and CCNA would be great for getting into a networking job. MCSA is good for geting into a System Admin role. If you mastered the core knowledge then you should have no issues getting a few of the entry level certs.
You may be asking, why wasn't programming listed as core knowledge. There is a good argument that it should be but I think programming should be part of the next step. Mastering everything in the first section will take at least a year or two depending on how fast you can learn, your current background in technology, etc. Adding programming on top of that immediately will take up even more time, and if you don't have a reason to learn coding yet then you are likely to forget a lot.
Ok so now you have a job in I.T, it pays shit but it looks good on the resume. Every job you have from now on will be a stepping stone. Don't expect to remain at any one job for more then two years because the way to the top is a ladder and getting complacent will get you stuck on a lower rung. Of course if you do find that you really enjoy being a Network Admin, System Admin, Security Analyst and don't feel like pursuing Penetration Testing, that is perfectly fine. Those jobs are great and will provide you with a good future.
Now though, for those who want to keep climbing the ladder, we start to dig deep into security.
How to Become a Hacker?
1. Learn Defensive Security
Probably one of the most asked questions on HF is how to become a hacker. Well to start off if you mastered those core topics you are well on your way. Now we can apply security to each of those core topics. I find it best to learn Blue Team (Defensive Security) before jumping into Red Team (Offensive Security). Because while studying defensive security first you will also learn about offensive security. And any pentester should know what kind of defenses may be in place to prevent a reverse shell, code execution, logging, standard AV behavior and more. Also going down this route can lead to a security analyst position which is a great lead into penetration testing. Of course you can skip this step if you want, learn the advance subjects listed later, and you probably can still get into penetration testing. This is only my recommendation.
How to Prepare:
* Study: Security+ and CISSP (don't have to get cert but at least study).
* Understand common defense techniques such as how Anti-Virus works, how Web Application Firewalls work, how Firewalls/IDS/IPS work and where they are installed in networks.
* Create your own lab setup, play with setting up Splunk and other free security tools.
* Study compliance such as HIPPA, PCI DSS, and FedRAMP. Study standards such as ISO 9000 and NIST.
At this point you should be able to design, at least on paper, a fully secured network and understand each type of security device you put in place for the layered security. You also should be able to write a Security Policy and understand different security controls based on the compliance or security standard any company may want to utilize.
If you are not a Security Analyst or on an I.T Security team at this point, start applying. You now have the knowledge to get at least a level 1 security position.
ICQ745 661 753