The other day I posted on Twitter that my DMs were open to anyone who needed advice in their Cyber Security journey. Turns out there are a lot of you looking for advice. After receiving 200+ DMs I noticed that the majority of them are asking similar questions. As a result, I figured it’d be best to write a blog post to answer these questions since it’ll take me forever to answer everyone individually, and this way I can provide high-quality answers to all.
So without further ado, let’s get into it.
Before we get started with progressions, I want to stress that when it comes to learning security, it’s extremely important to understand how the things you’re trying to hack work. Just learning a list of vulnerabilities and how to test for them may work for you for a while, but when thrust into real-life situations not understanding how things work can really hinder your efforts.
To this end, I highly recommend learning about the technology you want to hack, then learning about some ways to attack it, and doing some practical labs where possible. If you encounter a security issue that you do not understand, go back and try to learn how the parts of the technology that create the vulnerability (or its impact) work.
This methodology for learning is well illustrated in the PentesterLab Bootcamp syllabus, which is linked below.
Furthermore, I’d like to stress that there is no such thing as the wrong information (within reason). Pretty much anything related to technology you learn will help you in some way when it comes to penetration testing. This is especially true when it comes to tackling practical labs. When you first start out, you may struggle a lot; it may take you hours to solve your first HackTheBox machine, or even the subsequent ones. However, this is not a bad thing. I’ve probably learned the majority of what I know from researching things which turned out to be the wrong solution for the challenge at hand. Most of the time, though, the knowledge I gained as a result was applicable later on, and it helps you build a better understanding of the technologies out there. So if you’re struggling, remember that no knowledge is gained in vain.
Finally, I personally believe that one of the most valuable skills for a penetration tester is the ability to efficiently find solutions to problems you encounter. While you may have followed syllabuses, done online courses, etc., there will always come a time when you are faced with technologies you haven’t encountered before, or have to employ tools and techniques previously unknown to you. Obviously, this gets easier with practice, and is also made easier by amassing good background knowledge of, or at least awareness of, common technologies.
For example, by reading about technology and its security concerns when searching for the solution to a CTF, you may not remember everything you read, but you will obtain awareness regarding what technologies exist, what they can be used for, and how they can be abused. Furthermore, learning to code will help massively when it comes to trying to debug things that aren’t working. The debugging process you will develop when learning to code transfers well to other areas of technology where you can fix problems that you may face when exploiting issues, or using tools.
Overall, general computing experience is extremely transferable to security, and developing the skills required to self-teach is extremely valuable down the line, even if the journey may be more painful when you don’t have the answers laid out in front of you. This is what I believe to be the reasoning behind the controversial “Try Harder” slogan used in Offensive Security’s courses. If ever you find yourself completely stuck when trying to complete practical labs, it is ok to ask for help, but ensure you have spent at least a few hours “trying harder”, as this is often where the most growth occurs, and you hone your skills for finding solutions to problems independently.
I want to stress that what I’m saying here is by no means the best way to get into security, and I recommend you review the following articles as well, which have covered this topic in more depth:
So, you’re a complete beginner, basically never touched a computer before, or have some preliminary computing knowledge but not a massive amount. Well, this section will provide a path for you to follow to skill up.
First things first, I’d recommend learning to code in at least one language. Personally I started learning C when I was in high school, but then pivoted to Python where I had much more success. In terms of learning programming, I highly recommend starting with this course from WiBit.net which covers core programming concepts without worrying about syntax and all more specific language details:
Once you’ve got the basics of a language down, you might find it more interesting to continue learning programming through the lens of offensive security as opposed to writing random programs. To this end, I recommend the books “Black Hat Python” and “Black Hat Go” from No Starch Press.
Personally, while I started out learning Python and C, I now prefer Golang by far. Its syntax is very simple which makes it easy to learn, and its language features (concurrency, static binaries, cross-platform) make it very well suited to writing security tools. Pick whichever language you like first, as once you can code in one language it’s super easy to learn another.
Python is probably your safest bet, as you have fewer things to worry about and you’ll get cool stuff working faster.
The main resource which I’d recommend for your first steps in cybersecurity is the PentesterLabs Bootcamp. It follows the formula I mentioned before of learning about a technology, then learning to hack it. It covers introductory Linux usage, basic scripting and web development, spinning up servers and hosting websites, core networking concepts, some cryptography, etc.
Nice one, you’ve finished the PentesterLabs Bootcamp, you can make a basic web app, know how to use Linux to a decent degree, and understand some of the core technologies which underpin the internet. Now we can move on to some more in-depth knowledge.
I’m going to split this up into two categories based on what you’re most interested in. I’d recommend you take the time to learn a bit of both where possible, but it’s definitely okay to spend more time on the one you find most interesting for now. I’m only covering the two fields I’m most familiar with; if you are interested in other areas of security, I’m sure you can find decent resources online.
Before we get into these individual categories I’d like to highlight just how important hands-on practical experience is. While you may be able to read the books mentioned in this section within a reasonable amount of time, it is also critical that you take the time to apply it. Pentesting is a very practical skill, just like programming, or construction. This is why good offensive security courses contain large volumes of practical labs to help you hone your skills and methodologies. For example, the OSCP labs have 60 machines that really drill in the theoretical aspects taught in the course. Fortunately, there are free (or very cheap) resources available that provide similar quantities of labs.
The more you practice against vulnerable systems and apps, the more you’ll learn by researching things that never turned out to be the solution, and the more you’ll hone those ever-important skills of finding solutions to problems independently I discussed earlier.
Web Application Security
My primary recommendations here are the Web Application Hacker’s Handbook and PortSwigger’s Web Security Academy. As it stands now, the Web Security Academy is a very high-quality resource and has great practical labs, but it is missing some areas covered by the Web Application Hacker’s Handbook.
Conversely, the Web Application Hacker’s Handbook hasn’t been revised in a while and, as a result, is missing some great information contained in the Web Security Academy. So it’s important to take a look at both. I’d start with the Web Security Academy, and then read the Web Application Hacker’s Handbook, potentially skipping areas you feel comfortable with.
If you’re looking for more practical labs, I’d recommend PentesterLab and OWASP Juice Shop. Additionally, you should start joining some CTFs online (which can be found here). Depending on the CTF, they may be very hard, and you might not get any flags. But that’s totally fine: if you try your hand at some challenges and then read the write-ups published by those who completed them after the CTF, you will learn.
The book Web Hacking 101 is also worth your time if you’re looking for a more concise overview of vulnerabilities, along with real-world examples from bug bounty write-ups.
There are a lot of exceptionally high-quality resources out there these days for infrastructure security. While Web Application security is about vulnerabilities contained in Web Applications (no shit), infrastructure security tends to cover assets in their entirety (network services, web apps, network security, (mis)configurations, privilege escalation, etc). There is often overlap between these two fields of security.
Regarding books for this section, I’d recommend looking at The Hacker Playbook Vol 2, as well as HackerFantastic’s new book, Hands on Hacking. I’ve not finished the latter yet, but it seems very good so far.
When it comes to labs, you have two main options. These are TryHackMe and HackTheBox. TryHackMe is generally easier and more beginner-friendly, with labs providing a more guided learning experience, whereas HackTheBox typically does not provide any hints regarding where to start.
If you pay for a HackTheBox subscription, you will get access to a large number of retired boxes for which users are authorized to publish tutorials. If you’re struggling to get started, you should follow along with some write-ups or IppSec videos. However, I would try to wean yourself off these resources once you have a general idea of what is required: having solutions on hand really robs you of the knowledge gained through researching things which are not required to complete the challenge at hand, and of the experience of finding solutions to problems through research. This is just my opinion though; others may disagree. You may find this resource, and this resource useful in your journey.
Obviously, if you are looking for demonstrations of specific vulnerabilities, it is ok to review these resources, however, I would stay away from them when attempting to hone your skills and methodologies.
Finally, it is important that you complete challenges on both Windows and Linux boxes. Do not shy away from areas you are weak on, it is good to struggle. Additionally, due to the prevalence of insecure Active Directory configurations within organizations, it is highly recommended you complete as many Active Directory focussed HackTheBox machines as you can. Once you have got the hang of HackTheBox, I’d highly recommend their “Pro Lab” Offshore, which covers Active Directory security in depth.
To graduate from this stage, I’d say you should be able to achieve “Hacker” to “Pro Hacker” rank on HackTheBox. Of course, you should also consider how comfortable you feel with your abilities, as this will vary from person to person.
So you’ve made it this far, congratulations, you’re now considering applying for your first pen-testing job. It is worthwhile to note that (in the UK anyway), most pen-testing roles will expect you to have a reasonable knowledge of both Web Application security and Infrastructure/Network security.
If you’ve been studying a computer science degree, or a cyber security degree, that’s great, you can probably bash together a CV and start applying, and hopefully you’ll have learned enough from your course and the materials listed in this blog to pass an interview and land your first pen-testing gig. Of course, some places do graduate schemes which involve training periods which may allow you to join with slightly less background knowledge.
If you’ve not attended University for a computing course, your situation will be a little different, but certainly viable. If you’ve followed the steps in this guide, you should have a HackTheBox profile with a decent rank that can attest to your skills. In some instances, this may be enough to land you an interview, however, it is probably worthwhile pursuing OSCP. If you’ve done a bunch of HackTheBox, then you should manage OSCP within 30-60 days depending on how much free time you have. For more info on preparing for OSCP, see the section towards the bottom of this article.
If you’re getting interviews but struggling to land a position, consider which questions you are struggling with, and review those.
The post by Daniel Miessler linked towards the beginning of this post has some much more comprehensive information on landing your first role.
Advice for X
Lots of the DMs I received on Twitter were saying “I’m X, how can I get into security?” This section aims to provide some more tailored advice for these common scenarios.
You’re in high school, so you’ve got lots of time to learn stuff before you’re looking to start working (assuming you’re going to university). Follow this guide all the way through, and feel free to pursue whatever else takes your interest in the meantime.
Computing Science Students
You can likely skip the beginner section of this blog, however it’s probably still worth reviewing the PentesterLab Bootcamp to ensure you’ve not got any knowledge gaps there. Once you’ve done that, you’re at the stage where you can start applying your knowledge. Start reading at least one of the books listed in the intermediate section and jump into labs. If you put decent time into doing HackTheBox and the PortSwigger Web Security Academy, you’ll be well on your way. This is important even for those studying Cyber Security at University, as these courses often fall short of the amount of practical experience required to really get a feel for what you’re doing.
If possible, try to obtain an internship as a pen-tester during your time at University, as this can provide valuable connections within the industry.
As you tend to have long(ish) breaks in between semesters, this is a good time to do OSCP as you can dedicate lots of time to it within the shorter lab periods. You can probably get a job with just a degree and no OSCP, but it never hurts. I did my OSCP in the winter break of my final year at University and started working part-time at OnSecurity before I graduated.
This is a bit more tricky, as you’ll be balancing studies in two potentially very different fields. However, don’t let that discourage you; it just might take you a bit longer to get to where you want to be. I’d still recommend following the path laid out within this guide.
Follow the progression in this post ;)
This assumes you dabble in offensive security, but you’re not a professional yet. I’d recommend solidifying your skills on HackTheBox, and PortSwigger Web Academy and then applying for pen-testing roles. Consider doing OSCP if possible as it certainly helps.
Aspiring Bug Hunters
If you’re starting from zero here, follow this post until you’ve finished the intermediate section on Web Application Security. Then, there are a few more resources, targeted more towards bug bounties, that you may find useful. Obviously, bug bounties are not limited to only Web Application Security, but as this is the area I’m most familiar with, these resources will mostly focus on that:
- Bug Hunter’s Methodology
- So you want to be a web security researcher
- PortSwigger Research
- Bugcrowd LevelUp talks
- Hakluke’s YouTube channel
- Bug hunting with vim
There are probably more great resources here that I’ve missed, but these should be enough to get you started.
Looking for career change
Start working on the progression listed within this post. It may take some dedication, since you may have less free time to work on hacking, but you can do it if you keep trying.
Got OSCP and/or a degree, still job hunting
Ensure you’ve got your fundamentals nailed, consider what areas you’re weak on in interviews, and review those. Additionally, it may help you to start a blog and publish some write-ups of CTF challenges you’ve solved, newly retired HTB machines, or things you’ve been learning and working on. Attend conferences and get involved with the community.
This section will give a brief overview of common certs for offensive security as I’ve had numerous questions about these.
In my opinion, OSCP is one of the only certs worth getting for pen-testing if you’re the one paying for the cert. It has a decent (and recently updated) syllabus, good course materials, and the labs are huge. It’s great value for money overall. As it’s a widely recognized cert, it is very helpful for landing your first role, as it serves as an industry-standard benchmark (at least in the UK anyway). It’s a bit expensive, but certainly worth it if you can get the cash together.
If you want to ensure you are decently prepared for OSCP so you can opt for the 30-day version of the labs, I’d recommend taking a look at this list of OSCP-like HackTheBox machines and reviewing TJ Null’s guide to OSCP prep.
CREST certs are typically obtained once you work in the industry. They are rather prevalent in the UK, so you will likely have to do one once you get your first job. The syllabus for them is rather broad, so they can be annoying to prepare for. HackerFantastic’s new book, which was mentioned in the intermediate section of this guide, has sections that will be very beneficial for those looking to undertake these exams; give it a read.
If you have OSCP, then you can get CRT equivalency automatically, however, you will still need to do the CPSA multi-choice exam.
I’d advise against spending money obtaining CEH, save it for OSCP. There is almost no value in having this cert for people looking to land a pen-testing job unless you have literally nothing else. This is exactly why you should save your money and do OSCP, as getting CEH just means you need to spend more money before you end up with a decent cert.
Well, you’ve reached the end of this post, but this is only the beginning of your story. The only thing left to do now is start, so what are you waiting for? Get out there and go for it.