The aim of this post is not to talk about how to perform effective penetration tests, but it’s more around taking the first steps towards a career as a Penetration Tester. I want to talk about the kind of things that I look for in candidates, the kind of skills that I found useful when starting out, and as a candidate what to look at first. Information Security is a huge field and you’ve got a whole career to learn all of the details, but where should you start?
This article isn’t the law, it’s not enforced by government, it’s a few hints and tips that’ll help you out getting started and it offers a good look at my opinion at how to get started. Some things are more important than others, so I’ve placed in the title of each section some points to indicate how important I personally think each piece is in the overall context.
Fundamentals First – Tools Later (+25 points)
Personally I feel that jumping straight in to hacking specifics isn’t going to help long term and will leave you missing a lot of the associated knowledge. A solid foundation in information technology is essential – and there are a few different ways of getting that solid fundamental knowledge. You can work in a related industry like software development, network engineering, or systems administration and make a lateral movement into testing. Alternatively these days there’s the option of a degree in Information Security and even a degree in Ethical Hacking! Whilst these alone are not enough to produce an expert security tester out of the gates, a solid fundamental knowledge is essential to develop a well rounded security tester and consultant regardless of how you get started!
Read (+10 points)
I write posts of Graceful specifically to be little bit sized chunks of information useful to people who work in Information Security, it’s no accident that most of my posts are under two pages of A4 – it’s intentional. The idea being that you can come across them after a Google search or clicking on a tweet and they’ll cover that days “Today I learned” for you. However –
Books on the other hand are structured collections of writing that aim to guide you through from beginning to end. I often find that blogs, article sites, podcasts and books are useful for expanding on my fundamental knowledge all in different ways. When assessing a candidate I don’t mind how they keep learning as long as they do keep learning and striving to build on what they’ve gained so far.
As a side note I’m actually working on a series of book reviews, however whilst I work on that a few books I’d recommend to start with are: The Web Application Hacker’s Handbook, Metasploit, Nmap Network Scanning, The Hacker Playbook. Now the Web Application Hacker’s Handbook is a beast of a document which takes you through everything Web Security and stands alone as a resource for that side of PenTesting. The Metasploit and Nmap books take you under the hood of the most well known tools used for infrastructure penetration testing. The Hacker Playbook is essentially a catalogue of tool options available to testers.
Tools (+5 points)
If you are reliant only upon automated tools then you’ll quickly be branded as a Scanner Monkey, however being familiar with a tools interface is a good thing! If you know your way around Metasploit then that’s great, it’s something you don’t have to learn when you take up your first position as a tester.
Working knowledge of Metasploit, Incognito, Burp Suite, SQLmap or whatever is great. In fact tools are great and they make our lives easier, but look further into what they’re doing and understand a little more about what’s going on under the hood. For example Responder is a simple tool which which will often give an attacker a great deal more access than they should have, but a little knowledge about how it works is something that’ll stand out more in an interview than just being able to invoke the script.
Practise (+15 Points)
Of course one way to show you’ve got some skills and applied knowledge is to try your hand at exploiting a range of different systems. Historically this was difficult because of the whole not-going-to-prison thing we’re all so found of, but now with virtual machines and vulnerable application like WebGoat, Damn Vulnerable Web App, Broken Web App, and Metasploitable getting hands on with application and systems is much easier than it used to be!
When these contrived systems no longer challenge you there’s the option of bug bounties like HackerOne and BugCrowd which offer a framework in which you can legally test real world applications and your skills and gain a little public recognition whilst you’re at it which will no doubt bolster your CV when it comes to turning a hobby into a profession.
Getting hands on with real world applications is a great way to hit fire on all of the tools you’ve read so much about – of course, you’ll get even more points if you can put together your own tools!
Programming (+10 points)
Now it’s important to note that programming certainly isn’t essential from day one, but as a Penetration Tester the ability to automate repeated steps is an incredibly useful skills. We’re not talking about developing and working on Enterprise level applications here, we’re talking about the ability to take a simple task and remove the human element.
For example, can you take a list of passwords and add common suffixes to it? How about taking the resulting list and supplying it to a login box on a web application? What about spidering all of the links in a web application to find login boxes in the first place? If you can automate these tasks you can work more efficiently and free up your brain to concentrate on the things that tools can’t do.
If you’ve got all of the time in the world I’d recommend learning Python, Bash and C. Presumably you don’t have all of the time in the world, so a fast and solid way to get started is to check out https://www.codecademy.com/. Once you’ve been coding a little consider getting involved in community projects!
Community Spirit (+10 points)
Working on open source community projects, or opening up tools that you’ve developed is a good way to show off your programming skills, to show that you can work well with others and to demonstrate your skills. The open source community can be a little scary though, so another option is to open up a couple of your dirty scripts, tools and hacks.
It doesn’t matter if your code isn’t perfect, it might help someone solve a similar problem to what you faced. Alternatively it might just show a potential employer that you followed a problem right through from identification to solution. To be able to talk about skills in an interview is great, but to be able to demonstrate them whilst also helping out the wider community is better!
Conferences (+5 points)
Speaking about the wider community, why not meet them? Attending conferences like 44Con, BSidesLDN, Nuit Du Hack (there’s an awful lot of options!) – whatever location works for you – means that you can not only see some great research being presented, but you can meet other members of the industry and network! Plus a lot of these conferences have “lightening talks” or specific tracks for Rookie speakers to get on stage and have a go at presenting about a topic that catches your attention! It’s another way to put yourself out there and show off what you’ve learned!
Exams (+5 to 15 Points)
Another way of showing off what you’ve learned is to pass an exam or two. Now not all exams are the same, some are longer, some are more expensive, and some are more respected than others. There are a lot of options out there such as Security+, GIAC GPEN, the OSCP, and CREST exams.
I think the best advice, instead of relying on the opinion of a single PenTester like me, is to take a look at the job openings out there at the moment and look for the exams that companies that you want to work for list as desirable! Whatever exam you settle for it’ll give you a great structure for learning more about the wider community and looming exam dates are one way to get the drive to revise and procrastinate a little less.
Find Your Passion (+15 Points)
Ultimately however you’ll want to find the area that gives you drive. You wouldn’t have made it this far down this post if you weren’t pretty darn interested in information security. However as you panic read exam guides, browse through blog posts and fall asleep just trying to listen to one more podcast before bed you’ll no doubt realise that InfoSec is a huge and whatever it is that steals your heart be it web applications, infrastructure assessments, wireless hacking, forensics, malicious software analysis, reverse engineering, exploit development, or something else, grab hold of that passion and let it drag you down into the depths of what I feel is one of the most interesting, most wide reaching and most challenging industries there is.
Now you don’t have to be an expert in each section, yes they’re not all essential, but hopefully by skimming the list above you’ll see a few ideas about how to come across as a stronger candidate when it comes to your first interview to become a penetration tester. If you’re heading towards a career in this field. I wish you the best of luck.