Often during my discussions with college, high school and university students and at times folks who want to switch their career path from development, networking, I’ve been always asked for advice of starting career in Penetration Testing specifically and Information Security commonly. The Information Security is a vast domain which further relies on sub-classes that includes Governance Risk and Compliance, Security Operations, Security in Software Development & last but not the least Awareness. These domains are further divided into categories. The only reason to highlight is Penetration Testing covers and resides under Security and Risk Management and has an important role in building an organization’s security Posture. The following article will only focus and cover the basic requirements for Pentester. While alot has been said about Information Security, Lets dive deep on how to start career as Pentester.
1. Decided to Start. How?
While the decision has been taken by an individual to pursue career as Pentester, one must understand what pentesting is. The definition as per stated in NIST cyber Security Framework (SP 800–53 Rev. 4) Under Penetration Testing:
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.( source : https://csrc.nist.gov/glossary/term/penetration-testing)
So, in order to asses and defeat the security features build in Information System, one must understand how these controls perform or the process through which the security controls have been implemented to work together. The whole testing criteria focuses three main criteria :
Information System while considering security are always built on these fundamentals. As a Pentester, your job will be to ensure the critical data handled by the system is secured and visible to only required audience, the data cannot be modified without data owner’s prior knowledge and that data is always available when required. For experienced individuals coming from Networking and Software Development background, they might understand the importance of Restricted or Admin access, Customer/private access and Public access.
Therefore, in order to test the application or network, one must understand how communication is established and what other ways can be explored to break into it knowing the communication standards and the technology behind it. Although it’s not requirement to learn and have full knowledge of programming (For non-experienced individuals), it can help you in your later course of action during pentesting as well as reviewing source code and understanding business logic behind it.
For example, during your Pentest engagement, you discover the web server uses HTTP Basic Authentication for directory listing. Having this specific knowledge in your mind, you might need to perform a brute-force attack in order to crack the password or if the HTTP communication is plain-text, you’ll try to sniff the credentials if present on-site. But again, that totally depends on how the pentest Scope of Work was decided. So, having both options on the table and the significance of outcome, you can decide which one can be approached and can create a great impact. Following scripting languages can really be helpful in your pentest career ahead :
While we have discussed earlier the importance of programming, we cannot neglect the fact that network plays an integral part of Information Systems and it’s development. Ideally following skills can be very helpful for pursuing career :
- Network Protocols, Knowledge of Networking. OSI Layer-model can be very helpful in understanding network.
- How TCP works and what differentiates TCP from UDP, Routing, DHCP, DNS etc. Without this, you won’t further understand how MITM and ARP spoofing works. While learning networking, I used to map network communication (Starting from Simple Ping towards browsing a web server having SSL/TLS enabled) over OSI layer model and try to understand.
- Operating System. OS plays an important role during pentest engagements too. What privileges do you have, How can you abuse rights assigned to a specific file, folder or process and can escalate your privileges from normal user to admin, If you found RDP credentials of a box, how can you utilize them. Tunneling your traffic. How can you look for linux users credentials, how can you extract them and crack them?.
- How firewall works, what are the ways you can bypass a firewall restriction. How can you abuse Access Control Lists.
2. Done with learning, What’s next?
I’ve often seen people asking on how they can demonstrate the knowledge they’ve attained into real world scenarios. Well, here comes the part where you can actually get your hands dirty in CTFs (Capture the Flag). CTF are machines vulnerable by design. In order to utilize the skills, you can practically demonstrate it in Labs. Some valuable resources for CTF are :
- Hack The Box.
- CTF Challanges arranged by your local InfoSec Community (BSide, DEFCON, etc.).
You might face difficulties while exploring these machines and it’s okay to go through walkthroughs and learn the methodologies on how you can enumerate services, discover what else is happening over the network, find weak links, exploiting them and getting system rights (root/nt authority).
3. Not satisfied, Hungry for More?
There are labs available free for the community which can be utilized for learning perspective. Some of the websites provide premium boxes that are based on real-world scenarios and are good source of learning. Some of the notable websites are :
- Hack The Box
- Pentester Lab (https://pentesterlab.com/)
- Pentest Academy (https://www.pentesteracademy.com/)
4. Know Pentesting, How to verify?
Now when you’ve skills and required knowledge, You may can proceed for certifications. On personal note, certifications will not actually guarantee job however these credentials can help you get to the interview table. Some of the certifications are theoretical based. Others are practical and require you to engage in an isolated lab environment, demonstrate your skills, capture required flags and write a detailed report in order to validate your engagement. Some of the suggested certifications are :
- Offensive Security (OSCP).
- eLearn Security.
There are alot of resources available online which can help in learning pentest. For example, Cybrary is a useful platform that can be utilized to learn pentesting and various ways that are performed in pentesting. Even the resources available on Cybrary can also help you learn basics about networking and programming too. There are tons of free resources available on the internet that are very helpful. I will always suggest to make it your habit and ask yourself what new you’ve learned today. Bug bounty reports can be very beneficial to understand different attacking techniques and I’ll suggest to read them too.
With that, I’d like to wish everyone luck ahead in getting into Information Security as Pentester. Would appreciate your questions/feedback for the detailed write-up or if somebody requires help in any specific domain.