How to Become a Professional Hacker & Penetration Tester? Part 3

Denniss

Well-known member
Nov 11, 2018
3. Learn Offensive Security

At this point you should be level 2 or 3 in whatever security job you chose. You know all the security lingo, you can program, you can develop security policies and perform risk analysis, etc. You are comfortable and an above-average user on any operating system. You should also have at least two to four certifications. So let's get into the nitty gritty of popping shells. Once you start really digging into security testing you will understand why you had to learn so much other information first. Imagine attempting a reverse shell from a friend's computer to your local host, and nothing happens. You don't understand: the software worked in your personal lab, so what's wrong? That is where networking knowledge comes in. Maybe the program does not have the correct permissions, maybe an AV is blocking it; there are many possibilities, and if you lacked the above knowledge you would be stuck, probably writing a post on HF asking for help. But because you followed this tutorial and studied hard for the last few years, you can easily troubleshoot the problem. Now it is time to learn about the art of hacking.

How to Prepare (in no particular order):

* Highly recommended: read "The Web Application Hacker's Handbook". Know it inside and out.
* Pick up a book on the basics of hacking. The material will be very outdated, but it will give you solid foundational knowledge.
* Use YouTube and other sources to learn about getting shells: PHP shells, reverse shells, bind shells, etc.
* Learn about enumerating a host, port scanning, and manual and automated methods of searching for security vulnerabilities.
* Learn how to exploit well-known vulnerabilities, such as MS08-067 and MS17-010.
* Learn the basics of privilege escalation methods, both manual and automated.
* Learn how to enumerate hosts in a network: capturing packets in Wireshark, doing broadcast scans with nmap, using NetBIOS and SMB to enumerate hosts, etc.
* Learn how to research vulnerabilities.
* Be able to modify scripts to fit your needs, and be able to troubleshoot older exploits so they work with more modern libraries.

Truly there is a lot that I didn't cover. This section is more about organic learning than a strict regimen. You will bounce from topic to topic. As you learn more about one subject you will find something you don't understand, and you will study that as well. For a more controlled learning environment I would suggest some online courses. They are expensive, but they will provide a more comprehensive and structured form of learning. The PWK is good for those who are already advanced in the core hacking subjects, while eLearnSecurity is very good for those who need a bit more hand-holding to learn the same (and more) skills that the PWK teaches. Your goal now is to get the OSCP, but you can get something like the PPTP first to help prepare you for the PWK.

4. Practice Practice Practice.

Now it's time to put all that information into practical application. Time to practice your skill set. There are a couple of methods to practice legally.

1. Build your own lab.
2. Use an online lab.

In this day and age there is no reason not to use online labs, except if you want to become familiar with how to set up a virtual lab. There are many free labs online, including "hackthebox.eu" and "hackthissite.com" as well as others. Then there are paid labs which are very beneficial, such as "pentesterlabs.com". You can also look into Vulnhub.com to find pre-made insecure VM images to practice on. The point is, you should be actively practicing security testing in lab environments; this is the best way to learn.

Steps 3 and 4 will take you at least one year, especially if you are working full time. Once you have a couple of advanced certs like the OSCP, it is time to move on.


Time to Become a Penetration Tester


If you followed the steps I provided, then going from a complete noob (knew nothing about security, networking, etc.) to penetration tester will take around 5 to 7 years. This time will obviously be shorter if you are already in the IT field, have gone to college for computer science or a related field, etc. So if you start at the age of 16 you can probably get a penetration tester job by 23 or so, not bad. I started much later in life and it took me about 6 years from starting college to getting hired as a penetration tester. By now you will be very well versed in infosec and related technologies. Your resume will be great: multiple certs, multiple jobs showing a clear climb in expertise and a desire to improve yourself. You will be more qualified than most people who are applying to penetration tester jobs. If you apply to enough places, you will 100% get a job.

I recommend applying to places that are entry-level friendly, because even with the jobs you have held and the expertise you have built in labs, that is not practical penetration testing experience. You will start as a level 1 (or whatever they call it) for at least the first year. But once you have one year of real experience you are golden. If after two years you are not making $100k, look for a new job, because you are worth it.


Conclusion

I never expected the post to be so long; it was some task summarizing a road map to becoming a penetration tester. For all of you that stuck with it and read the entire post, my hat's off to you, and I believe you have what it takes to succeed. Researching will be long and arduous; you will be baffled, confused, and read material so dry that every distraction would be welcome. But that is what it means to be a professional and not just a hobbyist.

Please leave questions below and I will be happy to answer them. As always, when you feel like it's too hard, Try Harder.