Cracking the Code: How to Become a Pentester
We had the pleasure to attend a fantastic talk at Hacker Halted, presented by Phillip Wylie, Lead Curriculum Developer at Point3 Federal. Phillip is also an Ethical Hacking & Web Application Pentesting Adjunct Instructor with 23 years of experience in IT and InfoSec, and more than 8 years in pentesting. Here are some key insights from Phillip’s discussion, diving into steps you can take to become a pentester.
Pentesting is a very popular area of cyber security, with lots of technical resources widely available on the subject. But understanding how to initially start a pentesting career is less clear. Phillip aims to fill that gap by sharing his experience to help others enter the field. If you’re interested in a pentesting career, you likely have an understanding of what it entails, but let’s start by covering the basics.
What’s Pentesting / Penetration Testing
Phillip shares it’s, “Assessing security from an adversarial perspective, attempting to exploit vulnerabilities to gain unauthorized access to systems and sensitive data (aka hacking).” Pentesting is synonymous with ethical hacking, offensive security, and adversarial security.
While regulatory compliance brought about a need for pentesting, it’s become a fun job with a lot of opportunities. Roles that entail penetration testing span Security Consultants, Analysts, and Engineers. Pentesters can also sometimes work in threat and vulnerability management teams. But pentesting skills are also helpful in other areas too.
For example, if you’re a SOC Analyst or Network Security Analyst, being able to determine malicious traffic makes you better at your job. Or if you understand attacks better, it helps your investigations in Digital Forensics and Incident Response roles too. “The more you understand the enemy, the better defender you’ll be,” says Phillip.
Key Knowledge Areas
With all these exciting career opportunities waiting, how do you actually become a pentester? Let’s take a look at three knowledge areas that are necessary to acquire on your journey to a penetration testing career.
1. TECHNOLOGY KNOWLEDGE
First, you’re going to need technological knowledge in these areas:
- Operating Systems (especially Windows and Linux)
Phillip adds that you want to have a Sysadmin level knowledge of both Windows and Linux operating systems, because most of your internet-facing stuff is going to be Linux and your enterprise stuff is going to be Windows. For instance, if you understand the command line of Windows or Linux, you’re going to go a lot further and quicker on your pentests.
2. HACKING KNOWLEDGE
You also need hacking knowledge—as you might easily assume since pentesting is also known as ethical hacking. On Phillip’s journey to pentesting, he had experience with vulnerability scanners and security experience, but he didn’t know how to hack. So he worked on his OSCP certification for about a year to pick up some hacking skills.
Phillip suggests taking classes and going to conferences, meetings, and meetups. Self-study is another effective way to gain hacking experience. Take the initiative to create a home lab, watch videos, and study tutorials. Twitter is also a great resource to find blogs and articles on the subject.
3. HACKER MINDSET
Beyond hacking knowledge, you also need the mindset. This is the ability to think like a hacker and be able to find ways to exploit vulnerabilities. Phillip further explains the Hacker Mindset is a culmination of creative and analytical thinking. While there are other areas of cyber security that require creativity, this is one area where you most definitely have to be creative, to chain together different vulnerabilities, exploit, and gain access to systems.
What’s the best way to develop this mindset? Time and repetition with hands-on hacking. Just like any other skill you develop, the more you work with it, the better you get.
Develop a Plan to Fill the Gaps
Phillip proposes the blueprint, or formula, to becoming a pentester requires:
Technology Knowledge + Security Knowledge + Hacker Mindset
To successfully follow the formula, you need to develop a plan. Start by doing a gap analysis on what you know, compared to what you need to know. Phillip shares three examples of developing a plan in this way:
1. No IT Experience – If you’re in college and wanting to go into IT or security, but you don’t have IT experience, you need to learn operating systems, hardware, and networking. Start with these basics to fill in the gaps.
2. IT Experience – If you’re already in IT, learn Linux, Windows, security, and networking. You might be a Linux Administrator, but not know Windows. You need to understand both operating systems to be a successful pentester, so learn whatever you’re not using.
3. InfoSec Experience – At this stage, continue to fill in the gaps of any basics you’re missing and start learning pentesting/hacking. If you’re a Network Security Analyst, managing systems on Linux and Windows, you have an understanding of those skills and networking, but you need to learn the hacking skills next. This can be learned through capture the flags (CTFs), bug bounties, and in your home lab.
Build Experience With a Home Lab
Phillip urges you to build a home lab, no matter what level you’re on. Whether you’re new to pentesting or highly experienced, everyone should build a lab. Phillip explains that experienced pentesters can use home labs to test proof of concept code. It’s a good idea to test an exploit you want to use in your home environment first, to test for any adverse reactions before using something in production.
Home labs are extremely beneficial from a learning perspective too. Here are three different kinds of labs to consider:
1. Minimalist Lab – This is Phillip’s favorite kind of lab, because it’s portable. You can have it on a laptop and get in some time studying even when you’re traveling. Use some kind of virtualization software like VMWare, VirtualBox, or Hypervisor, and then run an attack VM or use the host OS of that system as your attack platform.
2. Dedicated Lab – Your dedicated lab is going to be a standalone system. It’s a computer dedicated to lab purposes that has vulnerable VMs you’re going to attack and try to hack into.
3. Advanced Lab – This type of lab is going to be as close to an enterprise network as your budget can afford. You might retire a computer to use as a server or set up individual computers and Raspberry Pis. You can even build routers, switches, and firewalls.
Once you’ve set up one of these labs you’ll need an attack platform—somewhere that you can run your attack tools from. Phillip suggests considering Kali Linux, Parrot OS, Ubuntu with the Pen Tester Framework, or Windows 10 with Commando VM.
You’ll also need targets—something to hack. For this step, you can download purposely-vulnerable VMs from VulnHub.com. Phillip also recommends starting with Metasploitable 2 and 3, because there are a lot of walkthroughs showing how someone else was able to exploit those vulnerabilities. Or you can create your own VM Targets with vulnerable software from Exploit-DB.com.
Get Your Foot in the Door
How do you make yourself marketable when looking for a pentesting job? Phillip suggests certifications are important when starting out as a pentester, because they can help you get your foot in the door. He says it’s possible to get a job without them if you’re really good, but it’s going to be more difficult. For instance, consulting companies are going to want you to have them because they need to show they’re qualified.
Here’s a breakdown of applicable certifications to consider:
- CEH – EC-Council
- PenTest+ – CompTIA
- GPEN – SANS/GIAC
- OSCP – Offensive Security
- GWAPT – SANS/GIAC
- GXPN – SANS/GIAC
- OSCE – Offensive Security
Phillip says companies are going to want intermediate and advanced certifications—most jobs are looking for your Offensive Security and SANS certifications. But CEH is a good one to get started with. It’s one of the first pentesting certifications and it’s also on the list of DoD certifications. As you go after any of these certifications, Phillip urges you to really take the time to learn, so you don’t have to relearn on the job. Apply yourself so that you understand the material versus just learning how to pass a test.
The other components of landing a pentesting job, apply to any job search. First and foremost, make sure you’re networking and involved in your professional community. Phillip got his last four jobs because he knew people that worked at the company. It’s easier to get your resume in their hands if you know someone there, and a reference can get you to the top of the stack.
And finally, as you populate your resume or LinkedIn profile, Phillip reminds you to list things that you really know how to do. Questions are going to come up in your interviews, and you’re going to want to be able to explain the basics. Be prepared to know the OWASP Top 10 and 3-way TCP handshake and OSI Model.
If you combine technology knowledge, security knowledge, the hacker mindset, and get hands-on experience in your home lab, you’ll be poised to join the pentesting ranks and look forward to a very exciting career.