My Thoughts on Getting Started with Penetration Testing
What Is This?
This quick blog post is designed for someone interested in getting into penetration testing by someone who has made the jump. These are just my opinions from my experience, so results may vary. My advice would be to read other blogs like this one and combine what you learn with your own situation and determine the best course of action. I’ll also point out that I do network penetration tests and not red teaming or code testing.
Training
Having a college degree is a good start, especially if you want to go the government route, but most companies are looking for certifications these days. There’s a ton of great guides and charts out there on certs (this one for example), but I’ll throw in my two cents since you’re here. For starting out, I highly recommend the Security+ as a basic level cert. This isn’t necessarily a penetration testing certificate, but it proves you know the basics about security.
The jump from there is up to you. I got my CEH and I still see it on a lot of job postings, but if I could go back, I’d choose something else. It’s a really poorly written certificate that’s very overpriced. I also have my GPEN, and found it to be well structured but very overpriced. I do see job postings for both of these, so I can’t say to stay away from them, but if possible, try to get work to pay for these.
I don’t have personal experience with the eJPT but from what I’ve seen on it, it would be a great stepping stone after the Security+. I also haven’t taken the Pentesting+, but if it’s as good as the Security+, that would definitely be worth looking into, and again, it wouldn’t be such a big jump to something like the OSCP.
As for the OSCP, it would obviously be a great one for penetration testing, but I’ve worked for 2.5 years as a penetration tester and still don’t have mine, so it’s definitely not a requirement to get started.
I also recommend doing some capture the flag type events (I always liked the ones at my local B-Sides event, but whatever you can find is good!) and/or using a service like Hack the Box or Try Hack Me. Some of those allow you to use their VM, which is handy if you have a very old laptop or you’re on a tablet, but as you get going, I highly recommend spinning up your own Kali or Parrot box and learning how to connect to the VPN.
There are a ton of bundles out there, most of them with a “deal” every month or so, but I personally haven’t found a ton of value in that. Instead, I’d recommend watching videos (like from IppSec) and reading study guides for the certificates you’re interested in. As you go, your experience will start filling in the gaps.
Experience
What type of experience do you need to be a penetration tester? Honestly, that greatly depends on what type of testing you want to do.
In short: Do you want to test code? If so, I’d recommend getting as much coding experience as possible. Do you want to do network penetration testing? Then I recommend getting as much experience as you can with networking. Do you want to do cloud testing? Get some cloud experience.
How you get that experience depends on your situation. I’d highly recommend getting a job working with what you’re interested in. I’ll use networking as an example, since that’s a field I’m more familiar with than coding. I got a job as a junior network engineer and worked my way from there over to being a network security engineer. I had the good fortune to be able to work on many different networks for customers over that time and got to see what a good network looks like and what a bad network looks like. I learned about VLANs, next-generation firewalls, and IPS. I also learned about many of the shortcomings of networks, like how many features on firewalls may be turned off to increase bandwidth or the rampant re-use of passwords. All of these can be used to your advantage during a test.
Regardless of what you plan to pen test, I highly recommend getting familiar with a Unix-based system, even if it’s just Kali. It can be daunting at first, but the more you use the command line, the more you’ll get familiar with it, and that is mainly what you’ll find yourself working out of.
I’m not one to gatekeep, but I believe that you do need at least some industry experience before you start penetration testing, even if it’s just a couple of years. During those years you’ll be learning all about the strengths and weaknesses while also giving yourself an opportunity to accumulate those certificates.
Hardware
I’ve seen people ask about what they need to get started in terms of hardware. Early on, you don’t need more than your phone can handle. Reading, watching videos, and attending events is a great start. As you go on, it is good to get some experience with VMs. You can spin these up in the cloud or on whatever computer you have available. Cloud costs can run away from you, so if you’re not familiar there, I’d stick with a local VM to start.
If you want to set up just a simple Kali VM, you won’t need very many resources. Honestly, even a single core with 2GB of RAM would be sufficient, but you may eventually want to bump it up to a few cores.
You won’t need to set up a full lab at the start, but as you get going, it’s important to set up at least a few VMs that you can attack. This has the bonus of helping you learn how the technology is configured and what the default settings are too, which can all be important to look for on actual penetration tests. Once you have a Kali VM and Windows workstation VM, if you go the route of attacking Active Directory, you’ll want to learn how to build out a domain controller, which is going to take a bit more juice. Depending on what version of Windows Server you go with, you’ll need to give it at least a few cores and 4GB of RAM - if not more - otherwise it’ll take an eternity to do anything and you’ll spend most of your learning time sitting and waiting.
Some people have asked me about video cards. I wouldn’t worry at all about getting a beefy GPU at the start. You only need those for password cracking and that’s not a skill you need to work on, so instead, I would aim for CPU and RAM.
So starting out, you don’t need a ton of hardware, but as you go along, you’ll want to start increasing those specs a little bit. It doesn’t have to be expensive or super fast; I have a server from 2010 running my lab and it’s doing just fine for super cheap.
Summary
Getting into penetration testing can be very difficult. I feel that there are a ton of introductory courses out there that more or less cover the basics, but from there it seems like you’re on your own until you’re reading for a higher level certificate like the OSCP. I would recommend going from those introduction courses into hands-on experience through labs and/or CTF events, and finding what interests you, then learning more about those types of exploits. Set up vulnerable machines in your lab and then test out those latest exploits to learn what that process is like.
Overall, don’t rush it. It can be very tempting to try to cram in as much knowledge as you can and jump straight in, but I’m very glad I spent a few years developing my skills before I started penetration testing.
I hope this short guide was helpful for you. As always, if you have questions or feel I should add something I missed (it’s a big topic!) feel free to reach out to me on Twitter and Discord!