Becoming a Penetration Tester
Author: HollyGraceful Published: 19 October 2020
Breaking into Penetration Testing can be a daunting career move, so in this article we talk about ways you can make your first move towards a career in this industry. To be clear, this isn't a definitive guide to the industry - it's just our opinion on what has worked for our team and what we like to look for when hiring. So, when interviewing for a position as a junior penetration tester, what makes you stand out from the crowd?
Whilst it's certainly useful to know how to use common security testing tools, it's better if you can understand what's going on under the hood. It's also just as important to know how to remediate the issues found. For example, knowing which flags to use when executing Responder is good; but it's better if you can talk about the underlying protocols, such as Link-Local Multicast Name Resolution (LLMNR), and why they can lead to significant vulnerabilities.
Fundamentals also cover the broader knowledge that is useful as a tester, such as understanding networking and subnetting, or having some knowledge of software development or system administration. Different people gain this fundamental knowledge in different ways: for some, a degree in Computer Science is a good path; for others, working in an IT team, such as a helpdesk, is a good path.
We publish articles here to help our customers, but also to help those who are simply interested in the field. Whether short articles work for you or you prefer paper books, reading is a great way to widen your knowledge.
If you're looking for a place to start, try these:
- The Web Application Hacker's Handbook
- Metasploit: The Penetration Tester's Guide
- Nmap Network Scanning
- The Hacker Playbook
- Penetration Testing: An Introduction to Hacking
We mentioned it above, but understanding common tools is a benefit too. Relying on tooling alone is a bad thing, but knowing your way around your chosen toolkit is a benefit. Whether it's the Zed Attack Proxy, SQLmap, or Metasploit, tooling is a great way to automate the boring parts. If you can talk about what the tool is doing under the hood, that's even better.
Being able to apply theoretical knowledge to real-world issues is important, and therefore practice is important. People who have been in the industry for a long time will talk about how this used to be difficult - but now we have simulated network environments, vulnerable virtual machines, capture the flag events, and bug bounties. If you're looking for a practice environment, then there's the OWASP Broken Web Applications project or Metasploitable.
The ability to program isn't essential from day one of your career in Penetration Testing, but the earlier you can pick up the skill the better. Whether it's just automating steps you frequently repeat or something closer to a full application, programming is a great skill to have. If you're looking for small projects to get you started with programming, then look at the tasks you often repeat when working and see if you can put together something simple to solve the problem.
For example, can you take a list of common passwords and add common suffixes? Can you take that list and automatically fire it at a login box? What about spidering an application to find login boxes? Automation helps you work more efficiently, helps you stop spending time on the boring things, and helps you free up brain space to work on the interesting problems.
Whether you're looking at learning Bash, Python, C#, or something else, there are lots of resources out there to help you get started - like Codecademy.
Conferences and Community
Getting involved with the community is a great way to learn more about the different roles in the industry, to pick up experience, and to demonstrate your skills. Whether it's replicating and fixing bugs in open source projects, speaking at community meetups in your area, or attending conferences, it can all help. For conferences there are 44Con, BSidesLDN, leHACK, and more.
Certifications are a great way to demonstrate knowledge and skills. They're not all equal and some can be very expensive, but there are many options, such as PenTest+, GIAC GPEN, OSCP, or the CREST exams. Certifications can help in a lot of ways, such as proving you have achieved a certain skill level, giving you structure for your studying, or even just having a looming exam date to work towards.
Find your Passion
If you've made it this far down this post, you've probably realised that Information Security is a huge field, from forensics, to penetration testing, to reverse engineering and malware analysis - but you don't have to become an expert in them all. There's a huge range of roles out there depending on what you want to be working on. Find the parts that are most interesting to you. If you're like us, you'll aim to work hard on the interesting parts and automate the boring ones, and you'll find your place somewhere great.
I wish you the best of luck.