Over the past few months we have been speaking to people who want to join our team and become a Penetration Tester. These include computer science graduates, experienced application developers and systems administrators, as well as candidates from other disciplines.
Many of these people ask similar questions.
How do I become a Penetration Tester?
Should I sit certain exams such as CEH?
What practical tasks are best to prepare for penetration testing?
We have answered these questions so many times that we have created a short piece with some points to think about…
First up… really think about what a Penetration Tester does.
For us, being a tester means being presented with a variety of networks and applications and being asked to find weaknesses.
We are given target information such as IP addresses, web applications and APIs. From this we start to understand what technologies are being used.
At this early stage of testing, an array of tools can help us understand the landscape more quickly. However, once we have this knowledge, things get a little more interesting. Now we rely on the knowledge and manual testing skillset of the tester.
We explore the different application and operating-system layers of the test environment, manually crafting tests based on what is found.
This is very different from an automated vulnerability scan. It relies on the tester to follow the dynamic paths that open up as the test is being performed.
How do I get these skills?
There is no set badge or qualification. The people that excel are those who really have a curiosity for technology. They can visualise the application and network architecture. They are problem solvers and really find it difficult to walk away from unanswered questions. In this business, tenacity is a virtue.
People who have previously been responsible for building networks and applications often perform well as they use development skills, but in reverse. They can second-guess how an application is working, then deconstruct it and understand where weaknesses might exist.
Of course, practice makes perfect. The more tests that a person performs, the more efficient and effective they become.
So… where to start to be a Penetration Tester?
We look for personal drive and deep involvement in technology and security.
Does the candidate have a custom home network? What is their involvement with the on-line cyber security community? Do they have a practical accreditation to support their knowledge – such as OSCP?
Be wary of theory-only training. This should always be regarded as background knowledge. Remember that penetration testing is very much hands-on. It is not about relying on scripts and automated tools. It is about being able to explore technology to find weaknesses.
Does he or she have related testing experience? Great starting points are events such as ‘capture the flag’ and ‘hackathons’. These are fantastic taster sessions that follow penetration testing disciplines in a controlled environment.
Vulnhub is a great resource for aspiring pen testers. It provides access to a variety of vulnerable virtual machines which can be downloaded and tested.
Hack The Box is an on-line pen testing lab and community. It has free and paid-for options and a ranking system to chart your progress.
Understanding the Linux command line, or Bash prompt, is vital. Many tools run on Linux, making this a rich source of scripting languages, shells and applications for penetration tests.
Windows PowerShell brings extensive scripting capabilities to the Windows platform. As such, it is useful to know both from a personal perspective and as a tool for exploitation in the Windows world.
Kali Linux is a pen-test-specific distribution that comes with many tools pre-loaded. We recommend that you take the time to learn from all of the sources we list and not rely solely on the easy-to-use GUI aspect of Kali. The stuff under the covers is where the real fun starts!
If you want to be a Penetration Tester, please visit our recruitment page here: https://www.ambersail.com/penetration_testing_jobs/
Useful background information here: