Getting Started With Hacking - From Beginner to Junior Pentester
Why Make This?
Lots of people have asked me lately on LinkedIn how to get started with hacking. It’s an interesting field with a lot of variety, making it very attractive for people who like to learn and enjoy a constant challenge (also the money is a plus). When starting out, it is extremely daunting. There are so many courses and books, different people give different advice, and it is all confusing. I wanted to make this post to give my opinion on how you can go from zero experience to getting a junior job in cybersecurity.
At the bottom of this post I have put links for all the resources mentioned here.
My Story
I won’t go into too much depth here, but I want to give you an idea of where I was and how I moved into cyber security.
Being a pentester is the first job I got out of University. At University I got my degree in Forensic Science, which was mostly chemistry, and then got my Masters in Forensic Chemistry. This involved nothing to do with hacking and did not contribute to my job. During my time at Uni, I spent many evenings and weekends suffering in hacking labs at home. I did various courses online and I even got my CEH qualification (which I regret very much, I do not recommend it at all! Way better to spend your money on other courses mentioned later in the post). I also set up a blog to detail things I exploited, walkthroughs for challenges etc. It was all basic but useful. I spent a lot of time watching talks from DefCon and other conferences to learn more about the world of hacking and I spent a lot of time playing around with Vulnerable Virtual Machines on my own laptop. I also followed lots and lots of walkthroughs and had a VIP HackTheBox membership so I could do retired machines with walkthroughs which helped a lot!
All the time spent was frustrating and confusing, but I remained curious and persistent, and after uni I managed to get a job as a junior Security Consultant and it was a set career from then onwards! I didn’t know how to code, I had no formal training, I had no previous experience, I had no-one coaching me, I had no CVEs at the time etc. I hope this lets you know that it is possible, despite what some people (including pentesters) may say!
Myth Busting
There are lots of common myths within cyber security. The common ones I see are:
- You need to have studied computer science or something related at Uni.
- You need to be able to code.
- You need to have lots of years of experience before going offensive.
- You need to have developer experience or blue team experience.
I had none of these things when I started my career as a pentester, so I know you do not need these. These are all things that people say but at the end of the day you just need the skills to do the job and an understanding of the fundamentals.
Starting Point
Getting a job in cyber security will take a lot of effort and frustration. I will detail several helpful resources below, but ultimately you need to put the time in above all else. There will be lots of times where you don’t understand something and that is ok; accept it for now, and as you do more, your understanding will gradually take shape.
The best place to start is to get familiar with the common toolset that you will see everyone using in walkthroughs. For hacking this is Kali Linux. It’s not strictly necessary, but knowing Kali will make it much easier to follow guides, which you will be doing for some time. Kali is essentially an Operating System (OS) that comes with all the tools you need.
To install Kali you will need virtualisation software. I recommend VirtualBox to start with as it is free and works really well (on Macs it may be a bit slow, but at this point it’s not worth paying for licences just yet). So download and install VirtualBox, then install Kali Linux as a virtual machine inside it. There are several guides online on how to do this.
Now that Kali is installed, you need to learn the basics of using a Linux OS. To do this I recommend playing the Bandit wargame here: https://overthewire.org/wargames/bandit/
This wargame will teach you various Linux utilities and tricks. Follow a walkthrough like the one below for all the levels: https://jhalon.github.io/over-the-wire-bandit1/
I highly recommend keeping your own private GitBook (gitbook.com) to store notes of all the commands you learn and a little sentence about what they do. This will be invaluable later on as you will need to come back and reference things that you have forgotten.
The Fun Stuff
So now you should have the toolkit and you should know the basics of navigating it. Now we can move on to some more interesting stuff.
Hacking can be broken down into some large fields such as Infrastructure (hacking machines), Web Application (hacking websites), Mobile (hacking mobile apps and systems), Cloud (hacking cloud systems and networks) etc. When starting out it’s best not to spread yourself too thin. For most junior pentesting positions, they will be looking for basic Infrastructure and Web Application skills, although as Cloud is becoming so relevant, they will probably soon want the basics of that as well.
You can do these really in any order that interests you, but I think it is best to do both Web Applications and Infrastructure at the same time. This way you can mix things up when things get a bit dry or you want a new challenge.
Web Basics
There are so many places to learn web security now that it is hard to pick out the great ones. Of all the ones I have tried, this is what I feel is the best combo.
Start with Burp Academy here: https://portswigger.net/web-security
Burp is the number 1 tool for assessing web applications and you will become very familiar with it as a pentester. The Academy is completely free and has amazing guides and labs for all the types of vulnerabilities you will likely find. Some of these are harder to grasp than others (such as HTTP smuggling), but all of them are exceptionally useful and things you will encounter in the real world! Take the time to work through all of the labs here.
If you get stuck, either try to find a walkthrough or go back to the learning section on the Academy. I would also recommend picking up a copy of this book: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
This is essentially the bible of Web security. If you get stuck on a Burp lab, read the relevant chapter in the book and you will have a much better idea of how to tackle the problem. You could also look at walkthroughs for other labs that have the same vulnerability to see how other people handled it.
After you have cleared Burp Academy, you will be in a solid position. I would then move on to OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
This is a real challenge and takes you from beginner level to some pretty advanced attacks. The huge bonus of Juice Shop is that it functions like a modern application that you would be attacking as a pentester, something that very few of these training sites manage.
There is a detailed guide on OWASP Juice Shop made by the creator which has hints and solutions and descriptions of various challenges. I would also recommend finding walkthroughs online if they exist.
If you complete both Juice Shop and Burp Academy, you are golden for Application Security in my opinion as a beginner. You will have a good range of knowledge and experience with finding and exploiting a good range of vulnerabilities.
Again keep good notes in your GitBook!! This is all invaluable knowledge that you get from challenges and you will forget it!
If you are aching for more web challenges then check out the web challenges on https://www.hackthissite.org, https://www.enigmagroup.org and the web applications available on the Metasploitable 2 Virtual Machine.
Another valuable resource is HackerOne’s training environment, https://www.hacker101.com. This is meant to get you from zero to finding real world example bugs in applications and is a great way to see real world vulnerabilities and how they manifest in modern applications.
Infrastructure Basics
When learning Infrastructure hacking, it can be hard to find good resources. Essentially the easiest and cheapest way is to download Vulnerable Virtual Machines (VMs) and hack them on your own computer.
You should know the basics as you have already installed Kali Linux. Downloading vulnerable VMs is similar; most will just be a case of downloading and booting. Note: when doing this you should put your Kali and the target machine either on their own network, or both on Bridged Mode (in the networking settings of whatever virtualisation software you are using).
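One way to do the "own network" option in VirtualBox, as an added example that is not part of the original post: an internal network has no path to the host or the internet, so a deliberately vulnerable target like Metasploitable 2 is only reachable from the Kali VM, whereas Bridged Mode puts it on your physical LAN where anyone on that network can reach it. The VM names (`kali`, `metasploitable2`), the network name `pentestlab` and the 10.10.10.0/24 range are hypothetical; the `VBoxManage` syntax is the VirtualBox 6 form, and the `showvminfo` output used by the check is a constructed sample, not captured from a real VM.

```shell
#!/bin/sh
# Added example: put a Kali VM and a deliberately vulnerable target VM on an
# isolated VirtualBox internal network, then check a VM's NIC config from the
# key="value" output of `VBoxManage showvminfo --machinereadable <vm>`.
# VM names and the network name are hypothetical; override via the environment.

KALI_VM="${KALI_VM:-kali}"
TARGET_VM="${TARGET_VM:-metasploitable2}"
LAB_NET="${LAB_NET:-pentestlab}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the VBoxManage commands, 0 = execute them

# Run a command, or just echo it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Attach a VM's first NIC to the named internal network. Unlike bridged mode,
# an internal network is not connected to the host or the physical LAN.
isolate_vm() {
  run VBoxManage modifyvm "$1" --nic1 intnet --intnet1 "$2"
}

# Internal networks have no DHCP by default; enable VirtualBox's built-in DHCP
# server on the lab network so both VMs get an address in 10.10.10.0/24
# (VirtualBox 6 `dhcpserver add --netname` syntax, assumed here).
add_lab_dhcp() {
  run VBoxManage dhcpserver add --netname "$1" --ip 10.10.10.1 \
    --netmask 255.255.255.0 --lowerip 10.10.10.10 --upperip 10.10.10.50 --enable
}

build_lab() {
  add_lab_dhcp "$LAB_NET"
  isolate_vm "$KALI_VM" "$LAB_NET"
  isolate_vm "$TARGET_VM" "$LAB_NET"
}

# Return 0 if nic1 is on the expected internal network. $1 is the text of
# `VBoxManage showvminfo --machinereadable <vm>`, $2 is the network name.
check_isolated() {
  printf '%s\n' "$1" | grep -qx 'nic1="intnet"' || return 1
  printf '%s\n' "$1" | grep -qx "intnet1=\"$2\"" || return 1
  return 0
}

# Constructed sample showvminfo output (not captured from a real VM).
SAMPLE_ISOLATED='name="metasploitable2"
nic1="intnet"
intnet1="pentestlab"'
SAMPLE_BRIDGED='name="metasploitable2"
nic1="bridged"
bridgeadapter1="eth0"'

build_lab
if check_isolated "$SAMPLE_ISOLATED" "$LAB_NET"; then
  echo "sample 1: isolated on $LAB_NET"
fi
if ! check_isolated "$SAMPLE_BRIDGED" "$LAB_NET"; then
  echo "sample 2: NOT isolated (bridged onto the physical LAN)"
fi
```

Run it as-is to see the commands it would issue, then `DRY_RUN=0 sh lab.sh` to apply them; on a real VM, feed `VBoxManage showvminfo --machinereadable metasploitable2` into `check_isolated` to confirm the target is off your LAN before booting it.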
I recommend starting with https://metasploit.help.rapid7.com/docs/metasploitable-2 as the first target machine. This machine is made to show a bunch of different attack paths using Metasploit, which is a hacking framework that can be used to automate lots of tasks. I would recommend also learning how to exploit things manually, as you won’t be able to rely on Metasploit as a pentester a lot of the time, but it’s a fine starting point.
There are several walkthroughs on different ways you can own Metasploitable 2 so I would follow those. Essentially everything on there is vulnerable to something and you should see how many different paths you can find onto the system.
It also hosts some vulnerable web applications on port 80 which you can hack and practise your web application skills against.
After you have done Metasploitable, there are a whole host of other machines to try. There is Metasploitable 3, which is a Windows machine. There are also all the machines on: http://vulnhub.com/
Vulnhub is great for downloading and hacking VMs (typically called boot-to-roots). The goal is to get onto the target and then gain administrative or root privileges on it. Usually this is proven by reading a file like /root/flag.txt for Linux or C:\Users\Administrator\Desktop\flag.txt for Windows.
Once you have done a selection of these, I recommend trying out some rooms on https://tryhackme.com/. This is a relatively new website on the scene, but for free you can try a bunch of rooms and learn a bunch of community uploaded stuff which is helpful.
If you really want a challenge then try https://www.hackthebox.eu (Note: the signup page is itself a challenge, so if you are new and curious, you may need to look for a walkthrough. Hopefully you have done the above and have no issues with it! 😉) This is the best site for vulnerable VMs in my opinion, however be warned, the active machines will be hard!! Generally for beginners I say to only do HackTheBox if you can first get the VIP membership. Get the VIP membership for a year, then just work through all the retired machines and follow the videos for each of them made by Ippsec on YouTube. By the time you have done all the retired machines you will have a great understanding of how it works and you will be in a great place to start doing active machines.
Cloud Security
At the moment, I have never seen a company require cloud hacking skills for a junior position, however I think that will change. I certainly think that if you have it, you will stand out and be in a better position.
I recommend doing http://flaws.cloud first, then http://flaws2.cloud as an attacker and defender. I then recommend doing https://github.com/RhinoSecurityLabs/cloudgoat by RhinoSecurity.
After these you will have an understanding of AWS security, which fundamentally will help you with assessing other cloud providers as well.
Again I recommend following walkthroughs and taking notes.
Courses
So now if you have done all the above, you should have a pretty good grasp of the basics across the board for the general skills needed as a junior pentester. However, what you won’t have is the fundamental knowledge of computers and networking.
For understanding the fundamentals (and showing it on your CV), I recommend getting CompTIA Network+ and then CompTIA Security+. This will give you the fundamental knowledge and will show an employer that you understand how things piece together.
Generally the only Udemy courses I recommend are the ones by TheCyberMentor. They are good and include practical challenges. I would heavily advise against using any others; all the others I have seen on there are of terrible quality in the content they teach and not useful at all for getting a job.
If you can afford it, then check out eLearnSecurity’s PenTest Student (PTS) Course here. This is a great way to go to get your first practical certification in hacking which will give you more of an edge on your CV.
If you have done all the above and PTS, then check out OSCP by Offensive Security and do that. It will be intense, but with persistence you will make it through. OSCP is the number 1 certification to have on your CV for pentesting. It will definitely increase your chances significantly for a junior pentest position. However, it is not necessary (I don’t have it), so don’t use it as an excuse to say that you need to spend a lot of money to become a pentester and you can’t afford it.
Books
There are several helpful books for hacking, but finding good ones can be hard.
- The Hacker Playbook 2 and 3 are good resources that walk you through Infrastructure testing and a basic example of Red Teaming. This is handy context to have.
- The Web Application Hacker’s Handbook is another great resource, already mentioned above.
- Advanced Penetration Testing is also really good for more red team focused work and understanding how that comes together.
- Hacking: The Art of Exploitation is great for learning the basics of binary exploitation and understanding how code introduces vulnerabilities into software. Don’t pick this up first as it is very in depth.
- Kevin Mitnick’s books are good stories about hacking but won’t contain the technical knowledge needed to perform the techniques. Interesting reads though.
  - Ghost In The Wires: My Adventures as the World’s Most Wanted Hacker
  - The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
  - The Art of Deception: Controlling the Human Element of Security
  - The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
- Christopher Hadnagy’s books on Social Engineering are exceptional and very helpful for anyone looking to go into a role that includes red teaming.
- Network Security Assessment 3rd Edition is very dry but very good for understanding networks and how everything fits together.
- Real-World Bug Hunting is a good book for understanding some basic web app concepts and how bugs are found.
Getting the Job
At this point you should have a good direction on where to go to get the skills you need. Realistically, this is only half the battle. The other half is actually showing to employers that you know this stuff.
I heavily recommend a blog. You can host a blog for free like this one on GitPages. It doesn’t have to be fancy, but it does have to look professional and have a decent format. On the blog upload walkthroughs of challenges you have solved, upload tutorials on different basic techniques, upload things that you got stuck on and solved for the next beginner.
It doesn’t matter about traffic you get or anything, it’s just something the employer can look at to see what you know, how you write, how well you can explain the concepts and how well you know it.
I would also recommend working a lot on your CV, as that will be the first thing employers see. You want to show them that you have passion for it and that you have done all this in your free time. They will appreciate that if they are technical. Combine this with a blog to show off your skills and you should be in a good place. I don’t want to go into a lot of depth on CVs as I am certainly not a pro at it, but I would recommend putting the things you really want them to focus on (such as home labs and things you have done in your free time) at the top of the CV. All the other stuff that is irrelevant should either not be there or be at the bottom.
It’s important to remember that if a pentester is reviewing your CV, then they won’t have much time. Pentesting is a very busy job no matter where you work and they won’t spend long looking at your CV. You need to make the important stuff easy to find and at the start to ensure that it gets through and is seen.
I would also recommend dedicating time to looking up CV advice online and working on it. Looking at other people’s CVs is good too! Do note that there are a lot of bad CVs, so don’t just blindly copy others. Looking at many of them you should start to see what the competition is like and take the things you like from various people. This should be treated as if it’s your best piece of work, like a report you are handing to a client. Reports are all pentesters have to show clients that they did something worth paying for, so they need to be damn good. Showing you can write clearly is very important.
If you have done all of this then you should be in a really good place to get a job as a junior and shouldn’t have much issue. It may take time to get your first job and that is ok. Once you have it you will be set for your career, just keep learning and growing.
Resources
Linux
- Kali Linux: Download Page
- VirtualBox: Download
- OverTheWire Bandit Wargame: https://overthewire.org/wargames/bandit/
Web
- BurpAcademy: https://portswigger.net/web-security
- OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
- Juice Shop Book: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
- Hacker101: https://www.hacker101.com
- Web Application Hacker’s Handbook: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- Hackthissite: https://www.hackthissite.org
- Enigmagroup: https://www.enigmagroup.org
Infrastructure
- Metasploitable 2: https://metasploit.help.rapid7.com/docs/metasploitable-2
- Metasploitable 3: https://blog.rapid7.com/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3/
- Vulnhub: https://www.vulnhub.com
- HackTheBox: https://www.hackthebox.eu (Note: the signup is a challenge, you may need a walkthrough if new to it.)
- TryHackMe: https://tryhackme.com/
Cloud
- Flaws: http://flaws.cloud
- Flaws2: http://flaws2.cloud
- CloudGoat: https://github.com/RhinoSecurityLabs/cloudgoat
Courses
- CompTIA Network+: CompTIA Network+
- CompTIA Security+: CompTIA Security+
- eLearnSecurity PTS: https://www.elearnsecurity.com/course/penetration_testing_student/
- Offensive Security OSCP: https://www.offensive-security.com/pwk-oscp/
Books
- The Hackers Playbook 2: The Hacker Playbook 2: Practical Guide To Penetration Testing
- The Hackers Playbook 3: The Hacker Playbook 3: Practical Guide To Penetration Testing
- Advanced Penetration Testing: Advanced Penetration Testing: Hacking the World’s Most Secure Networks
- Hacking - The Art of Exploitation: Hacking: The Art of Exploitation
- Kevin Mitnick’s books:
  - Ghost In The Wires: My Adventures as the World’s Most Wanted Hacker
  - The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
  - The Art of Deception: Controlling the Human Element of Security
  - The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
- Christopher Hadnagy’s books on Social Engineering:
- Network Security Assessment 3rd Edition: Network Security Assessment: Know Your Network
- Real-World Bug Hunting: Real-World Web Hacking: A Field Guide to Bug Hunting