From Zero to your first Penetration Test


Are you looking to get into Penetration Testing, Ethical Hacking, or Red Teaming? If the answer is yes, then this article is definitely for you!

What is a Penetration Test?

A Penetration Test, commonly called a “Pentest”, is the process of evaluating the security weaknesses of an organization’s assets using methodologies similar to the ones used by real attackers.

Penetration Test = Vulnerability Assessment?

The answer is clearly NO!

A Pentest is not the same as a Vulnerability Assessment, and a lot of people tend to confuse the terms. From my experience, I have encountered clients that requested a Penetration Test when in reality they wanted a Vulnerability Assessment, or vice versa. So, it is very important for you, as a Security Expert, to explain the differences between those two terms.

Vulnerability Assessment:

  • Covers a decent amount of security issues
  • Exposes low-hanging fruits and probably some risky issues
  • The quality of results depends on the scanners used
  • Around 90% automated, around 10% manual work

Penetration Test:

  • Covers most of the vulnerabilities
  • Exposes issues ranging from low severity to critical ones
  • The quality of results depends on the expertise of the pentesting team
  • Around 10% automated, around 90% manual work

Types of Pentests

There are various types of pentests, and you must get familiar with all of them, but it is recommended to choose one that you will excel in and become very comfortable with.

Web Applications Penetration Testing:

  • OWASP Top 10
  • Business Logic Vulnerabilities
  • Default/Weak Credentials
  • API Testing
  • WebSockets Testing
  • Sensitive Information Exposure
  • Tokens/Keys Security
  • MFA/2FA/OTP Bypass
  • CMS Testing: WordPress, Drupal, Joomla, and so on.
  • E-Commerce Pentest: WooCommerce, BigCommerce, Magento, OpenCart, plus more

Mobile Applications Penetration Testing:

  • Static Analysis: hardcoded credentials/tokens/keys, vulnerable components, dangerous imports, and so on
  • Dynamic Analysis: traffic intercept, file system interaction, best practices, sessions handling, plus more
  • Bypasses: certificate pinning, root/jailbreak detection, and so on
  • + more

Network & Infrastructure Penetration Testing:

  • Detection Evasion (IDS/IPS/Firewall Bypass)
  • Brute-Force, Password Spraying, Credentials Stuffing, and Dictionary Attacks
  • Default & weak credentials
  • Abusing misconfigured services
  • Exploiting vulnerable versions of used protocols
  • Man-in-the-Middle
  • Active Directory (AD) Pentest
  • Domains Takeover
  • L2/L3 Devices Testing: routers, switches, and so on
  • IoT Penetration Testing
  • VPN-based Attacks
  • DoS/DDoS
  • Wireless Penetration Testing
  • Data Exfiltration
  • Logs Poisoning
  • + more

Physical Penetration Testing:

  • Lockpicking
  • Dumpster Diving
  • Tailgating
  • RFID Tag Hijacking/Impersonation/Spoofing
  • Shoulder Surfing
  • Implant Malicious External Devices: Rubber Ducky, LAN Turtle, and so on
  • + more

Social Engineering Penetration Testing:

  • Phishing Attacks
  • Vishing Attacks
  • Smishing Attacks
  • Client-Side Attacks Manipulation
  • + more

Red Team:

  • Combines all of them

How I got into Pentesting

To be honest, my journey started some years ago, but back then, being a white-hat/ethical hacker wasn’t really a thing, so that was a part of my life that I’m not so proud of. After that, a lot of new and fresh Capture-the-Flag (CTF) competitions appeared, so I moved my activity and focus into that area, through which I networked, met a lot of people, and learned new things. I also transitioned easily into Bug Bounty, which represented a side income for me.

After some time, I thought that I could possibly make a “legit” career in Penetration Testing, but it was impossible for me to get a job, because I had zero prior experience (I don’t think it is a good idea to count inadequate activities on the resume 😅) and no certifications at all. So, what did I do?

My professional career started basically with freelancing, through which I worked on various projects in the Cyber Security industry, but few of them were Penetration Tests. My services were underpriced as much as possible. I did that to build a portfolio and raise money to pursue certifications because, as you know, most of them are pretty expensive.

After some years of freelancing, I am still a freelancer, and I love it because I’ve got to a point where 95% of my projects are Penetration Tests, which was my initial goal.

What you need to become a Penetration Tester

So, how can you do the same, and get paid to hack into websites and networks? Here is a list for you of what you need to become a good Penetration Tester.

Loving what you are doing

It is not enough to have a passion or a little drive for this. Remember, most of the time, passion is temporary, love is forever. You have to think that this will be your lifestyle. Loving it will make you push harder through those days when you feel low, without any energy left inside, and it will make you stand up after any of your disappointments encountered during this journey.

Paying the price

You have to make sacrifices, you have to put in the hard work and the grind, to become a good Penetration Tester. Practice, practice, and practice!

Sometimes, it will be hard to see all of your friends partying and feeling good on Social Media while you are staying home, trying to crack that HackTheBox machine, practicing for OSCP, or learning about SQL Injections, but remember how worthwhile it will be in the end. Think about the long term.

Networking

The Cyber Security community is one of the greatest. You can learn so much from a lot of people, so go on LinkedIn, and ask for suggestions, recommendations, references, or even storytelling. I am sure that you will find someone who can help you during your journey.

Certifications for Penetration Testing

Certifications represent a vital component of your career as a penetration tester or cyber security professional. So I am going to list some of them that will help you get a Pentesting job or project:

  • CompTIA PenTest+
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Licensed Penetration Tester (LPT)
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Experienced Penetration Tester (OSEP)
  • Offensive Security Exploitation Expert (OSEE)
  • Offensive Security Web Expert (OSWE)
  • GIAC Certified Penetration Tester (GPEN)
  • Mile2 Certified Penetration Testing Consultant (CPTC)
  • Pentester Academy Certified Red Team Professional (CRTP)
  • eLearnSecurity Junior Penetration Tester (eJPT)
  • eLearnSecurity Certified Professional Penetration Tester (eCPPT)
  • eLearnSecurity Mobile Application Penetration Tester (eMAPT)
  • eLearnSecurity Web application Penetration Tester (eWPT)
  • IACRB Certified Expert Penetration Tester (CEPT)

Learning through Practice

The most efficient way to learn Penetration Testing is through practice, but first I would recommend getting familiar with the following:

  • Networking Concepts (TCP/IP, Routers, Switches, Firewalls)
  • Linux/Windows Concepts
  • Basics of well-known protocols: TELNET, SSH, FTP, HTTP/HTTPS, RDP, MySQL, MSSQL, SMB, SNMP, SMTP/IMAP/POP3
  • Common programming languages and frameworks: PHP, JavaScript, ASP.NET, Ruby, Python, PowerShell, Bash
  • OWASP Top 10
  • Kali Linux
  • Nmap
  • Metasploit
  • Burp Suite
  • PTES (http://www.pentest-standard.org/index.php/Main_Page)

Once you have a knowledge base, you can start practicing on the following platforms (choose your favorite, and start hacking!):

How to get your first Penetration Test project or job

Now you have the skills and certifications, but how can you get your first project or your dream job as a Penetration Tester? It’s easy to apply for a job, but here we will discuss some techniques that will increase your chances of being hired or being contacted for a pentest.

Through LinkedIn

Create a LinkedIn profile, and showcase your hard-earned certifications. Network with people from the community, and ask for recommendations. Create articles about your experience of studying for some exams, or writeups in which you explain your way of cracking some vulnerable machines from the list above.

Through GitHub

Do not hesitate to upload your scripts, side projects, or anything else that you think will be useful for the community to your public GitHub profile, and share it later on social media.

Through Responsible Disclosure

Some companies have a vulnerability disclosure policy, which means that you are allowed to search for vulnerabilities within their products/applications. Good work will never be forgotten, so there will be greater chances of being hired by a company to which you have already reported some security flaws.

Through Freelancing Platforms

There are a lot of people looking for experts with your skills on platforms such as Upwork, Fiverr, PeoplePerHour, Toptal, Freelancer.com, and more.

Closing

It is a very hard journey that never ends: technology is evolving, and cyber threats are increasing. If you think that this is not for you, then you are totally wrong! With a bit of pain and suffering, you can make it. Do not forget to stay humble along the road, and give back to the community once you have an opportunity.

Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter and InfoSec Writer.
