So you want to test pens?

Sit down, stay awhile and listen.

The following is a high-level overview for those asking “I would like to be a Penetration Tester (Pentester) but how do I get into the industry? How do I get started?”.

Here is a great blog to start with. It was written by my colleague Nathan, who moved from being a System Admin to a Pentester. I understand that it implies you have already been in the IT industry, but I think it still gives a good overview of the journey to becoming a penetration tester.

“The five years experience for an entry level position” paradox

Breaking into computer security is hard, and it is even harder to get into penetration testing. The following are some recommendations for building skills and certifications that won’t break your bank, will help get your CV past a recruiter and can help demonstrate your skills during interviews.

I will break this section into two parts: infrastructure testing (internal networks and Internet-facing infra) and web application testing. These tend to be the two main areas that you focus on when starting out as a pentester.

Infrastructure

I would recommend reading the following write-up on hacking Active Directory, done by my Director Alexei. It will give you some insight into the types of tools, techniques and practicalities of internal testing.

Courses

The following is a list of courses / providers that I recommend for beginners to start building their familiarity with infrastructure tools and techniques:

- Metasploit Unleashed, a nice, easy and free guide to using Metasploit Framework: <https://www.offensive-security.com/metasploit-unleashed/>
- TCM Security, these dudes do amazing courses at amazing prices; they are practical, up to date and teach you a lot. There are also several certifications if you want to pursue them: <https://academy.tcm-sec.com/courses>
- Their PNPT course is a great place to start and covers infra and web testing; at the time of writing the course can be streamed for free: <https://academy.tcm-sec.com/p/pnpt-live>

Tools

Here is a quick list of tools that you can start to look at that are useful for infrastructure testing:

Resources

The following are some nice places to get examples of techniques and tools:

Web Applications

Courses

The following is a list of courses / providers that I recommend for beginners to start building their familiarity with infrastructure tools and techniques:

Tools

Guides

Note: There are no guides; web apps are an arcane science and I don't care for them.

What are some good resources for security in general?

I enjoy watching the videos of the following people:

Hope that gives you a bit to sink your teeth into.

If any of this piques your interest then we will make a pentester of you yet.