A question I often get asked is, "how do I become a pen tester?" It is a tricky question because there is no one path to follow. The path I took is different than the path my co-workers took, but in the end, we all reached the same endpoint.
In this post, I will go over some of the ways that I learned about security and penetration testing, websites that came in handy, and other resources that helped me learn along the way. This guide will primarily focus on free or low-cost options, as I don't believe that you should have to pay thousands of dollars to learn the basics of penetration testing and becoming an ethical hacker. This post is meant to serve as a guide to get beginners started. As a note, this path may not be for everyone and if something else works better for you, like a bachelor's degree, I encourage you to pursue that path instead; again, there is no ‘one path' to becoming a penetration tester or offensive security certified professional.
On your way to becoming a successful penetration tester, it is essential to have a good grasp of the basic concepts of computers, information security, networking, programming, and a basic ability to use the command line. By having a solid foundation of these fundamental topics, it will become easier to understand more advanced topics later, typically this will come from a few years of experience. You will also spend less time searching for answers to basic IT questions and will be able to focus more on the topics of penetration testing, cybersecurity, and hacking. These topics do not have to be started one after another and can often overlap as you begin your learning journey down your career path to becoming a security professional or security consultant.
There is a lot to learn about how computer systems work. I learned by building my PC then getting a job at a help desk and also by working at a computer shop where I built several hundred desktop computers. I understand most people don't have the time to take a few years to learn the basics of computer science (and I don't recommend it if your goal is to become a pen tester), instead, check out the How Computers Work from Khan Academy or How PCs Work by How Stuff Works.
One of the most important things about learning to program is finding resources that match your learning style. If you need to eliminate distractions, try a book. If you are a visual learner, try videos where they draw out the problem. If you need more of a coaching approach, try a boot camp. Just make sure to always keep programming and taking an active approach, you cannot become a good programmer by passively watching videos or reading books.
As far as networking goes, a good understanding of the basics can help you go far in your career. For starters, it helps to understand the OSI model and where different networking protocols can work when trying different attacks on a network. Knowing this could be the difference between sneaking past security tools or getting caught in your tracks. Again, there are lots of resources out there to learn networking; if you are just beginning you could check out Professor Messer's CompTIA N10-007 Network+ Course, plus once you finish the course you can take the free CompTIA Network+ certification which will look good on a resume. If you want to go one level further than the Network+ you could look at the free Cisco CCNA course at Cybrary, but completing the CCNA is usually not necessary for a career in penetration testing.
Lastly, as far as fundamentals go, a basic understanding of the command line can go a long way. If you are running Windows 10 you can install the Windows Subsystem for Linux (a Microsoft program); if you are running MacOS then you can use the built-in terminal and the same goes for gnu/Linux. It is important to understand the command line as many pentesting tools are solely command-line based. There are no buttons to click or web pages to interact with, so having an understanding of the command line will allow you to become more comfortable and efficient when starting out. There are several resources for learning how to use the command line. You could check out the command line crash course at Vikings code school or learn the shell from Linuxcommand.org to get started. Another fun way to learn the command line and hacking is to check out the wargame Bandit from Over The Wire, it is a command line game where you have to find out where a flag is hidden by only using command line tools.
Now that we have talked about fundamentals it is time to get to the fun part, hacking (ethical hacking). I also want to remind you that you can learn the fundamentals and hack at the same time. This way as you are learning programming and command line you can look at how a specific tool is written, how it works, and possibly change it to fit your needs. This will only further drive home the different areas of knowledge and make you a better pen tester.
When starting on the path to learning how to conduct a pentest, I recommend learning how to do basic web apps first. The reason I recommend this first is because beginners probably interact with websites daily and can easily navigate around them and look into them, so it seems like a natural starting point. To begin, make sure you have an understanding of how the web works, if you need a refresher you can check out How Does The Web Work from Project Odin or read this article from Mozilla, hopefully, you still remember all the networking knowledge you have been learning from before. A great place to start learning about web hacking and different vulnerabilities related to websites is over at OWASP. OWASP stands for Open Web Application Security Project, you can learn more at OWASP. OWASP has a list of the top 10 web vulnerabilities that you will find referenced all over the web. Additionally, OWASP has projects that help you learn how to hack web apps, one of the more popular ones is called JuiceShop which can be found at OWASP Juice Shop. This vulnerable web app can be hosted for free, and you can play around with it as much as you would like. Additionally, if you would like to follow along with videos on how to complete the challenges, while learning from a top-tier instructor you can check out the YouTube playlist WebAppSec Class contains over 3 hours of web app security training.
After you are comfortable with web apps, or while you are still learning web application hacking, you can move on to system hacking, or even dive into social engineering. By system hacking, I mean looking at an operating system and trying to exploit it and/or elevate your user privileges to root or admin. My favorite way to learn this is to just jump right into it. Two of my favorite resources are VulnHub and Hack The Box.
VulnHub is a collection of virtual machines that have different goals to teach about digital security and hacking. If you are just starting then find a vulnerable machine that sounds interesting, boot it up in a virtual environment, and start playing around. If you get stuck, try searching for a tutorial or reach out to the creator of the box and get some hints on what to try. I also recommend taking good notes when starting, you may need to come back to your notes often as you get used to using different tools and techniques. A good list of vulnerable VMs to work through can be found at OSCP, like Vulnhub VMs.
Hack The Box is different than Vulnhub in that HackTheBox hosts live machines on a network that you have to connect to using OpenVPN. This gives the users a little bit more of a real-world feel. You will find other users that are also on the same network you are working on and may run into issues where you have to reset a machine or have to work around someone else. HackTheBox also does a good job tracking your progress as you move your way up in their rankings. Each week a new machine is introduced and an old one is retired, if you were unable to solve the machine that was retired, you are then able to look up tutorials on it and figure out what you did or did not do correctly and learn from it. HackTheBox also comes with additional challenges such as crypto challenges, steganography challenges, web hacking challenges, and more. There is also a paid tier where you get access to more retired machines along with a more private network, so you do not have to compete with as many people trying to hack the same machine at the same time.
Another great resource that I have recently started using is called Pen Tester Academy. It is a paid resource, but at just $39.99/month you get an amazing amount of material. It comes with thousands of hours of educational videos on different topics of informational security, and 1000+ preconfigured labs, where with a touch of a button you are dropped into a working environment that allows you to put your skills to the test. This has recently become one of my favorites because when I need to refresh on a certain skill I can click a button and start working right away, where in the past I would spend 2+ hours just configuring a virtual machine and get it up and running before I could start working.
If you are a visual learner or would like to follow along with an instructor then I would recommend the free Advanced Penetration Testing course from Cybrary. This course also has a book called Penetration Testing: a Hands-On Introduction to Hacking that I also highly recommend. Just remember to follow along and do all the exercises yourself, you can't become successful by just watching videos.
Finally, if you have gotten through all of those resources then you can look into any of the following resources to increase your skills towards becoming a certified ethical hacker:
I hope that with this post you can gain a solid foundation to build on your IT security career, give you a solid base of hacking and penetration testing knowledge that will lead you on the right path to becoming a pen tester and finding a solid security team to work with. Remember, there are no shortcuts. If you want to become successful you need to put in the time at a keyboard and actively learn in a way that best suits you.
Disclaimer: It is illegal to conduct a penetration test or hack of any system or environment that you do not have explicit mutual consent. It is your responsibility to follow all applicable local, state, and federal laws. RedTeam Security assumes no liability for any actions taken by knowledge gained from this site.