{"id":10856,"date":"2015-10-13T14:30:35","date_gmt":"2015-10-13T12:30:35","guid":{"rendered":"https:\/\/www.corelan.be\/?p=10856"},"modified":"2015-10-13T14:30:35","modified_gmt":"2015-10-13T12:30:35","slug":"how-to-become-a-pentester","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2015\/10\/13\/how-to-become-a-pentester\/","title":{"rendered":"How to become a pentester"},"content":{"rendered":"<h2>Intro<\/h2>\n<p>I receive a lot of emails. \u00a0(Please don't make it worse, thanks!) \u00a0 Unfortunately I don't have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our <a href=\"https:\/\/www.corelan.be\/index.php\/forum\">forums<\/a> or our IRC channel (#corelan on freenode), hoping that other members of the community will jump in and help me answer those questions.<\/p>\n<p>One of the most frequently asked questions is \"how do I become a penetration tester\".<\/p>\n<p>Depending on whom you ask this question, you may get different results or may be told to take a specific approach. \u00a0With this post, I am trying to formulate my views on this question (with a focus on the process and not so much on the technical aspect), in an attempt to hopefully provide a good starting point for those that find themselves in a similar situation.<\/p>\n<p>For the record, I am not a penetration tester... but I try to apply common sense (seasoned with a touch of plain logic) to challenges and pretty much all situations in life. Don't hesitate to provide feedback, suggest changes or tell me to STFU and GTFO. \u00a0Any motivated additions or changes to this post are more than welcome, and I'll update this page as needed.<\/p>\n<h2>Where to start ... or ?<\/h2>\n<p>There are a couple of approaches to getting started with information security. \u00a0Approaches change as time flies by, technology changes, new platforms are designed &amp; implemented, etc... 
All of this influences what is supposed to be the latest \"hot\" topic to dive into. \u00a0 Before doing so, regardless of the approach you take, there are 2 fundamental questions you should ask yourself:<\/p>\n<h3>1. How much effort (time, ...) am I willing to put into this?<\/h3>\n<p>I have been working on exploit development for many years. \u00a0Truth is that I don't have an advanced background in systems programming, not been trained in latest technologies. \u00a0All it took was a lot of time &amp; dedication, a strong will to learn and absorb new things. \u00a0 You can learn as fast as your brain is able to process and remember, and practise is able to lock down into your mind, converting the knowledge into experience. \u00a0 Some people learn fast, others need more time. \u00a0Nothing wrong with both approaches, but being self-aware, self-conscious about your abilities and being realistic about the time you're able &amp; willing to invest into supporting the learning process is important. \u00a0Another factor to take into consideration is your balance between the various powers that play in life. \u00a0If you have a family, make sure to talk with your family members and find a good balance between spending time with them, and spending time on this learning experience. \u00a0 Even if you're alone, get out from time to time. \u00a0Don't rush into things, but try to dose and apply a healthy time-consumption model. \u00a0Let your brain process, think, and take your time.<\/p>\n<p>This \"time\" factor brings us to the second point:<\/p>\n<h3>2. What is my goal?<\/h3>\n<p>People set goals all the time. \u00a0Goals can be far away in terms of knowledge &amp; experience needed, they can be even so far away that they look more like a dream than anything else. \u00a0The good news is that it is OK to be ambitious and to have dreams. 
\u00a0However, from my experience, it will be easier to achieve your ambition by breaking the dream into smaller objectives, into smaller goals. \u00a0 So, my (quite limited) definition of a goal or target is something realistic, something you can achieve, using one or more steps (actions). \u00a0 \u00a0We can discuss about semantics, words and definitions, but that's not the point of my statement. \u00a0Let's apply the dream\/goals\/targets logic to the topic of this post. \u00a0Let's assume it is your dream to become a pentester. \u00a0 The concept of being a pentester is quite exciting, but it's quite vague at the same time. \u00a0 What exactly do you want to do? \u00a0What type of pens .. errr.. targets do you want to test. \u00a0Why do you want to do it ?<\/p>\n<p>If you don't have the answer yet, it might be useful to talk to pentesters and ask what type of work they do, and see if you are interested. \u00a0 Let's say your ideal scenario involves testing the overall security level of corporate networks, perform audits against web applications and do something with \"mobile devices\" because that's what people told you. Perhaps it's social engineering. \u00a0It doesn't matter what you select, those are your goals. \u00a0 They are part of the \"pentester\" definition, but you've just broken down the dream into goals &amp; targets.<\/p>\n<p>Why am I being so philosophical about it? \u00a0Well, becoming a pentester who is specialized in all types of audits may not be realistic after all. \u00a0Technologies change so fast that it may not be possible to become an expert at everything, right away. \u00a0Trying to understand &amp; master everything would not be a realistic goal. \u00a0It might still be a dream though, and you might eventually get there. \u00a0 It all depends on how much effort you're willing to invest. \u00a0Taking this one step further, don't be discouraged nor too enthusiastic by what other people say. 
\u00a0Timings are personal, there is no good or bad. \u00a0The good news is : you can do whatever you want, some things will take more time than others. \u00a0It's not about \"IF\" you can do it, it's about \"WHEN\", and how realistic this \"WHEN\" is.<\/p>\n<p>Being a pentester does not mean being good at using tools either. It's about being able to understand how things work, how things are configured, what mistakes people make and how to find those weaknesses by being creative. \u00a0Being a pentester is not about launching Metasploit against the internet.<\/p>\n<p>A couple of years ago, I got interested in photography. \u00a0After taking many pictures using my smartphone and being encouraged by family members that kept repeating how great my pictures were, I decided to buy a DSLR. \u00a0Guess what. \u00a0Buying a better camera or lens doesn't make me a better photographer. \u00a0In fact, it made things worse because I didn't understand how light works, how a camera can be tuned to deal with the light and how we can influence light to get better pictures. \u00a0Smartphones are designed so you wouldn't have to think about it. \u00a0Beginner's mistake. \u00a0The reality is that learning how things work is time consuming, frustrating... but it will be rewarding in the end. \u00a0I'm still not a good photographer, but I don't mind admitting it either. \u00a0I consider this to be a journey and at least I'm determined to understand the fundamentals first; to try and to make mistakes a lot; and not to be afraid to ask for help.<\/p>\n<p>So, this brings me back to the original question: \"Where to start\". \u00a0It should be clear by now that perhaps you should try to answer \"where do you want to end\" first, as this will tell you where to start. \u00a0Don't worry, even if you make mistakes, even if you find out that you picked the wrong (\"less exciting\") targets, you still win. 
\u00a0Any knowledge you gain is valuable to a certain extent and can be helpful along the way.<\/p>\n<p>There is a second way to look at the \"goal\". \u00a0You can also define your goal as \"your ability to generate an income\". \u00a0 Let's assume, for the sake of this post, that you would like to make money as a pentester. This means that you may have to select certain technical objectives (knowledge) that will provide economical value. \u00a0This could be driven by popularity of certain types of technology (web apps, for example); or relatively new areas (Internet Of Things, Mobile, ...). \u00a0 So, even if you want to do many things (and should be looking at a broader perspective), there is a big chance that you will have to specialize in specific areas.<\/p>\n<p>Before continuing, I'd like to <a href=\"https:\/\/twitter.com\/thelightcosine\">@thelightcosine<\/a> quoting <a href=\"https:\/\/twitter.com\/hdmoore\">HD Moore<\/a>: \"If you don't think you're a n00b, you're not trying hard enough\". \u00a0 Challenge yourself. Try to learn more about something, try to gently push your limits, but do it in a realistic way. Never give up. It's a painful, long, but very rewarding journey.<\/p>\n<h2>Ok, got it. So, where to start ?<\/h2>\n<p>Assuming you know where you want to end, and you have a realistic plan that involves dedicating time and efforts; what should you do with your time?<\/p>\n<p>Before talking about possible roads, I'd like to briefly mention something that will become the most important part of your journey. \u00a0It's YOU &amp; your attitude &amp; mindset. \u00a0You'll be the one doing the work. \u00a0You're the one that sets goals and wants to start working. \u00a0You're the one that will make this work. \u00a0 But it requires a specific attitude to do so. \u00a0It's the so-called \"hacker\" attitude. 
\u00a0 There are many definitions of the word hacker; but most of them boil down to this: \u00a0A desire to understand how things really work, so you can optimize\/change the behaviour, or apply the understanding to bend the rules of the game. Hackers tend to break stuff; penetration testers tend to break stuff too. The goal should be to break stuff in order to come up with solutions on how to improve it. \u00a0If the purpose is to break stuff so you can prove you can break stuff, and systems\/people have flaws... \u00a0Newsflash: we already know that. \u00a0 You're wasting your time. You're a breaker, not a hacker. \u00a0If you truly want to be a hacker, break stuff because you want to fix it, make it better. \u00a0 The word hacker can be applied to many disciplines. \u00a0It doesn't need to be tied to computers, it can be applied to science in general as well. \u00a0In fact, without hackers, we would not have medicines, or technological evolutions.<\/p>\n<p>Be critical about what you see. Try to understand what you see. Ask questions and don't accept the \"I don't know, that's how it works, that's what someone told me, \u00a0just accept it and move on\". Ask yourself the question \"what would I do if I had to design X or Y\". Putting your thought process into the mindset of someone else will help you understand why things work the way they work, how they were designed, and how people use them the way they use them. \u00a0Using empathy &amp; understanding that other people have different views will broaden your understanding of things, which in return will help you to discover strengths and weaknesses.<\/p>\n<p>Being a hacker is not technical. \u00a0It's a mindset, it's psychology. \u00a0It's beautiful. \u00a0It's very powerful. \u00a0(Sidenote: I am truly blessed to be able to spend time with extremely intelligent hackers all over the world. \u00a0Each of us has the potential to change something, to improve something. 
\u00a0We can even change the world; if we would organize ourselves in a better way. Maybe it's time for selecting a new \u00a0dream, a dream that involves hacking the world. Anyways... )<\/p>\n<h2>Ok Ok, cut the crap, where to start?<\/h2>\n<p>Hold on. We're almost there. \u00a0Before giving you some hints on how to approach your journey, I'd like to share some thoughts on asking questions. \u00a0 In fact, unless you're born with all the answers already, you'll probably end up asking questions. \u00a0Even if you know what your ultimate goal is, you may not know how to get there, or what is needed to get there. \u00a0The only way to figure out is by asking questions. \u00a0Interestingly enough, the way you ask a question and the type of questions you ask, will determine whether you get the answer you need or not.<\/p>\n<p>I often hang out in various channels on IRC and I\u2019ve been subscribed to a bunch of mailing lists for a long time. \u00a0I see people asking questions and other people trying to answer questions on a daily basis. You would think that asking or answering questions is a trivial thing, but interesting enough, people get yelled at, kick-banned from IRC channels, or humiliated in public just because they were trying to find the answer to something they don\u2019t know. \u00a0Lots of people end up frustrated because they failed at getting a satisfactory answer, and other people get frustrated because they felt they were wasting their time.<\/p>\n<p>What exactly causes this conflict and how can both parties be more effective at asking and answering questions, and hopefully avoiding painful situations? \u00a0Most of the items below are based on cases where direct interaction is possible (IRC, Instant Messaging, and so on), but they can be generalized very easily and are applicable to any form of communication (email, support form, forum).<\/p>\n<h3>Asking questions<\/h3>\n<p>Asking questions is very easy. 
Asking a good question seems to be far from easy. \u00a0What does it take for a question to elicit a valuable answer and how can you avoid that people will start throwing tables, bicycles and elevators at you because you just wanted to get an answer? \u00a0I\u2019ve tried to gather some ideas on how to be more efficient at asking questions and increasing your chance on not only getting an answer, but also getting a helpful answer. \u00a0A few years ago, I did a small survey on Twitter to discover what people believe are the ingredients of a \u201cbad\u201d question. \u00a0The results included:<\/p>\n<ul>\n<li>No indicators that the person asking the question did any of their own research or attempted to find an answer, Googling Bing or Binging Google;<\/li>\n<li>When the question is ambiguous;<\/li>\n<li>When you forget to ask the question;<\/li>\n<li>Massive preamble to get to the question.<\/li>\n<\/ul>\n<p>There are a couple of things you can do to avoid common pitfalls and getting your question labeled as \u201cbad\u201d.\u00a0For starters, I don\u2019t think bad questions exist. \u00a0There\u2019s always a reason for a question, or logic behind a question. \u00a0It just may not be clear what it is exactly, because of poor communication or other reasons, but that doesn\u2019t make the question bad. \u00a0I'm listing some ideas below, in no particular order.<\/p>\n<p><span style=\"text-decoration: underline;\">Avoid the obvious answer. <\/span><\/p>\n<p>Think about your question. \u00a0How easy would it be to find the answer online, on Wikipedia, via a simple Google search or by reading product documentation? \u00a0If you\u2019re lazy, don\u2019t expect people to show appreciation for that. \u00a0Trust me, being honest about your laziness, won\u2019t help either. 
\u00a0If you get kickbanned from IRC because you are lazy and you advertise or admit it, you probably deserve it.<\/p>\n<p><span style=\"text-decoration: underline;\">Show that you deserve an answer and anticipate. <\/span><\/p>\n<p>Do your homework. \u00a0See what you can find about your problem on the Internet, try a few things yourself and document what you did. \u00a0Be prepared to show what you did. \u00a0Be honest and accurate. \u00a0People are more likely going to help if you show that you have tried and are willing to try more. \u00a0 As soon as people sense that you just want to be spoon-fed, your support channel is going to blow up in your face. People might ask you to reproduce the steps you took to end up in your current situation, so you can anticipate that. \u00a0Put your documentation and procedure on Pastebin or Pastie before asking the question and be prepared to provide a link to your documentation when needed.<\/p>\n<p>Don\u2019t leave out vital information or be embarrassed about something you did even if you think you shouldn\u2019t have done it. \u00a0It might very well be part of the problem and if you want a solution, you\u2019d better be honest. Be as factual as possible in describing your problem and don\u2019t let your thought process take over. Describing the symptoms and the exact steps needed to reproduce the symptoms will work better than explaining what you think the problem is. \u00a0You may have missed something obvious and if you don\u2019t share all the facts, people may not be able to discover what really went wrong.<\/p>\n<p>If you\u2019re trying a procedure or a tool and you get an error message, there\u2019s a chance that other people have encountered the same situation. Google for the error message (leaving out specific parts such as IP addresses, and so on) and see what you can find yourself.\u00a0Make sure to construct your question in a way that would make people believe you just want a gentle push in the right direction. 
\u00a0Instead of asking \u201cI don\u2019t understand how this works\u201d or \u201cI want to hack Gmail\u201d you could also ask \u201cWhat would you recommend I should learn to do this or that\u201d, or \u201cDoes anyone have any recommended sources about SQL injection against an Oracle database\u201d? \u00a0 You\u2019re trying to achieve the same goal and you\u2019re pretty much asking for the same thing, but you\u2019re shifting the focus to the process of learning and finding a solution instead of drawing attention to the problem or goal itself. \u00a0It\u2019s perfectly fine to ask for \u201csome pointers in the right direction\u201d. There\u2019s a famous Chinese proverb that says \u201cGive a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime\u201d. \u00a0If you have a problem, you may choose the fastest and easiest path and get someone to fix it for you by giving you the solution right away. \u00a0If you\u2019re taught how to troubleshoot a problem, you may be able to increase your insight and improve your ability to prevent and fix future issues yourself. \u00a0The more you focus your question on what you can do and should do yourself, the easier it will be to convince someone to help you out.\u00a0What also often helps is to explain your problem to a friend first. \u00a0In some cases, explaining the problem and allowing a friend to try to understand the problem might also expose the solution. \u00a0This has happened to me and helped me in numerous cases. In short, the more work you put into finding a solution yourself, the more precise your question will be and people will appreciate that.<\/p>\n<p><span style=\"text-decoration: underline;\">Break things apart and be critical to yourself. <\/span><\/p>\n<p>Before asking a question, break down your question into technical layers and components. \u00a0Do you fully understand the other components or prerequisites needed to reproduce your problem? 
\u00a0If you are asking a question about attacking a remote computer, make sure you understand the networking layer and have checked that everything is set up correctly between your device and the remote computer. \u00a0If you don\u2019t know enough about networking, you shouldn\u2019t be attacking something that uses the network.<\/p>\n<p>Don\u2019t forget or ignore that others had to go through the same learning experience as you did and had to work for it. \u00a0If your question suggests that you just want to skip learning fundamental knowledge, people may be offended because you\u2019re basically disrespecting the hard work they have done in the past.<\/p>\n<p>Consider there is a possibility that you still have a long way to go, and that \"understanding\" something doesn't necessarily mean you are applying it in the right way. \u00a0Instead of asking why a certain technique for a certain case doesn\u2019t work, you may need to wonder whether you fully understand the technique or not.<\/p>\n<p><span style=\"text-decoration: underline;\">Don\u2019t start with an apology. <\/span><\/p>\n<p>There\u2019s no need to apologize for not knowing something. \u00a0It usually only makes people raise an eyebrow for a brief moment and move on. \u00a0You should only apologize to yourself for not asking proper questions or for not being prepared to work or learn. \u00a0 Don\u2019t apologize for your lack of speaking or understanding English. People don\u2019t care. \u00a0If it\u2019s bad, they\u2019ll notice it\u2019s bad. \u00a0You have the opportunity to improve your English by reading documents, interacting with people, so you might as well do something about it. \u00a0If you\u2019re unsure, prepare your question in advance and relax. \u00a0If you\u2019re asking a good and well-prepared question, nobody will even notice. \u00a0Of course, if support is available in your native language, that should be your first option. 
\u00a0I\u2019m not trying to say that apologizing is a bad thing. It\u2019s a token of maturity and respect, and can be very powerful in conflict situations and negotiations. \u00a0I\u2019m just not convinced it will help you getting an answer.\u00a0Don\u2019t hide behind the fact that you don\u2019t speak a language very well in order to insult people. I\u2019ve seen this happen before: somebody walks into an IRC channel, starts by apologizing for his bad English, and then blatantly insults everyone in the room. Bad idea. \u00a0Excuses are not a magic patch for stupidity.<\/p>\n<p><span style=\"text-decoration: underline;\">Be nice, polite and don\u2019t be impatient. \u00a0<\/span><\/p>\n<p>Even if your question is urgent, if you decide to rely on community support, you also have to realize and accept that people have lives too and may have other priorities than answering your question. \u00a0Asking \u201cwhy\u201d you\u2019re not getting an answer after 10 minutes may trigger people to ignore you, so don\u2019t do that. \u00a0Maybe you need to rethink your question instead, or find another source of information or support. \u00a0Public forums and IRC channels are not private support channels. \u00a0Don\u2019t expect the entire world population to care about your problem, so make sure not to flood the channel with your issues. \u00a0Although IRC and Instant Messenger tools allow for direct communication, it doesn\u2019t guarantee that the communication will take place when you want it and at the speed you want it. Timezones are real and the people that have the answer may be asleep. Accept it.<\/p>\n<p>Even if you think a tool is terribly broken, focus on what you may potentially have done wrong. \u00a0Others will appreciate if you ask \u201cwhat I have done wrong\u201d or \u201cwhat you should do different\u201d even if it\u2019s a genuine bug in an application or tool. 
\u00a0If you start by saying you believe a certain tool is broken or ask \u201cwhy\u201d a tool is broken, you\u2019re going to draw attention to yourself in a bad way. \u00a0One bug in a tool doesn\u2019t make the tool bad, so don\u2019t disrespect the work of many people who may be reading your comments. You\u2019re the one to open a discussion, and you\u2019ll never get a second chance to make the first impression. \u00a0The tone for the rest of the discussion is going to be set as soon as you initiate the communication, so be nice and respectful.<\/p>\n<p>Only make jokes if you\u2019re sure others will understand and appreciate the joke, and won\u2019t be offended by it. \u00a0You don\u2019t know who\u2019s behind the computer at the other side, so avoid anything that is potentially offensive, sexually oriented, inspired by religion. Understand that there are different cultures, different points of view, different people. None of them are good or bad, better or worse. A lot depends on how well you know the people you are addressing. (Sidenote: this is also why a \"hacker culture\" doesn't really exist. \u00a0We're all individuals, with different backgrounds, cultures, beliefs. It doesn't matter what you look like, what language you speak, what clothes you wear, or what the color is of your skin. You're a hacker by the things you do, and why you do them.)<\/p>\n<p>Jokes about yourself or your situation are an exception of course, and are often perceived well. \u00a0Complaining about your crappy Internet connection and how it makes you consider sending faxes again, or make a comment about how the fact that your dog is so fat that it interferes with the Wi-Fi signal in the house are just a few examples on how to help set a friendly tone.<\/p>\n<p>Be creative, don\u2019t overdo and choose your timings carefully. \u00a0Maybe you are impressed by the skills of the people you\u2019re going to address when asking your question. 
\u00a0Don\u2019t start yelling how \u201cl33t\u201d or \u201cpro\u201d you think they are, and how easy it would be for those people to answer your question. \u00a0This may set off some red flags and make people think you\u2019re a troll. \u00a0Be yourself, act normal, be polite and you\u2019ll be fine.<\/p>\n<p><span style=\"text-decoration: underline;\">Make it easy to answer.<\/span><\/p>\n<p>If your question is too broad or contains too many elements that are open for interpretation, ambiguous, questionable or vague, don\u2019t expect anyone to take a few weeks of holidays to show you around.<\/p>\n<p><span style=\"text-decoration: underline;\">Choose your audience. <\/span><\/p>\n<p>What would be the best place to find an answer to your question, and who would be the right person to answer your question? Forums and IRC channels often focus on a certain topic, so try to pick the right medium and channel to ask your question. \u00a0If your question is related with the use of a tool, it might be a good idea to find other users instead of sending your questions to the tool developers right away (or use the support mechanisms they made available).<\/p>\n<p><span style=\"text-decoration: underline;\">Ask the question. <\/span><\/p>\n<p>Don\u2019t start by asking if you can ask a question. There\u2019s no need to ask if someone is online or available to answer your question. Just ask the bloody question. \u00a0If someone is online and if your question makes sense, you\u2019ll get an answer. \u00a0Unless you are picking up where you left off from a previous discussion, don\u2019t target a specific person. Other people might ignore your question if you\u2019re suggesting that only a particular person can answer the question. \u00a0If you want to get an answer, make sure it is perfectly clear what the question is. 
If you simply state \u201cI have a problem with X or Y\u201d, \u201cThis tool doesn\u2019t work\u201d or \u201cMy exploit got detected by Antivirus\u201d, you\u2019re technically just making a statement and not asking a question. \u00a0Asking what you did wrong or what you can do to make something work (better) is more likely going to get you what you want. Even if you have to explain the context of your problem, try to keep it short, to the point and move to asking the question as soon as you can.<\/p>\n<p><span style=\"text-decoration: underline;\">Listen, interact and seek clarification if needed.<\/span><\/p>\n<p>Try to understand the answer and don\u2019t reply to it right away. \u00a0If someone tells you to investigate something else, do it. \u00a0Don\u2019t keep hammering away, ignoring advice that was given to you. \u00a0\u00a0If an answer is not clear, ask for clarification, but do it in a way that suggests you\u2019re trying to learn (process) and not trying to be spoon-fed (solution). \u00a0As explained earlier, the better you are at setting the right tone and suggesting you only want some hints in the right direction, the higher the chance someone will help you. When asking for clarification, try to formulate it in a way that explains what you did and didn\u2019t understand. \u00a0Rephrasing or summarizing certain parts often helps to show what part of the answer was clear, and what requires further clarification. \u00a0Rephrase\/Consider starting a new question with:<\/p>\n<ul>\n<li>If I understand you correctly,<\/li>\n<li>What you\u2019re saying is that\u2026<\/li>\n<li>In other words,<\/li>\n<li>What if<\/li>\n<li>Does that mean\u2026<\/li>\n<\/ul>\n<p>In the event you didn\u2019t understand the answer at all, don\u2019t be afraid to say so. 
\u00a0Ask if that person could rephrase, explain something in a different way or elaborate on a certain part of the answer, and do it in a polite manner.<\/p>\n<p><span style=\"text-decoration: underline;\">Be grateful &amp; give back when you can. <\/span><\/p>\n<p>If someone tried to help you, tell that person you appreciate the help, even if it didn\u2019t fully answer your question. \u00a0Realize that a lot of people have other things to do than answering questions. \u00a0If they are trying to help, it\u2019s because they want to help, despite tight schedules, deadlines at work and other priorities. Credit them for taking the time. Do it in a short, clear and efficient way. Mention how the answer was helpful. \u00a0If you have the impression the question you asked is a very common question, and your gut feeling says that the person who answered the question is actually getting sick and tired of having to address the issue over and over, you may want to consider lending him a hand. \u00a0Document your question and the solution and put it online somewhere. It will help you to understand the cause and the solution, you can ask the person who helped you to verify your document to make sure it\u2019s accurate, and you can help other people by simply pointing them to your online document. \u00a0It demonstrates you want to learn, you\u2019ve listened and you want to give back. \u00a0Don't wait to share until you have all the answers. \u00a0Guess what, you'll always find another question.<\/p>\n<h3>Answering questions<\/h3>\n<p>Asking good questions is definitely an art that requires a bit of preparation. Answering questions, if you really want to help someone, is not trivial either. \u00a0Although some cases may suggest the opposite, there\u2019s no such thing as dedicated askers and dedicated answerers (not sure if that is even a valid word). No matter how experienced you are, you might still find yourself at both sides of the story from time to time. 
When you\u2019re in the position to be able to answer a question, you really are in a unique situation. \u00a0Think about it, you have the power to decide whether you want to answer the question or not, and on top of that, you can choose how to answer the question, which will have a direct impact on whether the answer will be valuable or not. \u00a0If you decide to take the time to answer a question with the intent of helping somebody, you might as well do things right. Maybe some of the following guidelines may be of assistance:<\/p>\n<p><span style=\"text-decoration: underline;\">Be nice.<\/span><\/p>\n<p>There is a reason why the question was asked in a certain way. \u00a0You should be able to sense the difference between somebody who\u2019s after a quick win and somebody who is genuine, who really wants to learn, but doesn\u2019t know how to communicate well. \u00a0When you\u2019re not sure, grant the person the benefit of the doubt, you can still yell at him later.\u00a0There\u2019s an easy way to help someone if they were too vague or didn\u2019t make themselves clear. Simply rephrase the question and ask if that is what they want to know, or just tell him his question didn\u2019t make any sense and ask that person to be more specific. It will make sure you properly understand the question and it will show the person how to properly phrase a question next time. \u00a0 There\u2019s no reason to make fun of someone or make him\/her feel bad. \u00a0He or she already admitted being in the dark about something.<\/p>\n<p><span style=\"text-decoration: underline;\">Think before you answer, ask for more info.<\/span><\/p>\n<p>Do you really understand the question? \u00a0Is your answer going to be helpful?\u00a0Ask for clarification if the question is not clear. \u00a0Rephrase; ask for an example. 
\u00a0Try to reproduce the steps needed to come to a problem and ask for more details and documentation.<\/p>\n<p><span style=\"text-decoration: underline;\">Don\u2019t answer because you have to.<\/span><\/p>\n<p>Only answer a question because you want to help, and have the time to help. \u00a0Although the first question may seem reasonable, it might get worse very easily. \u00a0If you decide to step in to help someone, at least you\u2019ll have to try to get the asker onto the right path, and it\u2019s hard to estimate how much time you\u2019ll need for that upfront. If you do things right and understand the question well, it shouldn\u2019t be too difficult or time consuming to answer the question right away, or point the asker to the correct resources.<\/p>\n<p><span style=\"text-decoration: underline;\">Reply with a question.<\/span><\/p>\n<p>Tricky one. Some people enjoy doing this all the time, which can totally freak out people and destroy normal communication, so make sure to use this technique in specific cases only. \u00a0There certainly is a lot of value in replying with a question, provided that the question suggests a solution, or aims at getting more information. \u00a0Let\u2019s take a look at a quick example:<\/p>\n<p>Question: \u201cI ran an exploit against a target computer and the exploit says I was not able to get a reverse shell.\u201d<\/p>\n<p>Many things could be wrong with this scenario, making it hard to answer the question in just a few words. \u00a0Asking a few short questions might put the guy back at work, trying to get more details on why his procedure didn\u2019t work. You could for instance ask if both hosts are able to connect to each other. \u00a0This suggests that there might be a network related issue. It shows that you understand the individual layers involved in the act of exploiting a remote computer, and you help him use a structured approach to troubleshooting this kind of problem. 
\u00a0Asking questions about the question itself might reveal underlying reasons and motives. \u00a0Sometimes people are too embarrassed to admit something, because they can almost sense they are doing it wrong, or perhaps they know they are doing something illegal. \u00a0Asking specific questions about why they want to do something, or suggesting that they do things differently (in a way that wouldn\u2019t involve potential illegal activity), might give you some helpful information about that person and whether his intentions are legit or not. \u00a0 If someone is having problems running an exploit against a machine on the Internet, you may want to suggest that he simulate the procedure in a private lab. If the person chooses to ignore your suggestion and insists he wants to do it over the Internet, you\u2019re almost positive he\u2019s up to no good. Try to discover what the person is trying to do. \u00a0If someone asks if it would be possible to do a certain thing, ask him what he\u2019s trying to achieve. Ideally, it will force the person to explain and reveal any underlying motives.<\/p>\n<p><span style=\"text-decoration: underline;\">Be honest.<\/span><\/p>\n<p>If you\u2019re not sure about the answer, just say so. \u00a0There\u2019s nothing wrong with admitting you don\u2019t know something for sure. \u00a0Guessing is acceptable, as long as you make clear you are guessing. \u00a0It may suggest possible solutions and perhaps put the person on the right track already.<\/p>\n<p><span style=\"text-decoration: underline;\">Stimulate, don\u2019t burn.<\/span><\/p>\n<p>You can demonstrate your skills by providing a helpful answer, not by showing off, emphasizing how smart you are. 
\u00a0Based on how specific the question is, and how it reflects the level of knowledge possessed by the inquirer, you can adjust the level of detail of your answer accordingly.\u00a0If you need to explain that something is wrong or bad, don\u2019t forget to explain why it is wrong or bad and give pointers on how to avoid or fix the issue. \u00a0You don\u2019t need to answer questions in detail, as if you\u2019re reading a tutorial to them. \u00a0A gentle push in the right direction is often good enough to stimulate the learning process. \u00a0It\u2019s ok to put someone on the right path and point him to the resources he should study if he wants to make progress in the future, but don\u2019t just throw URLs at him. \u00a0If the other person understands why he needs to learn something, it will be easier to convince him to take the effort to do so.\u00a0Of course, if the same person just continues to ask questions and doesn\u2019t want to take the time to learn things properly, your answers are obviously not going to help anymore, and that person probably doesn\u2019t want to be helped. \u00a0He just wants someone to do the work for him. \u00a0In that case, there\u2019s no value in trying. Wait until the person has figured out he needs to work for it, and ignore him until he proves it.<\/p>\n<p><span style=\"text-decoration: underline;\">Language.<\/span><\/p>\n<p>English is an important language in international IT or Infosec communities. \u00a0However, that doesn\u2019t mean everybody is a native English speaker or even remotely close to that. \u00a0The use of common and universal terminology is perfectly fine, but try to keep your sentences as simple as possible. We don\u2019t want to make the poor guy suffer more than necessary, do we? \u00a0 If you notice during the conversation that the other guy didn\u2019t really understand your answer, challenge him and verify that he understood what you said. 
\u00a0Try to figure out if it\u2019s a language issue or knowledge issue. If it\u2019s the first time both of you are talking, it might be acceptable to just ask the asker if he understood what you said, so you can adjust your vocabulary if needed. See if you can give an example to clarify, or just ask a question about your explanation. \u00a0If you\u2019re in a kind mood, you could say something that would suggest that it\u2019s ok to ask more questions if needed, which should break the ice if the inquirer is a bit shy.<\/p>\n<p><span style=\"text-decoration: underline;\">Spot the troll.<\/span><\/p>\n<p>Surely, there are people with too much time on their hands, without a real life, trying to waste everyone\u2019s time by asking a combination of stupid and intelligent questions, just for the fun of it. \u00a0A small minority of these so-called trolls actually master the subtleties involved very well and might make it sound like they have a real question, and then continue to combine silly questions with good questions. \u00a0If done well, these folks might actually keep you busy for a while. Luckily, most trolls have bad ninja skills and can be easily recognized. \u00a0Wasting the time of brave volunteers and people who really want to help is not very nice. \u00a0Getting kickbanned, they should.<\/p>\n<p><span style=\"text-decoration: underline;\">Provide feedback.<\/span><\/p>\n<p>If nothing worked and you have a few moments of time, explain why a certain question or remark didn\u2019t work. Maybe the asker said something disrespectful or suggested that he doesn\u2019t really want to learn things properly. \u00a0Worst case, he\u2019ll ignore your advice and you can choose to ignore him too. \u00a0Best case, he\u2019ll learn from your feedback and approach things differently next time.<\/p>\n<p>Update: Check out <a href=\"http:\/\/xyproblem.info\/\">http:\/\/xyproblem.info\/<\/a><\/p>\n<h2>Sigh. Ok. 
Please, where to start ?<\/h2>\n<h3>Horizontal or vertical ?<\/h3>\n<p>I don't really care whether you prefer to stand up, or to lay flat when learning new things. \u00a0What I mean with the \"horizontal or vertical\" title is: should you focus on learning a broad variety of things first (horizontal), or should you dive directly into the area you're interested in (vertical)?<\/p>\n<p>Good question. \u00a0There are definitely pros and cons in both scenarios, there are more opinions than people. \u00a0Yours truly has been blessed with opinions as well, so I'll share my personal view. \u00a0 Understanding the big picture first is useful. If your goal is to become a web application pentester, it would probably make sense to learn all layers involved, ranging from operating systems, networking, web server &amp; application technologies, commonly used database platforms and common development languages. This is a big animal. \u00a0The amount of information you're interested in, usually depends on what you need. \u00a0At the same time, the better you understand how things work, the easier it will be to understand how to bend the rules. \u00a0 My recommendation is : try to understand as much as you can about the various layers first. \u00a0 Don't be impatient and dive into the nitty gritty details of finding bugs or exploiting right away. \u00a0 Especially the availability of tools will make your hands itchy and lowers the hurdles to start attacking systems right away. \u00a0Always keep in mind that tools are not magic. They simply automate things. The better you understand what they do, the easier it will be to use them. \u00a0Don't get me wrong, tools are useful. Just don't use them until you understand what they do, how to configure them, how to use them properly.<\/p>\n<p>So, I believe there is a lot of value in trying to understand the system engineering aspect of systems. \u00a0 Understand how things communicate, how things are set up, secured, operate. 
Don't overdo it either. \u00a0You don't need to be an IP expert that understands every RFC specification. \u00a0You probably need more than what you need to abuse it. You'll need enough to use it and abuse it.<\/p>\n<p>Furthermore, understand that you can take a phased approach. You don't need to be a BGP routing expert to perform web application testing. It doesn't hurt if you are, but \u00a0you can still learn it when you're ready to expand your horizon and dive into other aspects of security audits. \u00a0Be realistic in the goals you set, and try to accurately determine the prerequisites needed to get there. \u00a0Ask for multiple opinions if you're not sure and don't be afraid to learn too much rather than not enough.<\/p>\n<h3>How to learn?<\/h3>\n<p>There are many ways to learn new things, some of them are quite personal (= as in: they only work for some of you, and not for others). Some people are able to learn new things by reading a book or blog post. Some need to visualise things, and others need someone to explain things in a video or face-to-face setting. \u00a0There are solutions for every methodology. \u00a0 You can buy books or read publications online. \u00a0You can take classes (online or in real life), and you can find lots of online challenges to practise your new skills.<\/p>\n<p>There is nothing wrong with any of these approaches, as long as you understand what works best for you, so you can adapt your strategy accordingly. \u00a0 \u00a0The common aspect of all of these learning methodologies is to get practice. \u00a0Trying out things for yourself (guided or non-guided) will make it easier to remember and to eventually transform the knowledge into understanding &amp; experience.<\/p>\n<p>In any case, setting up a virtual lab environment can be extremely useful. Nowadays, virtualization technology is available for most common platforms; it's cheap\/free and allows a great deal of flexibility. 
\u00a0VirtualBox, VMware, Parallels, Xen, Hyper-V are just a few examples.<\/p>\n<p>Although this is not catch-all advice, you'll get a long way by installing a Windows and a *Nix\/Linux system. \u00a0Of course, understanding how to manage &amp; operate these systems is fundamentally important. \u00a0You don't want to spend your time fighting the tools that are supposed to support your learning experience.<\/p>\n<h3>Spoon-feeding<\/h3>\n<p>Spoon-feeding sounds like something we do to babies, right? \u00a0If you ask experienced people whether spoon-feeding is right or wrong, I bet most of them will tell you it's bad. \u00a0I believe the answer is not black &amp; white. \u00a0It depends. \u00a0First of all, we've all been spoon-fed. (Or at least most of us). \u00a0This is what our parents did when we were not able to feed ourselves. \u00a0This is what teachers do when you are entirely new to something. \u00a0This is what we should be doing to put people on the right track. \u00a0 \u00a0 We've all been told certain things to allow us to practise, get better, and get to the next phase. \u00a0There is a thin line between stimulating in a supportive way, and leaving people behind with no help whatsoever.<\/p>\n<p>In \"Leadership and the One Minute Manager - Increasing effectiveness through situational leadership II\", Ken Blanchard explains 4 different \"development levels\". \u00a0One of these levels is defined by a high commitment and low competence. \u00a0 This may be the place where you are right now. You're quite excited about learning something new, but you have no idea where to start. \u00a0For scenarios like this, some spoon-feeding can be useful. \u00a0It doesn't mean that someone else will do all of the hard work for you, but simply being told to \"go figure it out\" without giving directed pointers or hints is not useful either. \u00a0 As soon as you learn more (and become more competent), you'll discover that there is much more to learn. 
\u00a0At this point, you may find yourself becoming less committed, because you're starting to realise there is still a long road ahead (which can be quite demotivating). \u00a0This is normal too. \u00a0At this point, spoon-feeding won't help. In this case, coaching is more appropriate. \u00a0Asking the right questions will force people to think, to apply the knowledge they already have, and look for answers. \u00a0If they're stuck after all, and have no way to discover answers themselves, perhaps it's time to take one step back and get some detailed help after all. \u00a0 So - please be careful when being negative about spoon-feeding. \u00a0The situation (development level) determines whether it's the right approach or not.<\/p>\n<h2>Anything else?<\/h2>\n<p>No, not really. \u00a0Thanks for asking. \u00a0Time to start drawing the tree that will become your journey.<\/p>\n<h3>1. Networking &amp; operating systems<\/h3>\n<p>I would suggest to start by learning how systems work and communicate. \u00a0Try to get a good understanding of TCP\/IP, OSI layers, ephemeral &amp; server ports, routing, port forwarding, NAT, firewalling, etc. \u00a0 You'll need it when trying to connect to targets, you'll need it to use tools, and you'll need it to configure your environment to allow your security audits to be successful.<\/p>\n<p>You'll also need to be able to manage &amp; operate common operating systems. \u00a0Together with networking, this should be your primary starting point. \u00a0Most of us are familiar with one operating system, but it \"doesn't hurt\" (=understatement) to understand how to use and configure both Windows and Linux\/Unix. \u00a0You should become fluent in setting up networking configurations, basic security features &amp; implementations, using both command line utilities and GUI tools. 
\u00a0Start to use these systems as your main desktop, use them on a daily basis in order to force yourself to become familiar with them.<\/p>\n<p>I know, I know, you'd like to start attacking systems right away, without spending too much \"overhead\", right? I fully understand that it sounds very exciting to start using portscanners or other tools right away, but what's the point in using the tools if you don't know what the output of the tools means? \u00a0Even worse, you could easily cause damage if you don't know what you're doing.<\/p>\n<h3>2. Multi-purpose resources<\/h3>\n<p>Next, try to get a broad understanding of the attack landscape. \u00a0 Maybe you already made up your mind about becoming a web application pentester, but it still doesn't hurt to understand what else is out there. \u00a0 There are many resources on this topic, but I decided to list the most important ones (at least the ones that cover a wide spectrum of skills):<\/p>\n<ul>\n<li><a href=\"https:\/\/www.nostarch.com\/pentesting\">A hands-on introduction to hacking<\/a><\/li>\n<li><a href=\"http:\/\/www.amazon.com\/Hacking-Ethical-Hackers-Handbook-Edition\/dp\/0071832386\">Grey Hat Hacking - The Ethical Hackers Handbook<\/a><\/li>\n<li><a href=\"http:\/\/www.amazon.com\/Hacking-Exposed-Network-Security-Solutions\/dp\/0071780289\">\"Hacking Exposed\" series<\/a><\/li>\n<li><a href=\"http:\/\/www.amazon.com\/Professional-Penetration-Testing-Second-Edition\/dp\/1597499935\">Professional Penetration Testing<\/a><\/li>\n<\/ul>\n<p>(If you feel an important resource is missing, let me know. \u00a0Oh, and to the publishers\/authors: if you would like to provide our readers with a discount coupon code, please contact me \ud83d\ude42 )<\/p>\n<p>Aside from getting a better view on the landscape, you'll learn a few things about pentesting methodologies &amp; approaches, including the difficult art of translating technical findings into something a customer or business can use and understand. 
\u00a0Being a pentester does involve paperwork too. Just sayin'. \u00a0 \u00a0 Again, apply the true hacker mindset. \u00a0Break stuff because you want to make it better, not because you want to break it. \u00a0Without truly trying to \u00a0\"make things better\" in reality, you're just a breaker. \u00a0(So - don't complain about mistakes others made. Think &amp; fix. Add value. Learn how to secure, harden and protect as well.)<\/p>\n<h3>3. Scripting &amp; Tools<\/h3>\n<p>No matter how long you look at it, you'll end up using scripts and tools that automate certain things. \u00a0You may even want to change existing tools or write your own to make your life easier. After all, that's what scripts are for. \u00a0They are a tool, not a goal. \u00a0 Becoming familiar with scripting languages such as python and ruby is a must. \u00a0You don't need to be an expert, you'll get better as you start to use them. \u00a0Understanding some C \/ C++ can be useful too, as some people tend to write tools in lower-level languages (mostly for performance reasons). \u00a0In any case, understanding what a tool does is more important than writing your own. \u00a0Writing your own can be useful, because it proves that you understand what needs to be done.<\/p>\n<p>This is probably a good time to start using a so-called \"penetration distro\", a pre-configured system that contains a large series of security assessment tools. \u00a0Trying to create your own system from scratch can be helpful, it's also time consuming and probably not necessary until you fully master the ones that already exist. \u00a0Kali Linux is one of the most commonly used\/popular distributions. It has a large userbase and is well supported by most tool developers.<\/p>\n<p>In addition to the more attacker-oriented tools, it's also a good idea to expand your lab environment and include local and online systems that are designed to be vulnerable, allowing to test your knowledge, using the tools available. 
\u00a0If you're into web application security, a good place to start is <a href=\"https:\/\/www.pentesterlab.com\/exercises\">https:\/\/www.pentesterlab.com\/exercises<\/a>\u00a0or\u00a0<a href=\"http:\/\/www.amanhardikar.com\/mindmaps\/PracticeUrls.html\">http:\/\/www.amanhardikar.com\/mindmaps\/PracticeUrls.html<\/a>. \u00a0You'll find more links on the websites listed below.<\/p>\n<h3>4. Dive deeper<\/h3>\n<p>Only when you're ready, pick the target or targets you want, and create a realistic action plan to achieve the goal. Some topics will take days, others will take weeks, months, maybe years to understand. \u00a0 Take your time, one step at a time. \u00a0For each type of target, you'll find specific resources (books, online publications, classes, virtual labs, etc).<\/p>\n<p>Some good resources include the websites listed here:<\/p>\n<ul>\n<li><a href=\"https:\/\/code.google.com\/p\/pentest-bookmarks\/wiki\/BookmarksList\">https:\/\/code.google.com\/p\/pentest-bookmarks\/wiki\/BookmarksList<\/a><\/li>\n<li><a href=\"http:\/\/www.vulnerabilityassessment.co.uk\/Penetration%20Test.html\">http:\/\/www.vulnerabilityassessment.co.uk\/Penetration%20Test.html<\/a><\/li>\n<li><a href=\"http:\/\/wiki.securityweekly.com\/wiki\/index.php\/Penetration_Testing_Tips_&amp;_Tricks\">http:\/\/wiki.securityweekly.com\/wiki\/index.php\/Penetration_Testing_Tips_&amp;_Tricks<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/enaqx\/awesome-pentest\">https:\/\/github.com\/enaqx\/awesome-pentest<\/a><\/li>\n<li><a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Testing_Guide_v3_Table_of_Contents\">https:\/\/www.owasp.org\/index.php\/OWASP_Testing_Guide_v3_Table_of_Contents<\/a><\/li>\n<li><a href=\"http:\/\/www.dfir.org\/?q=node\/8\">http:\/\/www.dfir.org\/?q=node\/8<\/a><\/li>\n<li><a href=\"https:\/\/www.owasp.org\/index.php\/The_OWASP_Testing_Framework\">https:\/\/www.owasp.org\/index.php\/The_OWASP_Testing_Framework<\/a><\/li>\n<li><a 
href=\"http:\/\/www.pentest-standard.org\">http:\/\/www.pentest-standard.org<\/a><\/li>\n<\/ul>\n<p>(Don't forget to ask questions as you work your way through resources &amp; materials.)<\/p>\n<p>Although I encourage everyone to find their own area of expertise, if you are serious about becoming a professional pentester, you will have to learn a thing or two about web application security. After all, a lot of companies use web application services to serve applications to their employees, customers, partners, suppliers, etc. \u00a0Since web applications need to be exposed to the outside world in a lot of cases, they are also an important target (and a way in for criminals). \u00a0 Understanding how HTTP works, how web applications are developed, secured, and how underlying database platforms work, will make up a big part of the journey. \u00a0 Your mission, if you choose to accept it, is to find the dependencies and prerequisites that are required to dive deeper into the area you would like to focus on, and to translate those into an action plan. \u00a0Again, simply ask questions whenever needed.<\/p>\n<h3>5. Listen, engage, help<\/h3>\n<p>Use social media to follow influencers, people that have inspired others, and just more experienced people in general. \u00a0Engage with people, be nice. Ask questions and help as you learn.<\/p>\n<p>If you have the opportunity to attend Infosec conferences\/seminars: please do so. \u00a0It's a great way to meet more experienced people and talk with them. Ask them what they are working on. Share what you are doing and ask for tips. \u00a0Ask them who they look up to, or were inspired by and check them out too. \u00a0Become part of the community. \u00a0(Oh btw - conferences are great places to find a new job too)<\/p>\n<p>Open a website\/blog, share your findings. Sure, you may not be the first person to go a particular road... but you won't be the last either. 
\u00a0Environments &amp; technology change, so as you apply your newly acquired knowledge, try to keep track of your progress &amp; document how it applies to latest technology. \u00a0In fact, you'll probably end up taking notes as you learn anyway. \u00a0You might as well structure them and put them online for others to see. \u00a0Potential employers may not be so interested in *what* you post, but rather focus on how you structure your notes, your thoughts, and your potential innovative approach to things. \u00a0\u00a0Make your work visible and teach it to others.<\/p>\n<p>Don't be afraid to make mistakes. You'll get there. All it needs is time and efforts.<\/p>\n<p>Good luck.<\/p>\n<h3>6. Don't be stupid<\/h3>\n<p>Unless you're attacking your own system, or you have obtained proper permission to do so, attacking a system (on a network, locally, physically, etc) is a crime. \u00a0Don't be stupid.<\/p>\n<h2>What's next?<\/h2>\n<h3>What to consider when trying to get a job as pentester<\/h3>\n<p>In all honesty, it may not be so easy to break into information security and get a job as a pentester. \u00a0In fact, it's pretty hard to get into that area professionally (unless you have a desire and business plan that justifies becoming self employed). \u00a0In general, companies tend to prefer hiring experienced pentesters. \u00a0After all, most companies want to get \"return on investment\" as fast as possible, which means they don't really want to invest too much time in training you and becoming more experienced first before they can rely on you to take on assignments.<\/p>\n<p>Not all is lost though. Some companies may offer (summer) internships or may give junior profiles a break... but nothing beats experience. \u00a0Agreed, it sounds like a catch22 situation. 
\u00a0 I guess the key is to find a way to gain more \"experience\", or \"credible ability\".<\/p>\n<p>You can gain experience by playing CTFs, by testing your skills in simulated environments and\/or by getting certified. \u00a0Becoming an \"Offensive Security\" certified penetration tester or passing SANS exams can be a good investment, as it is well regarded in the industry... and there are certainly other similar \"titles\" you can earn while you're at it. \u00a0I agree, proven experience\/knowledge is more important than a title (and some titles don't even guarantee knowledge), but unfortunately you may not be able to get a seat at the job interview table without a title in the first place.<\/p>\n<p>So, to encourage companies to speak up, I decided <a href=\"https:\/\/twitter.com\/corelanc0d3r\/status\/653780747682226176\">to tweet this<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left;\" title=\"Screen Shot 2015-10-13 at 06.22.47.png\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-13-at-06.22.47.png\" alt=\"Screen Shot 2015 10 13 at 06 22 47\" width=\"582\" height=\"183\" border=\"0\" \/><\/p>\n<p>so... if you're reading this post and you work at a company that is willing to hire (relatively) inexperienced pentesters (at least, without a lot of professional experience), please let me know (i.e. get me a formal statement, a link to your website that contains more information) and I'll add the link to this post. \u00a0 If you have a (summer) internship program, please let me know too. \u00a0Any help is much appreciated.<\/p>\n<p>In fact, I strongly believe that companies tend to underestimate the true power of having a junior profile in the team. 
\u00a0Benefits include a fresh view on challenges (fresh = less impacted by routine), pushing everyone to stretch their comfort zones, and encouraging senior profiles to share their knowledge and experience. \u00a0Everybody wins.<\/p>\n<p>So far, the following people\/companies responded &amp; allowed me to post a link here (or tweeted their policy on the matter):<\/p>\n<h4>Europe<\/h4>\n<ol>\n<li><a href=\"https:\/\/twitter.com\/jayabaloo\/status\/653810805671133184\">KPN \/\/ the Netherlands<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/0x79\/status\/653811731186253824\">ERNW \/\/ Germany (internships)<\/a>\u00a0: ernw.de \/ info@ernw.de<\/li>\n<li><a href=\"https:\/\/twitter.com\/tillomirtillo\/status\/653826556096331777\">Kyos \/\/ Switzerland (internships)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/Air_Loren\/status\/653829504671031296\">NetXP \/\/ Paris, France (junior\/interns)<\/a>\u00a0: netxp.fr \/\u00a0recrutement@netxp.fr<\/li>\n<li><a href=\"https:\/\/twitter.com\/crisp0r\/status\/653913647958335488\">Nettitude \/\/ UK &amp; USA (interns)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/arnaudsoullie\/status\/653886667712016385\">Solucom \/\/ Paris, France (juniors\/interns)<\/a> : solucom.net\/careers<\/li>\n<li><a href=\"https:\/\/twitter.com\/edgescan\/status\/653970318831288320\">EdgeScan \/\/ Ireland <\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/cengizhansahin\/status\/653982180008402944\">Securify \/\/ the Netherlands (Juniors)<\/a> : https:\/\/www.securify.nl\/jobs<\/li>\n<li><a href=\"http:\/\/www.toreon.com\">Toreon \/\/ Belgium<\/a> : https:\/\/www.toreon.com\/category\/news\/ - https:\/\/twitter.com\/toreon_BE<\/li>\n<li><a href=\"https:\/\/www.eset.com\/nl\">ESET \/\/ The Netherlands (Sliedrecht)<\/a> : donny@eset.nl<\/li>\n<li><a href=\"https:\/\/twitter.com\/OzwaldFR\/status\/654236651506540545\">Cogiceo<\/a> \/\/ Paris, France (internships):\u00a0http:\/\/www.cogiceo.com\/fr\/carrieres\/<\/li>\n<li>\u00a0<a 
href=\"https:\/\/twitter.com\/z0mbi3\/status\/654222069027196928\">7Elements<\/a>\u00a0(UK)<\/li>\n<li><a href=\"https:\/\/www.thesecurityfactory.be\/\">TheSecurityFactory<\/a> \/\/ Belgium : junior profiles -\u00a0\u00a0@securityfactory \u00a0<a href=\"mailto:Info@thesecurityfactory.be\">info@thesecurityfactory.be<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/CERTXMCO\/status\/654275971135238144\">CERT-XMCO<\/a> \/\/ Paris, France (junior\/intern) -\u00a0recrutement@xmco.fr -<a href=\"https:\/\/www.xmco.fr\/recrutement\/\">https:\/\/www.xmco.fr\/recrutement\/<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/paulpols\/status\/654532672937717760\">Fox-IT<\/a> \/\/ the Netherlands (junior profiles) - vacatures@fox-it.com<\/li>\n<li>Madison Gurkha \/\/ the Netherlands (junior profiles)<\/li>\n<li><a href=\"https:\/\/twitter.com\/sc_carrere\/status\/654589079842111488\">Intrinsec \/\/ Paris, France (junior &amp; interns, pentesting\/SOC)<\/a> : https:\/\/www.intrinsec.com\/fr\/form\/rejoignez-nous-securite-informatique.html\u00a0<\/li>\n<li><a href=\"http:\/\/kudelskisecurity.com\">Kudelski Security \/\/ Switzerland (junior \/ interns)<\/a> - @KudelskiSec<\/li>\n<li>MDSec \/\/ UK (junior\/interns) -\u00a0<a href=\"https:\/\/www.mdsec.co.uk\/\">https:\/\/www.mdsec.co.uk\/<\/a><\/li>\n<li><a href=\"http:\/\/www.ey.com\/BE\/en\/Careers\">EY (Ernst &amp; Young)<\/a> \/\/ Belgium (junior profiles) - http:\/\/www.ey.com\/BE\/en\/Careers - oana.butnariu@be.ey.com<\/li>\n<li><a href=\"https:\/\/twitter.com\/erikremmelzwaal\/status\/654653476568350721\">DearBytes<\/a> \/\/ The Netherlands (junior\/intern) - personeelszaken@dearbytes.nl<\/li>\n<li><a href=\"https:\/\/twitter.com\/twelvesec\/status\/654803228027031552\">TwelveSec<\/a> \/\/ all over Europe (junior)<\/li>\n<li><a href=\"https:\/\/twitter.com\/DavidGueluy\/status\/656086552095780864\">Stormshield<\/a> \/\/ France (junior) -\u00a0https:\/\/www.stormshield.eu\/stormshield\/carrieres\/<\/li>\n<li><a 
href=\"https:\/\/twitter.com\/TBeyens\/status\/656152551344181249\">NViso<\/a> \/\/ Belgium (junior profiles) -\u00a0https:\/\/nviso.be\/hello\/jobs<\/li>\n<li><a href=\"https:\/\/twitter.com\/DezeStijn\/status\/658575859738157056\">PwC<\/a> \/\/ Belgium (junior profiles) - <a href=\"http:\/\/careers.pwc.be\">http:\/\/careers.pwc.be<\/a><\/li>\n<li>Northwave \/\/ Netherlands (junior profiles) - <a href=\"https:\/\/www.northwave.nl\/jobs\">https:\/\/www.northwave.nl\/jobs<\/a>\u00a0<\/li>\n<li><a href=\"https:\/\/twitter.com\/voodoogeek\/status\/699112011272212480\">Infoguard.ch<\/a> \/\/ Switzerland (juniors in infosec (SOC Operators, Security Analysts, Security Engineers, Pentesters)) - <a href=\"https:\/\/infoguard.ch\/de\/home\/\">https:\/\/infoguard.ch\/de\/home\/<\/a> - umberto.annino (at) infoguard.ch<\/li>\n<li><a href=\"http:\/\/www.scip.ch\">www.scip.ch<\/a> \/\/ Switzerland (junior profiles) - stfr (at) scip.ch<\/li>\n<li><a href=\"https:\/\/www.sba-research.org\/about\/jobs\/\">SBA Research<\/a> \/\/ Austria (Junior Researchers)<\/li>\n<\/ol>\n<h4>USA<\/h4>\n<ol>\n<li><a href=\"https:\/\/twitter.com\/jmcmurry\/status\/653834643284738048\">Milton Security \/\/ USA (junior positions for recent Veterans, internships)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/jeremiahblatz\/status\/653906660650557440\">NCC Group \/\/ USA (junior positions)<\/a> : https:\/\/www.nccgroup.trust\/us\/about-us\/careers\/security-consulting-careers\/ - careers-na@nccgroup.trust<\/li>\n<li><a href=\"https:\/\/twitter.com\/adi1391\/status\/653914443139579905\">Attifyme (Remote security internships on Mobile &amp; IoT)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/dewzi\/status\/653956917560127488\">SalesForce \/\/ US (summer internships for BS\/MS students)<\/a> : http:\/\/salesforce.careermount.com\/candidate\/job_search\/advanced\/results\/1?sort_dir=desc&amp;industry=5571&amp;sort_field=post_date<\/li>\n<li><a 
href=\"https:\/\/twitter.com\/Digital4rensics\/status\/653969510807019520\">iSIGHT Partners \/\/US (interns)<\/a><\/li>\n<li>MWR Infosecurity (UK, SA, SG, UAE &amp; US (soon)) - interns\u00a0\/\/ <a href=\"https:\/\/www.mwrinfosecurity.com\/careers\">careers<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/rootHak42\/status\/653981157634244608\">ISE (interns) <\/a> : https:\/\/twitter.com\/lisa_a_green<\/li>\n<li><a href=\"https:\/\/studentcareers.linkedin.com\/internships\">LinkedIn Internships<\/a><\/li>\n<li>YearUp<\/li>\n<li><a href=\"https:\/\/twitter.com\/egru\/status\/654010168116576256\">NetSPI<\/a>\u00a0:\u00a0https:\/\/www.netspi.com\/about\/careers\/featured-current-openings<\/li>\n<li><a href=\"https:\/\/www.facebook.com\/careers\/university\/internships\/engineering?__mref=message_bubble\">Facebook (Internships)<\/a><\/li>\n<li><a href=\"https:\/\/www.facebook.com\/careers\/university\/fbu?__mref=message_bubble\">Facebook University (FBU)<\/a><\/li>\n<li>Blackbird Technologies : mkaplan@blackbirdtech.com<\/li>\n<li><a href=\"https:\/\/twitter.com\/apiary\/status\/654048849082908672\">Veracode (entry level people)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/hacks4pancakes\/status\/654122157950246912\">Motorola Solutions (entry level SOC analysts\/interns)<\/a><\/li>\n<li><a href=\"http:\/\/hire.jobvite.com\/CompanyJobs\/Careers.aspx?k=JobListing&amp;c=qLB9Vfwa&amp;v=1\">GuidePoint Security (junior\/intern)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/lunarca_\/status\/654154169947934724\">Bishop Fox\u00a0(internships)<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/TenableCareers\/status\/654278791024496640\">Tenable<\/a>\u00a0(summer interns): <a href=\"http:\/\/www.tenable.com\/careers\">http:\/\/www.tenable.com\/careers<\/a><\/li>\n<li><a href=\"https:\/\/www.cyberpointllc.com\/\">CyberPoint<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/jeremiahg\/status\/654453947676102656\">WhiteHat Security<\/a>\u00a0(junior\/intern)<\/li>\n<li><a 
href=\"https:\/\/twitter.com\/EricStride\/status\/699038813629214721\">root9B<\/a> \/\/ USA (junior devs) - <a href=\"https:\/\/www.root9b.com\/careers\">https:\/\/www.root9b.com\/careers<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/lhausermann\/status\/654219695508332544\">Sentryo<\/a> (junior\/internship)<\/li>\n<li><a href=\"\">BlueCanopy<\/a> (junior profiles) - http:\/\/www.bluecanopy.com\/category\/pages\/careers<\/li>\n<\/ol>\n<h4>Russia<\/h4>\n<ol>\n<li><a href=\"https:\/\/twitter.com\/homakov\/status\/653970964087238657\">SakurityNetwork \/\/ Russia (Juniors)<\/a> : http:\/\/sakurity.com\/jobs<\/li>\n<\/ol>\n<h4>Various locations<\/h4>\n<ol>\n<li><a href=\"http:\/\/www.ioactive.com\/\">IOActive \/\/ various locations (Juniors\/Interns)<\/a> : careers@ioactive.com<\/li>\n<li><a href=\"https:\/\/twitter.com\/_samdb_\/status\/653966072677289984\">MWRLabs \/\/various locations (juniors\/interns)<\/a><\/li>\n<li><a href=\"https:\/\/www.google.com\/about\/careers\/\">Google<\/a> \/\/ various locations (Juniors\/ Interns)<\/li>\n<\/ol>\n<p>(Check out the Twitter thread, there may be some other companies that haven't agreed on posting a link yet, or just don't want me to post a link here).<\/p>\n<p>Warning: Before getting too excited &amp; sending messages to all of the above, think about it for a moment. \u00a0These companies won't have unlimited seats. \u00a0They're not looking forward to processing millions of applications either. \u00a0Be creative. What will you do to make sure your profile will get the attention it deserves? What added value will you bring to the company? \u00a0Put in some effort, make sure your message stands out amongst the others.<\/p>\n<p>Also, please keep in mind that the offers may be limited in time and number of people. \u00a0On the other hand, there may be other companies out there that might want to give you a break. \u00a0Use social media, use your network.
\u00a0Don't give up.<\/p>\n<p>Finally, don't contact me to help you find a job. I am not a recruiter, and don't want to become a middle man either. I'd like to encourage companies to speak up and for you to take some initiative too. \u00a0You can do this. \u00a0Be smart.<\/p>\n<h3>What to expect as part of your life as a pentester<\/h3>\n<p>Well... I don't know, I'm not a pentester \ud83d\ude42 ... but I wouldn't expect to be able to hide in a basement for years. \u00a0Depending on your geographical location and your customer base, you'll probably end up having to travel to clients, have meetings (remote, on location), write reports, articulate technical findings into actionable information, present findings, work with clients to fix issues ...<\/p>\n<p>Exciting times ahead! \ud83d\ude42<\/p>\n<h3>Reddit<\/h3>\n<p>Reddit has some threads related to infosec and hiring:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.reddit.com\/r\/netsec\">https:\/\/www.reddit.com\/r\/netsec<\/a> \u00a0(Infosec related topics)<\/li>\n<li><a href=\"https:\/\/www.reddit.com\/r\/netsec\/comments\/3n5qne\/rnetsecs_q4_2015_information_security_hiring\">https:\/\/www.reddit.com\/r\/netsec\/comments\/3n5qne\/rnetsecs_q4_2015_information_security_hiring<\/a> (quarterly hiring thread, link changes every quarter). \u00a0Some companies will hire junior profiles from that thread.<\/li>\n<\/ul>\n<h2>Outro<\/h2>\n<p>I am certainly not the only person who would like to share a view on getting a job in infosec.
\u00a0In fact, <a href=\"https:\/\/twitter.com\/hacks4pancakes\">hacks4pancakes<\/a> posted an article which pretty much deals with the same topic (but maybe presents a different\/new angle): <a href=\"http:\/\/tisiphone.net\/2015\/10\/12\/starting-an-infosec-career-the-megamix-chapters-1-3\/\">http:\/\/tisiphone.net\/2015\/10\/12\/starting-an-infosec-career-the-megamix-chapters-1-3\/<\/a>\u00a0 \u00a0 Go check it out, I believe our posts complement each other well.<\/p>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Intro I receive a lot of emails. \u00a0(Please don't make it worse, thanks!) \u00a0 Unfortunately I don't have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our forums or our IRC channel (#corelan on freenode), hoping that other members &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2015\/10\/13\/how-to-become-a-pentester\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"How to become a pentester\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3592,127,2394],"tags":[],"class_list":["post-10856","post","type-post","status-publish","format-standard","hentry","category-penetration-testing","category-security","category-webapp-security"],"yoast_head":"<!-- This site is optimized with the Yoast 
SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Becoming a Pentester: Practical Path to Security Testing<\/title>\n<meta name=\"description\" content=\"Becoming a Pentester offers a practical roadmap to start a career in penetration testing, focusing on process and ethics. Begin your journey today.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2015\/10\/13\/how-to-become-a-pentester\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Becoming a Pentester: Practical Path to Security Testing\" \/>\n<meta property=\"og:description\" content=\"Learn actionable steps to start a pentesting career and join a thriving security community.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2015\/10\/13\/how-to-become-a-pentester\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2015-10-13T12:30:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-13-at-06.22.47.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Path to Pentesting: How to Become a Pentester\" \/>\n<meta name=\"twitter:description\" content=\"Get practical guidance to begin your pentesting journey and connect with Corelan\u2019s security community.\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script 
type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"How to become a pentester\",\"datePublished\":\"2015-10-13T12:30:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/\"},\"wordCount\":10042,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2015\\\/10\\\/Screen-Shot-2015-10-13-at-06.22.47.png\",\"articleSection\":[\"Penetration testing\",\"Security\",\"Web Application Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/\",\"name\":\"Becoming a Pentester: Practical Path to Security 
Testing\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2015\\\/10\\\/Screen-Shot-2015-10-13-at-06.22.47.png\",\"datePublished\":\"2015-10-13T12:30:35+00:00\",\"description\":\"Becoming a Pentester offers a practical roadmap to start a career in penetration testing, focusing on process and ethics. Begin your journey today.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2015\\\/10\\\/Screen-Shot-2015-10-13-at-06.22.47.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2015\\\/10\\\/Screen-Shot-2015-10-13-at-06.22.47.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2015\\\/10\\\/13\\\/how-to-become-a-pentester\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to become a pentester\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan 
publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","views":120479,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/10856","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=10856"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/10856\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=10856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=10856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=10856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}