The Journey of Penetration Testing

November 28, 2016


I just wanted to give you an overview of how one can become a Penetration Tester. I’m not gonna talk about career opportunities here, since I believe a security enthusiast will always be passionate about information security and have a sense of how networks and systems work. So, this article will shed some light for Quality Assurance engineers, Test Automation engineers, and enthusiasts who dream of starting their journey to becoming a Penetration Tester.

Penetration Testing is the practice of testing a system, network, or web application to find the vulnerabilities an attacker could exploit, or the loopholes in the system an attacker could sift through. Most organizations hire penetration testers to be a part of their internal security teams, where they can test products or systems for exploitable security flaws and assure security.
Often people ask me how to start. I know, this is the hardest part of all, as it is quite tricky to find a source to kick off from the basics, although there exist tons of books and other sources which will teach you how to perform penetration testing and web application testing. I will start with a few cornerstones and the essential skills required. I know it may feel a bit uncertain when you start reading, but this is to set realistic expectations of what one would expect from a security analyst, in my own view. Don’t be discouraged if you don’t have all the essential skills I’ve listed here; rather, pop the hood and start learning them.

Networking Knowledge

One should gain knowledge of networking concepts. When I say networking concepts, it’s not just learning the protocols or the OSI model. One should learn or get familiar with routers and switches, and with how systems, load balancers, firewalls, and caching servers work, since we may use many tools or an operating system to test network security and run audits, for example Wireshark, Network Security Toolkit, and so on. There are quite a few books, vlogs, and blogs out there for you to start with. I will share essential topics to learn in the next post soon.


Learn Programming

I would say programming is something that you should not neglect. I can imagine the novice’s face, but to overcome stumbling blocks you need to learn programming. Maybe you can start with C, C++, HTML, JavaScript, Python, Java, or C#. Choose any one initially. Don’t be a “jack of all trades”. I would suggest that if you are a “wannabe” web application penetration tester, then you must know HTML, JavaScript, and a C/Java/C# language. Having said that, you can learn from YouTube or some other sources.


Linux Fundamentals

If you really would like to love whatever you do, then you must learn Linux fundamentals. It’s not only fun but also very important in this field. We often use Linux operating systems. Moreover, operating systems like Kali Linux, BackTrack, and Parrot Security OS are Linux based. It’s not so hard to learn Linux commands. In fact, I have learned from Tecmint and a few other sites. I would also suggest that you practice on a Linux OS rather than Windows. You can find many e-books with a simple Google search.


Good knowledge of Databases & APIs

For a web application penetration tester, this is one of the essential skills required. So better learn MySQL or SQL Server. To test for SQL injections or enumerate databases, you need to be adept in Structured Query Language. You also need to know basic HTTP concepts like Request, Response, GET, POST, etc.

Security Concepts, Methodologies & Technologies

Just learning the above-mentioned skills and diving into the system to break things might not help. Of course, if you’re doing so, then you shouldn’t be called a “White Hat Hacker”, nor should you be called a “security analyst”. As a Penetration Tester, you should know the process to be followed to conduct testing. You need to adopt a methodology like the Open Web Application Security Project (OWASP) or the Information Systems Security Assessment Framework (ISSAF). As a web application penetration tester, you need to know the OWASP Top 10 vulnerabilities and the CWE/SANS Top 25. We will talk about that in another post on web application penetration testing. Having said that, one should always be eager to know the latest technologies, remedies, vulnerabilities, etc. I would say, just keep on updating yourself.

Build your own Pentesting Lab

Just watching tons of videos or reading blogs doesn’t help you. Pull your socks up and practice: you need to set up an environment on VirtualBox or VMware, which would be safe for testing the dummy vulnerable applications. It would be fun to start off with Kali Linux or Parrot Security OS, since they have many applications built in. But keep in mind, you need to secure your own network first of all; don’t bat an eye. Install VMware, then install operating systems like Kali Linux or Parrot Security OS from ISO files. Just Learn By Doing.


Get familiar with Penetration testing tools

I won’t say that we can perform penetration testing just by using tools. Many tools may give you false positives. So I would say, do not rely on any one specific tool. For web application penetration testing you may find a lot of tools in the market. Tools like Nmap, Nessus, OpenVAS, Burp Suite, OWASP ZAP, sqlmap, Nikto, XSSer, Metasploit, and several more help you with vulnerability assessment in no time. But before employing the tools, you must know the above-mentioned concepts.
I don’t want you to get crammed. Beyond the above-mentioned skills, to excel and to be a security expert you need to learn a lot more concepts, like Cloud Computing, Threat Modeling, Wireless Network Security, Mobile Penetration Testing, Cryptography, Malware Analysis, Reverse Engineering, Network Monitoring, and Forensics. Learning languages like Bash, Ruby, Perl, and Assembly makes you an expert.

Change your Mindset

*Always accept the challenge
*Have patience, don’t give up easily
*Do not get disappointed when you have lesser skills
*Think of more robust solutions, think out of the box, think of possible ways
*By learning how a hacker thinks and acts, you will protect yourself from attacks
*Always keep learning something new, try to code, try to build your own exploits
*Get notified about trending vulnerabilities, viruses, trojans, malware, etc.
*Promote security awareness in the company
*Do not practice on applications for which you have no rights
*Do not threaten people, you’re not a hacker
*Remember again that Penetration testing is not ‘hacking’
*Don’t just do it for the sake of doing it or for certifications
*Analyze security breaches to determine their root cause


  1. I wouldn’t parrot, I have been using it for a while now, a lot many tools are missing in Parrot. Yes, it does have a lot many tools, but many useful tools are missing from it. Second thing is that learning all those programming languages isn’t necessary to be a pentester; one must have the basic understanding and the logic they use. But I will definitely recommend the people to have a good knowledge about Linux and its security evaluating distros, because Kali itself is a most powerful tool. Article is good.
    Cheers mate.

    • Thanks Ankur,

      Yea, I do agree, we don’t need to learn all those languages, but I would recommend to learn or get expertise in any language which helps you in source code review. As a PenTester, we should also be able to elucidate the issue with a remedy. As an application pentester, I often review the source code manually and with tools/plugins. Major issues like buffer overflows could be detected when you tandem

      I’m really curious to know the tools which were missing in Parrot Sec OS
