Learning Path To Become a Pentester

The Offensive Labs
4 min read · Feb 21, 2022

Getting into cybersecurity is quite an adventure. It may look fascinating and convincing to many ordinary people; however, it requires a lot of hard work, patience, and continuous learning of the technical details of whatever application you end up working on. To become a hacker, or to be more precise, to become a Pentester, is something that many newbies look forward to.

This article will start with comprehending the learning paths that need to be followed to become a Pentester.

As it is always said — Clear Your Basics. The first step always starts with clearing out your basics. The base of your learning has to be very strong, and this forms a strong pillar for getting into penetration testing. One should be very clear about the reasons for having security. Data is a massive thing in today’s internet world, and an organization has to take all the security measures necessary to keep its data safe. Understanding the CIA (Confidentiality, Integrity, Availability) Triad helps you get acquainted with the whys of security for an application.

There are several topics that a security enthusiast should be acquainted with. They are networking, OS, Protocols, Basic programming, Linux, Google Hacking Database, to name a few. These will be required in any domain you wish to be moving to for performing penetration testing — be it a web application, mobile application, hardware, IoT, Blockchain, DevSecOps, and many more.

For a beginner, it is imperative to read about different kinds of vulnerabilities and the attack scenarios that are very common. For starters, the individual can go through the old attack scenarios, first of all theoretically, to understand the flow. Once the individual has clarity on the theoretical concepts, they can solve some intentionally vulnerable applications. It is crucial to remember that a penetration tester finds the flaws and then the vulnerabilities of an application and should be able to exploit it.

Not every individual is aware of the kind of applications they want to be working on. And also, not every individual can learn all the aspects of every application present. What is required at this stage is to explore more, read more and find your area of interest. It will, of course, be very vague in the beginning. Still, you can always follow the process of elimination. Once you are well acquainted with basics at a reasonable level, start eliminating the domains you are not interested in. This will help you focus on your area of interest more. Even if you don’t figure out your area of interest at this stage, that is completely fine. You can keep exploring. And while studying, use your theoretical knowledge to perform hands-on attacks on vulnerable applications.

You can always start with solving labs readily available on platforms like Hack The Box, TryHackMe, RootMe, Vulnhub, and more. Walkthroughs for them are also available. You can start by reading the walkthroughs, but then solve the machines independently. While going through a walkthrough, try to understand how and why the attacker followed the given steps. You need to learn how to google correctly to clear your doubts. The Google Hacking Database is one platform that can give you immense knowledge about a vulnerability and the corresponding exploit; it is a go-to resource for a penetration tester. While solving a lab, try to learn both the manual and the tool-based approach. You can try to write your own scripts while going through the walkthroughs. This will give you more ideas on the subject, and gradually you will start getting acquainted with the work.

At this stage, you may be aware of the kinds of vulnerabilities, the attack scenarios, the exploits, and all the other methodologies. Still, a penetration tester also knows which test cases apply to a specific application. The individual should ask themselves why only certain vulnerabilities are worth testing against an application even though many different vulnerabilities exist. For example, if an application uses NoSQL, there is no point in trying typical SQL injection test cases against it. And how do we find this out? The individual should perform a lot of enumeration before running any test scenario. This is the very first and most crucial step in penetration testing. They should know which technologies run the application, and based on that, choose the test cases accordingly. The individual should understand how the application works at every level, as far as possible.
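As an added illustration of the enumeration step above (this is example code, not the article's own material): a small fingerprinting routine that reads constructed HTTP response headers, infers the stack, and selects the test classes that actually apply, so SQL injection cases are not wasted on a Node.js/NoSQL backend. The header patterns, the `FINGERPRINTS` table and the test-class names are assumptions for illustration; the same logic doubles as a defender's check for headers that disclose product versions.

```python
import re
from typing import Dict, List

# Constructed sample response headers (not from any real target), shaped the
# way an intercepting proxy would show them for a Node.js API.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Set-Cookie": "connect.sid=s%3Aabc.def; Path=/; HttpOnly",
    "Content-Type": "application/json; charset=utf-8",
}

# Illustrative mapping (an assumption, not a standard taxonomy): a regex over
# one header, the technology it suggests, and the test classes worth running.
# The article's point: choose SQL vs NoSQL cases from the real stack.
FINGERPRINTS = [
    ("x-powered-by", r"\bExpress\b", "Node.js/Express", ["nosql-injection"]),
    ("set-cookie", r"\bconnect\.sid=", "express-session", ["session-management"]),
    ("x-powered-by", r"\bPHP\b", "PHP", ["sql-injection"]),
    ("set-cookie", r"\bPHPSESSID=", "PHP session", ["session-management"]),
    ("server", r"\bnginx\b", "nginx", []),
]

VERSION_RE = re.compile(r"/\d+(\.\d+)+")  # e.g. "nginx/1.18.0"


def fingerprint(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Infer the stack and applicable test classes from response headers.

    Also records headers that leak product versions, which is the finding a
    defender would report and fix (remove or genericise those headers).
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    stack, tests, disclosures = [], set(), []
    for header, pattern, tech, classes in FINGERPRINTS:
        if re.search(pattern, lower.get(header, "")):
            stack.append(tech)
            tests.update(classes)
    for header in ("server", "x-powered-by"):
        if header in lower and VERSION_RE.search(lower[header]):
            disclosures.append(f"{header} reveals version: {lower[header]}")
    return {"stack": stack, "tests": sorted(tests), "disclosures": disclosures}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS))
```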

You may use your learnings to gain some certifications as well. Some certifications that you can aim for, as a beginner, are CEH, OSCP, CompTIA Security+, ECSA. Of course, your knowledge will speak for you, but certifications will label your learning and make it easier for you to get selected while looking for a job or internship.

To conclude, it is essential to understand that becoming a Pentester requires continuous learning and patience. You can not expect to become a penetration tester unless you know the ins and outs of the application, have gathered all the necessary information, and know how to google for what you are missing. It does take time, but you definitely learn something new with every step. And if you are passionate about learning, it will be a lot of fun for you.

Check out our course on Web Application Penetration Testing, which covers most of the basics you need to kickstart your journey as a penetration tester. Use the code WEBART30 during checkout to get a 30% discount on the course.
