Where to start…
When it comes to cyber security careers, the possibilities are almost endless, as they are in most sectors. Some people choose to work as SOC analysts; others opt for management positions. Penetration testing is a prominent career pathway in cyber security. If you are considering a penetration testing career, this post is for you.
What is Penetration Testing?
Penetration testing is the act of simulating cyber attacks against a digital asset or infrastructure, with the owner's authorisation and within an agreed scope, to find and demonstrate weaknesses before a real attacker does. It can take the form of mobile, web application, cloud, infrastructure or API penetration testing. Mastering each of these is a vast undertaking, and penetration testers more often than not choose to specialise in a specific area.
What skills are necessary to become a penetration tester?
This is often the most overlooked area when it comes to penetration testing careers. To put it bluntly, there is a lot to learn. People often opt to complete a degree in a computer science-related field. While this is not strictly necessary, having a solid foundational understanding of how computers and networks work will give you knowledge you can build upon. Although a degree is not required, a penetration tester will need to adopt a disciplined approach to learning in order to advance in their career.
Core subject areas a penetration tester will have to understand, regardless of their specialism.
- Thorough understanding of Computer Networks. (Network Protocols, OSI Model, Wireless Networks)
- Understanding of network hardware, what it does, and common misconfigurations found on it. (Routers, Firewalls, Switches)
- How the internet works, and the underlying technologies that make it function. (DNS, Routing, Web Servers)
- Common vulnerabilities. (Think OWASP Top 10)
- The common operating systems and how to use their command line interfaces. (Windows, Linux, macOS)
- Penetration testing requires a thorough understanding of how computers, servers, and network appliances operate. If you have experience in hardening and configuring a server, you will have a much better understanding of where to look for misconfigurations.
- Understanding of at least one programming or scripting language. (The most popular being Python and Bash)
- Understand your tools. During a penetration test, whether it's infrastructure, web, mobile or API testing, understanding which tools to use and when is critical to becoming a proficient penetration tester. You don't need to understand how every tool works at a programming level, but you should understand the switches/flags and what they are doing, because a misused flag can miss findings or cause unintended damage to a client's systems.
- Ability to interpret the results of vulnerability scanners. Nessus, OpenVAS and Burp Suite's scanner all report false positives. Can you recreate the issue a scanner has flagged by hand, and rule it out as a false positive when you cannot? A scanner finding you have not reproduced should not appear in a report as a confirmed vulnerability.
- A penetration tester must be able to act on their own initiative and think independently.
- Thinking like an attacker. You can follow a methodology, but can you think the way an attacker does? Popping an alert box proves a cross-site scripting issue exists; can you go on to show impact, for example by reading a session cookie that was set without the HttpOnly flag?
- The ability to liaise with clients is crucial. If you have a penetration testing scope, can you communicate to the client any issues and concerns you have about that scope?
- CVSS scoring: the industry standard for rating the severity of a vulnerability is the Common Vulnerability Scoring System (CVSS). Not every client will ask for a score, but you should be able to explain the impact of a vulnerability to a client, and a CVSS base vector (attack vector, complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impact) is a concise way to justify the rating you give.
- In today's remote working world, you will need to be able to take calls from a client, usually over video conferencing software. The call is often about scoping issues or a debrief on findings (which the client may not fully understand), but more often than not it is an application walkthrough so that you understand the web application before you start testing it.
- The ability to document technical findings in plain language that a non-specialist can act on. Generally, each vulnerability write-up will have a title, risk rating (CVSS), description, evidence, remediation advice and references that may help the client remediate the issue identified.
That is a lot to learn, but if somebody is serious about a penetration testing career, a good understanding of the above will go a long way. Soft skills come with experience. A graduate or junior penetration tester is unlikely to have all of the above, and the soft skills will take some time to learn; a penetration testing company will be able to identify a person's potential during the interview process.
What tools do Penetration Testers use?
This is like asking what ingredients a chef uses. It is all dependent on the recipe. The tools for attacking web applications are different from the tools for attacking infrastructure. I’ve listed some tools below which you should learn to begin with, along with our insights on each penetration testing tool.
- Nmap "Network Mapper": This tool is the bread and butter of a penetration tester and has been in development since 1997. You can use Nmap to scan TCP and UDP ports and identify service versions, and its Nmap Scripting Engine (NSE) scripts automate the detection of common misconfigurations. Remember that scanning is noisy and must stay within the agreed scope.
- Wireshark "Sniffing tool": Wireshark (originally released as Ethereal) has been around since 1998. It is used to capture, inspect and debug traffic on any kind of computer network. You don't need to be a Wireshark expert, but you should be able to write basic display filters (for example "dns", "tcp.port == 443" or "ip.addr == 10.0.0.5") to isolate the traffic you are investigating.
- Nessus "Vulnerability Scanner": Nessus Professional, the commercial version, is a favourite of penetration testing companies. Tenable also offers a free version, Nessus Essentials, which is limited to scanning 16 IP addresses but is enough to learn on.
- Burp Suite "Professional/Community": If you are going to be testing web applications commercially, you are almost certainly going to be using Burp Suite. It has several configurable tools which are vital to learn as a penetration tester, such as Intruder, Repeater, Comparer and Decoder. If you are on a limited budget you can use OWASP ZAP, an open-source tool with much of Burp Suite's functionality.
There are so many other tools that listing them all here would make this post convoluted and daunting. If there is one resource on the internet I could direct your attention to, it is almost certainly HackTricks. It has been compiled over a long period and contains a great deal of information that is vital to becoming a proficient penetration tester. If you want to launch your penetration testing career, take a look at the HackTricks GitBook.
HackTricks – The Holy Bible.
PayloadsAllTheThings
I cannot stress enough how much reading through this git repo will help you. There are many nuggets of information to absorb: it has wordlists, files and several great write-ups of attack vectors across the various forms of testing. Download the repo here, then open it in your favourite text editor. We like to use Sublime Text, but each to their own.
‘SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.’– Daniel Miessler
What certifications are required to become a Penetration Tester?
While certifications are not an absolute requirement for starting a career in penetration testing, they help prove to a potential employer that you can walk the walk and not just talk the talk. Which certifications employers look for is very country-specific. Most Western countries look for well-established certifications that test not just your theoretical knowledge but your practical skills in finding, exploiting and documenting vulnerabilities in a lab environment.
Common Certifications employers ask for.
- Offensive Security Certified Professional (OSCP)
- CREST Practitioner Security Analyst (CPSA)
- CREST Registered Tester (CRT)
- eLearnSecurity Junior Penetration Tester (eJPT)
- eLearnSecurity Certified Professional Penetration Tester (eCPPT)
- CREST Certified Web Application Tester (CCT-WEB)
- CREST Certified Infrastructure Tester (CCT-INF)
Where can I practice Penetration Testing?
There are several places on the internet where you can practise your penetration testing skills. You no longer have to build your own lab in VMware or VirtualBox to get started, although a local lab is still useful for trying tools offline against systems you are allowed to break. Many businesses and start-ups have capitalised on the increasing popularity of penetration testing careers. Some of these are listed below; we implore you to check out these resources.
A penetration testing career can be a lucrative, rewarding career. It requires persistence, tenacity and gallons of caffeine. Although it can be daunting at first, once you become proficient in several areas the confidence builds and the imposter syndrome starts to fade. Of course, we are slightly biased, considering this post has been written by a penetration tester for the budding penetration tester. The security community is a tight-knit, supportive community. If you have questions about a specific topic, or you need some guidance, there will be many people who will help you along your path to becoming a penetration tester.
Frequently Asked Questions
Graduate or junior penetration testers can expect to earn between £20,000 and £30,000 as a starting salary. With experience you can earn between £40,000 and £65,000, with senior and team leader roles often paying £70,000+.
In the United States, the average penetration tester income is $119,000 per year; the starting salary for entry-level positions is around $97,500 per year, with the most experienced individuals earning up to $156,000 per year.
Having a degree is not necessary to become a penetration tester; however, a degree can give you a solid foundation in computer science which will help you when learning penetration testing. Many people trying to break into the industry seek out professional penetration testing certifications, such as CREST's CRT and Offensive Security's OSCP.
A penetration testing career is a very rewarding career, with great salary expectations. Many people involved in penetration testing are at the cutting edge of security research. Studying to become a pentester opens up your career options to other areas of the security industry.