Resources for penetration test beginners
Recently I went to a recruiting event for my day job and spoke to MANY students at the university about penetration testing as a career. There were varying levels of experience and varying levels of understanding about what penetration testing is and how to get started. I had some good, thought provoking discussions with these students and decided to make this into a quick blog post. Here are some of the resources I use frequently to either learn new things, keep sharp on my current skills, or review prior to tests to do my best.
This is intended to be a living blog post. So all of us can come back to this and reference it from time to time. (oh the dreaded ‘living’ document)
A couple of notes: In these resources I am emphasizing practical, hands-on skills rather than theory. For beginning penetration testers, hands-on skills will be of the most use right away, with theory coming second. Once basic skills have been developed, we should work on understanding not just how to run the tools, but how they work under the surface.
Resources:
Learning sites
Pentester Academy - SecurityTube
Hack the Box
Certifications
While certifications are a hot-button topic and their value is much debated, I would say you can get great benefit from them if you put in the effort. Also, certifications gained on your own time show drive and interest in the field, which can be the difference between an opportunity at a job or none.
SANS - specifically focus on the GPEN, GWAPT, GAWN, and GXPN certifications
Offensive Security - the OSCP certification remains a respected certification for penetration testers that will not only teach you tools and techniques, but the thinking processes needed to succeed in the field.
CREST - CREST is a UK-based certification body whose practical exams are similar to the OSCP and provide similar benefits in tools and techniques
Vulnerable machines
Pre-built vulnerable machine images are useful for trying techniques and working through challenges to keep sharp or learn new techniques that don't come up in the day-to-day assessments for customers. These are commonly virtual machines that can be run using VMware or VirtualBox. The advantage here is that you can run them locally on your computer alongside your attacking machine and practice anywhere, even without a network connection.
VulnHub
CTFs
First things first, DO NOT be afraid of CTFs. You will most likely find a LOT of things you can't do and also find things you don't understand. Getting used to this feeling is essential to succeeding at penetration testing. Capture the Flag events are a bit different from vulnerable machines. Commonly these are "jeopardy" style challenges where a snippet of code or a small program is provided and points are awarded for answering various questions about the provided challenge. Frequently these challenges are difficult; however, they can be useful to show gaps in your skills and guide further learning.
captf - Practice CTF list
PicoCTF
Over the Wire - Wargames
CTF Time - List of upcoming CTFs
Competitions
These are more for university or high school students, as they are frequently for groups from schools. However, they are a good way to get started and experience a broad overview of security and hacking. All skills learned during these competitions would be valuable for beginners working toward a career in penetration testing.
National CCDC - this is the national level Collegiate Cyber Defense Competition. Qualifiers are regional and involve teams from colleges and universities. I have linked the Mid Atlantic region below as it is the one that I have participated in on the red team.
Mid-Atlantic CCDC - the Mid Atlantic qualifier for NCCDC
CyberPatriot - this is a high school level competition that involves defense, with a red team testing your skills
Conferences
We computer enthusiasts generally tend to be on the introverted end of the spectrum. That said, conferences are a great way to meet people with similar interests, hear interesting talks, explore areas of the field to see what you may be interested in, and have a good time while doing it. Here are some good options in the mid-Atlantic area.
Security BSides - If you are not in the mid-Atlantic area and don't want to travel, take a look at the BSides mothership site. There is bound to be one of these conferences near you, and they are always affordable and frequently free to attend!
DerbyCon - This is a really good conference in Louisville, KY that is not impossible to get tickets to. It's getting more popular, but there are LOTS of opportunities for learning and networking here.
ShmooCon - An excellent conference in Washington, DC. Tickets are very hard to get, but the networking opportunities are excellent.
Applications
Old Apps - older versions of many applications for use during testing
Blogs/YouTube
Harmj0y - Security researcher, developer of PowerShell Empire - lots of good attack advice here
Enigma0x3 - Security researcher, some really good advice and technical detail on Windows exploitation techniques
PwnWiki - LOTS of good one-line commands for Linux, Windows, and OS X to use during tests
Mubix - the infosec tree hugger, also lead of MACCDC
carnal0wnage - LOTS of good stuff in this blog
Hak5 - for those of us who like video, there are excellent guides and information here; make sure to check out Snubs' tutorial videos!
Twitter
Security moves so fast that 140-character posts work well for communicating everything quickly. There are hundreds of experts on Twitter in every focus area. I have found the following accounts to be good sources of overall information for me, and I save their tweets often to keep up to date.
@binitamshah
@hackaday
@kfalconspb
@SecurityTube
@SANSPenTest
@jeffmcjunkin
@vysecurity
@Hak5
@nostarch
@PyroTek3