So it is not possible to review all of it, this post is just meant to give a rough overview and some examples.
Pentester Academy
As said before, in the courses sections are 40+ courses available. The topics include for example (all from a security perspective, but some are also from a defenders viewpoint): Python, ADS, shellcoding (I made SLAE 2015, helped me also with my OSCE certification), Javascript, web app pentesting, some forensics topics, WiFi and network pentesting, exploitation and much more.
Currently I started the course Traffic Analysis: Tshark unleashed, so this is the short example for this post.
Screenshot from the Tshark course.
What comes really handy is that you can just start the labs in the AttackDefense labs, so you don’t need to setup own VMs only for following the courses:
Screenshot from one of the Traffic Analysis: Tshark unleashed course
What is also great, you can download the videos, so you can also watch them later.
As far as I can say, all the videos are suitable more or less for beginners.
AttackDefense Labs
The labs include a huge amount of topics, including: Webapps, MSF, Pivilege Escalation, Eploiting, Wi-Fi, Forensincs, Reversing, Cracking, Python and so on. Some labs include a small task, but others include for example full blown webapps like juiceshop.
Some examples from the Wab Apps labs.
In this case there was a small issue (for me), the labs are timing out after some time, which might be a bit annoying when having a full web app. For the smaller labs I never had problems.
As advanced labs there are also some CTF style labs available.
Verifiable Badges
With verifiable badges it is possible to verfiy your knowlege to an external source, as I did here:
Network Scanning Basics – Daniel Sauder : Accredible : Certificates, Badges and Blockchain. https://t.co/4R5R5ruN49
“The holder of this badge has successfully completed the Network Pentesting challenge exercises in Pentester Academy’s AttackDefense labs. These challenge exercises test a practical understanding of how to perform remote network reconnaissance of various infrastructure components.” (https://www.credential.net/b5050be1-05c9-41fa-93a9-ea0b5cd8825f#.Xg8KBMQX5XM.twitter)
As far as I could see all badges have three small challenges where you have to find flags (like a small CTF), badges are available for lot’s of topics (19 badges are available at the time of this writing) and most of them can be done after you viewed and worked through the courses.
So here is just a very short one. Always when I have to set up a new pentest machine, I have to look it up again, so here is a small list of browser addons that are usefull for webapp pentesting (using Firefox):
End of August I travelled from Germany to far away Kathmandu in Nepal for visiting threatcon and the browser security workshop by Mario Heiderich and the beautiful country. Here is a short review.
Browser Security Workshop
With the conference I booked the 2 days workshop Offensive HTML, SVG, CSS & Other Browser-Evil. The covered topics:
History of browser security and the browser market
Defense 101
XSS
URL obfuscation
Unicode, character sets
Breaking Filters (WAF)
IE/Edge compatibility modes
mXSS
The presentation includes 255 slides, so in 2 days it was not possible to cover everything, also there was no time for the hands-on parts. XSS is not the big topic anymore, but I was happy I can fresh up my knowlege and also learned some new stuff.
The Conference
The conference was one day with a single track, so contrary to Blackhat & Defcon everything was clearly arranged. On the speaker list were Mario Heiderich, Jim Manico, Georgia Weidman, Vignesh, Yogesh Ojha, Aniruddha Dolas and Prashant Tilekar, you may see some familiar names here.
Between the presentations there was lot of time for networking and discussions, with the business pass I also joint the evening event which came with great drinks & food.
For me the best at conferences, of course, is the networking part. It was a great pleasure to meet and connect with new people and friends.
When you are new to IT security I highly recommend to visit smaller and local conferences if possible, it is much easier to connect and to visit.
Thanks to the organizers of threatcon for a great event.
Visiting Nepal
After the conference I took four days for traveling and sightseeing, this is just a very small impression (I made >1000 shots). I travel a lot, and this was one of the most impressive experiences I’ve had.
What brought you to IT security? How did you get into penetration testing? I started with an apprenticeship as a developer. After that I made my Bachelor in Business Informatics. During this I worked three days a week in the security department of a bigger company in the technology sector. However, during this phase I found out that my part is more in the “offensive” field 😉 . So I met the company I started working as a penetration tester at a small German conference (Backtrack-Day).
You are the owner of Securai, a penetration testing company that is specialized in application security. Why did you specialize? I believe that specialization is the key success factor. IT security is a complex topic, but if you really want to be good at it, you have to focus on one thing.
Do you also look for newbies in the field? Sure, always 🙂 !
What do you expect from applicants? What do you think makes a good penetration tester? They really have to want it. If someone is getting frustrated easily, I would recommend another career. They also should be happy about communicating with other people. Penetration testing is a consulting business, so you have to deal with people a lot. They should have fun learning new things, because this is what you have to do all the time, even after years in pentesting. From a technical perspective we are looking for people with a development background, as I think they can communicate better with devs and as we focus on appsec, we mostly have those types of customers.
What has been the best or worst moment in your penetration testing career? The best moment is, when after hours or days of struggling you finally get an application to fall. This is the fun part about pentesting 🙂 .
What is your thought about certifications? I think they are necessary and sometimes even are fun to do. I personally like the OSCP and we basically use it as a test for new colleagues.
Christoph is Founder and Owner of Securai, a company focusing on application security.
Security Researchers work in the field of bug bounties and exploitation, often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people starting this as a side job and then go independent. If you don’t know some basics look here and here.
The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics, you can’t just start hacking and hope to find something.
When you want to participate in bug bounties normally you are using platforms like hackerone or bugcrowd, but lot’s of companies have their own bounty programs. Since most of these programs are public this makes starting easy.
On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty, is networking with other researchers and companies. One way is to go at conferences and trainings, have a look at the links section of this article.
Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.
As said before, learning new things and networking is really important, so here are some conferences that seem good, you should also consider to take some trainings:
Hands-On Bug Hunting for Penetration Testers Author: Joseph Marshall Content: Go through common bugs in Webapps and introduction to bug bounties Career: Penetration Tester, Bug Bounty Level: Beginner
The Shellcoder’s Handbook Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading. Career: Penetration Tester, Exploiter Level: Intermediate, Experts
Hacking: The Art of Exploitation Author: Jon Erickson Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux. Career: Penetration Tester, Exploit Developer Level: Beginner, Intermediate, Expert
Hands-On Bug Hunting for Penetration Testers Author: Joseph Marshall Content: Go through common bugs in Webapps and introduction to bug bounties Career: Penetration Tester, Bug Bounty Level: Beginner
The main audience of Bug Hunting for Penetration Testers are coders and penetration testers interested in bug bounties. The book goes through bug bounty programs, penetration testing and the usual web security vulnerabilites like XSS, SQL injections, XEE and so on.
As the title sais, the book was written for people with prior knowledge in penetration testing. So the vulnerabtilies are not explained in depth, but nevertheless it is suitable also for beginners if they are willing to go deeper later and using other sources, after each chapter there are some recommendations for it.
For me the perspective as a bug hunter is pretty interesting, and the book is going into automatisation of some tasks and which vulnerabilites are usually interesting for bug bounty programs and how to report them. For getting an impression about the coding have a look here, unfortunatelly the code base is for python 2.7 and not python 3. The books is also informing about information gathering and bug bounty strategies. What I also like are the end-to-end examples, from finding and exploiting a vulnerability to a short example report. Later reporting is explained into more detail.
If you are interested in Bug Bounty programs you should have a look into this book.
Penetration Testing – “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” (From wikipedia)
The scope of the article is to help to get your first job as a penetration tester. If you have more great links or recommendations please add them in the comments section. Becoming a good penetration tester requires much more skills than described here. It also means that you never stop learning.
If you don’t know the IT- and IT security basics yet, please have a look here. When you want to start a career in Penetration Testing you should know that most of the penetration tests performed today are Web Application tests. Therefore this article is focusing on this topic. Later I will add new posts with Specializiation Paths for more advanced topics like exploitation, red teaming and so on.
As already mentioned in the article Career
Path Security Basics, I strongly suggest that you make a plan what goal you
want to reach. For example playing CTF all the time might be fun for some
people, but if you need the OSCP it might not be helpful to waste too much
time.
Web App Penetration Testing
Port Swigger: Web Security Academy Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs. Career: Penetration Test but I recommend it also for everyone interested in security Level: Beginner Price: Free
OSCP If you want to start a career in Penetration Testing you might consider to make the OSCP certification. But you should have in mind that the OSCP is extremely time consuming and it is not a must have, but definitely a door opener. Therefore I recommend to do the OSCP certification. Here is an article about pros & cons of certifications.
Hands On
Here are some hands on for labs and learning. Some of them are online, others have to be installed and run by yourself.
The Web Application Hackers Handbook Authors: Daffy Stuttard, Marcus Pinto Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the BurpSuit. Career: Penetration Tester Level: Good for beginners, but also useful for experienced penetration testers
Penetration Testing: A Hands-On Introduction to Hacking Author: Georgia Weidman Content: A great introduction into penetration testing. Career: Penetration Tester Level: Beginner
Metasploit: A Penetration Tester’s Guide Authors: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni Content: Introduction to Metasploit and penetration testing Career: Penetration Tester Level: Beginner, Intermediate
The Hacker Playbook 2 Author: Peter Kim Content: Book for penetration testing, hands on hacking, pivoting, evasion and so on. Career: Penetration Tester Level: All
Network Security Assessment Author: Chris McNab Content: Assessment of various network services. Career: Penetration Tester Level: All
German Book: Hacking mit Metasploit Author: Michael Messner Content: Great introduction to penetration testing and metasploit. Career: Penetration Tester Level: Beginner/Intermediate
The materials and labs exloded over the last months: Web cache poisoning Information disclosure vulnerabilities Insecure deserialization Authentication SQL injection Cross-site scripting Cross-site request forgery (CSRF) XML external entity (XXE) injection Clickjacking (UI redressing) Cross-origin resource sharing (CORS) Server-side request forgery (SSRF) HTTP request smuggling OS command injection Server-side template injection Directory traversal Access control vulnerabilities and privilege escalation Testing for WebSockets security vulnerabilities DOM-based vulnerabilities
The full list of labs is not included here, it is simply too long!
Link: Web Security Academy Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs. Career: Penetration Tester but I recommend it also for everyone interested in security Level: Beginner Price: Free
Web Security Academy
The description from the originial website: “Welcome to the Web Security Academy. This is a brand new learning resource providing free training on web security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures for avoiding them. The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. Best of all, everything is free!”
For tracking and doing the labs you need to create an accout.
I found the explanations and the labs very suitable for beginners and I think it is a great starting point for web application security.
The team behind it is the same that is behind the Burpsuite and the famous Web Application Hackers Handbook (consider buying it if you want to go deeper into the topic):
The Web Application Hackers Handbook Authors: Daffy Stuttard, Marcus Pinto Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the BurpSuit. Career: Penetration Tester Level: Good for beginners, but also useful for experienced penetration testers
Most people starting a career in IT security have a huge interest in topics like hacking, programming, system administration, networking and so on. When you apply for a junior position, employers normally expect basic skills and huge motivation. In this article you can find some useful resources for learning the basic skills that are useful for all career paths in IT security. More specific articles for specialized career paths like penetration tester, DFIR expert, malware expert and so on, are about to follow.
If you have any ideas or suggestions for additional useful courses, please feel free to leave a reply in the comment section below or just add them to your personal training list.
I suggest to look for suitable courses or certifications, to set yourself a goal and make a plan how to reach your goal.
If you want to read how I started my career in IT security have a look here.
Programming
Depending on your career, you should have knowledge in various programming languages. As a penetration tester, these could be assembly, C, javascript, HTML, python and bash for the beginning. Programming skills are not only useful for penetration testers, but also for other career paths. For example in a blue team, programming skills are very useful for automatization.
In this section you can find some examples for learning basic programming, more specialized examples follow in the career path sections.
Professor Messer’s CompTIA N10-007 Network+ Course Content: Great and free video course for preparing the CompTIA Network+ exam, I recommend to add a book nevertheless. Career: All Level: Beginner Price: Videos are free
All in One CompTIA Network+ Author: Mike Meyers Content: Coverage of the CompTIA Network+ certification exam objectives, goes into the topics in depth. I liked the questions after each chapter. Came with a CD with an exam simulator long ago, now the content is online. Career: All Level: Beginner Buy at Amazon U.S. Buy at Amazon Germany
You may consider to do the certification for the CV.
The Cuckoo’s Egg Decompiled Course Content: Highly recommended course by Chris Sanders, teaching the basics of attacking and defending networks through the lens of the famous “The cuckoos Egg” book by Clifford Stoll. Career: All Level: Beginner Price: Free
Professor Messer’s CompTIA SY0-501 Security+ Course Content: Same as the Network+ course for Security+, I also recommend to read a book additional for preparation. Career: All Level: Beginner Price: Videos are free
Mike Meyers’ CompTIA Security+ Certification Passport Author: Dawn Dunkerley Content: For preparing the CompTIA Security+ Certification this book is recommended. It covers every topic from the exam and also includes review questions as well as a practice exam. Career: All Level: Beginner
You may consider to do the certification for the CV.
Introducion to Cybersecurity Content: Short non technical introduction course for everyone who is curious about cybersecurity. Explains the basic concepts from a higher level. Career: All Level: Beginner Price: Free or with certificate
We learn Security! 