Pedro Sosa, Attack Team (NCAT) Manager at Novacoast has compiled this Getting Started guide to help newcomers find a learning track for breaking into the red teaming/penetration testing careers. All of the items provided are free and can be utilized at your own pace.
There are excellent paid options available as well, but we recommend going through all the free resources first. It will give a solid base before spending any money.
Where to Start: The Big Picture
“There are many paths that lead to Rome”, and indeed if you ask different people on the Novacoast Attack Team (NCAT) how they got here, there will be different answers. This guide is general, and may supplement or align with what you are already doing.
Penetration testing is an endeavor that demands constant learning with a lot of trial and error. It takes a bit of grit—you’ll be constantly pushed outside your comfort zone and consistently faced with new challenges. The number of technologies, methodologies, tools, programming languages, software, etc. that you’ll face can be overwhelming.
Before entering the world of security assessments you’ll want to have the following foundation:
- Networking (Understand the OSI Layer, typical protocols, etc.)
- Programming, or some understanding of, preferably Python and a bit of Bash (for scripting and debugging/modifying tools)
- Unix (90% of the time you will be using the Unix terminal to do work, so get comfortable with it.)
Security related, there are two main overarching types of pen tests:
- Infrastructure Assessments (External, Internal, IoT, etc.)
- Application Assessments (Web, Mobile, IoT, etc.)
A first goal should be to get comfortable with the Infrastructure Pen Testing methodology. This is the most popular type of pen testing discussed in books, and it accounts for a large share of the work done in the industry. It is focused on testing large networks to look at different machines, the services they host, how they are configured, and how they interact with one another inside the network.
Following that, target Application Testing, of which the most popular type is Web App Testing. These types of assessments look at how an application works, how it has been programmed, and how it can be abused (from technical issues to programmer logic flaws). Once in this mindset, transitioning to any other type of application testing (mobile, cloud, desktop, IoT, and even source code review) shouldn’t be too hard.
Next are more specific knowledge-oriented assessments such as AWS/GCP/Azure best practices, hardware hacking, router configuration reviews, code reviews, phishing, physical security, wireless assessments, etc. These are the disciplines that really set pen testers apart, as you can aid clients in a more comprehensive way.
This is a process that never stops—there’s really never a point where you say “Okay, I have mastered this type of assessment.” You are, and should always be, learning more and sharpening your skills.
The Actual Steps
Basic Concepts
Here are some great books if you need a refresher (or are completely new to these topics) on some of the core concepts listed above. There are also videos, blogs, and courses that may fit your learning style better.
Networking
Cybersecurity is deeply intertwined with how computers communicate with each other and with end users. Understanding computer networking will be instrumental in cybersecurity endeavors. A great book, used in several college curriculums, is Computer Networking – A Top-Down Approach.
Python
Python is arguably one of the easiest and most versatile programming/scripting languages. Within cybersecurity, it is used heavily to perform reconnaissance, launch attacks, and automate tasks, among many other uses. Two strong books that can assist are Python Crash Course and Black Hat Python.
Unix
Unix or GNU/Linux is the preferred environment of penetration testers, as many toolkits (Kali Linux, Parrot, etc) are Linux-based. Becoming comfortable and proficient using the Unix terminal, Bash shell, and overall operating system structure will facilitate day-to-day work. It is an unavoidable proficiency as a budding pen tester delves into security, programming, networking, and DIY projects with platforms like Raspberry Pi, which can be a really fun way to learn.
For a more structured cookbook, refer to O’Reilly’s Learning the Unix Operating System.
Penetration Testing
If you are ready to dig into the cybersecurity world, you should look into setting a solid base on Infrastructure and web application penetration testing.
Infrastructure Pen Tests
A multitude of information exists in this area in books, tutorials, blog posts, and videos. It is easy stray down a random path without really understanding how they all fit together.
A potential first step is reading Georgia Weidman’s Penetration Testing. You’ll find that the exploits talked about in the book are outdated, however it will teach you the core methodology and mindset behind a typical infrastructure penetration test. This basic knowledge will make it easier to understand how and when to use different tools, attacks, approaches, etc.
After, or while still reading Weidman, put as much into practice as possible. This will help solidify your knowledge. Nowadays there is an ever expanding list of free and paid labs that you can use to practice. Here are some options:
- https://www.hackersacademy.com – Paid Labs
- https://www.offensive-security.com/labs – Paid Labs, Courses, & Certifications
- https://www.hackthebox.eu – Paid Labs
- https://ctftime.org – Free Capture The Flag events
- https://www.vulnhub.com – Free Exploitable Virtual Machines & Walkthoughts
Web Application Pen Test:
For web application testing there really is no better resource than PortSwigger’s Web Security Academy, which has categorized sets of labs and in-depth explanations of several types of attacks. They also offer Burp Certification, a feather in the cap of a new pen tester trying to advance their career.
For practice, most labs have vulnerable web applications, but there are also a few typical ones that people use to sharpen their craft:
Leads for More Specific Areas
Want even more? If you’ve looked through the prior sections and are looking for more, then you probably have a good general grasp on cybersecurity already. This is the point where specializing and digging deeper into areas you find interesting can make you especially effective:
- Hardware Security?
- Phishing?
- Cloud Security?
- Code Reviews?
These days, you can find a book or information about anything you want online. High recommended are titles from No Starch Press, they are all pretty high quality.
You can chase certifications (OSCP, CompTIA’s Pen Test+, UK’s CREST certs, etc.) but note that it’s not necessary to spend much money to gain this information, as most of the real-world hacking info is freely shared online.
Any resources will likely fall out-of-date at some point. A strong technologist is one that knows how to search for information well.
Mobile Hacking
This field has many similarities with regular web app testing. There are a few books that showcase the general tools and methodologies but the fast pace of change in the tech makes information from forums and blogs more useful. It’s a good idea to learn the security features of Android and iOS to understand where native security hot spots lie.
This requires a rooted phone, so it is generally easier (and cheaper) to start with Android. For rooting information you can refer to the following subreddits:
The best way to approach this testing is by leveraging OWASP’s Mobile Security Testing Guide (MSTG) which aside from being a guide, also presents a strong assessment framework.
Tool-wise, get acquainted with Frida, Drozer, MobSF, and Objection, among others. All of these make an appearance on the MSTG, but will require deeper investigations on your own.
To practice there are several specifically-crafted applications:
- Android:
- iOS:
Cloud (AWS/GCP/Azure)
As more and more companies move to the cloud, the security community grows more interested in assessing these environments. There are several providers, but most have similar functionality, so it won’t really matter which one you pick to start learning. In general most cloud environments have published best practices and benchmarks (e.g. CIS benchmarks), but the quickest way to understand these is by actually using the service and becoming familiar with its features.
Example, if you were interested in AWS security, you could start with:
- Mastering AWS Security on basic cloud security theory.
- CIS Benchmarks which will help provide a framework for the key security elements to assess.
- Flaws.Cloud to practice on the actual service or prepared vulnerable environments
IoT/Hardware Hacking
While not the most common type of pen test, it is gaining in popularity as more organizations realize the importance of IoT security. Note that a true IoT environment pen test will likely also involve websites, infrastructure, cloud, and/or mobile hacking as a complement to direct hardware hacking.
A great place to start is with the IoT Hackers Handbook which provides a basis to understand the different attack vectors, recognize different hardware components, fuzz different serial communication protocols (e.g UART, I2C, SPI, JTAG), fuzz wireless communication protocols (Bluetooth, Zigbee, SDR), and perform basic firmware analysis and reverse engineering
Hardware hacking will require some basic investment. At the very least you will want:
- Attify Badge -or- Bus Pirate v3 which communicate with target hardware via serial protocols.
- Soldering kit
- Magnifying glass
- Multimeter
- Electric tape
- Electric wires
- Wire cutters
- Screwdriver set
Depending on which specific technologies you wish to test, you may also be interested in obtaining:
- Jtagulator used for JTAG fuzzing
- Ubertooth used for Bluetooth hacking
- RzRave used for Zigbee hacking
- Proxmark used for RFID hacking
- MSR605X used for magnetic stripe card cloning
Lastly, you’ll want some old or cheap hardware devices that you can break (old routers, cheap security cameras, smart locks, smart scales, or any other “smart” device)
The internet is filled with interesting blogposts on this subject:
- http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/
- http://konukoii.com/blog/2018/02/13/lifting-firmware-with-the-bus-pirate/
- https://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
- https://blog.senr.io/blog/jtag-explained
- https://www.owasp.org/index.php/IoT_Firmware_Analysis
Social Engineering
The best and most entertaining way to learn social engineering is via stories: Understanding how people achieved physical access to their client’s data center or managed to get the help desk to change their passwords. Some good books on it are:
- “Learn Social Engineering: Learn the art of human hacking with an internationally renowned expert” – Erdal Ozkaya
- “Open-Source Intelligence Techniques” – Michael Bazzell
From a practice standpoint, there are several conferences including DEFCON where one can participate in (or spectate) live vishing (voice phishing) Capture the Flag (CTF) events against real companies. If you can’t be there in person, there are several great talks on Youtube on the subject. For email phishing, you can get familiar with tools such as SET and GoPhish.
Conclusion
At the end of the day, penetration testing is a mindset that seeks to understand how things work, how they can be subverted to work in unintended ways, and the impact such behaviors would have.
This is an exciting and ever-expanding field that plays an important role in ensuring the safety and reliability of the complex digital ecosystems that we rely upon on a daily basis.
We hope this helps you in your journey. Happy Hacking!
More About NCAT
The Novacoast Attack Team (NCAT) team works in highly regulated industries performing a wide range of penetration tests and other adversarial services. They provide multiple types of pen tests ranging from the more typical external and internal infrastructure tests to the more specialized and tailor-made web application pen tests, code and architecture reviews, mobile pen tests, IoT ecosystem assessments, hardware/firmware pen testing, DDoS stress tests, and network configuration reviews…among many others.
