Penetration testing Path

jfussion Registered Users Posts: 2
May someone suggest a path to become a pen tester? What certification should I take? Thank you very much!

Comments

  • cyberguypr Mod Posts: 6,928
    Welcome aboard. Give us an idea of your background so we can provide suggestions.
  • shaqazoolu Member Posts: 259
    Assuming you know nothing like I did when I started, I would start with a networking base. Go for CCNA and study the Wireshark book. When you feel comfortable with that material, I'd go after Linux+/LPIC-1, eLearn Security and a Microsoft cert of your choosing...probably in that order. If someone else is paying for it, you could also pepper in the GPEN somewhere. That should keep you busy for a couple years. Stick around here and by the time you get to that point, you will know more than enough to take it from there on your own.
  • YuckTheFankees Member Posts: 1,281
    I was in the same position as you in April. I just found out about pentesting and I thought it would be the coolest thing in the world to do and have as a career. With no prior IT/computer experience or knowledge, I started studying cert books and buying any/all hacking/security books on Amazon.

    In the past 4 months I have been able to achieve my CCNA, CCNA:S, A+ and security. So if you have the drive, you can definitely gain the knowledge. But don't underestimate the knowledge you need to know for pentesting. Having those 4 certs has only laid a basic foundation. I still need to learn (or get a good grasp of) Linux, programming (Python, Perl, assembly), security tools and how to use them (there are many of them).

    Once I gain more knowledge in those areas, my goal is to obtain the CEH, OSCP, OSCE, GPEN, GWAPT, GIAC, and CISSP (later down the road). I hope to finish my BS/MS in the next 18 months, and hopefully start getting some experience soon. Finally, after all of the certs, education, and hopefully experience... on paper I feel I'll look pretty damn good. But that's just me. It's definitely going to be a fun ride.

    Also, to go along with the education and certs... I have bought over 20 books on hacking/security/programming. It's nice to read something other than cert books; you can get a feel for security/hacking from so many other angles.

    Good luck
  • jfussion Registered Users Posts: 2
    Thank you for all of your replies!
    cyberguypr wrote: »
    Welcome aboard. Give us an idea of your background so we can provide suggestions.

    Sorry, I forgot to give you my background.. I am a noob.. still studying here in the Philippines.. taking BS Computer Engineering.. no certs at all.

    I wonder if it's a good idea to get a cert before I graduate so that I can choose a job that deals with network/security.. What entry-level certification do you suggest? A+, Security+, Network+, or whatsoever?

    By the way... I want Unix over MS.

    Thanks again!
  • bigmantenor Member Posts: 233
    I would suggest that you study the Network+ material first if you are not pretty familiar with network devices/protocols. If this is not an issue, then you could start with Security+ and go from there. These could potentially aid you in finding that first job. As far as learning Unix goes, I personally would download a Linux distro and learn to manage that system via the CLI. Lots of people have learned their way around a *nix machine by doing just this, and diligently reading the right texts (e.g. the Sobell book).
  • mattlee09 Member Posts: 205
    jfussion wrote: »
    Thank you for all of your replies!

    Sorry, I forgot to give you my background.. I am a noob.. still studying here in the Philippines.. taking BS Computer Engineering.. no certs at all.

    I wonder if it's a good idea to get a cert before I graduate so that I can choose a job that deals with network/security.. What entry-level certification do you suggest? A+, Security+, Network+, or whatsoever?

    By the way... I want Unix over MS.

    Thanks again!
    Now Entry-level is something I'm an expert in....

    Definitely a good idea to get a proverbial 'foot in the door' at a job, even if it only initially means you get to drool at the networking/security appliances (read: ASA 55xx). I'd look through the available job postings for your area and see if they mention having A+/Net+/Sec+ certs. Like Yuck mentioned, with some drive and determination you can knock stuff out in no time, especially those you mentioned. Having one might be the ticket to getting you the interview that'll allow you to impress them with your aspiration and positive attitude.
  • docrice Member Posts: 1,706
    Mandatory for any would-be pentester (or any operations type infosec professional): a home lab. You'll need at a minimum:

    • a firewall (if you don't know how to use CLI-based interfaces for open source solutions like iptables or pf, there's always pfSense, m0n0wall, SmoothWall, Untangle, Vyatta, etc.)
    • a managed switch (Cisco 2950s are cheap off of eBay these days)
    • virtual machines (VirtualBox is free and works fine, although if you want to bump it up a notch, get a beefy box with ESXi running your VMs)
    • a router (Cisco 2600s are also very cheap off of eBay)
    • lots of restless nights breaking things and frustrating lack of hand-holding / figuring it out yourself
    • Googling skills
    • persistent attitude / robust determination

    I realize this answer isn't cert-related, but while A+ / Network+ / CCNA studies will take up a lot of your time if you go down this route, you'll also need to pursue this far beyond what the books and the certifications provide you. Make sure you really understand the fundamentals of systems and networking, otherwise your pentesting efforts will fall short very quickly.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • mattlee09 Member Posts: 205
    docrice wrote: »
    Mandatory for any would-be pentester (or any operations type infosec professional): a home lab. You'll need at a minimum:

    • a firewall (if you don't know how to use CLI-based interfaces for open source solutions like iptables or pf, there's always pfSense, m0n0wall, SmoothWall, Untangle, Vyatta, etc.)
    • a managed switch (Cisco 2950s are cheap off of eBay these days)
    • virtual machines (VirtualBox is free and works fine, although if you want to bump it up a notch, get a beefy box with ESXi running your VMs)
    • a router (Cisco 2600s are also very cheap off of eBay)
    • lots of restless nights breaking things and frustrating lack of hand-holding / figuring it out yourself
    • Googling skills
    • persistent attitude / robust determination
    I realize this answer isn't cert-related, but while A+ / Network+ / CCNA studies will take up a lot of your time if you go down this route, you'll also need to pursue this far beyond what the books and the certifications provide you. Make sure you really understand the fundamentals of systems and networking, otherwise your pentesting efforts will fall short very quickly.
    +1 docrice

    I just mentioned a similar sentiment in another thread. It's amazing how in all of these topics, only after you start studying do you realize the depth of what we're into. You haven't lived until you've been labbing something out at 1 AM and end up reading the entire RFC until dawn, lol.
  • grauwulf Member Posts: 94
    Why do you want to be a pen tester?

    Just curious.
  • JDMurray Admin Posts: 13,091
    grauwulf wrote: »
    Why do you want to be a pen tester?

    Just curious.
    Because filling out yards of reports and paperwork is lots of fun!
  • swild Member Posts: 828
    Pen testing is the sector of IT security that I have decided to work towards as well. Yes, there is always paperwork, but I enjoy finding loopholes and flaws and get personal satisfaction out of helping people.

    I have 4.5 years of IT experience: 2 years managing the IT at a small doctor's office and then 2 (horrible) years doing dial-up ISP end-user support on the graveyard shift. About a year ago, I decided that I had to get out of that job. I went out and got A+, Network+ and Security+ certified all in about 4 months, then I started applying for jobs.

    In my current job, IT Support, I was one of 50+ individuals that were interviewed. Of all of those, I was the only one with certs. It's just me and the IT Manager that support 200 users in a very complex environment. As there is no local room for promotion, the IT Manager has decided to move on, so I found out that I am getting promoted after only 5 months in the job. About a month before that, I started studying for the CISSP. I tested on July 22, and received word that I passed about a week ago. That will come in handy in my salary negotiations for my new position next week.

    I am currently working on my CCNA, Linux+/LPIC-1, and CEH. I have acquired a small home lab for my CCNA that I plan to expand on my way to the CCSP and then to the CCIE: Sec. I found the official CEHv7 courseware on eBay for a steal, so I will be focusing on that for a while.

    My goals are LPIC-3, CCSP, and LPT in the next 2 years. Then find a security focused job and hopefully get a pen testing job in about 5 years. I think that 10 years of IT experience is where someone should be to be taken seriously for pen testing.

    Just thought I would share my path and plans. Comments and questions are welcome.
  • idr0p Member Posts: 104
    So looks like you have all the networking bg you need. From here I would do this.

    GEC GPEN OSCP CISA - Maybe GWAPT.

    The CISA will definitely get you in the door; the other certs will give you the knowledge to learn the practice once you're in.

    Source: I know a lot of pen testers.