I’ve been meaning to create a write-up on how to get into the industry and certain resources to check out for different skill sets. So here it is. There are lots of different routes into pentesting; however, there are two main things to keep in mind.
Firstly, who you know, and secondly, what you know; both are very easy to achieve. Addressing the first point, the easiest and best approach is to get involved with the security community, both locally by attending meetups and around the country by going to conferences. Whilst at events it is important to mingle and gain contacts. Some people will see this as more of a challenge than the technical aspect; however, in this industry it is very important to be able to network and talk to people. By doing so you can acquire business cards and industry contacts, which will stand you in good stead for the future, as you never know when you might need to call upon a contact.
As for the second thing to keep in mind, technology: it’s important to actually know what you are doing and how to approach things. Here is a short list of resources to check out, along with some general hints and tips for getting started in learning and applying the particular skill sets required.
- OWASP WebGoat
- OWASP List of Vulnerable Web Applications
- Damn Vulnerable Web App
There are more, but these are certainly a good start. In terms of other materials, if you can stretch to it, I’d suggest the following books to get your teeth into.
- Web Application Hacker's Handbook 2
- The Hacker Playbook 1
- The Hacker Playbook 2
- Red Team Field Manual
- Blue Team Handbook
- Metasploit: The Penetration Tester's Guide
- Nmap Cookbook
- Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition
The physical books are nice to have; however, you can source them on the internet using advanced Google searches, but I’ll leave that up to you.
Alongside the resources, it is also useful to familiarise yourself with the standard tool sets, which are usually manual testing with Burp Suite and using the Linux command line. The OS of choice as an industry standard is Kali Linux.
Other than the resources listed above, there is also the option to test against live targets in the form of bug bounty hunting. I did a post earlier this year about this, which can be found in the post below. I have also started a series for beginners called Learning the Ropes 101. The intro for this can be found below too!