
Are you looking to get into Penetration Testing, Ethical Hacking, or Red Teaming?

If the answer is yes, then this article is definitely for you!

What is a Penetration Test?

A Penetration Test, commonly called a "Pentest", is the process of evaluating the
security of an organization's assets by actively trying to find and exploit their
weaknesses, using the same methodologies real attackers use, within a scope and
rules of engagement agreed with the client beforehand.

Penetration Test = Vulnerability Assessment?

The answer is clearly NO!

A Pentest is not the same as a Vulnerability Assessment, and a lot of people
confuse the two terms. From my experience, I have encountered clients that
requested a Penetration Test but in reality wanted a Vulnerability Assessment, or
vice versa. So it is very important for you, as a security expert, to be able to
explain the difference between the two.

Vulnerability Assessment:

- Covers a decent number of security issues, mostly known vulnerabilities and
  misconfigurations that a scanner can recognize
- Exposes low-hanging fruit and probably some risky issues, but does not exploit
  them, so findings are not confirmed
- The quality of results depends on the scanners used
- Roughly 90% automated and 10% manual work

Penetration Test:

- Covers most of the vulnerabilities, including those that need a human to find
  and chain together (business logic flaws, for example)
- Exposes issues ranging from low severity to critical ones, confirmed by actual
  exploitation so the real impact is demonstrated
- The quality of results depends on the expertise of the pentesting team
- Roughly 10% automated and 90% manual work
Types of Pentests

There are various types of pentests, and you should get familiar with all of them,
but it is recommended to choose one to specialize in and become very comfortable
with.

Web Applications Penetration Testing:

- OWASP Top 10
- Business Logic Vulnerabilities
- Default/Weak Credentials
- API Testing
- WebSockets Testing
- Sensitive Information Exposure
- Tokens/Keys Security
- MFA/2FA/OTP Bypass
- CMS Testing: WordPress, Drupal, Joomla, and so on
- E-Commerce Pentest: WooCommerce, BigCommerce, Magento, OpenCart, plus more

Mobile Applications Penetration Testing:

- Static Analysis: hardcoded credentials/tokens/keys, vulnerable components,
  dangerous imports, and so on
- Dynamic Analysis: traffic interception, file system interaction, best practices,
  session handling, plus more
- Bypasses: certificate pinning, root/jailbreak detection, and so on
- + more

Network & Infrastructure Penetration Testing:

- Detection Evasion (IDS/IPS/Firewall Bypass)
- Brute-Force, Password Spraying, Credential Stuffing, and Dictionary Attacks
- Default & weak credentials
- Abusing misconfigured services
- Exploiting vulnerable versions of protocols and services
- Man-in-the-Middle
- Active Directory (AD) Pentest
- Domain Takeover
- L2/L3 Device Testing: routers, switches, and so on
- IoT Penetration Testing
- VPN-based Attacks
- DoS/DDoS (only when the client explicitly asks for it)
- Wireless Penetration Testing
- Data Exfiltration
- Log Poisoning
- + more

Physical Penetration Testing:

- Lockpicking
- Dumpster Diving
- Tailgating
- RFID Tag Hijacking/Impersonation/Spoofing
- Shoulder Surfing
- Planting malicious hardware: Rubber Ducky, LAN Turtle, and so on
- + more

Social Engineering Penetration Testing:

- Phishing Attacks
- Vishing Attacks
- Smishing Attacks
- Client-Side Attacks and Manipulation
- + more

Red Team:

- Combines all of the above in one objective-driven, usually covert engagement
  that also tests how well the organization detects and responds


How I got into Pentesting

To be honest, my journey started some years ago, but back then, being a
white-hat/ethical hacker wasn't really a thing, so that was a part of my life that
I'm not so proud of. After that, a lot of new and fresh Capture-the-Flag (CTF)
competitions appeared, so I moved my activity and focus into that area, through
which I networked, met a lot of people, and learned new things. I also
transitioned easily into Bug Bounty, which became a side income for me.

After some time, I thought that I could possibly make a "legit" career in
Penetration Testing, but my chances of getting a job were close to zero, because I
had zero prior experience (I don't think it is a good idea to count inadequate
activities on the resume 😅) and no certifications at all. So, what did I do?

My professional career basically started with freelancing, through which I worked
on various projects in the Cyber Security industry, but few of them were
Penetration Tests. I underpriced my services as much as possible. I did that to
build a portfolio and raise money to pursue certifications, because as you know,
most of them are pretty expensive.

After some years of freelancing, I am still a freelancer, and I love it because
I've got to a point where 95% of my projects are Penetration Tests, which was my
initial goal.

What you need to become a Penetration Tester

So, how can you do the same, and get paid to hack into websites and networks? Here
is a list of what you need to become a good Penetration Tester.

Loving what you are doing

It is not enough to have a passion or a little drive for this. Remember, most of
the time, passion is temporary, love is forever. You have to think of this as your
lifestyle. Loving it will make you push harder through those days when you feel
low, without any energy left inside, and it will make you stand up again after
every disappointment you encounter during this journey.

Paying the price

You have to make sacrifices, you have to put in the hard work and the grind, to
become a good Penetration Tester. Practice, practice, and practice!

Sometimes it will be hard to see all of your friends partying and feeling good on
social media while you are staying home, trying to crack that HackTheBox machine,
practicing for the OSCP or learning about SQL injection, but remember how much it
will be worth in the end. Think long-term.

Networking

The Cyber Security community is one of the greatest. You can learn so much from a
lot of people, so go on LinkedIn, and ask for suggestions, recommendations,
references, or even storytelling. I am sure that you will find someone who can help
you during your journey.

Certifications for Penetration Testing

Certifications are a vital component of your career as a penetration tester or
cyber security professional, mostly because they get your resume past HR filters
and show a client that you can deliver. Here are some that will help you get a
pentesting job or project:

- CompTIA PenTest+
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Licensed Penetration Tester (LPT)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Experienced Penetration Tester (OSEP)
- Offensive Security Exploitation Expert (OSEE)
- Offensive Security Web Expert (OSWE)
- GIAC Certified Penetration Tester (GPEN)
- Mile2 Certified Penetration Testing Consultant (CPTC)
- Pentester Academy Certified Red Team Professional (CRTP)
- eLearnSecurity Junior Penetration Tester (eJPT)
- eLearnSecurity Certified Professional Penetration Tester (eCPPT)
- eLearnSecurity Mobile Application Penetration Tester (eMAPT)
- eLearnSecurity Web Application Penetration Tester (eWPT)
- IACRB Certified Expert Penetration Tester (CEPT)
Learning through Practice

The most efficient way to learn Penetration Testing is through practice, but first
I would recommend getting familiar with the following:

- Networking concepts (TCP/IP, routers, switches, firewalls)
- Linux/Windows concepts
- Basics of well-known protocols: TELNET, SSH, FTP, HTTP/HTTPS, RDP, MySQL, MSSQL,
  SMB, SNMP, SMTP/IMAP/POP3
- Common programming languages and frameworks: PHP, JavaScript, ASP.NET, Ruby,
  Python, PowerShell, Bash
- OWASP Top 10
- Kali Linux
- Nmap
- Metasploit
- Burp Suite
- The Penetration Testing Execution Standard (PTES):
  http://www.pentest-standard.org/index.php/Main_Page
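To make the "networking basics, protocols and Nmap" items above concrete, here is an added example (not code from the original article) that does at the socket level what an Nmap connect scan with version detection starts with: complete the TCP three-way handshake to each port, read whatever greeting the service volunteers, and turn that banner into a service guess. The two "services" it scans are fake listeners started inside the same process, with constructed banners modelled on what a lab VM such as Metasploitable returns, so it runs offline against 127.0.0.1 and touches nothing you do not own. Function names (`start_fake_service`, `grab_banner`, `classify`, `scan`, `demo`) are my own.

```python
"""Minimal TCP connect scanner with banner grabbing (added teaching example).

Run it as a script: it starts two fake services on loopback, scans them plus
one closed port, and prints an Nmap-style summary. Point grab_banner() at a
lab VM you own (e.g. Metasploitable) to see real banners.
"""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed banners, modelled on what a lab VM exposes; not captured from
# any real host.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"
FAKE_FTP_BANNER = b"220 (vsFTPd 2.3.4)\r\n"


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port and greet every client with `banner`.

    Stand-in for a real daemon so the scanner below has something to hit.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed; stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """TCP connect scan of one port (full handshake), then read the greeting.

    None  -> closed or filtered (connection refused, or no answer in `timeout`)
    b""   -> open but silent: HTTP, for example, waits for the client to talk,
             so a real scanner follows up with protocol-specific probes
    bytes -> open and talkative: SSH, FTP and SMTP send a banner first
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def classify(banner: bytes) -> str:
    """Crude fingerprint from the greeting, the first thing version detection tries."""
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        return "ssh " + text.split()[0]  # protocol version + software string
    if text.startswith("220 "):
        return "ftp/smtp " + text[4:]  # both protocols greet with a 220 line
    if not text:
        return "open, no banner (needs an active probe)"
    return "unknown " + text[:40]


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Connect-scan each port and map the open ones to a service guess."""
    findings: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            findings[port] = classify(banner)
    return findings


def demo() -> Tuple[int, int, int, Dict[int, str]]:
    """Stand up two fake services plus one closed port and scan all three.

    Returns (ssh_port, ftp_port, closed_port, findings) so a caller can check
    that the open ports were fingerprinted and the closed one was skipped.
    """
    ssh_srv, ssh_port = start_fake_service(FAKE_SSH_BANNER)
    ftp_srv, ftp_port = start_fake_service(FAKE_FTP_BANNER)
    # Reserve and immediately release a port so it is almost certainly closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        findings = scan("127.0.0.1", [ssh_port, ftp_port, closed_port])
    finally:
        ssh_srv.close()
        ftp_srv.close()
    return ssh_port, ftp_port, closed_port, findings


if __name__ == "__main__":
    _, _, _, found = demo()
    for port, guess in sorted(found.items()):
        print(f"{port}/tcp open  {guess}")
```

The closed port produces a connection refused (RST) and is reported as not open, which is the difference between "closed" and "filtered": a firewall that silently drops the SYN makes the call block until the timeout instead. That is also why Nmap exposes timing options, and why the next thing to learn after this is how a SYN scan avoids completing the handshake at all.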
Once you have a knowledge base, you can start practicing on the following platforms
(choose your favorite, and start hacking!):

- Metasploitable
- Hacksplaining
- PentesterLab
- HackTheBox
- TryHackMe
- VulnHub
- Root-Me
- DefendTheWeb
- OverTheWire
- Hacker101
How to get your first Penetration Test project or job

Now you have the skills and certifications, but how can you get your first project
or your dream job as a Penetration Tester? It's easy to apply for a job, but here
we will discuss some techniques that will increase your chances of being hired or
being contacted for a pentest.

Through LinkedIn

Create a LinkedIn profile and showcase your hard-earned certifications. Network
with people from the community and ask for recommendations. Write articles about
your experience of studying for some exams, or writeups in which you explain how
you cracked some of the vulnerable machines from the platforms listed above
(only for retired machines, or where the platform allows it).

Through GitHub

Do not hesitate to upload your scripts, side projects, or anything else you think
will be useful for the community to your public GitHub profile, and share them on
social media afterwards. A recruiter or client can read your code; a certificate
only tells them you passed an exam.

Through Responsible Disclosure

Some companies have a vulnerability disclosure policy, which means you are allowed
to search for vulnerabilities in their products/applications, as long as you stay
within the scope and rules that policy defines (anything outside it is unauthorized
testing, no matter how good your intentions are). Good work will never be
forgotten, so your chances of being hired by a company you have already reported
security flaws to are much higher.

Through Freelancing Platforms

There are a lot of people looking for experts with your skills on platforms such as
Upwork, Fiverr, PeoplePerHour, Toptal, Freelancer.com, and more.

Closing

It is a very hard journey that never ends: technology keeps evolving, and cyber
threats keep increasing. If you think that this is not for you, then you are
totally wrong! With a bit of pain and suffering, you can make it. Do not forget to
stay humble along the road, and give back to the community once you have the
opportunity.
