Where To Start To Become A Pentester?

Hello everyone, I’m totally new here, just figured out how to join the community. I’m so excited, but the problem is: I’m new to this field, I have no prior experience at all. I’m just a student at a university, my main major is Information Assurance. I’m very interested in ethical hacking right now, but I don’t know where to start, what things I have to learn. I hope you guys can give me some advice, is Udemy good for learning this stuff? Thank you so much for spending your time with my stupid topic. I’m just a noob :frowning:

@grumpy8464 This is a good question - but I am not a pentester so I might not have any good answers for you.

The reality is the topic you are talking about is so huge, every answer is valid. You can pretty much start anywhere you want.

Some people start with networking, some start with application security, some will look at web protocols etc. Really it’s probably best to start with whatever you are interested in.

Hopefully keeping this bumped for a while will get better answers.

I’m definitely going to be following this post, only because even with the experience I have and the certs that I currently hold, it’s still difficult to find work and sometimes resources in the field.

Focus on learning the root concepts and not specifics. For instance, don’t learn how to use a tool like SQLmap without understanding SQL injection itself and the data structure and implementation of SQL databases along with the nuances between each one.

I feel like a Udemy course on pentesting will try to teach you this rather than the underlying concepts. They will make it seem as though pentesting is a very binary “if x then y” when in reality it’s very dynamic and the hacker must make things up as he goes along, drawing on the concepts he already knows in order to apply them to the current problem.

So, to answer your question, if taking the Udemy route I would suggest Udemy courses on underlying concepts, for instance a course on how Linux systems operate or on networking, Python, bash, or other fundamentals like that. From understanding the concept you should naturally think of ways to exploit it, thus allowing you to pentest.

@grumpy8464
Welcome to the community.
Start with networking and how computer hardware works. It will be very useful. :slight_smile:

Thank you all so much. Seems like I have a long way to go, this is the biggest field I have ever stepped into. I will try my best and never give up.

I am also in the learning phase in this field.

Start with YouTube videos on ethical hacking for beginners. You will understand what this field is about. Subscribe to a good Udemy course if you can afford it.

Once you understand it, start doing hands-on work. HTB is a very good platform, but there are others as well.

One good thing about HTB and this forum is you will learn something new every time you solve the challenges. Things may seem difficult at first, but once you understand how it’s done, you will build confidence next time.

I would suggest getting VIP on HTB and starting with easy retired machines. If you run into any difficulty, look up the write-ups. Once solved, have a look at IppSec’s video and learn his approach to targeting the machine. The HTB forum is a very helpful community if you require any help. Once you crack a machine, analyze it. Understand the technology the machine is built on.

As you are a student, you will have plenty of time which you could invest in learning all these things. Utilize it very well. Plan your work.

Happy hacking.

Thank you so much. I will take a look at VIP membership

@grumpy8464 said:

Thank you so much. I will take a look at VIP membership

With the caveat that HTB is awesome and definitely the best platform, don’t immediately dismiss other ones.

For example, if you want a more guided learning path, there are labs on TryHackMe which can help you practice specific skills. This can help if you feel the HTB boxes are a bit more “sink or swim.”

If you have time, do them all - do rooms on TryHackMe, boxes here, VulnHub, OverTheWire etc.

Nice topic

Pentesting without a solid background/professional experience in another IT domain (system admin, webapp developer, SOC, etc…) is not reasonable. You cannot just go straight to it from 0. It’s a bit like going to a climbing lesson and saying: “OK, I want to climb mountains solo, what should I do?”. Setting goals which lie too far away in the future is generally not the best strategy as 95% of people will give up very quickly.

Maybe I am biased, but I feel there is a huge gap between what people will tell you that you need to know to be a pentester, and the reality of the job market that needs professionals and will hire people with only basic skills.
Start with web security as it is the highest demand and easy to pick up.

To get a job, you would need to:

  • understand the vulnerabilities in the OWASP Top Ten
  • practice a few SQL injections and XSS
  • basic understanding of TCP networking (including stuff like proxies)
  • basic practice of Linux administration (including firewall rules)
  • basic knowledge of cryptography (what is AES, RSA, how they work. Key size needed and difference between symmetric / asymmetric crypto)
  • practice one simple buffer overflow, and learn what the modern protections are
  • how to use Metasploit and exploits
  • general computer knowledge that you have with your degree

And once you have a job in IT security, it’s easier to keep learning.
IppSec videos are great once you know the basics, I love LiveOverflow on binary exploitation.