Getting Started with Penetration Testing and dealing with everyday Mood and Motivation
2020-11-17 03:18:18

It’s all about the right Mindset and Consistency!


I assume you already know what Penetration Testing is but are unsure how and where to get started.

So, you’ve decided to dive into the dark side of our Digital World? Presuming it’s for Ethical reasons only ;-)


When you learn something new alone, you MUST become your own coach first before you become a student!

Because you should motivate yourself.

Because you need to be consistent.

Because you must set a goal and stay focused to achieve it.

Now, let me give you a quick peek into the world of Penetration Testing.

When you are starting out, first:

  • Decide whether you want to do pentesting to: (1.) Learn or (2.) Earn.
  • If you are looking only to learn, then I would highly recommend exploiting vulnerable machines on VulnHub and/or HackTheBox.
  • If you are looking to earn, then Bugcrowd and HackerOne are the places for you. Note: This will be the most challenging, as you will be competing against several pentesters to find bugs and earn bounties. But it’s doable.
  • Bugcrowd and HackerOne focus heavily on web application pentesting, whereas VulnHub and HackTheBox are more inclined towards infrastructure testing. HackTheBox is now becoming more general, covering different types of pentesting.

Make a short term goal that is achievable

Now that you’ve decided on your platform, before diving straight into the practical side of testing, I would highly recommend that you read or watch its writeups/walkthroughs first. Understand the OWASP Top 10 vulnerabilities. Make notes and familiarize yourself with how different types of vulnerabilities are discovered, what tools were used, etc.

It is important to have basic knowledge of the Linux and Windows operating systems and to understand different programming languages, such as Python, PHP, Bash scripting, JSON, JavaScript, etc.

For Penetration Testing skills, I would suggest starting off with TryHackMe challenges.

For BugBounty — I would suggest starting off with the Hacker101 CTF for beginners for real world challenges.

DAILY Learning and Practicing will take you a LONG WAY!

Once you have decided your Pentesting platforms, it is very important to familiarize yourself with the basic methodology used by the users on those platforms to hunt for vulnerabilities.

  • For Bugcrowd and HackerOne, visit this link for the Bug Bounty Hunter Methodology v3 by Jason Haddix.
  • For HackTheBox and VulnHub, visit this link for tutorials on retired machines by @IppSec.
  • For general pentesting methodology, click here.

Practice, Practice and more Practice!!!

Reporting is vital if you’re into bug bounty, as you need to submit your report to companies to show what bug you’ve found and how you found it. Reporting is also required in the workplace, where you produce pentesting reports for different projects. However, report writing is not required for learning purposes unless you want to create a writeup for a particular machine. Even so, it’s important to make notes of the tools you’ve used for specific vulnerabilities.

and Now…

  • Create a report template to keep your reports consistent.
  • Create a vulnerability grid for each vulnerability: research it and describe it in your own words. Include a reference link for validation. The vulnerability grid lets you simply copy/paste the information into your articles wherever you mention those specific vulnerabilities.
  • During testing, document your work in the report as you go, for every small bit of progress you make. That way, you will have very little left to write in your final report.
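
One way to wire the three points above together, as an added example that is not from the original post: a vulnerability grid kept as data, a findings log appended to during testing, and a single template that renders both into a consistent report. The grid entries, lab targets, and function names are constructed for illustration.

```python
from string import Template
REQUIRED = ("title", "description", "remediation", "reference")

# Vulnerability grid: one reusable entry per vulnerability class (constructed samples).
GRID = {
    "xss-reflected": {
        "title": "Reflected Cross-Site Scripting",
        "description": "User input is echoed into the page without output encoding.",
        "remediation": "Encode output for its context; validate input server-side.",
        "reference": "https://owasp.org/www-community/attacks/xss/",
    },
    "sqli": {
        "title": "SQL Injection",
        "description": "User input is concatenated into a SQL statement.",
        "remediation": "Use parameterized queries.",
        "reference": "https://owasp.org/www-community/attacks/SQL_Injection",
    },
}

# Findings logged as you go during testing (constructed lab data).
FINDINGS = [
    {"vuln": "xss-reflected", "target": "http://lab.example/search",
     "evidence": "The q parameter is reflected unencoded in the results heading.",
     "tools": ["Burp Suite"]},
    {"vuln": "sqli", "target": "http://lab.example/login",
     "evidence": "A single quote in the username field returns a database error.",
     "tools": ["Burp Suite", "sqlmap"]},
]

FINDING_TEMPLATE = Template(
    "## $num. $title\nAffected: $target\nDescription: $description\n"
    "Evidence: $evidence\nTools used: $tools\n"
    "Remediation: $remediation\nReference: $reference\n")

def incomplete_entries(grid):
    """Return grid keys whose entry lacks a required field, such as the reference."""
    return sorted(k for k, e in grid.items() if any(not e.get(f) for f in REQUIRED))

def render_report(title, grid, findings):
    """Render each logged finding through the same template, in the order logged."""
    bad = incomplete_entries(grid)
    if bad:
        raise ValueError(f"grid entries missing fields: {bad}")
    sections = [f"# {title}\n"]
    for num, f in enumerate(findings, start=1):
        entry = grid[f["vuln"]]  # KeyError: write the grid entry before reporting it
        sections.append(FINDING_TEMPLATE.substitute(
            num=num, target=f["target"], evidence=f["evidence"],
            tools=", ".join(f["tools"]), **entry))
    return "\n".join(sections)
```

Calling `render_report("Lab machine assessment", GRID, FINDINGS)` returns the full report text; a grid entry without a reference link stops the render until it is researched and filled in.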
