The best ways to learn pentesting and ethical hacking
Ethical hacking is a wonderful, punishing, thrilling, complex pastime. It requires both a technically advanced brain and a creative mindset. Most people need not apply, and you’re mad to even try.
Which, of course, is why you should. Apart from anything, it’s an incredible amount of fun!
But if you are a beginner or intermediate, where should you start? What are the best ways to learn the skills you need to get a foothold in what is probably one of the most impenetrable areas of computing?
The joy of teaching yourself
So long as you have the requisite self-motivation, teaching yourself ethical hacking — or indeed any kind of computing skill — is both immensely satisfying and very effective. There are so many resources available, often for free, and you can go at the pace you need. For myself, I appreciate the ability to branch off and learn other prerequisite skills whenever I need to.
Ethical hacking can’t be learnt through theory alone. It requires practical experience. Take learning how to scan a host, for example. It seems easy in theory: perhaps just rote-learn some nmap arguments and you’re good. But in practice one day you’ll be presented with a host that’s behind a certain kind of firewall, and it’ll be beyond the scope of what most educational sites or blog posts discuss. Only intuition gained from practical experience can help you figure out what to do.
So, what’s the best way of gaining that practical experience if you don’t already work as a penetration tester?
CTF = Capture The Flag challenges
CTF challenges are a way of gamifying certain parts of penetration testing. A challenger sets up a host or network which contains certain — sometimes extremely subtle — vulnerabilities, and your goal is to find and exploit them. Once you do, you will gain access to a “flag” (usually a file or database record) which you can extract to prove you’ve completed the challenge.
CTF challenges are usually either available as online virtual hosts, or as virtual host images which you can download and run in, say, VirtualBox.
One of the very best places to find good CTF challenges is tryhackme.com. It’s in fact one of the best ethical hacking resources, full stop, and most of it can be accessed entirely for free.
The challenges are generally well thought through and bug-free, and cover a wide variety of skill levels. Almost all of them have walkthroughs, which are essential if you get totally stuck.
Game or real scenario?
Beware of CTF challenges which are too gamified; to be of use in the real world, CTFs need to represent realistic scenarios. Make sure you read the descriptions well, as some are set up to represent real problems that genuine ethical hackers have faced when on assignment. Conversely, others are set up like escape rooms or games, and those are generally to be avoided if you want real-world experience.
For example, a surprising number of CTFs include code hidden in, say, images or punctuation (so-called steganography). It’s a fun thing to learn to look for and crack, but it’s of no real-world value. In over a decade in the industry, I have never had to use any steganography concepts in a real penetration testing engagement.
Being stealthy
An overlooked skill is stealthiness. Some techniques which are common and useful in CTFs would immediately raise alarm bells in a real engagement, so CTFs can engender a false sense of security. Out there in the real world, if something or someone realises they’re being hacked, they can put up the shutters, and then your life will be much harder.
For example, in a CTF scenario you might not think twice about using brute-force to try 20,000 passwords, or to scan every port on a machine quickly and invasively. These techniques are usually last-ditch attempts in the real world, or at least need to be performed with care at a much slower rate.
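To see why those two techniques light up a monitoring console, here is an added example (mine, not code from the original post) of the kind of rate-based detection a blue team runs over authentication and firewall logs. The log lines are constructed, the line formats and the thresholds are assumptions, and the point it shows is that a fast burst of 300 failed logins or a sweep of 1,000 ports stands out immediately, while the same activity spread out slowly falls below the same thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log formats (assumptions, not a real product's format).
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for \S+ from (?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: SYN (?P<src>\S+) -> \S+:(?P<dport>\d+)$")


def make_auth_lines(src, count, interval_seconds, start="2024-03-01T10:00:00"):
    """Construct `count` failed-login lines from `src`, `interval_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i * interval_seconds)).isoformat()} "
        f"sshd: Failed password for alice from {src}"
        for i in range(count)
    ]


def make_fw_lines(src, ports, interval_seconds, start="2024-03-01T10:00:00"):
    """Construct one SYN line per destination port from `src`, `interval_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i * interval_seconds)).isoformat()} "
        f"fw: SYN {src} -> 192.0.2.10:{port}"
        for i, port in enumerate(ports)
    ]


def peak_in_window(events, window, key=None):
    """Sliding-window peak: the largest number of events (or distinct `key` values
    when `key` is given) that fall inside any span of length `window`."""
    q = deque()
    best = 0
    for ev in sorted(events):
        q.append(ev)
        while ev[0] - q[0][0] > window:
            q.popleft()
        size = len({key(e) for e in q}) if key else len(q)
        best = max(best, size)
    return best


def detect_bruteforce(lines, window_seconds=60, threshold=20):
    """Sources with >= `threshold` failed logins inside any `window_seconds` span."""
    per_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            per_src[m["src"]].append((datetime.fromisoformat(m["ts"]),))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        peak = peak_in_window(events, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def detect_port_scan(lines, window_seconds=60, threshold=50):
    """Sources touching >= `threshold` distinct ports inside any `window_seconds` span."""
    per_src = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            per_src[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        peak = peak_in_window(events, window, key=lambda e: e[1])
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample data: one noisy and one slow actor of each kind.
SAMPLE_AUTH = (
    make_auth_lines("203.0.113.5", count=300, interval_seconds=0.2)      # 300 tries in a minute
    + make_auth_lines("198.51.100.7", count=30, interval_seconds=3600)   # 30 tries over 30 hours
)
SAMPLE_FW = (
    make_fw_lines("203.0.113.9", ports=range(1, 1001), interval_seconds=0.05)  # 1,000 ports in 50 s
    + make_fw_lines("198.51.100.8", ports=range(1, 21), interval_seconds=600)   # 20 ports over ~3 h
)

if __name__ == "__main__":
    print("brute-force:", detect_bruteforce(SAMPLE_AUTH))  # only 203.0.113.5
    print("port scan:  ", detect_port_scan(SAMPLE_FW))     # only 203.0.113.9
```

Both detectors are deliberately simple sliding-window counters, which is exactly why the slow actors in the sample pass unflagged: real monitoring stacks add longer windows and cross-source correlation, but the burst-versus-trickle contrast is the reason the post tells you to treat fast brute-forcing and full port sweeps as last resorts on a live engagement.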
The business of ethical hacking
CTFs can only help you gain technical knowledge. Much as that is a significant part of a commercial penetration testing engagement, it’s not enough for you to start your own ethical hacking business!
A large part of what we do at Conseal Security is around engagement and the management of customer expectations. This includes:
- Determining the rules of engagement. Agreeing with the customer what’s on- and off-limits, and what they might want to learn from a penetration test. For example, if you found a denial-of-service attack which could be used against a particular production server, the customer probably won’t want you to try it out!
- Agreeing “passes”. If you find a resource that can be used to brute-force a password, say, then that’s a great find, and an adversary could exploit it for sure. But it can take literally weeks to perform that brute-forcing process. It is better, usually, to short-cut the process by asking the customer to provide access as if that process had been successfully completed.
- Explaining to non-technical people what you are going to do or what you’ve found. There is a lot of this!
Finally, the written report of your activities is enormously important. This is in itself worthy of a whole series of blog posts, but suffice to say it should explain everything you find — whether good or bad — to both a technical and a non-technical audience. Our top tip is to consider customers’ egos, ensuring that you give a full account of any negative findings whilst phrasing them delicately to avoid insulting the thin-skinned. Remember your reports are read by real people who are likely greatly invested in what you’re testing.
Learning using courses
There are many good classroom-style courses, both online and in person. Many are guided towards earning a specific qualification, and that will give you a worthwhile leg-up when looking for jobs. Qualifications such as Offensive Security’s OSCP and CREST’s CRT and CCT can be highly prized.
If a classroom-type environment suits your learning style, then this is a worthwhile consideration. And of course there is no substitute for having an expert on hand to answer your questions.
However, the biggest disadvantage of classroom courses is that, generally, they move at a rate which is appropriate to the average of the class, rather than to individuals. Different parts may move too fast or too slow for you, depending on the skill level of the group. This is a particular problem for learning ethical hacking, since it depends on many other disparate skills. If you already know, say, basic networking, you might find that a good proportion of your time is spent pointlessly revising it — perhaps even disproportionately so if your classmates don’t have that knowledge.
Generally a course will follow a very fixed syllabus. That may or may not suit your learning style. Personally, I learn things in obsessive depth. I can’t let a teacher tell me the basics about something and move onto the next subject — I want to fully understand the foundations on which it sits.
For ethical hacking, there’s also an issue that the industry moves a lot faster than a syllabus can. For example, when the Log4J vulnerability was discovered last year, it became essential knowledge overnight. Yet some syllabuses still don’t mention it, even now. And CREST’s top-grade “Certified” exams still mention Java applets and Flash, client-side technologies which are beyond obsolete.
In conclusion
Courses suit some people, self-teaching suits others. If you’re one of the latter, then my view is that self-teaching will serve you better.
Make sure you don’t just learn technical skills, because the business of ethical hacking involves much more than that. As soon as possible, try to gain real-world experience where skills like stealthiness matter a lot.
And have fun!
Tom Colvin is CTO of Conseal Security, the mobile app security testing experts; and Apptaura, the app development specialists. Get in touch if I can help with any mobile security or development projects!