Disclaimer: Use this information only in a controlled manner and only on systems you have permission to use. Any illegal use is your responsibility as is learning the laws in your country, state, province or county and abiding by them.
Another free training program from the mind at The Cyber Union. This free resource is meant for those looking to get into penetration testing and have no idea where to start. The program will contain resources on topics that I believe to be real world applicable.
Like the analyst program this will be continuously built over time as I come across resources on specific topics. Enjoy and let me know what you think.
Certification Road Map
Last Update: 10/23/2021
Based on the exams I have taken or the study guides I have read through, the following path is what I would take if I were to go back in time and start over. Others may suggest different certifications and different orders, which is cool. But for me, this would be the most efficient chain. I will update it as I come across new materials.
Starting Point
TryHackMe - Complete Beginner Learning Path
In my opinion, TryHackMe is a much easier starting point than HackTheBox. The content creators do a good job of making the skillsets more accessible to beginners with zero knowledge. One warning: access to the path is not free but requires you to sign up for the subscription at $10 USD a month. On the upside, you do get a certificate for completing the path. This can be added to your resume to help you land an interview.
Areas of Study
Discovery
This is a simple concept. Figure out what targets are reachable from where you are at. Nmap is your friend for this stage. Simply scan the /24 subnet to get started in a CTF environment. If you are on a real-life engagement, the customer will most likely let you know what your target ranges are.
Sample Nmap Commands
You may run into instances where every host responds or nothing responds, although there should be some live hosts. In this case, try running a different type of scan, such as an Echo Scan.
Profiling
This scan is meant to discover listening services on your live hosts. The reason these are separate steps is that it's faster in my personal experience. When you are running a large scan, such as one combining discovery and profiling, and something happens, you have to restart all your efforts. This could mean hours of work. If you do them one piece at a time, there is much less work you have to redo.
Some pen testers get pretty crazy with their profiling scan, which is cool but most of the time a simple scan works great.
This scan will enumerate all TCP ports, a handful of UDP ports, the OS, and service versions, and disable the ping sweep. Pretty much everything you need. Notice that I fed it a list of live hosts with the -iL switch. I got these hosts from the discovery scan with some simple command-line fu.
You may be saying, "Silverbits, f that. I want to do it with one command." Ok go for it. In your practice lab, there is no reason to split this up.
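Glue between the two scans described above, as an added example that is not part of the original program (written in Python rather than the author's unspecified command-line fu): it parses Nmap grepable output (`-oG`) from the discovery sweep into a validated host list for `-iL`, and flags the "everything answers" case from the Discovery section. The sample scan output is constructed.

```python
"""Turn a discovery sweep into an -iL target list for the profiling scan.

Added example, not part of the original program. Assumes the sweep was
saved in Nmap grepable format (-oG), whose host lines look like:
    Host: 10.10.10.5 (web01)<TAB>Status: Up
"""
import ipaddress
import re

# Constructed sample of grepable discovery output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated (constructed sample)
Host: 10.10.10.1 (gw)\tStatus: Up
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.7 ()\tStatus: Down
Host: 10.10.10.20 (fileserver)\tStatus: Up
Host: not-an-ip ()\tStatus: Up
# Nmap done at ... 254 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)", re.M)


def live_hosts(gnmap_text):
    """Unique, validated IPs whose Status is Up, in scan order.

    Comment lines, Down hosts and anything that is not an IP address are
    skipped, so the result is safe to write one-per-line for nmap -iL.
    """
    seen = []
    for addr, status in HOST_RE.findall(gnmap_text):
        if status != "Up":
            continue
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # hostname or garbage where an IP was expected
        if ip not in seen:
            seen.append(ip)
    return seen


def sweep_looks_suspect(hosts, network, threshold=0.95):
    """True when (almost) every usable address in the range answered.

    A /24 with 95%+ of addresses Up usually means an in-path device is
    answering for everything, not that 250 real hosts exist; re-run the
    sweep with a different probe type before feeding it to profiling.
    """
    net = ipaddress.ip_network(network, strict=False)
    in_range = [h for h in hosts if ipaddress.ip_address(h) in net]
    usable = max(net.num_addresses - 2, 1)  # drop network/broadcast
    return len(in_range) / usable >= threshold
```

Write `live_hosts(...)` one address per line and pass that file to the profiling scan with `-iL`; if `sweep_looks_suspect` is true, fix the sweep first rather than profiling a whole range of phantom hosts.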
Services
Understanding services, how they work, and how to connect to them is a fundamental part of any pen tester's toolkit. Below are the top services that I look at in customer environments.
SMB/NetBIOS
Server Message Block (SMB) is one of the most common services in an environment. There will almost always be shares on a network, and the associated ports (139, 445) are often open. If you can connect to these, you can gather loads of intel and perhaps gain an initial foothold.
Skills To Learn:
- Connect to share
- Mount share
- Use PsExec
- Null Sessions
- Retrieve password policy
- Password spraying
Practice Labs
HTB-Monteverde
- Practice Nmap Profiling scan
- Practice NULL sessions (enum4linux, smbclient, smbmap)
- Practice password bruteforcing (Metasploit: smb_login)
- Practice mounting shares
- Practice browsing shares using smbclient and smbmap
Kerberos
Kerberos is available in pretty much every business environment today. If you can understand how the service works and how you can manipulate it, you will have a very handy tool in your box.
Skills To Learn:
- Kerberoasting
- AS-REP Roasting
- Golden/Silver Ticket Attacks
- Pass the Ticket
- Skeleton key Attack
- BloodHound
- Using a ticket in Linux
Practice Labs
HTB-Blackfield
- Practice checking for preauthentication with Impacket's GetNPUsers.py
- Practice cracking the krb5asrep hash with hashcat or JohnTheRipper
- Practice with all the basic Kerberos attacks: Kerberoasting, AS-REP Roasting, Golden/Silver Ticket Attacks, Pass the Ticket, and Skeleton key
Active Directory
Like Kerberos, Active Directory is integral to virtually every business environment you will see as a pen tester. Understanding how to navigate the structure and interact with users and devices via Active Directory is an amazing skill to have.
Skills To Learn:
- GPO
- BloodHound
- Domain Hierarchy
- Adding/modifying users and group memberships
- Domain Trusts
- GPP Attack
- ZeroLogon
Practice Labs
HTB Track - Active Directory 101
- Work through all the boxes in this track
- Don't be ashamed to use walkthroughs. These labs are meant to teach you what is possible. Learn the tricks, document, and try to do it on your own next time you come across it.
Web
Web services are another no-brainer to learn. Even if you don't become a master of web attacks, understanding the basics of web services can take you far.
Skills To Learn:
- Directory Bruteforcing
- Web Shells
- Basic XSS
- Basic SQLi
- Command Injection
- Remote Code Execution
- Setting up a web service
- Understanding permissions of the web service