The path from zero to a skilled pentester (part 1)

For pentester VSEC - BLOG

Perhaps this topic is the one that really impresses me. It’s October, the month that I feel warm and ambitious.

This is the sharing of my personal opinion, so if you have different ideas, please feel welcome to email me to discuss

I started as an IT specialist but security is my passion. I used to be a professional programmer and perhaps, my close friends and teachers at Ha Noi University of Science and Technology encouraged me to this field. It’s true that I hadn’t known anything about security before. So in my third year of university, as the requirement of my major, I joined a company for an internship and met my instructor there. This company specialized in information security, but in a short period of three months, I just got some basic stuff about DVWA (Damn Vulnerable Web App) from my instructor to study and attack. By chance, the company Director let me take a field trip for experience. There, I got acquainted with SIEM, to manage events by QRADA, … for a bank. Every day, I came to check the events and emailed my senior to notify me of any abnormalities. It might be a little boring that I decided to resign, frankly speaking, it was the end of my internship and I resigned. Realizing that it was time for further studying and practicing, I decided to pursue Information Security despite not being so sure of what this field was for.

After reading and researching, I found that IT is the broadest field. Information Security is narrower but still quite wide. Information Security is also divided into many areas. When I applied for an internship at the company where I’m working, I was oriented to Pentest (Penetration testing), and deeper into the website Pentest.

 

First, we need to understand what pentest is. Pentest stands for Penetration Testing, which means “An authorized simulated attack performed on a computer system to evaluate its security”. More simply, pen-testers can be considered as the hackers in black, wearing masks to attack the system. Such an explanation makes it easier to imagine. As far as my knowledge, pentest can be divided into 3 following areas:

  • Evaluation of network infrastructure: network structure, policies (firewall), logging, VPN, Router, Switch,…
  • Evaluation of servers system: Configuration, services update, patches, account and password policies, logging policies, authorization review, reserved capacity, load balancing, distributed database.
  • Evaluation of website apps: evaluation of vulnerabilities such as buffer overflow, SQL injection attack, and XSS,… evaluation of the checking of web source codes in order to identify problems on authentication, authorization, data verification, session management, and encryption. In my opinion, we should call this “apps evaluation” because, besides web apps, there are other ones such as mobile,… 

 

There are 2 concepts that many people may still be confused about vulnerability and threat.

  • Vulnerability: weak points in the system that can be exploited and manipulated to cause damage to the system
  • Threat: behaviors that are potentially harmful to the system,

So, What are the types of pentest?

  • Black box pentest: This is a kind of evaluation from the outside to the inside. Pentesters have no information about the target system other than what has been publicized. This is the most common type of attack.
  • Gray box pentest: Pentesters will be provided some or limited information about the target system
  • White box pentest: Evaluation from inside to the outside, Pentesters will be provided all system and network information such as: network infrastructure, source code, IP address details, OS, and policies,…

 

Next, I will discuss the procedure of an attack which can be summarized in three stages:

Prepare for attack:

  • Reconnaissance/Footprinting
  • Scanning

Conduct the attack

  • Gaining access
  • Maintaining access

Clearing tracks

In details:

Reconnaissance/Footprinting
  • Actions of the attacker to gather information about the system: users, customers, business activities, organizational information…
  • Can be repeated periodically until there is an easier chance to attack
  • Active reconnaissance: Interact with the target
  • Passive reconnaissance: not interact with the target: Social Engineering
  • Search engine: Google, Shodan, Censys
  • Information from social networks: Facebook, Twitter, Linkedin
  • Email reconnaissance: whois/smartphones, Email Extractor
  • Internet connection reconnaissance: traceroute
  • DNS information: dnsenum / nslookup, dnswatch.info
  • File robots.txt: This is the file for… Google
  • What web
  • DNS-enum
  • The harvester: gathering emails, names, subdomains, Ips, and ULRs
  • Email extractor

 

Scanning
  • Scanning to identify information of the system based on information gathered from the reconnaissance stage
  • The attacker will get an in-depth and more detailed view of the system: services provided, open service ports, IPs, OS, and software.
  • Extraction information from this stage allows the attackers to plan details for the attack.

 

Gaining Access
  • The attackers with information gathered from the previous stage will conduct the attack on the system to gain access using web security gaps such as SQLi, RCE,…

 

Maintaining Access
  • Once access has been gained, the attacker will use some techniques to maintain access without relaunching the attack such as creating a back door, opening a network connection,…

 

Clearing Tracks 
  • This is an important stage to clear tracks of your penetration into the system so that no one can detect it. It will be very difficult for the investigator to identify who you are or what you have done as you have deleted the system logs,…

 

Seem like a lot of theories, but it’s the door to Pentester

For myself, first, I did a thorough research about the above contents. Next is to choose the way and I have chosen the mobile and website application Pentest.

In this section, my presentation about the path focuses on the evaluation of website applications.

During the internship at the company, I first learned about the network starting with OSI and TCP/IP reference model, the TCP three-way handshake process, using Wireshark, nmap, hping.

This is the introduction step about the network. Going deeper into the website, you need to understand website technology, Client, Server, HTTP protocol, URL, URI, and what headers in HTTP protocol are used for.

The first book I came across was:

“The Web Application Hacker’s Handbook”.

Theory should be combined with practice to study and install environments such as DVWA, BWAPP (I found it far more interesting and difficult than DVWA),… Finishing BWAPP, you will have the background knowledge because BWAPP follows the OWASP assessment standard, the famous name is OWASP Top Ten. By trying to study these labs and always asking “Why”, you will get a better understanding.

If you don’t want to build a lab, you can learn here, There’s a lab and tutorial, and I think they are quite good:  

https://portswigger.net/web-security

After gaining enough background knowledge, you can take CTF tests to improve your skills.

I personally go straight forward to bug bounty programs instead of taking CTF. These programs offer rewards when you find bugs and report to them. The most important thing here is “money”- which motivated me to fight. Right, when you have high motivation, you will try and fight with all your best. When first joining such programs,  you should choose easy targets for gradual learning. In my case, the company had this kind of program in private form for people to participate. In addition, there are public programs in Vietnam that you can find out for yourself, In the world, some famous programs are:

https://hackerone.com/

https://www.bugcrowd.com/

One more thing, You guys who have been reading my blog can see that I always talk about CVE, right? CVE seemed too luxurious for me before, but I have overcome myself and improved my knowledge to look for it and find open sources to install and run it. The most important thing is to choose my favorite language. I personally prefer PHP,… with CMS like WorldPress, Joomla!, Drupal,…

In addition to CVE, you can pursue more advanced education for such certificates as OSCP, OSCE, AWAE,… or learn about other certificates like GPEN,…

There is a very valuable information source on GitHub:

https://github.com/swisskyrepo/PayloadsAllTheThings

Maybe, it is mind

https://github.com/HoangKien1020/pentest