So, how can I get started in the offensive security area?

Sometimes people ask me “how can I get started in the offensive security area? (pentesting/red team)”. And I must confess that it has been quite challenging to answer that question. I would love to have a silver bullet for questions like this, but unfortunately I don’t… as we know, offensive security is a broad area, with many ramifications and particularities.

However, when thinking more about it, I could identify some points that can certainly help those who are starting in the area and that, despite being nothing new, are sometimes underestimated or even ignored.

As I’ve always repeated these same points in private messages for this kind of question, why not share them here for anyone who might be interested? 😁

1. Be aware of the fundamentals.

Regardless of your current level: be aware of the fundamentals. Really understand what you are doing, and don’t just run tools. Fundamentals are essential in information security and especially in pentesting. When I say fundamentals, I mean networking concepts, operating systems, computer architecture, programming. Information security, in general, is considered by many to be a difficult area to start in, and I tend to agree. It’s hard for you to talk about Active Directory pentesting if you don’t even understand how Active Directory works. Why not build an AD lab on a cloud provider? I believe you will learn a lot about AD during the installation process, and it will definitely help you to exploit it later, for example. When using a tool, always start by thinking, “Okay, I’m using this tool… but what does it do and why does it work?”. With that, you magically end up with 10+ tabs open in your browser with new concepts to understand. And this is exactly the learning process that will enrich you. It’s totally okay to take a few steps back and understand the fundamentals/concepts behind a vulnerability, even if your finger is already on the button to launch that public exploit.

2. Study vulnerabilities.

When studying a new vulnerability, apply the rule:

  • Description: how to describe it
  • Identification: how to find it
  • Exploitation: how to exploit it
  • Mitigation: how to fix it
  • Prevention: how to prevent it

Try explaining this to yourself or, better yet, to a colleague. Not sure which vulnerabilities to start with? Here are some: XSS, CSRF, SQL Injection, SSRF, SSTI, LFI/RFI/Directory Traversal, OS Command Injection, XXE, stack- and heap-based overflows, integer overflows, Broken Authentication, Broken Authorization. Start by understanding the entire OWASP Top 10, then move into pentesting process and procedure, network security, Active Directory security, and so on.
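As an added example (not code from the original post), here is the rule above applied to one of the listed vulnerabilities, LFI/Directory Traversal, in Go: the description lives in the comments, a vulnerable resolver sits beside its hardened form, and a small check covers the identification step. The web root path and file names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Description: a file endpoint joins user input onto a base directory and
// trusts the result, so "../" segments walk out of the intended folder.
const webRoot = "/var/www/app/files" // constructed example root

// resolveVulnerable is the bug as it usually appears: join and trust.
func resolveVulnerable(userPath string) string {
	return filepath.Join(webRoot, userPath)
}

// Identification: the check a code reviewer or a log/WAF rule applies to
// the request parameter; any ".." segment or absolute path is suspect.
func looksLikeTraversal(userPath string) bool {
	segs := strings.FieldsFunc(userPath, func(r rune) bool { return r == '/' || r == '\\' })
	for _, s := range segs {
		if s == ".." {
			return true
		}
	}
	return filepath.IsAbs(userPath)
}

var ErrTraversal = errors.New("path escapes the allowed directory")

// Mitigation: canonicalise first, then require the result to sit strictly
// below webRoot. The trailing separator in the prefix matters, otherwise a
// sibling such as /var/www/app/files-old would pass the check.
// Prevention: keep path building in one audited helper like this one and
// never assemble file paths by plain string concatenation elsewhere.
func resolveHardened(userPath string) (string, error) {
	full := filepath.Clean(filepath.Join(webRoot, userPath))
	if !strings.HasPrefix(full, webRoot+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	payload := "../../../../etc/passwd" // constructed traversal input
	fmt.Println("vulnerable:", resolveVulnerable(payload))
	_, err := resolveHardened(payload)
	fmt.Println("hardened  :", err, "| suspicious:", looksLikeTraversal(payload))
}
```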

3. Learn to code at least one “desktop” and “web-based” language.

Learn to code in at least one “desktop” language (C, C#, C++, Rust, Golang) and have knowledge of at least one web-based language (ASP.NET, PHP, etc.).

You may struggle with many concepts simply because you don’t know how to code. On the other hand, it can be much easier to understand a concept/vulnerability/exploit if you understand the language in which it is applied (or at least the paradigm in which it is applied). Again, you may need to take a few steps back here.

4. Make use of labs/offsec contents available on the web for free.

Make use of labs available on the web for free. For web pentesting, PortSwigger already has an entire free lab platform with a huge amount of content (https://portswigger.net/web-security). We have HackTheBox labs, we have TryHackMe, we have VulnHub with multiple boot2root VMs, we have many great wargames (w3challs.com, ringzer0ctf.com, smashthestack IO)… Follow channels like IppSec on YouTube, follow the big names in the area and see what they’re studying. The area is very dynamic, and working with offsec is like being in a cat and mouse game… the sooner you consolidate a new concept or a new technique, the better your chance of staying under the AV/EDR radar.

5. Create a blog, document your notes!

Create a simple blog and put your writeups (HackTheBox/TryHackMe/VulnHub), notes and reviews in it! It allows an employer to understand some of your methodology and the concepts you are familiar with. Also, writing about what you’ve learned forces you to validate your own understanding. Here I also include mind maps (such as xmind.works).

6. Certifications

Certs! I’m not the type of guy who sees a certification as an “attestation of knowledge”, but I recognize that many of them deliver organized content and labs that would take a lot of time and money to maintain yourself. My only recommendation here is to prioritize hands-on, lab-based certifications. Some certifications are on recruiters’ radar these days, like OSCP and eCPPTv2. If you can afford them, go for them. If not, you can easily access their content and study on your own. There are a few lists of free VMs that are “OSCP-like”; I built one myself in a repository (several) years ago: here.

7. Books

Finally, books. I’m biased here: I just love technical books. However, over time, I have come to prefer books that do not focus so much on the tools themselves, but on methodologies/approaches. Again, back to the fundamentals.

… are some good examples.

That is it! Hope it helps folks!

Written on March 3, 2022