How To Become A Pro Pentester

While specialization will be a goal after you are hired, a pentester needs to be an all-around expert in many different fields of study. Looking at everything that a pentester should know can be very intimidating for a beginning infosec student or enthusiast. Many IT professionals have fantasies about becoming pentesters, but the majority of them never even begin the process because they believe it to be extremely challenging and time-consuming. And they’re right. This is not for you if you don’t love security testing, discussing security topics, picking up new skills, and needing to spend hours or even days trying to solve an issue.

  1. Networking
    Understanding how computers communicate with one another is among the most important things a penetration tester can learn. Learn the ins and outs of TCP/IP, protocols, three-way handshakes, and packet inspection. Reach the stage where you can use the OSI model to map out a network conversation on a whiteboard and write a detailed explanation of how it all operates. Know every layer of the OSI model, not just the ones you can’t get by without, and the protocols associated with each. This matters because when you examine traffic in packet dumps you will need to inspect each wrapper, each address, and so on. Once you have that kind of understanding, you will be able to read and manipulate network traffic at the packet level.

How to get ready:
  • Read TCP/IP Illustrated, Volume 1; study Network+ and CCNA Security.
  • Use Wireshark to examine traffic, practice creating and sending packets, and gain an understanding of how they work.
  • Read up on HTTP; become well-versed in it. The book “HTTP: The Definitive Guide” is an excellent source. Use Burp Suite to inspect and proxy web traffic (more on this later).
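The "examine each wrapper, each address" habit is easiest to build by writing the decoding yourself once. The following is an added example, not code from the original post: it constructs a sample Ethernet II / IPv4 / TCP frame (made-up MAC addresses, private IPs, TCP checksum left at zero), then peels it one layer at a time the way you would when reading a packet dump, verifies the IPv4 header checksum, and classifies the three segments of a three-way handshake by their SYN/ACK bits.

```python
import struct
from typing import Any, Dict, List

# TCP flag bits from the 13th byte of the TCP header (RFC 793).
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FLAG_FIN: "FIN", FLAG_SYN: "SYN", FLAG_RST: "RST", FLAG_PSH: "PSH", FLAG_ACK: "ACK"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is
    zero it returns the value to insert; over a complete, intact header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet II / IPv4 / TCP. MAC addresses are made up
    and the TCP checksum is left at zero; only the IPv4 header checksum is computed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def flag_names(flags: int) -> List[str]:
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def handshake_step(flags: int) -> str:
    """Classify a segment by its SYN/ACK bits, as you would when spotting a handshake in a capture."""
    syn, ack = bool(flags & FLAG_SYN), bool(flags & FLAG_ACK)
    if syn and not ack:
        return "SYN"
    if syn and ack:
        return "SYN-ACK"
    if ack:
        return "ACK"
    return "other"


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Peel the frame one wrapper at a time: Ethernet, then IPv4, then TCP."""
    # Layer 2: 14-byte Ethernet II header.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    # Layer 3: IPv4. IHL is the header length in 32-bit words, so IP options change it.
    ip_start = 14
    version, ihl = frame[ip_start] >> 4, (frame[ip_start] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    ip_hdr = frame[ip_start:ip_start + ihl]
    total_len, ident, frag, ttl, proto, csum = struct.unpack("!HHHBBH", ip_hdr[2:12])
    if proto != 6:
        raise ValueError("not TCP, protocol %d" % proto)
    # Layer 4: TCP. Data offset is in 32-bit words, like IHL.
    tcp_start = ip_start + ihl
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", frame[tcp_start:tcp_start + 14])
    data_off = (off >> 4) * 4
    payload = frame[tcp_start + data_off:ip_start + total_len]
    return {
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "ttl": ttl,
        "ip_checksum_ok": ipv4_checksum(ip_hdr) == 0,  # intact header sums to zero
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flag_names(flags),
        "handshake": handshake_step(flags),
        "payload": payload,
    }


def demo_handshake() -> List[str]:
    """Build the three segments of a handshake and classify each after parsing."""
    c, s = "10.0.0.1", "10.0.0.2"
    frames = [
        build_tcp_frame(c, s, 40000, 443, 1000, 0, FLAG_SYN),
        build_tcp_frame(s, c, 443, 40000, 5000, 1001, FLAG_SYN | FLAG_ACK),
        build_tcp_frame(c, s, 40000, 443, 1001, 5001, FLAG_ACK),
    ]
    return [parse_frame(f)["handshake"] for f in frames]


if __name__ == "__main__":
    print(demo_handshake())
    print(parse_frame(build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 443, 1000, 0, FLAG_SYN)))
```

Compare the fields this returns with what Wireshark shows for a real SYN and you will see the same nesting; flipping one byte of the IPv4 header (the TTL, say) without recomputing the checksum is a quick way to see why the checksum check belongs in any parser you write.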
  2. Understanding the web
    I touched on HTTP and Burp Suite in the networking section, so let’s talk about them now. Most people misunderstand how the web actually works. Can you fully describe an HTTP request and response in writing? Do you know every HTTP verb? Do you know the differences between HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/0.9 without having to look them up? Do you know most of the HTTP response codes, specific codes rather than just the general classes? Do you know how a CDN works? Let’s assume that most of those went unanswered, because most people never genuinely study how the web functions. When conducting code reviews, API reviews, and web application testing, you will require.

How to get ready:
  • Read “The Tangled Web” and “HTTP: The Definitive Guide.”
  • Know RFC 2616 and the other relevant RFCs. Practice using Burp Suite and Wireshark to inspect web traffic.
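If you cannot yet "fully describe an HTTP request and response in writing", writing a minimal parser is a good forcing function. The following is an added example, not code from the original post: it splits an HTTP/1.x message into start line, headers and body for both requests and responses, decides where the body ends using the framing rules of RFC 7230 §3.3.3 (chunked transfer coding first, then Content-Length, otherwise read to connection close for responses), flags the ambiguous case where both framing headers are present, and maps a status code to its class. The sample request and response are constructed, not captured from any real server.

```python
from typing import Any, Dict

# Constructed sample messages (not captured from any real server).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: demo-client\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n\r\n"
)


def status_class(code: int) -> str:
    """The five classes that the first digit of a status code encodes (RFC 7231 §6)."""
    return {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}.get(code // 100, "unknown")


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, chunk bytes, CRLF, ... until a zero-size chunk."""
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # drop any chunk extension
        pos = line_end + 2
        if size == 0:
            return out  # trailers, if any, follow the last chunk; ignored here
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def parse_http_message(raw: bytes) -> Dict[str, Any]:
    """Split an HTTP/1.x message into start line, headers and body, and decide
    where the body ends using the RFC 7230 §3.3.3 framing rules."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive

    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/"):  # a status line means this is a response
        msg: Dict[str, Any] = {"kind": "response", "version": parts[0],
                               "status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else ""}
    else:  # request line: method, target, version
        if len(parts) != 3:
            raise ValueError("malformed request line")
        msg = {"kind": "request", "method": parts[0], "target": parts[1], "version": parts[2]}

    has_te = headers.get("transfer-encoding", "").lower() == "chunked"
    has_cl = "content-length" in headers
    # Both headers present is ambiguous framing. RFC 7230 says Transfer-Encoding wins and the
    # message ought to be treated as an error, since two parsers that disagree lose sync.
    msg["ambiguous_framing"] = has_te and has_cl
    if has_te:
        body = decode_chunked(rest)
    elif has_cl:
        body = rest[:int(headers["content-length"])]
    elif msg["kind"] == "response":
        body = rest  # no framing header: the body runs until the connection closes
    else:
        body = b""  # a request with neither header has no body
    msg["headers"], msg["body"] = headers, body
    return msg


if __name__ == "__main__":
    req = parse_http_message(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["version"], req["headers"])
    resp = parse_http_message(SAMPLE_RESPONSE)
    print(resp["status"], status_class(resp["status"]), resp["body"])
```

Feed it a response you captured with Burp Suite or Wireshark (as bytes) and compare its fields with what the proxy displays; the body-framing branch it takes is exactly the decision a real server or proxy makes, which is why the ambiguous case is worth flagging rather than silently resolving.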
  3. Operating systems
    You will have to test every operating system as a pentester. You don’t get to pick only Windows environments, let alone only Windows 7 and older. You will encounter a wide variety of environments running Windows, Linux, and macOS. You should feel at ease on all of them: gathering data, using the command line (PowerShell, CMD, and Bash), and downloading, installing, and running programs. It may sound easy, but that knowledge runs deep. If you had access to a Windows Server 2012 box, could you push updates, add a new admin, change roles, and so on? If you were the web server’s user on an Ubuntu box, could you list all the files and their permissions? Naturally, you don’t need to know all

How to get ready:
  • Build virtual machines: a Windows Server and at least one Linux distribution. A Mac VM is optional, since macOS is Unix-based and Linux command-line knowledge largely carries over.
  • Learn all the features of those VMs at the administrator level before using them as hosts.
  • The numerous books, websites, and online courses available will teach you a lot.

Happy learning!