How to Get Started with Penetration Testing - Translation


In the blink of an eye, it has been five years since I started learning security in my junior year of college, and I have built up a reasonable understanding of penetration testing. This official account is preparing to release some introductory tutorials, mainly hands-on, in the hope of helping beginners who want to get started with penetration testing. If you find it useful, you can support me at the end of the article; that motivates me to keep writing.

1. What is penetration testing

Penetration testing simulates the attack methods of real attackers to conduct a comprehensive security assessment of a target website or host. Unlike a real attack, the purpose of penetration testing is to find as many security holes as possible, whereas a real attacker only needs to find one entry point to get into the target system.

An excellent penetration test engineer can also be considered a capable hacker, and is often called a white hat.

It must be stressed that before conducting a penetration test, authorization from the target's owner is required. If you are not authorized, do not perform a penetration test on the target system; refer to the Network Security Law for the consequences. At the same time, we must maintain good professional ethics and not do anything illegal.

2. Why learn penetration testing

The benefits of learning penetration testing are nothing more than the following:

• Psychological satisfaction. It's cool: it's like watching hacker movies as a kid and then becoming one of them yourself.


• A decent income. You can check the salary of this position on the major recruitment websites. You can also take part-time work and participate in public vulnerability disclosure programs in your spare time, which can bring in a relatively generous income.


• Less cut-throat competition. Compared with software development and the financial industry, competition in the network security industry can be said to be quite mild, because there are too few skilled people in this field.

3. Learn the prerequisite skills of penetration testing

In fact, the most important things in learning penetration testing are interest, a curious mind, a thirst for knowledge, and enough perseverance; these are what keep us learning on this road.
Of course, learning penetration testing still has a certain threshold. If you have a computer science background, you can easily get started within a month or two. If you come from another major, or are a computer novice, it is harder, but don't worry: many experts around me entered the industry with zero background, so interest is still the most important thing.

Here are some basic prerequisite knowledge required for penetration testing:

• Basic knowledge of the HTTP protocol. HTTP is part of computer networking knowledge; because penetration testing largely consists of modifying the requests sent to a website in order to find flaws, understanding the format of an HTTP request is essential.
• cmd / shell operations. The cmd operations mentioned here mean using the Windows command line window to execute common commands: press Win + R, type cmd and press Enter to open the cmd window. It also means being able to run common shell commands on Linux.
• Use of the Linux operating system. Since many penetration testing tools only run on Linux, we need to know how to use a Linux system. We can install an Ubuntu Linux virtual machine with VMware virtual machine software for practice, or install Kali Linux directly.
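The HTTP request format the first bullet refers to, as an added example that is not part of the original post: it parses a raw HTTP/1.1 request the way an intercepting proxy displays it, changes a query parameter and the body, and re-serializes it with a corrected Content-Length. The sample request and the host target.example are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample request, written the way an intercepting proxy shows it.
# The host "target.example" is a placeholder, not a real site.
RAW_REQUEST = (
    b"POST /search?q=books&page=2 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: demo-client/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"sort=asc"
)


@dataclass
class HttpRequest:
    # The four parts of an HTTP/1.1 request: request line, headers, blank line, body.
    method: str
    target: str
    version: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: bytes = b""

    def header(self, name: str) -> str | None:
        # Header names are case-insensitive, so compare them lowercased.
        for key, value in self.headers:
            if key.lower() == name.lower():
                return value
        return None

    def set_header(self, name: str, value: str) -> None:
        for i, (key, _) in enumerate(self.headers):
            if key.lower() == name.lower():
                self.headers[i] = (key, value)
                return
        self.headers.append((name, value))

    def query(self) -> dict[str, str]:
        return dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))

    def set_query(self, params: dict[str, str]) -> None:
        parts = urlsplit(self.target)
        self.target = urlunsplit(parts._replace(query=urlencode(params)))

    def set_body(self, body: bytes) -> None:
        # A body edited without fixing Content-Length gets truncated or rejected
        # by the server, so the two are always updated together.
        self.body = body
        self.set_header("Content-Length", str(len(body)))

    def serialize(self) -> bytes:
        head = f"{self.method} {self.target} {self.version}\r\n"
        head += "".join(f"{key}: {value}\r\n" for key, value in self.headers)
        return head.encode("latin-1") + b"\r\n" + self.body


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into its parts; reject anything structurally broken."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no blank line after the headers")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {lines[0]!r}") from None
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    req = HttpRequest(method, target, version, headers)
    length = req.header("Content-Length")
    if length is not None:
        # Only the declared number of body bytes belong to this request.
        declared = int(length)
        if len(body) < declared:
            raise ValueError("body is shorter than Content-Length")
        body = body[:declared]
    req.body = body
    return req


def modified_request() -> bytes:
    """Parse the sample, change a query parameter and the body, re-serialize."""
    req = parse_request(RAW_REQUEST)
    params = req.query()
    params["page"] = "3"
    req.set_query(params)
    req.set_body(b"sort=desc")
    return req.serialize()
```

Running `print(modified_request().decode("latin-1"))` shows the edited request with `page=3` and `Content-Length: 9`, which is exactly the kind of change a proxy's repeater makes by hand.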

What I mentioned above is basic knowledge; the following is optional knowledge. You can do penetration testing without it, but you will be quite limited.

• The Python programming language. Even as a script kiddie, knowing Python helps us develop tools to reduce the usual workload, automate repetitive tasks such as information gathering, and, most importantly, write exploit tools.

• Java/PHP programming language. Most of the time penetration testing is done on websites. Most of these websites are developed in Java or PHP, and some are built on open source systems. We can audit the code of these open source systems and find bugs in the code.

4. How to learn penetration testing

Back to the topic of the article, how to learn penetration testing.

The first step is to determine the direction to learn

Before learning penetration testing, you can first get to know the directions it covers, because the scope of penetration testing is fairly wide. By direction it can be roughly divided into Web penetration, APP penetration, intranet penetration, Internet of Things (IoT) penetration, and industrial control penetration. Sorted by difficulty, I think the order is Web penetration < intranet penetration < APP penetration < Internet of Things penetration = industrial control penetration. Ideally you would master all of them, but everything needs to be done step by step. You can start with the simplest, web penetration, and once you have mastered it, expand to other directions.

Why is it sorted like this? Let me explain my reasons:

Web penetration is mainly about finding website vulnerabilities. You only need to understand some basic computer networking knowledge, namely the HTTP protocol, and then use some tools. The rest is understanding some common web vulnerability testing methods.

Intranet penetration refers to conducting a penetration test on the target company's internal network after we obtain control of a web server through web penetration, or obtain control of an internal host through phishing emails. It requires more computer networking knowledge, such as subnetting, network topology diagrams, and various network protocols, as well as Windows domain knowledge, privilege escalation, lateral movement, persistence, and anti-virus evasion techniques. The content is not too difficult, so as long as you are willing to spend the time, you can master it. Since there are more knowledge points than in web penetration, it is harder than web penetration.

APP penetration can be understood as an extension of web penetration, mainly penetration testing of Android and iOS apps. An app also needs to exchange data with a backend server, and that part of the test is the same as web penetration. In addition, the vulnerabilities of the app itself must be tested, which requires reverse analysis skills, and reverse analysis is itself a broad direction of security. We need to master unpacking techniques, dynamic debugging techniques, the use of decompilation tools, and the Java, C/C++, assembly, Swift, and Objective-C programming languages. In terms of programming languages, we don't need to be as proficient as software developers, but at least we need to be able to read code. Because APP penetration requires reverse analysis skills and more low-level computer knowledge, it is more difficult.

IoT penetration and industrial control penetration are actually similar. The difference is that IoT devices need to be connected to the Internet, while industrial control devices are generally on an isolated network. What they have in common is that both require access to physical devices. Unlike the directions above, where you only need a network connection to start, without IoT or industrial control equipment you cannot start at all, or can only do part of the test. Whether you can get hold of the equipment will stop many people; learning in this area requires money to buy hardware, or a company willing to invest in buying it. In terms of skills, in addition to reverse analysis, you also need to understand various hardware knowledge, electrical knowledge, industrial protocols, and IoT protocols, so the difficulty is the highest.

The second step is to understand the framework and knowledge points of the direction you are studying.

It is important to understand the framework and knowledge points of the direction you study, so as not to blindly learn unimportant knowledge points. To get started with penetration testing, start with the simplest, web penetration. I think the entry-level web penetration knowledge framework can be divided into three parts.

1. Information gathering.
Such as subdomain collection, ICP filing lookups, GitHub sensitive-information searches, etc.; the more methods you know, the more information you collect.

2. Use of common penetration testing tools.
For entry-level penetration testing, nmap, Burp Suite, Kali Linux, and sqlmap are basically enough.

3. Testing common web vulnerabilities.
For entry-level penetration testing, you can first master the OWASP Top 10 vulnerabilities, such as the most common SQL injection, XSS, file upload, broken access control, and weak password vulnerabilities.

After confirming these three knowledge frameworks, we need to use search engines to find the knowledge points in each area. For search engines I only recommend Google (look up for yourself how to use Google to find information); Baidu has too many advertisements, and what it turns up is far less valuable than Google's results.

The third step is to learn the knowledge points of penetration testing

After a general understanding of the framework and knowledge points of penetration testing, the next step is how to learn these knowledge points.

The first is self-study, which suits entry-level penetration testing when you don't want to spend money, or only very little. It is more suitable for college students or people with more free time.

Self-study means using Google to search for and learn the various knowledge points. There are also some penetration testing guidelines from abroad that you can follow.

For example, the Penetration Testing Execution Standard, which introduces some theory of penetration testing. It leans toward theory, so it is not recommended for beginners; it is mentioned here only for reference. The website is: http://www.pentest-standard.org/index.php/Main_Page

There are also some practical guides, but most of them are text, and all in English. If your English is not good, you can use the Chrome browser's web page translation to read them.

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

There is also the OWASP Web Security Testing Guide project, which contains testing steps for vulnerabilities and can be read as an introductory guide.

https://owasp.org/www-project-web-security-testing-guide/stable/

In addition to reading foreign penetration testing guides, you can also buy some penetration testing books. Good ones I have read include "In-depth Analysis of Web Security" and "Hacking Attack and Defense Technology Collection: Web Practical Combat". If reading books is boring, you can also find video tutorials. There are many penetration testing tutorials on bilibili, but I haven't watched many of them, so I can't make a recommendation; you will need to judge for yourself from the reviews.


Of course, in addition to self-study, you can also attend training courses, which suit beginners with some financial means. Many experts around me got started through training courses. Since I have never attended one, I can't recommend any; I could ask some friends who have attended to make recommendations.

The fourth step, practical operation

Based on the knowledge points learned in the third step, carry out hands-on practice, and practice each knowledge point as soon as you learn it. For practice you can find virtual machine ranges built specifically for vulnerability testing: after downloading a range, open it with VMware virtual machine software and you can access it for testing. Some ranges are listed below:

owaspbwa: the OWASP Broken Web Applications Project is a collection of vulnerable web applications distributed as a VMware-format virtual machine. This virtual machine range is recommended; it integrates a large number of vulnerable websites, such as WebGoat, DVWA, and bWAPP. The download address is:

https://sourceforge.net/projects/owaspbwa/


Metasploitable:
Metasploitable is an intentionally vulnerable Linux virtual machine. It can be used for security training, testing security tools, and practicing common penetration testing techniques. This virtual machine is also good, and it has some host-level vulnerabilities, such as the vsftpd vulnerability. The download address is:
https://sourceforge.net/projects/metasploitable/


Pikachu:
Pikachu is a Chinese-language vulnerability range:

https://github.com/zhuifengshaonianhanlu/pikachu


Vulhub:
Vulhub collects many vulnerable Docker images, and you can use Docker to start the various vulnerable environments. The address is:
https://vulhub.org/

After downloading a range, you need to learn how to use the Burp Suite proxy tool. It is a must-learn tool for penetration testing. It is commercial software and the price is not cheap; there are cracked versions on the Internet. You can read the official Burp Suite documentation to learn how to use it; the address is:
https://portswigger.net/burp/documentation/desktop/getting-started

Burp Suite's vendor also officially provides vulnerability testing tutorials, online ranges, and videos, so you can learn penetration testing directly on the official website. The address is:
https://portswigger.net/web-security/getting-started


If you don't know how to use virtual machine software, you can also find some online vulnerability ranges to practice on:

Web Security Academy:
https://portswigger.net/web-security/getting-started

hackthebox:
https://www.hackthebox.com/

web for pentester: https://www.pentesterlab.com/exercises/web_for_pentester/course

After learning some common vulnerability testing methods and how to use Burp Suite, you need to practice on real websites. You can do this on vulnerability platforms such as Butian, Vulbox, and the SRCs (security response centers) of major Internet companies. When hunting for vulnerabilities on these platforms, you must read each platform's rules carefully and follow them strictly. One more reminder: do not test without authorization! Do not test without authorization! Do not test without authorization! Important things are said three times; for the consequences, please check the Network Security Law.
This concludes the introduction to getting started with penetration testing. I will publish some tutorials when I have time later, so stay tuned~~~


Origin blog.csdn.net/Arvin_FH/article/details/132452163