When people ask me how to get into pentesting, the first thing I say is that practice is essential. But how do you practice pentesting on your own? How do you get started with virtual machines?
In this article I am going to explain how to create a virtual attacking machine. With this machine, you will be able to practice on platforms that have « boxes ». Boxes are vulnerable machines that can be hacked. I will then present some of the websites you can use for practice.
Practicing this way is very helpful because it is the closest you can get to understanding pentesting (it is not realistic, but you will learn the core techniques used in a pentest).
How to get started?
Create your virtual attacking machine with Kali Linux
- Download Virtualbox and install it: https://www.virtualbox.org/
- Download the latest Kali Linux VirtualBox image (it is going to be our attacker machine). Make sure to take the VirtualBox image and not the VMware one:
- Install Kali:
  - Go to VirtualBox and click on « File » > « Import Appliance… »
  - Click on the yellow folder, navigate to the Kali image you downloaded, select it and click on Open
  - Click on Next and then click on Import. It will take a little while. Then launch the machine for the first time. The username should be kali and the password kali, but you can find this information on their website or in the description of your machine in VirtualBox
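The same import can be done from a terminal. The script below is an added example, not part of the original article: it compares the downloaded image with the SHA-256 value published on the download page and only then imports it with VBoxManage. The image file name, the default VM name `kali-practice` and the checksum argument are assumptions that you replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded
# appliance image, then import it into VirtualBox from the command line.

# Return 0 only if the SHA-256 of file $1 equals the expected hex digest $2.
verify_sha256() {
    file=$1
    # Accept the published digest in upper or lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Import the appliance only when the checksum matches.
# $1 = image file, $2 = published SHA-256, $3 = VM name (assumed default).
import_appliance() {
    image=$1
    expected=$2
    name=${3:-kali-practice}
    verify_sha256 "$image" "$expected" || return 1
    # Command-line equivalent of File > Import Appliance.
    VBoxManage import "$image" --vsys 0 --vmname "$name"
}

# Run only when called with arguments, for example:
#   sh import-kali.sh <downloaded-image> <published-sha256> [vm-name]
if [ "$#" -ge 2 ]; then
    import_appliance "$@"
fi
```

A mismatch means the download is corrupted or is not the file that was published, so download it again instead of importing it.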
What websites can you use?
Some great starters
First, I would recommend creating an account on TryHackMe; it’s free! Then you will have to download your configuration file and connect to the VPN so you can start hacking away on their machines.
What is awesome about TryHackMe is that they even have a box that teaches you how to get started on their platform. Another box will tell you everything about OpenVPN and how to access the boxes. So it will not only be useful on TryHackMe but also on other platforms and in your daily practice as a pentester (we do sometimes need a VPN to access our customer's system to test it).
If you are not familiar with VPNs, there is a Wikipedia article explaining what they are. Simply put, you can see a VPN as a tool that gives you remote access to another computer or environment. TryHackMe and other websites for pentesting practice will require a VPN so that you can access your practice environment, usually a vulnerable machine to hack.
If you are not familiar with Linux, TryHackMe has a box that explains it very well, and you even get a cool badge for completing it! You can also practice on overthewire.org; this website is a wargame where you will be able to learn about Linux and security concepts. If you want a little more explanation of the concepts, you should definitely go to linuxjourney.
After this you can have a look at the box on TryHackMe that introduces you to pentesting: basic pentesting.
Here is a list of great boxes (all free) on TryHackMe for beginners:
- Learn Nmap
- Learn the web fundamentals
- Learn about active recon, web app attacks and privilege escalation on Vulniversity
- Learn how to research efficiently on search engines
- Get familiar with Metasploit
- Learn about Google Dorking
- A fun way to learn the basics of pentesting with a Christmas theme
- Walkthrough on exploiting a Linux machine with Kenobi
- A crash course on various topics in penetration testing
There are plenty more; I really recommend you have a look around.
Push your skills further with other platforms
Have you covered your beginner skills? Do you want to go further? Here are some useful resources for this.
- Get your OSCP certification with Rana Khalil’s gitbook and Hackthebox
- Join CTF platforms: root-me, ringzer0. You can find lots of other CTF platforms in my resources article, in the section learning by doing.
- Hack lots of boxes that you deploy on VirtualBox with vulnhub.
- Get into bug bounty with HackerOne, Bugcrowd (find other bug bounty platforms in my resources).
- Do not stay alone in your practice: join groups like Hackthebox Ottawa, OWASP chapters, (ISC)2 Toronto chapter, CSNP and so many others. You can find ones near you with meetup.com.