How to Learn Penetration Testing: A Beginners Tutorial

Katerina Borodina on March 15, 2019

Disclaimer: Hacking is a difficult skill to learn. You will not become a good pentester by just doing a few online courses. You will not become a...

Great article! Many useful tools listed.
That Civ5/real country analogy made me chuckle, so true.
Too often on HackTheBox labs you find something conveniently hidden in plain sight that contains a plaintext password, or a weak password hash from the top of the rockyou.txt wordlist in Kali.
Haven't had this much luck with real-world environments so far.


Thanks Alexander! :)
Yeah, I was a little iffy on whether to add HTB at all, but I figured it was probably good for beginners, to at least build up confidence.
I was definitely in for a shock when I went from CTFs to the real world!


I just turned 31 and have been doing internet marketing (mostly SEO) for the last 10+ years. I’m ready for a career change.

I’m fascinated by this kind of stuff but it feels like I’m too late and too old to start now. Any advice?


No way, you are NOT too old!! Hacking might seem like an intimidating field to enter, especially because so many of the "pros" have been doing it since they were kids. But there are just as many amazing pentesters who entered the field later in their career.

Plus, security is such a diverse area, with so many people from different backgrounds. Having experience in internet marketing could give you a totally different, very valuable perspective that others don't have.


I have found my SEO experience has made me particularly good at OSINT.


I’m interested in ethical hacking and this was a really great intro piece. Thanks for taking the time to do it!


OWASP Juice Shop is a great intermediate between "ok I've done WebGoat and some OverTheWire servers" and "let me at the CTFs." It's CTF-style but its hints give more guardrails. And you get infinite time to play on it. I'm sure you're aware of Juice Shop but I was surprised it wasn't mentioned here.


What I would add is that all of this exercise and tool knowledge is also very useful for every single web developer who builds customer-facing applications.


Absolutely! I think security is a pretty neglected side of development. Then again, if web devs followed security practices, I probably wouldn't have a job.
