Practice

Introduction

  • All the theories in the world will be of no use to us if we cannot transfer them into practice and apply our knowledge to real-world, hands-on situations.

  • Technical skills are only half the battle, however. We also need excellent written and verbal communication skills to be effective penetration testers. This includes seemingly minor things like being able to write a clear and professional email and present and defend our work during a client meeting and through a professional report.

  • Need to practice leading a kickoff call with a customer? Have a friend or teammate act as a fictitious customer. Use that time to practice asking your initial scoping questions and defining the pentest you expect to deliver. These same actions can be used when practicing delivering your post-engagement report walkthrough briefing for a client.

Practicing Steps

Modules

  • Here is a good blueprint for tackling a module:

1. Read the module
2. Practice the exercises
3. Complete the module
4. Start the module exercises from scratch
5. While solving the exercises again, take notes
6. Create technical documentation based on the notes
7. Create non-technical documentation based on the notes

Retired Machines

  • When we have completed (at least) two modules and are satisfied with our notes and documentation, we can select three different retired machines. These should also differ in difficulty; we recommend choosing two easy machines and one medium machine.

  • At the end of each module, you will find recommended retired machines to consider that will help you practice the specific tools and topics covered in the module. These hosts will share one or more attack vectors tied to the module.

  • The order in which we can proceed to practice with the retired machines looks something like this:

1. Get the user flag on your own
2. Get the root flag on your own
3. Write your technical documentation
4. Write your non-technical documentation
5. Compare your notes with the official write-up (or a community write-up if you don't have a VIP subscription)
6. Create a list of information you have missed
7. Watch Ippsec's walkthrough and compare it with your notes
8. Expand your notes and documentation by adding the missed parts

  • Finally, we should create technical and non-technical documentation again. This documentation will likely be more extensive than the previous versions because we are now covering and documenting many more topics.

  • The most significant advantage of this approach is that we go through the entire penetration testing process. This improves the way we capture essential information and ensures we have everything we need to prepare our documentation from our own experiences and notes.

Active Machines

  • After building a good foundation with the modules and the retired machines, we can venture to two easy, two medium, and one hard active machine. We can also take these from the corresponding module recommendations at the end of each module in Academy.

  • The advantage of this method is that we simulate as realistic a situation as possible using a single host that we have no familiarity with and cannot find documentation on (blackbox approach).

  • Ideal practice steps for active machines would look like this:

1. Get the user and root flag
2. Write your technical documentation
3. Write your non-technical documentation
4. Have it proofread by technical and non-technical persons

  • Proofreading gives us our first impressions of how the readers receive the two types of documentation. This gives us an idea of which aspects of our documentation need to be improved for both technical and non-technical audiences.

Pro Lab/Endgame

  • Once we feel comfortable going against single hosts and documenting our findings, we can take on Pro Labs and Endgames.

  • These labs are large multi-host environments that often simulate enterprise networks of varying sizes similar to those we could run into during actual penetration tests for our clients.
