How to get started with pentesting?

When people ask me about how to get into pentesting, the first I say is that practice is essential. But how to practice pentesting on your own? How to get started with virtual machines?
In this article i am going to explain, how to create a virtual attacking machine. With this machine, you will be able to practice on platforms that have « boxes ». Boxes are vulnerable machines that can be hacked. I will then present some of the website you can use for practice.
On another part I will share how to use vulnerable virtual machines and set them up in your lab
Practicing this way is very helpful because it is the closest way to understand pentest (it is not realistic but you will get the core techniques used for pentest)

How to get started ?

Create your virtual attacking machine with Kali Linux

Download Virtualbox and install it: https://www.virtualbox.org/
Download Virtualbox and install it from here
Download the lastest kali linux virtualbox image (it is going to be our attacker machine) Make sure to take the virtualbox image and not the vmware one:

Kali

Install Kali:

Go to virtualbox and click on « File » > « Import Appliance… »
Click on the yellow folder and navigate to the image of kali you downloaded, select it and click on open
Click on next and then click on import. It will take a little while… And then launch it for the first time. Username should be kali and password kali but you can find this info on their website or on the description of your machine in virtualbox

Import

What website can you use?

Some great starters

First i would recommend to create an account on tryHackMe here, it’s free! Then you will have to download your configuration file and access to the VPN so you can start hacking away on their machines.

What is awesome about tryhackme is that you even have box to learn how to get started on their platform here. This other box will tell you everything about OpenVPN and how to access the boxes. So it will not only be useful on tryhackme but also on other platforms and in your daily practice as a pentester (we do sometimes need a VPN to access our customer system to test).

If you are not familiar with VPN here is a wikipedia article explaining what it is. But simply put you can see a VPN as a tool that will give you access to another computer or environment remotely. TryHackMe and other website for pentesting practice will require a VPN so that you can access your practicing environment, usually a vulnerable machine hack.

If you are not familiar with linux, TryHackMe has a box that explains it very well, you even get a cool badge by completing it! You can also practice on overthewire.org, this website is a wargame you will be able to learn about linux and security concepts. If you want a little more explainations on concepts you should definitely go on linuxjourney.

After this you can have a look at the box on TryHackMe that introduces you to pentesting: basic pentesting.

Here is a list of great box (all free) on tryhackmefor beginners:

Learn Nmap
Learn the web fundamentals
Learn about active recon, web app attacks and privilege escalation on Vulniversity
Learn how to research efficiently on search engines
Get familiar with Metasploit
Learn about Google Dorking
A fun way to learn the basics of pentesting in a christmas theme. Stay tuned they make one every year!
Walkthrough on exploiting a Linux machine with Kenobi
A crash course on various topics in penetration testing
Learn Cyber in 25 days
Advent of cyber 2019
Advent of cyber 2021
Advent of cyber 2022
Avdent of cyber 2023

There are plenty more, I really recommend you to have a look around.

How to use vulnerable VM to practice

Once your have your kali installed, you can also take vulnerable machines to practice on them.
The idea here is to connect your kali with this machine so that you can hack it from your kali.

Where to find vulnerable machines

IMPORTANT NOTICE: These are vulnerable machines so use with caution. Also always check and research about a machine before installing it

How to connect your kali with another machine

Once you have chosen the machine you wish to try, and deployed it, you will need to connect it.
In this example I am going to show you how to proceed with Metasploitable 2. You can find it here.

Install Metasploitable 2

Unzip the downloaded file in a folder you will easily find later
Go to virtualbox click on new machine
Give a name to your new machine I will call it Metasploitable
Choose the type Linux and Version Ubuntu
Choose how much ram you need (1go should be enough)
Be careful here to also leave resources to your host and calculate this also with your kali. You will need: enough resources for your host, your kali and your vulnerable machine.
On the next window click on “use an existing virtualdisk file”
- Click on the yellow folder
- Click on add
- Navigate to the metasploitable folder you have just dowloaded and select the .vdmk file
- Select it and then click on choose
- Finally click on create
You can now start the machine for the first time (it should take a few minutes to start login is msfadmin and password is msfadmin)
Shut down the machine

Useful resources on Metasploitable 2

Connect Kali and Metasploitable 2 together

Both machine should be shut down for this process
Go to virtualbox
Click on file > preferences > network
Click on the plus
Rename the network as you like or leave it like this
And click on ok

Click on Metasploitable
Settings
Network
And select Nat Network from the dropdown menu
And then ok
Ensure that Allows VM is selected in promiscuous mode
Do the Same for the kali machine
Launch both the machine
For more information on connection of VM together you can refer to this link

Check if our machines can communicate

In your Metasploitable type ip a and check your ip address
In you kali open the terminal and type ping
- In my case: ping 10.0.2.4
- My kali can access metasploitable
Now type ip a in your kali and ping it from your Metasploitable.
They can connect to each other both ways.

Start to work on our skills

We are ready to go
We can launch an nmap scan
If you want to work only on your web skills you can open the browser in your kali and go to http://<your-metasploitable-ip>. (In my case http://10.0.2.4/)
You should land on this page Mutillidae and DVWA are fun to play with for web skills.

Proper config for Mutillidae

In order for mutillidae to work properly we need to change the config file.
In Metasploitable VM navigate to /var/www/mutillidae
Type, sudo nano config.inc
Change the database name from ‘metasploit’ to ‘owasp10’
Close and save the changes

Mutillidae Exploration

Toggle hints: will activate or dactivate the hints. If you are a beginner you should activate them
Toggle security: Change the level of security of the application. Start at level 0
Reset DB: Will reset the database in case you feel like the app is not working properly or in case you break it :D

DVWA Exploration

Connect to the app with the help of the hint under the form
- Hint: default username is ‘admin’ with password ‘password’
Setup: you will be able to reset the database
DVWA Security: you will be able to change the security for it to make it harder to hack. I recommend starting with low.
The items in the middle are different attacks you can try out.

ENJOY!! :D

Push your skills further with other platforms

You have covered your beginners skills? You want to go further? Here are some useful resources for this.

Practice for certifications (PNPT, HTB CPTS, ECCPT, …) with Rana Kalil’s gitbook and Hackthebox (She made for the OSCP but it works really well for the PNPT)
Join CTF platforms: root-me, ringzer0.
Hack lots of box that you deploy on virtualbox with vulnhub.
Get into bug bounty with Synack, yeswehack, hackerone, bugcrowd.
Do not stay alone in your practice: Join groups like Hackthebox Chapters, OWASP chapters, (ISC)2 chapters, CSNP and so many others you can find ones near you with meetup.com.