This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Prerequisites & Skills

Why Do You Need to Know This?

Think of penetration testing like being a digital locksmith—you can't pick locks effectively if you don't understand how they work. Without these foundational skills, you'll be stuck running automated tools without understanding what they do or why they succeed or fail.

Required Technical Knowledge

Security Fundamentals - The "Why" Behind Everything

Before you can break security, you need to understand what security actually protects.

The CIA Triad - Every security decision comes down to these three principles:

  • Confidentiality: Keeping secrets secret (passwords, financial data, trade secrets)

  • Integrity: Ensuring data hasn't been tampered with (bank transfers, medical records)

  • Availability: Making sure systems work when needed (websites, emergency services)

Risk vs. Reality: A critical SQL injection in a test database isn't the same as one in the production customer database. Understanding business impact separates good pen testers from script kiddies.

Common Attack Vectors: Attackers are lazy—they use the same techniques over and over because they work:

  • Social engineering (easiest path)

  • Unpatched systems (why work harder?)

  • Misconfigured services (default passwords anyone?)

  • Insider threats (trusted users going rogue)

System Architecture - How Everything Connects

Modern attacks don't target individual systems—they exploit trust relationships between systems.

The Big Picture:

  • Web servers talk to database servers (attack the web, get the database)

  • Domain controllers manage all Windows machines (compromise one, control everything)

  • Cloud services connect to on-premise networks (new attack paths everywhere)

Why This Matters: When you understand how System A trusts System B, you can use System A to attack System B.

Networking Fundamentals

How Data Actually Moves

Think of networking like the postal system—understanding how mail gets delivered helps you intercept, redirect, or forge it.

TCP vs UDP - The Two Ways to Send Data:

  • TCP: Like registered mail—reliable, confirmed delivery, but slower

    • Used for: Web browsing, file transfers, anything that can't lose data

    • Attack opportunities: Connection hijacking, session replay

  • UDP: Like postcards—fast but no delivery guarantee

    • Used for: Gaming, streaming, DNS lookups

    • Attack opportunities: Amplification attacks, spoofing

HTTP/HTTPS - The Language of the Web:

  • HTTP: Plain text conversations between browsers and servers

  • HTTPS: Encrypted version, but still attackable at the endpoints

  • Why it matters: Most modern attacks happen through web applications

DNS - The Internet's Phone Book:

  • Translates human-readable names (google.com) to IP addresses (172.217.164.110)

  • Attack opportunities: DNS poisoning, subdomain takeovers, information leakage

Ports and Services - The Front Doors of Systems

Every network service listens on a specific port. Knowing which services typically run where helps you prioritize targets.

The Big Four You'll Attack Most:

  • Port 80/443 (HTTP/HTTPS): Web applications—your bread and butter

  • Port 22 (SSH): Secure shell—often not so secure with weak passwords

  • Port 3389 (RDP): Windows remote desktop—attackers' favorite way in

  • Port 445 (SMB): Windows file sharing—notorious for vulnerabilities

Database Ports (where the valuable data lives):

  • 3306: MySQL

  • 5432: PostgreSQL

  • 1433: Microsoft SQL Server

Why This Matters: When you scan a network and see port 3389 open, you immediately know to try credential attacks. When you see port 1433, you know there's a database worth investigating.

Operating Systems Basics

Windows - The Corporate Standard

Most companies run Windows, making it your primary target in corporate penetration tests.

Active Directory - The Crown Jewel:

  • Domain Controllers: The servers that manage everything in a Windows network

  • User Accounts: Every employee has an account—compromise one, impersonate them

  • Group Policies: Rules that control what users can do—often misconfigured

  • Trust Relationships: How different parts of the network trust each other—attack paths waiting to be exploited

Key Windows Skills for Pen Testers:

  • PowerShell: Microsoft's powerful scripting language—harder to detect than traditional malware

  • Services: Background programs that often run with high privileges

  • Registry: Windows' configuration database—tons of persistence opportunities

  • Event Logs: Where Windows records what happens—what attackers try to clear

Real Example: You compromise a regular user account (john.doe) through a phishing email. Using PowerShell, you enumerate the Active Directory domain and discover that john.doe has "GenericWrite" permissions on the "BackupOperators" group. You add yourself to this group, which gives you "SeBackupPrivilege" on the domain controller. You use this privilege to backup the NTDS.dit file (Active Directory database), extract all password hashes, and crack the Domain Admin password offline. Now you control the entire Active Directory forest.

Linux - The Internet's Backbone

Linux runs most web servers, cloud infrastructure, and IoT devices. If it's connected to the internet, it's probably running Linux.

File System Hierarchy - Everything Has Its Place:

  • /etc/: Configuration files (passwords, service settings)

  • /var/log/: System logs (what happened and when)

  • /tmp/: Temporary files (often world-writable—perfect for your tools)

  • /home/: User directories (personal files and SSH keys)

Key Linux Skills for Pen Testers:

  • Bash: The default shell—essential for automation and privilege escalation

  • File Permissions: Who can read/write/execute what (often misconfigured)

  • Processes: Running programs and their privileges

  • Cron Jobs: Scheduled tasks (often run as root with predictable timing)

Real Example: You exploit a web application vulnerability on a Linux web server and get shell access as the "www-data" user. You discover that a backup script in /etc/cron.daily/ runs as root but is writable by the "webadmin" group. You find that the current user is part of this group through a misconfigured sudo rule. You modify the backup script to copy /etc/shadow to a world-readable location, wait for the cron job to run, then crack the root password hash. This gives you persistent root access to the Linux system hosting the web application.

Basic Programming/Scripting

Python - Your Digital Swiss Army Knife

Python is the language of choice for most security professionals because it's simple, powerful, and has libraries for everything.

Why Python for Pen Testing:

  • Readability: You can understand and modify other people's scripts easily

  • Libraries: Want to make HTTP requests? import requests. Need to manipulate network packets? import scapy

  • Cross-platform: Your Python scripts work on Windows, Linux, and macOS

  • Community: Massive collection of security tools and examples

Essential Python for Pen Testers:

  • File I/O: Reading configuration files, parsing scan results, processing log files

  • Network Programming: Creating custom clients, automating web requests, building network tools

  • Regular Expressions: Extracting useful information from messy text data

  • APIs: Automating tasks through web APIs and services

Real Example: During an Active Directory penetration test, you need to check if 500 discovered user accounts are vulnerable to Kerberoasting (a technique where you request service tickets for accounts and crack them offline). Instead of manually testing each account, you write a Python script using the impacket library that automatically requests service tickets for all accounts with Service Principal Names (SPNs), saves the tickets to files, and then uses hashcat to attempt cracking them. The script discovers that 15 service accounts have weak passwords, including one with Domain Admin privileges.

Bash - The Linux Native Language

Every Linux system has Bash installed by default, making it perfect for post-exploitation activities.

Why Bash for Pen Testing:

  • Universal: Available everywhere Linux exists

  • System Integration: Perfect for chaining system commands together

  • Stealth: Bash scripts often look like normal system administration

  • File Manipulation: Excellent for processing text files and logs

Essential Bash Skills:

  • Command Chaining: Using pipes (|) and redirects (>) to connect commands

  • Variables and Logic: Creating reusable scripts with conditional logic

  • System Commands: Integrating with native Linux tools like grep, awk, and sed

Real Example: After compromising a Windows workstation in an Active Directory environment, you need to find all computers where your current user has local administrator access. You write a Bash script that reads a list of computer names from BloodHound output, tests WMI connectivity to each machine, and reports back which systems you can access. This helps you identify lateral movement opportunities without manually testing hundreds of machines.

PowerShell - Windows Automation and Stealth

PowerShell is Microsoft's answer to Bash, but it's object-oriented and incredibly powerful for Windows environments.

Why PowerShell for Pen Testing:

  • Native: Built into every modern Windows system

  • Powerful: Direct access to .NET framework and Windows APIs

  • Stealthy: Often bypasses traditional antivirus detection

  • Post-Exploitation: Perfect for maintaining persistence and moving laterally

Key PowerShell Concepts:

  • Cmdlets: Verb-noun commands like Get-Process, Start-Service

  • Objects: Everything returns structured data, not just text

  • Remoting: Execute commands on remote Windows systems

  • Empire Integration: Many post-exploitation frameworks are built on PowerShell

Web Technologies - Understanding Your Primary Target

Most penetration tests focus on web applications, so understanding how they work is crucial.

HTML/JavaScript Basics:

  • DOM Manipulation: How JavaScript modifies web pages (and how you can abuse it)

  • Event Handling: User interactions that might bypass security controls

  • AJAX Requests: Background communication that might reveal hidden functionality

HTTP Deep Dive:

  • Request Methods: GET, POST, PUT, DELETE and their security implications

  • Headers: Authentication tokens, session cookies, security controls

  • Status Codes: What different responses mean for your attacks

Why This Matters: When you understand how a web application works, you can identify where security controls might be missing or bypassable.

Recommended Learning Path

Phase 1: Foundation

Master the basics: Get comfortable with Windows and Linux daily usage, learn networking fundamentals with Wireshark, and pick one scripting language (Python recommended).

Phase 2: Security Focus

Apply your knowledge: Study OWASP Top 10, practice on vulnerable apps (DVWA, WebGoat), and learn essential tools like Nmap and Burp Suite.

Phase 3: Hands-On Practice (Ongoing)

Build experience: Create lab environments, practice on platforms like TryHackMe or Hack The Box, and gradually specialize in areas that interest you.

Quick Start Resources:

  • Practice: TryHackMe (beginner-friendly), Hack The Box (challenging)

  • Reading: OWASP Testing Guide, "The Web Application Hacker's Handbook"

  • Tools: Kali Linux, VirtualBox/VMware, Metasploitable

Remember: Start with basics, practice constantly, understand how systems work so you can break them creatively.

PreviousIntroduction to Penetration TestingNextLegal & Ethical Foundation

Last updated

Was this helpful?