These are the fundamentals every pentester needs, regardless of specialization. Cover these first — the books and videos on this site assume you have most of this knowledge or are actively building it. If a video discusses something you don’t understand, this checklist tells you where the gap probably is and where to fill it.
You don’t need to be expert in every item. You need to be functional. The goal is to be able to follow a conversation, read a tool’s output, and not be lost when something unexpected happens.
- 1. Operating systems
- 2. Networking
- 3. Protocols and services
- 4. Programming and scripting
- 5. Web fundamentals
- 6. Security concepts
- 7. Practical tools
- 8. Pentesting methodology
1. Operating systems
You’ll spend roughly half your time in Linux and half in Windows. Comfort in both is non-negotiable.
Linux
- Command-line basics. Navigation (cd, ls, pwd), file ops (cp, mv, rm, touch), viewing files (cat, less, head, tail), permissions (chmod, chown). Resources: OverTheWire Bandit · LinuxJourney · Cisco NDG Linux Unhatched
- Text processing on the command line. grep, sed, awk, cut, sort, uniq, wc, tr, tee. Pipes and redirection. Resources: Software Carpentry: Unix Shell
- Users, groups, sudo, and the permission model. How /etc/passwd and /etc/shadow work. Sudoers. SUID/SGID. Why these matter for privilege escalation. Resources: TryHackMe Linux Fundamentals
- Processes, services, and the boot process. ps, top, kill, systemd, init scripts, cron jobs. Resources: LinuxJourney: Processes
- File systems and storage. Mount points, fstab, common file system layouts, where logs and configs live. Resources: Filesystem Hierarchy Standard
Windows
- PowerShell and cmd basics. Get-* / Set-* cmdlets, pipes, common one-liners, execution policy. Resources: Microsoft Learn: PowerShell 101
- Windows internals at a working level. Processes, services, scheduled tasks, the registry, user contexts, tokens. Resources: Sysinternals documentation · TryHackMe Windows Fundamentals
- NTFS permissions and ACLs. How Windows permissions differ from Linux. icacls. Inheritance and effective permissions. Resources: Microsoft: Access Control
- Authentication basics: local accounts, NTLM, Kerberos. How each works, when each is used, what each leaks. Resources: Microsoft: Kerberos overview
2. Networking
Networking is the substrate everything in pentesting runs on. If your networking knowledge is shaky, every other skill is too.
- The OSI and TCP/IP models. What each layer does. Which protocols live at which layer. Where you operate as a pentester. Resources: Cisco Skills For All: Networking Basics
- IPv4 addressing and subnetting. CIDR notation, subnet masks, calculating ranges in your head. Private vs. public. Resources: Subnetting Practice
- TCP/UDP — handshakes, flags, states. The three-way handshake at the packet level. SYN/ACK/FIN/RST. Why some scans work and others do not. Resources: RFC 9293 (TCP) · Wireshark TCP page
- DNS. Record types (A, AAAA, MX, TXT, NS, PTR, CNAME), zones, recursive vs. authoritative lookups, zone transfers, DNS as an enumeration target. Resources: How DNS Works (comic) · RFC 1035
- Routing, NAT, and firewalls. How packets find their destination. What NAT changes about that. How firewalls decide what to allow. Resources: Cisco Networking Academy
- Reading packets in Wireshark. Capture, filter, follow a stream. Identify protocol, source/dest, payload. This skill makes everything else clearer. Resources: Wireshark User Guide
3. Protocols and services
Every protocol you understand is a service you can enumerate and potentially exploit. For each one: know the default ports, the common commands, the typical misconfigurations, and what each version leaks.
- SSH. Port 22. Authentication methods. Key types. Port forwarding. Common version banners. Authentication brute-forcing. Resources: OpenSSH manuals · HackTricks: SSH
- HTTP / HTTPS. Ports 80/443. Methods, headers, status codes, cookies, TLS basics. This deserves its own section — see “Web fundamentals” below.
- FTP and SFTP. Port 21 (FTP), 22 (SFTP). Anonymous access. Active vs. passive mode. Where each still gets used. Resources: HackTricks: FTP
- Telnet. Port 23. Mostly legacy, but still found on network gear and IoT. Cleartext. Useful for banner grabbing on any service. Resources: HackTricks: Telnet
- SMB / NetBIOS / RPC. Ports 139, 445. The Windows file-sharing and IPC stack. Massive attack surface. Worth deep study. Resources: HackTricks: SMB
- SMTP / POP3 / IMAP. Ports 25, 110, 143 (and TLS variants). Email infrastructure. User enumeration via VRFY/EXPN. Open relays. Resources: HackTricks: SMTP
- SNMP. Port 161. Default community strings (public/private). Leaks user lists, processes, network interfaces. Underrated info source. Resources: HackTricks: SNMP
- LDAP. Port 389 (636 over TLS). The directory protocol behind Active Directory. Anonymous binds. Search filters. Resources: HackTricks: LDAP
- RDP and VNC. Ports 3389 (RDP), 5900 (VNC). Remote desktop. Brute-forcing, BlueKeep-era vulnerabilities, NLA bypass. Resources: HackTricks: RDP
- NFS. Port 2049. Unix file sharing. Showmount. Unauthenticated exports are still common. Resources: HackTricks: NFS
- Databases — MySQL, PostgreSQL, MSSQL, MongoDB. Ports 3306, 5432, 1433, 27017. Default credentials. SQL injection from network position. Stored procedures as attack vectors. Resources: HackTricks: MySQL · HackTricks: MSSQL
4. Programming and scripting
You don’t need to be a software engineer. You do need to read existing exploits, modify them, and write small tools. Python first, then bash. Other languages help but aren’t required upfront.
- Python. The default language for pentesting tools and exploits. Variables, control flow, functions, imports, file I/O, requests/sockets. Resources: Automate the Boring Stuff (free) · Cisco Python Essentials · freeCodeCamp Python
- Bash scripting. Variables, loops, conditionals, functions. Stringing together commands into reusable scripts. Reading existing scripts. Resources: Bash Reference Manual · Bash cheatsheet (devhints)
- JavaScript — reading level. You will read JS constantly during web testing. You do not need to write it well, but you need to understand what you are looking at. Resources: MDN JavaScript Guide · freeCodeCamp JS
- PowerShell scripting. For Windows engagements. PowerShell is the new Bash on Windows hosts. Pipelines, objects, modules. Resources: Microsoft Learn: PowerShell 101
- Regular expressions. For grep, sed, log analysis, and writing patterns in scripts. The single most-leveraged skill on this list. Resources: RegExr (interactive) · RegexOne
- Git — at least reading and cloning. Tools and exploits live in git repos. You will clone, occasionally fork, and read commit history to understand changes. Resources: Pro Git book (free) · Learn Git Branching
5. Web fundamentals
Even non-web specialists need a working knowledge of the web stack. Web targets exist in nearly every engagement.
- HTTP at the protocol level. Methods (GET, POST, PUT, DELETE, OPTIONS), headers, status codes, cookies, sessions. Reading raw HTTP traffic. Resources: MDN: HTTP
- HTML and the DOM. Document structure, form elements, attributes. Why this matters for XSS, injection points, and content discovery. Resources: MDN: HTML
- Browser security model. Same-origin policy, CORS, cookies (SameSite, HttpOnly, Secure), Content-Security-Policy. Why each exists. Resources: MDN: Web Security
- SQL — reading and writing basic queries. SELECT, JOIN, UNION, WHERE, comments, common functions. Enough to construct injection payloads without copy-paste. Resources: SQLBolt (interactive)
- The OWASP Top 10. The most common web vulnerabilities. Know each category by what it actually is, not just by name. Resources: OWASP Top 10 · PortSwigger Web Security Academy
- Burp Suite basics. Proxy, Repeater, Intruder, Decoder. The fundamental tool for web testing. Community Edition is free. Resources: Burp documentation · PortSwigger getting started
6. Security concepts
Vocabulary and frameworks that the rest of the security industry uses. You will hear these terms constantly.
- The CIA triad and the AAA model. Confidentiality, integrity, availability. Authentication, authorization, accounting. The conceptual frame.
- Cryptography fundamentals. Symmetric vs. asymmetric encryption. Hashes. HMAC. TLS handshake at a high level. Common mistakes (weak modes, hard-coded keys, ECB). Resources: Cryptopals Challenges · Crypto 101 (free book)
- Common attack categories. Injection, broken auth, broken access control, deserialization, SSRF, race conditions, business logic flaws. Recognize each. Resources: MITRE ATT&CK · CWE Top 25
- CVSS scoring. How vulnerabilities are scored and prioritized. You will assign these in reports. Resources: FIRST CVSS 3.1 spec · NVD CVSS calculator
- Ethics, legality, and scope. CFAA basics. Rules of engagement. Why scope matters and what happens when you exceed it. Resources: EFF on the CFAA
7. Practical tools
Tools come and go, but these have been the working set for years. Learn each one well enough to read its output critically — not just to copy commands.
- Nmap. Scan types, service detection, NSE scripts, output formats. Read the man page once a year. Resources: Nmap Network Scanning book (free) · TryHackMe Nmap
- Wireshark / tcpdump. Capture and analyze traffic. Filters. Following streams. Tcpdump for headless captures on a target. Resources: Wireshark documentation
- Metasploit Framework. Modules, payloads, handlers. Useful, but learn what it does so you can do without it. Resources: Metasploit Unleashed (free)
- Burp Suite. Proxy intercept, Repeater for manual testing, Intruder for fuzzing, the extension ecosystem. Resources: PortSwigger Academy
- John the Ripper / hashcat. Password cracking. Identifying hash types. Rule files and wordlists. Resources: John docs · hashcat wiki
- Kali Linux (or alternative). Familiarity with a pentest distribution. Kali is standard but Parrot OS and BlackArch work too. Resources: Kali documentation
- A virtualization platform. VirtualBox, VMware Workstation Player (free), or Proxmox/ESXi if you build a real lab. You need somewhere to run your lab. Resources: VirtualBox · VMware Workstation
8. Pentesting methodology
The structured process of moving from outside a target to a useful finding. This is what separates pentesters from people who run scanners.
- The phases of a pentest. Scoping, reconnaissance, scanning, exploitation, post-exploitation, reporting. What happens at each phase and why. Resources: PTES standard
- Reconnaissance — passive and active. OSINT, DNS enumeration, certificate transparency, search engines, social media, technology fingerprinting. Resources: OSINT Framework
- Scanning and enumeration as a discipline. When to be loud, when to be quiet. What to enumerate at each port. How to structure notes so nothing gets lost.
- Privilege escalation patterns. Linux: SUID, sudo misconfigs, kernel exploits, capability abuse, writable cron. Windows: services, token impersonation, unquoted paths, registry permissions. Resources: HackTricks: Linux PrivEsc · HackTricks: Windows PrivEsc
- Lateral movement and pivoting. SSH tunnels, port forwarding, SOCKS proxies. How to access internal networks from a single foothold.
- Report writing. Executive summary, technical findings, severity rating, reproduction steps, recommended remediation. The deliverable. Resources: Public pentest reports (GitHub)
When you can check most of these boxes
You don’t need every item checked to start practicing. Most pentesters fill in gaps continuously throughout their career. But when you can honestly check most of section 1 (operating systems), section 2 (networking), and section 5 (web fundamentals), you have the foundation to start working through real targets — HackTheBox, TryHackMe, VulnHub, and the videos and books on this site.