Learning Offensive Security Legally

"How do people figure this out without getting arrested?" Great question. The learning curve is steep, but there are entirely legal paths to mastering these skills.

The Legal Line

"I was just testing their security" does not hold up in court. Without explicit written authorization, accessing any system you don't own is illegal regardless of intent. The techniques in this guide are powerful—use them only in authorized environments.

Building a Home Lab

The safest and most flexible learning environment: your own infrastructure. Attack your own boxes all day long—totally legal.

Basic Lab Architecture

Home Lab Network
┌─────────────────────────────────────────────────────────────────────────────┐
│                            HOME LAB SETUP                                   │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│   Your Main Machine                    Isolated Lab Network                 │
│   ════════════════                     ═══════════════════                  │
│   ┌─────────────┐                      ┌─────────────────────────────┐     │
│   │   Host OS   │                      │    Virtual Network          │     │
│   │   (macOS/   │                      │    (NAT or Host-Only)       │     │
│   │   Windows/  │ ────────────────────►│                             │     │
│   │   Linux)    │    VMware/VBox       │  ┌─────────┐  ┌─────────┐  │     │
│   │             │    Bridge            │  │ Attacker│  │ Victim  │  │     │
│   │   VMware    │                      │  │  VM     │  │  VM 1   │  │     │
│   │   Workstation│                     │  │         │  │         │  │     │
│   │   or        │                      │  │ Kali    │  │ Windows │  │     │
│   │   VirtualBox│                      │  │ Linux   │  │ Server  │  │     │
│   │             │                      │  └────┬────┘  └────┬────┘  │     │
│   └─────────────┘                      │       │            │       │     │
│                                        │       │   Attack   │       │     │
│                                        │       └─────►──────┘       │     │
│                                        │                             │     │
│                                        │  ┌─────────┐  ┌─────────┐  │     │
│                                        │  │ Victim  │  │  AD DC  │  │     │
│                                        │  │  VM 2   │  │  VM     │  │     │
│                                        │  │         │  │         │  │     │
│                                        │  │ Windows │  │ Windows │  │     │
│                                        │  │ 10/11   │  │ Server  │  │     │
│                                        │  └─────────┘  └─────────┘  │     │
│                                        │                             │     │
│                                        └─────────────────────────────┘     │
│                                                                             │
│   IMPORTANT: Use a Host-Only network so the lab is ISOLATED from your LAN   │
│   NAT gives VMs Internet access: use it only for updates, then switch back  │
│   Snapshot every victim VM before exploiting it so you can reset the target │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Recommended VMs

VM Role             Operating System           Purpose                         RAM
-----------------   ------------------------   -----------------------------   ---
Attacker            Kali Linux                 Pre-installed offensive tools   4GB
Victim 1            Windows 10/11              Typical workstation target      4GB
Victim 2            Windows Server 2019/2022   Server target, can be DC        4GB
Victim 3            Ubuntu Server              Linux target                    2GB
Domain Controller   Windows Server + AD DS     Practice AD attacks             4GB

Running all five at once needs about 18GB for the guests alone, so on a 16GB host run only the attacker plus one or two targets at a time.

Setting Up the Lab

# Option 1: VMware Workstation Pro
# Download via: vmware.com (Broadcom made Workstation Pro free for personal use in 2024,
#               replacing the old paid Pro / free Player split)

# Option 2: VirtualBox (free, open source)
# Download from: virtualbox.org

# Option 3: Proxmox VE (free, bare-metal hypervisor)
# Great if you have dedicated hardware

# Kali Linux - pre-built offensive VM images for VMware and VirtualBox
# Download from: kali.org/get-kali/

# Windows Evaluation VMs (free: 90-day Windows 10/11 Enterprise, 180-day Windows Server evaluations)
# Download from: microsoft.com/en-us/evalcenter/

# Vulnerable VMs (pre-configured targets - keep them on the isolated lab network only)
# Metasploitable 2: sourceforge.net/projects/metasploitable/
# Metasploitable 3: github.com/rapid7/metasploitable3
# DVWA: github.com/digininja/DVWA
# VulnHub: vulnhub.com (hundreds of VMs)

Lab Exercises to Practice

  1. Network Scanning: Use nmap to map your lab network
  2. Vulnerability Scanning: Run Nessus Essentials (free for 16 IPs) or OpenVAS against targets
  3. Exploitation: Use Metasploit against vulnerable VMs
  4. Post-Exploitation: Practice persistence, lateral movement
  5. C2 Setup: Deploy Sliver or Havoc, test beaconing
  6. AD Attacks: Kerberoasting, AS-REP roasting, DCSync
  7. Defense: Forward the DC's Security log to Splunk/ELK, then write detections for your own attacks
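Exercises 6 and 7 pair naturally: run the three AD attacks, then prove you can see them. The script below is an added example, not part of the original guide or of any vendor content pack. It implements the usual first-pass logic for each attack over constructed Windows Security events (event IDs 4768, 4769 and 4662, with the field names those events carry); the event list and the `DC01$` account name are assumptions for the lab, and in practice you would feed real events from Splunk/ELK or `Get-WinEvent`.

```python
"""Detect Kerberoasting, AS-REP roasting and DCSync in Windows Security events.

Added example for a home lab; the events below are constructed, not real log
data. Field names mirror what the Security log exposes for each event ID.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets show 0x11/0x12
# Extended rights on the domain object that a DCSync must be granted
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
KNOWN_DC_ACCOUNTS = {"DC01$"}  # assumption: the lab's only domain controller

# Constructed sample events (not captured from a real DC)
SAMPLE_EVENTS = [
    # normal workstation traffic: AES ticket for a machine account
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12"},
    # Kerberoasting: one user pulls RC4 tickets for several SPN-bearing accounts
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17"},
    # AS-REP roasting: TGT for an account with "Do not require Kerberos preauthentication"
    {"EventID": 4768, "TargetUserName": "legacy_svc", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12"},
    # DCSync: replication rights used by the DC itself (normal) and by a user (not normal)
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def kerberoast_suspects(events, threshold=3):
    """4769: one user requesting RC4 tickets for several distinct SPNs.

    Machine accounts ($) and krbtgt are dropped as normal noise. If the attacker
    asks for AES tickets the RC4 signal vanishes, so the distinct-SPN count per
    user is the part worth keeping even without the etype filter.
    """
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {user: sorted(spns) for user, spns in per_user.items() if len(spns) >= threshold}


def asrep_roast_suspects(events):
    """4768 with PreAuthType 0: a TGT was issued without pre-authentication."""
    return sorted({
        e["TargetUserName"]
        for e in events
        if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
    })


def dcsync_suspects(events):
    """4662 control access (0x100) for the replication rights by a non-DC principal."""
    hits = set()
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        props = e.get("Properties", "")
        if (DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props) \
                and e["SubjectUserName"] not in KNOWN_DC_ACCOUNTS:
            hits.add(e["SubjectUserName"])
    return sorted(hits)


def run_detections(events):
    return {
        "kerberoasting": kerberoast_suspects(events),
        "asrep_roasting": asrep_roast_suspects(events),
        "dcsync": dcsync_suspects(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits if hits else 'no hits'}")
```

In Splunk or Kibana the same three checks become a distinct count of ServiceName per TargetUserName over a short window, a filter on PreAuthType 0, and a 4662 search for the two replication GUIDs with your DC accounts on an allowlist. Expect the allowlist to be the part that needs tuning: Azure AD Connect and backup agents legitimately hold replication rights in many environments.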

Capture The Flag (CTF) Competitions

CTFs are legal hacking competitions. Organizers set up challenges, you solve them by finding "flags" (hidden strings). Great for learning specific techniques.

Types of CTFs

Type               Description                                                                  Best For
----------------   --------------------------------------------------------------------------   ----------------------------------
Jeopardy           Individual challenges in categories (web, crypto, pwn, reverse, forensics)   Learning specific skills
Attack-Defense     Teams attack opponents while defending their own servers                     Realistic red/blue team experience
King of the Hill   Compete to maintain control of a target                                      Persistence, quick thinking

Practice Platforms

HackTheBox

Industry standard. Active machines, retired machines, and Pro Labs for enterprise scenarios.

TryHackMe

Guided learning paths. Great for beginners. Browser-based attack boxes available.

VulnHub

Free downloadable vulnerable VMs. Run in your own lab. Hundreds of challenges.

PortSwigger Academy

Free web security training from Burp Suite creators. Excellent for web app pentesting.

OverTheWire

SSH-based wargames. Bandit for beginners, Narnia/Behemoth for binary exploitation.

PicoCTF

Beginner-friendly CTF from Carnegie Mellon. Great starting point for newcomers.

CTF Event Calendar

Live CTF competitions happen every week. Check CTFtime.org for upcoming events, team rankings, and writeups from past competitions.

Certifications

Certifications validate skills to employers and clients. The best ones include practical exams—not just multiple choice.

Offensive Security Certifications

Certification   Focus                  Exam Format                               Difficulty
-------------   --------------------   ---------------------------------------   ------------
OSCP            Penetration Testing    24-hour hands-on exam                     Intermediate
OSEP            Advanced Evasion       48-hour hands-on exam                     Advanced
OSED            Exploit Development    48-hour hands-on exam                     Advanced
OSWE            Web App Exploitation   48-hour hands-on exam                     Advanced
PNPT            Practical Pentesting   5-day practical + report                  Intermediate
GPEN            SANS Pentesting        Proctored exam with hands-on questions    Intermediate

The OffSec exams (OSCP, OSEP, OSED, OSWE) also require a written report submitted within 24 hours of the exam window closing, so budget for that as part of the exam.

Defensive/Blue Team Certifications

Certification   Focus               Best For
-------------   -----------------   -------------------------------------
BTL1            Blue Team Level 1   SOC analysts, incident responders
GCIH            Incident Handler    IR teams, threat hunters
GCFA            Forensic Analyst    Digital forensics, incident response
CySA+           Security Analyst    Entry-level blue team

Certification Strategy

Start with hands-on platforms (HTB, THM) to build skills. Get OSCP for pentest credibility. Add specialized certs (OSEP, OSWE) based on career focus. SANS certs are expensive but respected—often employer-sponsored.

Bug Bounty Programs

Get paid to hack—legally. Companies authorize security researchers to find vulnerabilities in exchange for rewards.

Major Platforms

HackerOne

Largest platform. Programs range from the US Department of Defense's vulnerability disclosure program to startups. Wide range of targets.

Bugcrowd

Second largest. Strong triage team. Its public Vulnerability Rating Taxonomy (VRT) tells beginners how a finding will be rated and paid before they submit it.

Intigriti

European focus. Growing platform with good payouts.

Synack

Invite-only red team. Higher payouts, vetted researchers only.

Bug Bounty Best Practices

BUG BOUNTY SUCCESS FACTORS:

READ THE SCOPE:
├── What's in scope? (domains, apps, APIs)
├── What's out of scope? (employee systems, DoS)
├── What vulnerabilities qualify?
├── What's the payout structure?
└── STAY IN SCOPE - out of scope = legal risk

START SMALL:
├── Begin with VDPs (Vulnerability Disclosure Programs)
├── No bounty, but legal safe harbor
├── Build reputation before chasing payouts
└── Learn methodology without pressure

DOCUMENTATION:
├── Screenshot everything
├── Record video of exploitation
├── Write clear reproduction steps
├── Note impact and severity
└── Professional reports = faster payouts

COMMON FINDINGS:
├── IDOR (Insecure Direct Object References)
├── XSS (especially stored XSS)
├── Authentication bypasses
├── Information disclosure
├── SSRF (Server-Side Request Forgery)
└── Subdomain takeovers
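"STAY IN SCOPE" is the one item above that carries legal risk rather than just a rejected report, so it deserves a check that runs before any scanner does. The script below is an added example, not from the original guide or from any bounty platform. The program scope it uses is constructed in the shape most program pages take: a wildcard entry covers the apex and every subdomain, a plain entry covers exactly one host, and anything listed out of scope stays out even when a broader in-scope entry would cover it.

```python
"""Check candidate targets against a bug bounty program's scope before testing.

Added example; PROGRAM_SCOPE is a constructed stand-in for a real program page.
"""
from urllib.parse import urlsplit

# Constructed scope, not a real program
PROGRAM_SCOPE = {
    "in":  ["*.example.com", "api.example.net"],
    "out": ["*.corp.example.com", "mail.example.com"],
}


def host_matches(host, pattern):
    """Match one hostname against one scope entry, case-insensitively."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        # the apex itself or a real subdomain; requiring the leading dot
        # stops notexample.com from matching *.example.com
        return host == base or host.endswith("." + base)
    return host == pattern


def host_of(target):
    """Accept a bare hostname or a full URL and return just the host part."""
    if "://" not in target:
        target = "https://" + target
    host = urlsplit(target).hostname  # lowercased; port and userinfo stripped
    if not host:
        raise ValueError(f"no host in {target!r}")
    return host


def in_scope(target, scope=PROGRAM_SCOPE):
    """True only if the host hits an in-scope entry and no out-of-scope entry."""
    host = host_of(target)
    if any(host_matches(host, p) for p in scope["out"]):
        return False  # an explicit exclusion beats any inclusion
    return any(host_matches(host, p) for p in scope["in"])


def filter_targets(targets, scope=PROGRAM_SCOPE):
    """Split a candidate list into (allowed, blocked) before scanning starts."""
    allowed, blocked = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else blocked).append(t)
    return allowed, blocked


if __name__ == "__main__":
    candidates = [
        "https://www.example.com/login", "example.com", "mail.example.com",
        "vpn.corp.example.com", "API.EXAMPLE.NET:8443", "dev.api.example.net",
        "example.com.evil.net", "notexample.com",
    ]
    allowed, blocked = filter_targets(candidates)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

A hostname check is only the first gate. Real scopes also list IP ranges, mobile apps and rules a hostname cannot express (test accounts only, no automated scanning above a rate, no DoS), and the "blocked" list here should be read as "do not touch until the program clarifies", not as a hint to look for a way around the exclusion.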

Career Paths

Security skills lead to multiple career paths. Offensive and defensive roles often cross-train.

SECURITY CAREER PATHS:

OFFENSIVE (Red Team):
├── Penetration Tester - Test client security
├── Red Team Operator - Adversary simulation
├── Exploit Developer - Find and weaponize vulnerabilities
├── Security Researcher - Discover new attack techniques
└── Bug Bounty Hunter - Freelance vulnerability research

DEFENSIVE (Blue Team):
├── SOC Analyst - Monitor and triage alerts
├── Incident Responder - Handle active breaches
├── Threat Hunter - Proactively find attackers
├── Malware Analyst - Reverse engineer threats
├── Detection Engineer - Write detection rules
└── Security Architect - Design secure systems

HYBRID (Purple Team):
├── Security Engineer - Build and break
├── AppSec Engineer - Secure development
├── Cloud Security - AWS/Azure/GCP security
└── GRC - Governance, risk, compliance

LEADERSHIP:
├── Security Manager
├── CISO - Chief Information Security Officer
├── vCISO - Virtual/consulting CISO
└── Security Consultant

The Law is Clear

The Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) in the US, the Computer Misuse Act 1990 in the UK, and similar laws worldwide criminalize unauthorized access. "Authorization" means explicit written permission, not implied consent.

What Requires Authorization

ALWAYS REQUIRES EXPLICIT AUTHORIZATION:

NETWORK TESTING:
├── Port scanning (yes, even "just" nmap)
├── Vulnerability scanning
├── Exploitation attempts
├── Traffic interception
└── Wireless network testing

APPLICATION TESTING:
├── Fuzzing inputs
├── SQL injection attempts
├── Authentication bypasses
├── API enumeration beyond docs
└── Scraping beyond robots.txt

SOCIAL ENGINEERING:
├── Phishing employees
├── Vishing (phone attacks)
├── Physical access attempts
└── Pretexting calls

WHAT'S GENERALLY SAFE:
├── Your own systems (home lab)
├── CTF competitions (explicit rules)
├── Bug bounty in-scope targets
├── Penetration tests with signed contract
└── Employer systems with written permission

Rules of Engagement (ROE)

Professional penetration tests require a Rules of Engagement document that specifies:

  • Scope: Exactly what systems/networks can be tested
  • Timing: When testing can occur
  • Methods: What techniques are allowed
  • Contacts: Who to call if something breaks
  • Reporting: How findings will be documented
  • Data handling: What happens to sensitive data found

Get It In Writing

Verbal authorization is not enough. Always get signed documentation before testing. "My boss said it was okay" won't help if their boss calls the police. See the Disclaimer for more.

Additional Resources

Books

  • The Web Application Hacker's Handbook - Stuttard & Pinto
  • Penetration Testing - Georgia Weidman
  • Red Team Development and Operations - Joe Vest & James Tubberville
  • The Hacker Playbook 3 - Peter Kim
  • Black Hat Python - Justin Seitz

Online Resources