Setting Up Your Environment¶
Before you run a single scan or exploit , you need a working environment
This isn't about having the coolest desktop setup with RGB lighting — it's about having tools that work when you need them at 2AM during a live engagement
Operating System Choice¶
Use Linux
Not dual-boot , not WSL , not "I'll use my Mac" — actual Linux as your daily driver
- ParrotOS — my personal choice , been using it for years It's stable , comes pre-loaded with most tools you'll need , and the Debian base means package management doesn't make you want to throw your laptop out the window
- Kali Linux — fine for pentesting , terrible as a daily driver unless you enjoy things breaking randomly after updates
- Ubuntu/Debian — solid choice if you want to build your own toolchain from scratch Recommended if you actually want to understand what each tool does instead of relying on someone else's menu system
# Verify your distro — if you don't know what you're running , fix that first
cat /etc/os-release
uname -a
Essential Tool Installation¶
Package Managers¶
# Update your package list — do this before installing anything
sudo apt update && sudo apt upgrade -y
# Install core utilities
sudo apt install -y curl wget git vim net-tools nmap ffuf gobuster \
dirb seclists john hashcat hydra medusa sqlmap nikto \
dnsutils whois traceroute whatweb wpscan
Programming Languages¶
You need at least Python and Bash
JavaScript/Node and Go come next
# Python (usually pre-installed , verify version)
python3 --version
pip3 --version
# Install pip packages you'll actually use
pip3 install requests beautifulsoup4 colorama pwntools flask
# Go — needed for a lot of modern security tools
wget https://go.dev/dl/go1.22.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.22.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Security-Specific Tools¶
# Subdomain enumeration suite
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/OWASP/Amass/v3/...@master
go install -v github.com/tomnomnom/assetfinder@latest
# Web fuzzing
go install -v github.com/ffuf/ffuf/v2@latest
# HTTP tooling
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/tomnomnom/waybackurls@latest
# Linkfinding and JS analysis
go install -v github.com/tomnomnom/gf@latest
go install -v github.com/tomnomnom/unfurl@latest
npm install -g js-beautify
Browser Setup¶
Your browser is your primary attack surface for web testing
Set it up properly
# Install Firefox — more extensions , better dev tools
sudo apt install -y firefox-esr
Extensions to install immediately:
- FoxyProxy — switch proxies faster than your target can rate-limit you
- Wappalyzer — technology fingerprinting in one click
- HackBar — quick payload manipulation in the browser
- Cookie-Editor — view/edit cookies when testing auth bypasses
Also configure Burp Suite's CA certificate in your browser so you can intercept HTTPS traffic without certificate errors
Accounts You Need¶
| Platform | Why |
|---|---|
| Hack The Box | Practice with realistic machines |
| GitHub | Store your tools , scripts , notes |
| TryHackMe | Structured learning path for beginners |
| Bugcrowd/HackerOne | Read public reports , learn from others |
Don't make accounts on all of them today
Pick one , start grinding , and you'll naturally need the others later
Environment Checklist¶
Before moving on , verify you have:
- Linux installed as primary OS
- Package manager working (
sudo apt updateruns clean) - Python 3.10+ installed
- Go installed
- nmap works (
nmap -v) - curl and work
- Git configured (
git config --global user.name+user.email) - Burp Suite Community or Pro installed
- Browser with FoxyProxy configured
If any of these are missing , fix them before moving on
You'll thank yourself later when a tool doesn't work at 3AM because you skipped the setup