First, you don't need experience as a pentester to become a pentester, you just need security exposure and to be passionated.
I think the best way to get in is to focus on Web application testing. It's where most of the work is these days and the entry cost (being able to find your first bug) is probably the lowest.
Learn, try to understand how computers work. How your browser sends requests. Use a proxy to intercept requests and responses. Read about DNS and understand how it works. Learn SSL. Write simple web applications in PHP, .Net, Ruby on Rails to get a feeling of what a developer feels and what mistakes he can do. There are plenty of security tutorial and vulnerable application to learn from... And I heard PentesterLab's exercises are pretty good ;). Read the security news, what's happening and try to dig deeper for some subject you find interesting... I think one of the thing interviewers like (or at least I like) is people who dig deeper some subjects and get a better understanding of the problems. Pentesting is about getting further that the average persone. You can also learn from our pntstr bot, that asks you a security question every week.
Play CTFs, it's a really good way to learn something new and play with/against others. Furthermore, you may meet people that are already working as pentester... and they will be more than happy to bring you in if they like your skills: the "finder's fee" effect (as a side note, I never understood why companies give more money to recruiters than to their employees for this even if recruiters success rate are way lower...)
Find vulnerabilities, and be smart about it. If you find a bug, there are 4 ways to handle it:
- "OMG, vulnerabilities burn my hands, I need to release it now before someone else finds it". Basically, you found a bug and directly email mailing-list like full-disclosure. If it's a lame bug (likely), it's probably unlikely to get you a pentester job and will be in Internet archives for ever :/
- "Let's email the project", pretty good, you may be linked in the advisory and get some street creds out of it.
- "Let's write a patch to fix the vulnerability and email the project", awesome for publicity, you are really likely to be listed in the advisory and/or changelog. And future employers can see that you can find bugs and patch them correctly.
- "Seat on it"... It's a pretty good way to handle bugs, but you currently need people to see your skills, it's probably not the best move right now.
Most resumes employers will see are people with a lot of certifications, not much skills and shitty advisories (sometimes). If you can find some bugs and help the project to fix them, you are really likely to get past the interview:
- You will be able to show that you can find bugs ("ICANFINDBUGS").
- You will be able to show that you can fix each bugs ("ICANFIXBUGS") and how you dealt with developers. This is basically what pentesting is about: finding bugs, explain them to non-security people and help them patching them. You already understand the job ;)
- You will be able to show that you're passionated, since you're already looking for bugs without working in the field.
Now, what projects to start with... to be honest, you don't want to go with Wordpress/phpmyadmin or big projects already reviewed (in theory) by a lot of people. Go for smaller and active projects (with a version number greater than 0.9) and start reviewing them. I will be surprised if you can't find any bugs.
Keep it simple, don't put too many keywords in your resume. Avoid old security softwares. Don't put that you're an expert in X. If I see a resume with "expert in X", I will ask questions that I expect an expert can answer; if I read that you're "confident in X", the questions will probably be easier and my expectation lower... Don't lie in your resume... just put the truth, guess what... Interviewers have rather being positively surprised. You can read my previous post on what to avoid in a pentester resume.
Ask questions, you didn't get the job after an interview. Ask questions (not at the end of the interview... when you get the answer). Ask what you can improve? what did the interviewer expected? do they have anything/links/resources you can learn from? If they see that you want to improve your skills, they are likely to accept another interview in few months and you can impress them with what you learnt in the meantime.