Any penetration testers out there?

So I’ve made a big decision and started looking towards a career change. I have always been interested in everything computers and have had a few years’ work experience with them, although my current job isn’t.
I looked into doing this over a year ago but chickened out. Now I’ve come back to it again and am ready to give 110%.
My hope is to finally become a pen tester and I have enrolled in a few courses to get me on my way: A+, Network+, Security+, CEH.
Like I said, I have looked into this career path for over a year and I think I would really enjoy it and actually be happy at work (unheard of these days :p)
So what I’m asking is:
Are there any pen testers out there who can give some friendly advice, pointers on any other courses to look into, a day in the life sort of stories? Where to start/where you started job-wise etc?
I know this is not a fast starter and could take a while. I have an 18-month plan for my courses alone.

Many thanks in advance!
 
Day in the life of a Pen Tester?

Hmm..

Turn up to customer site with multiple laptops. Bonus points for being one of the following - significantly scruffier than every employee, under the age of 12, long-haired grease ball, foreign accent.
Fire them all up, using a really visual tool, sniff as much wifi traffic as you can. Don't bother trying to crack it, but make sure everyone knows "I've owned the wifi".
Go looking for network points and plug in there because it's DHCP and just bloody works.
Run as many open source tools and Linux scripts as you can so it looks like you're doing something really tricky.
Drink coffee. Keep an eye on every window as it scrolls past.
Practice scowling and odd glaring facial expressions.
Drink more coffee.
Cryptically say "Oh my god" and "Really?? They've done what" just loud enough to be heard but quietly enough to discourage questions from anyone.
Repeat as necessary.
Bonus points for not engaging with a single employee in conversation all day.
Conspicuously pack up mid afternoon, laughing and muttering "wow".

A few days later do one of the following - send in a really generic report full of possibles, maybes, theoreticals and other things you can't be sued for - or - send in a really really really technical report written using terms and explanations (and smatterings of hex dumps) that no one else in IT can understand or even begin to explain to a business person without someone falling asleep or considering emigrating.

Sit back and wait for the invoice to be paid while perusing the Porsche online catalogue.
 
I've just completed a contract for pen testing, app testing and vulnerability scanning for my company. We got rid of the last company because they did exactly as you described above.
 
As much fun as that was to read, I was looking for a more serious reply.
This will be my life/livelihood once I have finished my exams and become fully certified, and started looking for a job!
Along with my final course (CEH) I will be entering into the Bugcrowd community. Do companies take this as work experience towards becoming an employee?
 
As much fun as that was to read, I was looking for a more serious reply.
It was more fun to write when I should have been working.

On a more serious note, good pen testers have mastered the art of being totally technical and able to talk networking in depth as well as able to both explain and demonstrate exploit flaws they report on.

You've got various different types of pen-test; off the top of my head they'd be
  • remote scanning of internet-facing systems
  • on-site scanning [with full cooperation of the application/system owner]
  • red teams that simulate (or even carry out an approved) attack on a system or organisation; this can often involve recon, on-site, social engineering and underhand tactics as much as the technical side. Reports from these guys are normally both hilarious and hair-raising.
  • providing advice to application or system owners pre-implementation of something big/expensive/critical
  • research and white-hat hacking of public / open-source systems
  • measuring the effect of DDoS attacks and advice on mitigating/reducing it
If you're looking for skills to concentrate on (beyond "can you handle a network packet sniffer"), they would be
  • in-depth knowledge of networking down to the packet inspection layer
  • a decent stack of resources to look up known flaws/bugs/service packs and default settings/accounts
  • knowledge of multiple OSes, database platforms, web server platforms, routers, firewalls, intrusion detection systems etc. (pretty much the whole stack of any big infrastructure)
  • scripting, scripting and more scripting - in multiple languages/OSes
  • be meticulous with your analysis and reporting
  • a healthy dose of scepticism for any sysadmin who says "oh we already patched against that"
They don't have to be able to explain to a business person what a session token hijack is - but they need to be able to explain it to an IT guy who will understand the impact of it and why he should get a developer to sort it out.

If you're really lucky a real pen-tester will add to this above. The above is from a customer view.
Or watch Mr Robot on Amazon Prime video :D
 
As much fun as that was to read, I was looking for a more serious reply.

It is still informative though, in that those companies do exist...

I'll keep my reply short as this isn't my area, but I will just throw in that a former colleague of mine decided to switch careers into a security analyst type role at the consultancy arm of one of the big 4 accountancy firms. Some of the work was related to pen testing in a very loose sense - he didn't stay long and his story wasn't too far removed from the long post above, albeit he'd turn up as a "consultant" from [well known brand name] in a suit... though most of what he did on site was run some scripts and, this is the silly bit, send stuff to a third-party company essentially sub-contracted by [well known brand name] if anything remotely technical needed to be done.

So anyway, the impression I was left with was that the industry is a bit of a mixed bag; there clearly must be some professional companies out there but some of them are perhaps rather small/unknown, and some of the big brands who claim to offer clients everything actually outsource stuff.

Lastly, if you're doing some research on this area and were going to try and get particularly technical, then one approach I'd perhaps try is to look into startups/small companies founded by/associated with university researchers or recent PhD graduates from university research groups in this field (assuming they exist) - I think that could perhaps be a good way to avoid the people who are seemingly LARPing at this stuff. Perhaps worth considering a taught master's degree yourself - UCL and Royal Holloway offer security-related master's degrees.
 
A few days later do one of the following - send in a really generic report full of possibles, maybes, theoreticals and other things you can't be sued for - or - send in a really really really technical report written using terms and explanations (and smatterings of hex dumps) that no one else in IT can understand or even begin to explain to a business person without someone falling asleep or considering emigrating.

You missed out ...
- include in your report the fact that certain security settings are not set, but these turn out not to be valid for the OSes of the systems that you scanned (extra points for having issues with Windows settings when you scanned a Linux system)
- scan completely the wrong systems
- report against a baseline that is out of date and has been updated at least 3 times since the version you are using, changing numerous elements.

Yes, we have had refunds due to how poor a lot of "penetration testers" out there are (and our internal ones are not much better, so we do our own testing when creating the internal OS builds and are a lot harsher than any tests we've seen). It's amazing how many there are out there who don't know what they are doing at all and think an online course in penetration testing will be enough. Get one of those who has just started a new job and wants to prove themselves and you are looking at a report where you'll have to waste the best part of a week tearing it to shreds ...
 
You have to be fresh out of university with a cheap suit and able to click "go" on Nessus, then format the report with the branding of your company. The vast majority of the industry is full of charlatans.
 
that could perhaps be a good way to avoid the people who are seemingly LARPing at this stuff.

I love this sentence. The number of so called experts who turn out to be nothing but hot air and a fancy CV is too damn high.

I've been LARPing as an IT professional for over 20 years.
 
I love this sentence. The number of so called experts who turn out to be nothing but hot air and a fancy CV is too damn high.

That’s why I was looking to see if there was actually anyone in the job that could give me sound advice so that I would be doing it through the right channels and courses.
The courses I picked are CompTIA-approved courses.
Is there an actual qualification to gain?
I wouldn’t want to agree or disagree with any of the above yet.
 
I had a brief stint as a pen tester a fair while ago before ending up in another area of security, still think about going back to it if/when I get fed up with what I’m doing now :)

From my experience there were plenty of testers with different qualities. Some were red hot on web app testing, others infrastructure, some who were technical geniuses but hopeless at communicating anything to the client.

Echoing what’s been said above, being that person who can be the bridge between the deep techy stuff and the business is a really valuable skill to have.

Sec+ and CEH will give you some security basics and fundamentals, but neither will turn you into a pen tester from the off; for someone new to security they’ll both help, hopefully to get a foot in the door and get that first position, which is the biggest challenge!

I recently ended up taking the CEH exam as I had a free voucher for it; content was ok but nothing that complicated, and a fair bit of it was remembering their workflows and processes etc.

As far as pen testing certifications go, long term you want to really be looking towards stuff that gives you CHECK status, so look at stuff like CREST, Cyber Scheme or Tigerscheme.

It can be useful though to check out the sorts of things they entail to get an idea of things, but they are very much certifications for people with experience.

Whilst not affiliated to CHECK at all, the OSCP certification is usually pretty well regarded as well.

There are plenty of cowboys out there, have seen many a vulnerability assessment passed off as a pen test. Nothing wrong with vuln assessments, just don’t sell it as a pen test ;)

Anyway that’s my mini brain dump, probably missed loads but it’s a start! Pretty sure there were a few testers on here.

I've just completed a contract for pen testing, app testing and vulnerability scanning for my company. We got rid of the last company because they did exactly as you described above.

I would love to know who that was, and who you moved to ;)
 