Jump to content


Photo
- - - - -

Are there any PenTesters out there?


  • Please log in to reply
7 replies to this topic

#1 Voodoo2

Voodoo2

    Will I break 10 posts?

  • Members
  • 6 posts
  • Gender:Male

Posted 04 March 2013 - 10:26 AM

Hi Everyone.  I'm new to the forums, but I used to be subscribed to Binrev a long time ago.

 

I'm trying to pursue a career as a pentester.  I was just wondering if anyone had any solid advice on gathering pentesting experience?  I already have a home pentesting lab and I already have my Ethical Hacker certification.  

 

I just wanted to hear what you guys think.  It is frustrating because employers have such unreasable expectations when it comes to pentesting experience.

 

 

 

 

 

 



#2 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Country:
  • Gender:Male
  • Location:Pennsylvania

Posted 04 March 2013 - 03:14 PM

Never stop reading and keep asking questions. I would use your home pentesting lab to practice securing/exploiting certain devices so you can gain some hands-on experience. Understanding how devices, networks, and applications function gives you a better understanding on how they can be exploited. 



#3 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,623 posts
  • Gender:Male

Posted 04 March 2013 - 06:56 PM

Hang out in binrev IRC. There are a few members who are consistently around who work in the IT and security industries.



#4 Voodoo2

Voodoo2

    Will I break 10 posts?

  • Members
  • 6 posts
  • Gender:Male

Posted 04 March 2013 - 08:16 PM

I will stop in sooner rather than later.



#5 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 08 March 2013 - 09:21 AM

Have you thought about just starting your own LLC? Really, you just need to pay licensing fees, build a web-site, and get some clients. Most pen-testing contracts are through "word of mouth" advertising anyway...



#6 Voodoo2

Voodoo2

    Will I break 10 posts?

  • Members
  • 6 posts
  • Gender:Male

Posted 16 March 2013 - 02:03 AM

It's a dream of mine to one day have my own security company.  I understand the basic outline of a Penetration test, but I dont think I have enough experience to provide the kind of service yet.  Good news though is that I do have some leads on a pentesting type job.  



#7 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 16 March 2013 - 08:46 AM

I will recommend this to, if you don't already know: pauldotcom.com

 

It's a community and podcast/videocast ran by two guys who are pro pentesters. I've been listing to it for a few years now.



#8 Bit Viper

Bit Viper

    SCRiPT KiDDie

  • Members
  • 28 posts
  • Country:
  • Gender:Male

Posted 21 March 2013 - 09:05 AM

Something else to keep in mind... penetration testing is far from being the only option in the security field. Sure, it's the flashy, hot-topic item that everyone wants to do since you get paid to try to break into people's stuff. Who wouldn't want to do that? That's almost as cool as being a video game designer! :)

 

Don't sell the other areas short, though. And realize that, not unlike being a video game developer, there are a lot of other parts to pen testing that may not be very apparent until you're in the field.

 

- Are you sure you're not causing PERMANENT damage to your client's systems? Maybe that nifty new remote root exploit as a nasty side effect of corrupting a system file or resetting those complex permissions on an application.

 

- Are you sure you've tested EVERY SINGLE possibility for external vulnerability? If your client pays you thousands of dollars and then three months later is compromised by something you never mentioned, you can expect (at the very least) a nasty phone call.

 

- Have you provided sufficient documentation about all the vulnerabilities? This is where all those reports you wrote in high school and college will come in handy.

 

- Have you got hands-on programming experience in a lower-level language like C or assembly? Metasploit and other point-and-click tools are good for speeding up the process, but you want to be sure you really understand WHY things are working the way they do. (Protip: go read "Smashing the Stack for Fun and Profit" if you've not. I've never seen a better write-up on how buffer overflows work.)

 

- Do you have experience with Windows systems? Good. How about linux? Ok. How about AIX, HP-UX, or Solaris? Cisco IOS? Multi-platform knowledge is fundamental to getting the big picture. Again, your client will want to know about EVERYTHING you find, not just that you were able to Hax0r their old Windows 2000 web server.

 

I don't work as a pen tester; I never have, and I doubt I ever will. However, I do work in security, so I like to think I have a bit of the mindset that you need. There are plenty of other cool jobs in the field; don't limit yourself. Keep an open mind, especially while young, and you'll benefit from the added experience. You'll find where you fit in.






BinRev is hosted by the great people at Lunarpages!