Sign in to follow this  
Followers 0
Voodoo2

Are there any PenTesters out there?

8 posts in this topic

Hi Everyone.  I'm new to the forums, but I used to be subscribed to Binrev a long time ago.

 

I'm trying to pursue a career as a pentester.  I was just wondering if anyone had any solid advice on gathering pentesting experience?  I already have a home pentesting lab and I already have my Ethical Hacker certification.  

 

I just wanted to hear what you guys think.  It is frustrating because employers have such unreasable expectations when it comes to pentesting experience.

 

 

 

 

 

 

0

Share this post


Link to post
Share on other sites

Never stop reading and keep asking questions. I would use your home pentesting lab to practice securing/exploiting certain devices so you can gain some hands-on experience. Understanding how devices, networks, and applications function gives you a better understanding on how they can be exploited. 

0

Share this post


Link to post
Share on other sites

Hang out in binrev IRC. There are a few members who are consistently around who work in the IT and security industries.

0

Share this post


Link to post
Share on other sites

I will stop in sooner rather than later.

0

Share this post


Link to post
Share on other sites

Have you thought about just starting your own LLC? Really, you just need to pay licensing fees, build a web-site, and get some clients. Most pen-testing contracts are through "word of mouth" advertising anyway...

0

Share this post


Link to post
Share on other sites

It's a dream of mine to one day have my own security company.  I understand the basic outline of a Penetration test, but I dont think I have enough experience to provide the kind of service yet.  Good news though is that I do have some leads on a pentesting type job.  

0

Share this post


Link to post
Share on other sites

I will recommend this to, if you don't already know: pauldotcom.com

 

It's a community and podcast/videocast ran by two guys who are pro pentesters. I've been listing to it for a few years now.

0

Share this post


Link to post
Share on other sites

Something else to keep in mind... penetration testing is far from being the only option in the security field. Sure, it's the flashy, hot-topic item that everyone wants to do since you get paid to try to break into people's stuff. Who wouldn't want to do that? That's almost as cool as being a video game designer! :)

 

Don't sell the other areas short, though. And realize that, not unlike being a video game developer, there are a lot of other parts to pen testing that may not be very apparent until you're in the field.

 

- Are you sure you're not causing PERMANENT damage to your client's systems? Maybe that nifty new remote root exploit as a nasty side effect of corrupting a system file or resetting those complex permissions on an application.

 

- Are you sure you've tested EVERY SINGLE possibility for external vulnerability? If your client pays you thousands of dollars and then three months later is compromised by something you never mentioned, you can expect (at the very least) a nasty phone call.

 

- Have you provided sufficient documentation about all the vulnerabilities? This is where all those reports you wrote in high school and college will come in handy.

 

- Have you got hands-on programming experience in a lower-level language like C or assembly? Metasploit and other point-and-click tools are good for speeding up the process, but you want to be sure you really understand WHY things are working the way they do. (Protip: go read "Smashing the Stack for Fun and Profit" if you've not. I've never seen a better write-up on how buffer overflows work.)

 

- Do you have experience with Windows systems? Good. How about linux? Ok. How about AIX, HP-UX, or Solaris? Cisco IOS? Multi-platform knowledge is fundamental to getting the big picture. Again, your client will want to know about EVERYTHING you find, not just that you were able to Hax0r their old Windows 2000 web server.

 

I don't work as a pen tester; I never have, and I doubt I ever will. However, I do work in security, so I like to think I have a bit of the mindset that you need. There are plenty of other cool jobs in the field; don't limit yourself. Keep an open mind, especially while young, and you'll benefit from the added experience. You'll find where you fit in.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0