Shared thoughts after 6+ years in Pentesting

Tags: career, experience, pentesting

(Bushido signifies desperate death.) #1

Hello everyone.

I have made some minor edits since first posting this as to further clarify a couple of points.

I joined this community a while ago; I have/had been a lurker for even longer. A huge part of what made the hacker community what it was (and what it is here) involves a willingness to share knowledge (without spoonfeeding).

I would feel remiss if I gained so much from so many of you and did not give something back on occasion.

What follows are anecdotes, opinions and observations I can share after almost 7 years working professionally in the InfoSec/Netsec field.

Most of my work in this sphere has been anchored in Penetration Testing. Even when my official designation was Network Security Analyst, I spent most of those 3 years in engagements against PCI environments utilized for subcontracting work from Comcast, Verizon, Time Warner, Sprint and AT&T (to name a few of my former employer's clients).

Currently, I manage the Cybersecurity Lab of an international company that employs over 200,000 people. Most of my work in my current position involves Penetration Testing (every type imaginable, including focused blackbox testing against embedded devices and the network/control structures surrounding them).

I am also a lead point of contact for our international teams during remediation and triage of major security threats, incidents and breaches.

For example, I was my company’s head analyst for the recent Shamoon 2.0 attacks (W32.DisttrackB/W97M.Downloader) last February, as well as the recent Wannacry outbreak.

I also serve in a Security Engineer capacity, as I am regularly asked to evaluate facets of our products and provide feedback and opinions on the security ramifications involved.

I am extremely busy and wanted to give back what I have taken thus far, so this is going to be long…

Here goes nothing:

  1. I am completely self taught (meaning I acquired no college/formal education to get where I am).

That being said, a solid Computer Science degree is invaluable as a base (I would generally avoid Cybersecurity degrees and go for CS), and even the degree itself will open doors into this business.

Also, I work alongside high-level engineers (CS and Electrical Engineering PhDs); what they can do in a short period of time once they take an interest in InfoSec/NetSec is frightening.

  2. That leads me to this: to be great at anything (including InfoSec/NetSec), I believe that your pursuit must become a sort of lifestyle. Between work and further study/skills building (as well as time I invest in InfoSec/NetSec activities such as my daily reading), I easily invest 80+ hours per week in this pursuit.

And I love just about every minute of it. There is a huge need for InfoSec/NetSec professionals, which I feel is going to lead to a flood of low knowledge, low passion, low skill hiring.

Anyone trying to get into this industry for the cash alone is going to have a rude awakening: there are probably lower pressure, lower work hour ways to earn the same money doing something that actually interests you…

Also, those of us really invested in these arts can pretty easily spot our own.

  3. Learn to study, and learn to love the act of studying. Much of this job is continual study; eventually, when presented with an issue you are ignorant of, you will feel confident in knowing that you can find the answers you need.

Break the issue into small, manageable pieces (goals really), and put the pieces together until you can view the whole answer.

  4. Most of my success in this industry has been due to a willingness to work hard, persevere and never give up. Ever. Most of this job is the creative solving of problems that do not or may not have any easy answer (or any answer at all…yet).

You have to build a no retreat, no surrender, obsessive need to conquer problems.

  5. I specialize in network penetration, though I have become fairly well rounded. To me, network penetration is the art of acquiring advantages.

During an engagement, I am always looking to acquire advantages. I study and train to better recognize and maximize the resources within an environment that allow me to gain those advantages.

Gaining these advantages is more a product of knowledge and experience than an application of tools.

  6. I am also looking to be efficient; the best penetration tests replicate real world attacks. In that vein, each action you take raises the probability that you will be detected.

For hackers and freedom fighters engaged in illegal activity, you may want to consider the latter a bit. Once you make ingress and launch any manner of offensive action, you have escalated the legal ramifications of your trespass by multiple magnitudes.

Also remember that the probability of you getting caught and prosecuted is never 0.00%: you have to be prepared, you have to be careful, you have to be patient and you have to prepare contingencies.

  7. I use a measurement/assessment of risk vs. reward to make each action within the network as efficient as possible; by percentages, losing a queen to take a rook is generally a loser’s bet.

The best way I’ve learned to temper a careful approach is with an old sales slogan (“Always be closing the deal”, which I modified to “Always be advancing your position(s)”).

  8. I try as much as possible to engage a target as a stalking, ambush predator: I move carefully and try to use the environment to hide myself as I seek to exploit the target’s/objective’s lack of awareness.

I work to remain patient and identify/quantify as many of the variables of the current environment/situation as possible.

Sometimes the best decision you can make is to slow down or hold your current position for a bit; watching tcpdump or Wireshark while thinking on a better move is still advancing your position.

  9. To lower the probability of detection (whenever possible) I attempt to attack, enumerate or probe from an obfuscated position.

Configuring your attack host/node for the highest probability of situational anonymity (using tunneling, proxies, encapsulation, etc.) is infinitely useful in pentesting, hacking and/or general security/privacy.

Mastering the manipulation of proxy, tunneling and encapsulation protocols (which involves a deep understanding of networking/TCP/UDP) almost lends you quasi-magical invisibility and teleportation powers when involved in network penetration.

Obfuscation itself is one of 10,000 reasons why experience/knowledge in the disciplines of networking, OS and programming combined with security research are such huge advantages (and another reason why if you take up this path you may never stop learning).

  10. Learn to use every tool you can, but more importantly, learn why the tool works. If you work in/at exploitation long enough, the principles governing the tools will help you exploit a box someday, regardless of whether you use that particular tool to get the wanted/needed result…

  11. Knowledge/experience over tool use is especially important today: regardless of what many sites say, you will not find many enterprise/corporate networks today (as a professional penetration tester at least) where there are gross configurations/deployments leading to an easy, out of the box (deploy tool == Meterpreter) exploitation.

  12. When training for a fight, professional mixed martial artists put themselves in the worst possible positions so they react properly when the fight is underway.

Eventually, training/practicing your exploitation/research techniques the same way will be a huge boon in engagements, POCs (or in the wild). I especially like to round difficulty up during research; it is difficult for someone else to minimize your findings if you have added (and circumvented) greater security measures than the norm (rather than having reduced them).

  13. Most of my exploitation of networks in the last couple of years has been a process of discovering network misconfigurations and weaknesses (especially in Windows Firewall, Programs and Features, LGPO/GPO policies and/or IE/Internet Options within Windows domains/networks) or information leaks that I locate online or through DNS enumeration that ultimately lead to my gaining access to a host.

From there, remote exploitation (toward post exploitation/privilege escalation/pivoting) will often occur. This is largely when knowledge of things such as PowerShell (leveraged by itself or through tools like PowerSploit/CrackMapExec/PsExec/Empire) becomes invaluable (in Windows networks).

I have actually been finding easier remote exploits when attacking Linux/Unix boxes in enterprise networks (finding Solaris with Apache Tomcat during enumeration still springs hope eternal in my human breast).

Many (actually, maybe all) of these companies are/were new at deploying Unix/Linux boxes in their networks and were making some serious mistakes with deployment.

  14. Enumeration is the most important part of an engagement to me. You should get used to enumeration without automated tools; I love Nmap, but many times it is not feasible to use within the customer’s network (network overhead issues, the chance of detection by IDS, the chance of breaking PLCs or other embedded devices, etc.).

In cases where you are on the customer’s network, tools like Wireshark, Tcpdump, knowledge of networking protocols/ports and banner grabbing are your friends.

  15. For those engagements where you first need to gain access to the network, you definitely have more room for running some louder tools:

I love Fierce (and DNS enumeration in general) as it often presents my way in.

Google dorking is still also an incredible tool, as is Firefox with the right set of extensions (Hackbar, Tamperdata, Wappalyzer, BuiltWith, Uppity, IP Address and Domain Information, etc.).

Who loves Dirbuster in these circumstances? This carbon/caffeine based lifeform right here.

Whether you are pentesting, bug hunting or hacking/freedom fighting, a paid Shodan subscription ($50) is worth every cent. The capacity to make exacting, accurate searches past five pages has helped me in more engagements/bug hunts than I can remember.

  16. When I am explaining why a config/setting/LGPO/GPO (etc.) is a security risk to a client or my fellow employees, I like to explain that many of the advantages I look for in my environment are most often advantages that are needlessly provided to me.

If it does not break key functionality or seriously impede efficiency/development time, then it is in their best interest to deny me as many advantages as possible, even when the advantages appear to be minutiae.

When dealing with a client or non-security fellow employees, you should work to create a relationship of mutual help and teamwork.

I am not there to rub their noses in their crap; I am there to help improve their security so the company can prosper. This is partially a customer service gig where solutions (remediation/countermeasures) are more beneficial to the customer than the exploitation itself.

Whenever possible, I like to end the post-exploitation/penetration test conversation/meeting/presentation with the attitude that I am here to help fix these issues: how can WE best close these gaps? How can I help make your (or our) company safer, so that we can become more prosperous?

  17. I personally despise Microsoft (and many proprietary products/companies) on many levels, but when it comes to work, I am platform agnostic. Whatever tool is needed to complete the mission is the tool I am going to employ.

However, whenever possible without jeopardizing the mission, I am going to employ an Open Source/Unix/Linux-centric solution.

I work hard to show my company the value in Open Source. The way to show that value isn’t to be the super Unix/Linux/GPL neckbeard who constantly bemoans proprietary software/platforms.

The best way (for me), is to show how effective the strategy involving the Open Source tool is. Then, in my report, I explain the business hook of using Open Source (if the tool is free for commercial use).

I am sensitive to companies taking Open Source tools and turning them into something proprietary.

However, if I can make my company (which is both huge and almost universally recognized as ethical, which is rare) see the value in Open Source, I know they will eventually incorporate Open Source into the support packages for their products (which they have, while keeping the tools and the license intact).

This then spreads the value of Open Source to smaller companies who see it being trusted by a much larger company.

  18. I have tens of thousands of dollars’ worth of licenses at my disposal. However, I will never use tools like Nexpose, Nessus, Canvas or Metasploit Pro unless the project, client, or a governing body specifically requires them.

I believe these tools develop poor habits. Obviously, if a project such as evaluating an entire domain of IP/hosts for vulnerabilities is my task, I am going to use Nessus. However, (whenever a time/project permits, which they most often do) I am going to evaluate the findings (and search for other vulnerabilities) manually.

  19. The ultimate goal should be reliance on nothing more than a Linux/Unix terminal, some manner of network access and a programming language. One of my favorite exploitation tools is my Nexus 7 2013 flo tablet (running a modified version of NetHunter) and a Bluetooth folio keyboard (I got the idea from n-o-d-e, https://www.youtube.com/watch?v=hqG8ivP0RkQ), as the final product is a netbook that fits in a jacket pocket.

I have exploited some seriously huge clients with this little rig (for ingress and a quick root shell, WPS on network/enterprise printers and knowledge of PCL/PJL/PostScript are often your friends).

I have also exploited other customers with a cheap UMX smartphone with 5 GB of storage, 1 GB of memory and GNURoot Debian (guest WiFi access from the parking lot or an onsite public restroom, human nature, and Responder.py analyze mode, followed by WPAD, LLMNR and NetBIOS poisoning with NTLMv1 and LM authorization downgrade for the win).

  20. During (red team, onsite, etc.) engagements, even when the ultimate target of the engagement is located on a hardwired network with heavy segmentation/compartmentalization (such as the conduit/zone based layouts that are general best practice in industrial sectors), it is always worth gaining a host/node with corporate WiFi access.

One thing WIFI access provides is reach: an Administrator’s (or other privileged user’s) dedicated workstation may be out of reach, but his other devices (if in scope) may be connected to Corp. WIFI for reasons such as saving data on a plan.

Also, WIFI allows me attacks of opportunity even when I am doing other things. Running Responder.py on a misconfigured network’s WIFI while I am elsewise engaged is gaining me advantages (maybe clear text creds, maybe hashes, maybe NTLMv1 and LM hashes) at little cost to my time or attention.

When I employ this, I like to spoof the poisoning machine’s hostname/MAC address to something familiar on the network. If you see a bunch of hosts named “Apple” during your recon, and not all of those hosts are online, spoof the hostname/MAC to match one of the Apple machines (this will not withstand close scrutiny, but will often suffice with a little work).

It always helps to watch and take note on the norms of the network traffic and protocols. Try to match this as much as possible (this will likely help you avoid IDS/IPS, firewall rules, etc.) and whatever traffic would seriously stand out, try to tunnel or encapsulate with normal network traffic/protocols.

  21. This leads to two other points:

A) Be prepared for the majority of people within a company who do not care about, or will minimize security issues. Do not get frustrated; I find that showing the parties involved what they stand to lose as a company from a vuln to be more effective than focusing on the vuln itself.

B) This is where the Nexus and cheap smartphone come into play: taking the client’s domain with a laptop may scare up some results, but showing a customer that an attacker could cost them tens of millions with a $20 smartphone or a $100 tablet (from the parking lot) works wonders.

C) I have an interest in learning to exploit everything and anything. This has served me well during network penetration tests, as many targets will defend their DCs, file servers and hosts, but not pay much attention to the printers and IoT devices within the network.

D) To this end, learn to work with uncommon protocols. UPnP, DLNA and SSDP have been serving me well for the last couple of years. Many file servers (and company smartphones/tablets when they are in scope) keep the UPnP door (and associated protocols) wide open. I once grabbed SNMP and other default network appliance creds from a file server through UPnP.

  22. If you are going to pay for certs with your own cash, I recommend the OSCP. Yes, some of the machines/exploits are outdated. You won’t find many of the SMB remote exploits used for the course in the wild very often anymore (unless an Admin leaves a test server up, which happens occasionally).

However, the overall experience, breakdown on enumeration methodology, self reliance and mindset the entire experience teaches you are invaluable.

I have seen some sites peddling garbage certs with no industry recognition. Save your money for the OSCP; its profile in the industry is high and growing. Certs are no replacement for experience, but starting out with an IT/CS related degree or some general IT experience (even Helpdesk work) along with the OSCP will get you hired somewhere.

  23. For persistence, I prefer adding innocuous user accounts/Remote Desktop accounts.

If I am going to add some manner of privileged user account early to mid engagement, I usually try to add a more low profile account (if I have the option) such as Server Operator; these type of accounts allow privileged access you can build from, but generally are not watched with the scrutiny of an Administrator account.

When I do create Administrator accounts (I try to wait until I begin my endgame), I will try to match the naming convention to similar accounts within the network. if a

For example, if the Administrator accounts within the network are named USsupervisor, I will name the added account something like USupervisor. If I know the clear text password of the account I have mimicked, I will use the same password.

  24. Keep good notes during the engagement; too much information is better than too little information. Captured PCAPs of network traffic are great for examination during down time between engagements.

  25. If you are a hacker, freedom fighter, or someone generally concerned about max privacy, this series of articles and configurations are for you:
    https://www.ivpn.net/blog/privacy-guides/advanced-privacy-and-anonymity-part-1

  26. My favorite distro is Backbox; it starts out with a solid set of tools minus the obscure bloat (and so far I have been able to add anything Kali has to Backbox). You can use Backbox’s “Anonymous” option for a full transparent Tor proxy, Macchanger and hostname changer, and set RAM to overwrite on exit.

I also keep Portable Virtualbox on a USB drive with a Kali Linux image…

You could follow some of the advice here: http://www.torforum.org/viewtopic.php?f=2&t=18320

And here: http://www.torforum.org/viewtopic.php?f=2&t=18320

The articles above could help you create an encrypted USB with a Whonix gateway and Kali Linux workstation (you could probably exchange Kali OS in the Whonix Workstation for any Debian/Debian like OS).

This configuration is disposable and concealable, and will run all of the Kali Workstation’s (or other Debian/Debian-like OS) traffic through Tor. You could also create multiple other vanilla Whonix Workstations/Gateways on the USB to create a type of local jumpbox sequence to tunnel between/through SSH and/or VPN them before the final Kali workstation.

(Note: This is just a gut feeling, but for your own OpSec/security/anonymity, you are probably best replacing the Kali workstation with another Debian/Debian-like distro. I have tried Katoolin in the Whonix Workstation, but I find that Katoolin often breaks it).

  27. A VPS with your pentest tools installed is a valuable commodity; I call mine DeathStar, and I can call down some thunder from my Nexus 7 2013 flo (and a prepaid wireless hotspot) from pretty much anywhere.

There are some providers who do not give a damn about the traffic leaving your VM as long as you are using a VPN and a DMCA does not come their way.

For hackers and freedom fighters, get your VPS from a country outside the 14 Eyes countries (providers in Eastern European/former Soviet Bloc countries can be both dirt cheap and extremely honorable; just do your research and have tolerance for the occasional technical issue).

You could pay with laundered/tumbled Bitcoin; even better are those providers who accept gift cards (much like some VPN providers do) as payment.

Have another party buy the gift cards a good distance away from you; you can find some of these providers who take gift cards on Low End Box. The VPS can be a valuable addition to the encrypted USB above (as you now have a host/node to catch your reverse shells without sacrificing Tor) when combined with SSH or IPsec (such as strongSwan, which is in the Debian repos).

  28. Again, this post was long because I am busy, and I wanted to make the contribution I felt I owed this site since shortly after it began. If you have technical questions concerning it (or any questions in general), please post them as comments and I will definitely get you back an answer.

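On the UPnP/SSDP point in the list above (file servers and mobile devices leaving the UPnP door open), the enumeration is two messages and one document fetch. The following is an added example, not the poster’s tooling: it builds the SSDP M-SEARCH, parses the unicast 200 OK replies, and pulls device and service details (including the SOAP control URLs) out of the description document that the LOCATION header points at. The reply and description document embedded in the block are constructed samples (documentation address 192.0.2.10, made-up device and model names); the SNMP-credential grab mentioned in the post is not reproduced here.

```python
"""SSDP M-SEARCH plus UPnP device-description parsing. Added example for this
thread, not code from the original post. SAMPLE_REPLY and SAMPLE_DESCRIPTION
are constructed (192.0.2.10 is a documentation address, "ExampleNAS" and
"NAS-2100" are made up); message formats follow the UPnP Device Architecture."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
# Service types worth a second look: WANIPConnection exposes AddPortMapping
# (IGD port forwarding); ContentDirectory is the DLNA browse interface.
INTERESTING = {
    "urn:schemas-upnp-org:service:WANIPConnection:1": "IGD port mapping control",
    "urn:schemas-upnp-org:service:ContentDirectory:1": "DLNA content browsing",
}

def build_msearch(search_target="ssdp:all", mx=2):
    """HTTPU M-SEARCH as multicast to the SSDP group; ST selects what answers."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {search_target}\r\n\r\n").encode("ascii")

def parse_ssdp_reply(raw):
    """Unicast 200 OK reply to M-SEARCH -> dict of upper-cased headers, or None
    for anything else (NOTIFY announcements, junk)."""
    head = raw.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def parse_device_description(xml_text, location):
    """Parse the document served at LOCATION. Relative controlURL/SCPDURL values
    are resolved against LOCATION; controlURL is where SOAP actions are posted."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():                 # drop the default namespace so plain names match
        elem.tag = elem.tag.rsplit("}", 1)[-1]
    device = root.find(".//device")

    def text(el, name):
        return (el.findtext(name) or "").strip()

    services = [{
        "type": text(svc, "serviceType"),
        "control_url": urljoin(location, text(svc, "controlURL")),
        "scpd_url": urljoin(location, text(svc, "SCPDURL")),
        "note": INTERESTING.get(text(svc, "serviceType"), ""),
    } for svc in root.iterfind(".//service")]
    return {"friendly_name": text(device, "friendlyName"),
            "model": text(device, "modelName"), "services": services}

def discover(search_target="ssdp:all", timeout=3.0):
    """Live discovery (needs a LAN; not exercised offline): one M-SEARCH, then
    every 200 OK that arrives before the timeout, keyed by source IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(search_target), (SSDP_GROUP, SSDP_PORT))
    replies = {}
    try:
        while True:
            data, (src, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_reply(data)
            if headers:
                replies[src] = headers
    except socket.timeout:
        pass
    sock.close()
    return replies

# Constructed sample traffic, not captured from a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/4.4 UPnP/1.0 ExampleNAS/2.1\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:01234567-89ab-cdef-0123-456789abcdef::urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n"
)
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>ExampleNAS</friendlyName>
    <modelName>NAS-2100</modelName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <controlURL>/ctl/IPConn</controlURL>
        <SCPDURL>/WANIPCn.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
        <controlURL>/ctl/ContentDir</controlURL>
        <SCPDURL>/ContentDir.xml</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>"""
```

In use, `discover()` gives you LOCATION per host, a plain HTTP GET of that URL gives the description document, and `parse_device_description()` turns it into the list of control endpoints to look at; the SERVER header alone already leaks OS and firmware version, which is the same kind of needless advantage the post talks about handing to an attacker.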
#2

Awesome post! Do you have any engagement stories to share?


(Zalman) #3

Thanks a lot for this thread!
Although I’m not a red teamer, this kind of information is always invaluable.


(Bushido signifies desperate death.) #4

Man…so many. The ones that stand out the most are the ridiculous ones.

This was the worst one; it is so bad it is long (sorry everyone): Pivoting onto a manager’s desktop and finding an Excel Workbook entitled “PASSWORDS”.

Inside was every current username/password for that manager’s direct reports: at least 500 employees.

The credentials belonged to ACSR/CSG, the billing software used by Time Warner and Comcast for updating/creating/adjusting customers’ cable/phone/HSD accounts/services (the facility handled/subcontracted work for all North American online orders for Time Warner and Comcast, among other large telecommunications conglomerates).

To improve efficiency, management had implemented tabs for the employees to click on their home screens: the tab dropped the last 20 customer accounts the employees had worked on.

500 employees * 20 customer accounts = access to 1000 customer accounts. Legacy accounts prior to 2007 (accounts where the customer hadn’t moved, canceled, or lapsed service since at least 2007) had their full SSN and credit card data available in the clear.

Managers had convinced IT to never force them to change their passwords; there were macros/notes near the manager entries that said “Do not change these passwords”. One of the managers had not changed their password for 6 years.

I gained access to the network/segment from a machine on the network that had been setup as a Timeclock machine in the employee lounge (employees would sign into their shifts or on/off breaks from it). Management felt they were off their “adherence” metric because the employees had to wait until they got back to their desk/workstation to sign in/out of their timeclock software.

They were basically trying to screw with their analytics to shut up corporate and their clients (rather than managing their employees properly).

They connected the Time Clock machine to the Guest WIFI connection in the lounge… which had been supplied with a cheap Belkin router that IT had used as a “temporary solution” for 7 months.

I literally gained access via PSK by using router keygen via my Nexus 7 from the parking lot.

Managers and employees had been signing into that Time Clock machine. The credentials they signed in with were saved in cleartext within logs in the software’s Program Files folder.

IT wasn’t assuring that employees weren’t reusing username/passes for the TimeClock, their workstations, or VPN access.

All of the workstations (Windows 7 Enterprise) in that segment had an OS side panel that would allow you to Remote Desktop onto any other workstation on the segment with privileged credentials. IT had implemented it (because they were lazy) because they needed to be able to remote into “any workstation from any workstation”.

The Managers had talked IT into adding their accounts to that GPO so they could remote into their direct hires machines to help fix billing system issues…

That was the first time I had pentested my former employer. When I refused to change the facts of the report (IT and management kept accusing me of “throwing them under the bus”), I earned the hatred/distrust of most of the management and the entire IT department for the rest of my 3+ year career.

I had also been hired as their first (and last) official InfoSec/NetSec employee.

When I left, they just went back to pulling everything together with a “PCI consultant” (their clients ALL let them know when the contractual PCI audits would occur), passing the audit, then letting everything go back to shit until next time.


#5

holy ballsack man. I love this insight.
I didn’t dive deep into real world work stuff since I’m still in uni, but this article has so much information in it.
I need to read it again to soak in everything.
Working as a pentester sounds tough but fun. I’m curious where I will end up in a year from now when I’m done writing tests…

On a side note though: This long of an article might need some more formatting since I personally found it difficult to read.

Anyways I keep looking forward to your stuff. Maybe you can make some kind of shorter article series out of it. I’d be happy


(Not a N00b, but still learning) #6

Whoa! This might be the longest post/introduction ever on 0x00sec! It gave some very interesting insights and took me about half an hour to read :slight_smile: How did you start to learn infosec? Which resources did you use to learn more about networks?
I’m mostly a software guy wanting to get on deeper levels and networking, so any advice would be helpful.
BTW, which programming languages do you know? Do you attend security cons?

Looking forward to your answer,
SmartOne


#7

Holy Guacamole! Great post, definitely worth the long read. Also, love the whole transparency and honesty present in the whole post.

However, like @ricksanchez said, the post might need some formatting and the correction of some typos, other than that, awesome article.


(Bushido signifies desperate death.) #8

n3xUs and ricksanchez-

The formatting issue was a weird one that I had to correct a few times (it still does not look great). I also realize there are some typos…

I will work to get those issues fixed out of respect to the community and the readers. It may be a while though; as I stated, I am extremely busy.

The typos and length exist because I felt guilty that I had joined this community and gotten much from it while giving nothing back. Giving back was on my list of things to do; when I finally found the time, I did my best to give my most I could.


#9

Outstanding article. Thank you for sharing @maderas.

I just completed a pentest for a client with a similar “PASSWORDS” story. For whatever reason, a developer was “testing” the internal platform messaging system’s attachment capability and attached his private password file. :confounded:


(Bushido signifies desperate death.) #10

Thank you SmartOne.

Answers to your questions are below. You had asked for advice; I take this request seriously, and thus the length of the reply.

Whatever you choose to do in this field, it all comes down to competency. What anyone says isn’t as important as what they can do at the keyboard or with a soldering iron.

It all boils down to skills, knowledge, experience and development.

That is why I feel you must really love what you do in this field, because you are going to have to spend most of your time improving at it. If it isn’t fun, then the time sink will drive most running toward something else.

You had stated that you are a software guy; so for this example I am going to say you worked/work as some form of engineer or developer of web based applications.

This would mean you already have many very important skillsets that can be bent to serve you in any InfoSec/NetSec path you choose.

For example, you would likely already have developed intangibles such as an eye for detail and an ability to concentrate focus for extended periods, which are difficult to teach someone.

Not to mention that a competent programmer has an excellent, high level advantage in this industry. Even if you do not find the languages you specialized in immediately useful, you have the capacity to learn others at an expedited rate (and likely have applicable experience in secure development, code review, etc).

It is really going to come down to what you want to specialize in. Once you have some idea about what you want to do, make the skills you already have work for you toward that goal.

Let us further the example by saying you wanted to become a Penetration Tester, and you wanted to specialize in Network Penetration (easily my favorite facet of my career).

Then I would say continue to focus about 80% of your development toward network penetration skills, but also weaponize your past Web Development background: dedicate about 10% to 20% of your total development time to studying and gaining a deep working knowledge of the OWASP Top 10 (fortunately, the exploitation methods/vulns listed in the Top 10 do not usually shift violently).

Why? Often, you can find a way into the target network via Web Application Penetration. If you have some manner of Web Development background, your current skillsets maximize any time you spend learning Web Application Penetration.

Which in turn adds a valuable, more familiar weapon to your Network Penetration skillset (your ultimate goal).

Train hard, train smart and have fun. If you are consistent, you will be amazed where you are a year from now.

How did I start to learn InfoSec?

Like anything else in life, if you know what you want, then develop a plan that develops the skills you need to get there. If you are steadfast and willing to make sacrifices equivalent to your ambitions, you will get there.

When I got really serious about developing my skills, I developed a training regimen of, at minimum, 4-8 hours of study/research/practical training a day, at least 6 days a week (I did this with a full time job working between 40-60 hours a week).

The best way to learn is to do; when I was pushing forward with my development, there were a (slowly) increasing number of (a few) vendor bounty programs (now called a bug bounty).

Google had been doing so for a while at that point. They were offering bounties and allowing most (it may have been all) of their domains to fall within scope.

(Note: In the present, Yahoo’s bug bounty program has all of their domains within scope, including acquisitions.)

I took full advantage of these real world opportunities; I didn’t even bother to graduate past the enumeration phase for months.

Attacking/enumerating applications like DVWA , Windows/Linux/Unix VMs, or any of the Metasploitables are good practice.

However, I would probably join BugCrowd, find a program/customer where attacks on most (if not all) of their domains are within scope, and begin/conduct your live training that way.

This method has multiple advantages, not the least of which being that you will develop more current, real world skills. This will also make your research/study more efficient, as you will invariably gear some portion of your training by experiences you have against live hosts.

SmartOne, it also seems like you are interested in improving your knowledge of networking, so I will tell you how I have grown mine:

The way I learn is to begin with studying a basic overview of something and fill in the gaps of my understanding with more and more complex material.

The ProProfs CompTIA Network+ Study Guide is a good example ( http://www.proprofs.com/mwiki/index.php/Comptia_Network%2B_Study_Guide ) of the kind of materials I have applied this principle to in the past.

The link takes you to the index of the ProProfs CompTIA Network+ study guide. I never prepared/studied for Network+; I just have a weakness for bookmarking clear, concise reference materials.

Much of the knowledge in the study guide could be considered basic, which is a damn fine start. However, let us say you run into vocab or concepts that need greater clarity (let us call such an example concept A),

And the magic happens: by seeking clarity from other sources, you discover that you need to study concept B to better understand concept A. To better understand concept B, you need to learn a bit of something about concept C.

Before you know it, hours have passed and the branches of your networking knowledge have grown in multiple directions.

The programming languages that I know:

Python 2. something to 2.7.8; I haven’t even touched Python 3.0 outside reading documentation to make necessary changes to modules/exploits/tools. I learned Python for those situations wh

I wouldn’t call myself a programmer though; I lack the talent and creativity in programming that allows for innovation and creation (which is magic really).

I know enough C to get a module, exploit or tool to do what I need if there is a minor issue. Fluency in C and ASM are high on my list of dream skill acquisitions.

Where scripting languages are concerned (though many call Python a scripting language), I am proficient in Bash and Powershell.

I have some knowledge in a number of other scripting/4GL/programming languages, but that knowledge is strictly exploitation related. I may be able to identify a dangerous string of PHP that could lead to LFI/RFI on a site, but I cannot program in it.

Do I attend security cons:

Not yet; I keep an extremely low profile; this is actually the first community I have ever joined online. I am also extremely busy and my work flow can go from 1 to 100 in seconds.

I love the spirit and content coming out of DefCon, ShmooCon, BlackHat and CCC every year (and HOPE every 2 years). I usually watch all of the recorded presentations each year.

Someday I would like to go to Defcon, CCC and HOPE in the same year; kind of like paying my respects to the holy land.
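A concrete instance of the "dangerous string of PHP that could lead to LFI/RFI" mentioned in the post above, as an added example that is not part of the original post or the author's own tooling. The PHP fragments are constructed for this example: two include sinks fed directly from a request superglobal, one fed through an intermediate variable, and an allowlist-based hardened form. The Python around them is a grep-level check of the kind a tester runs over source they are handed; it tracks only one assignment hop and treats a user-controlled array *index* into a fixed table as safe, so it is a triage heuristic, not a substitute for real dataflow analysis (and RFI through such a sink additionally depends on allow_url_include being enabled).

```python
import re

# Constructed PHP samples for this example (not taken from the original post).
# The include argument comes straight from the request: classic LFI shape.
VULNERABLE_LFI = '<?php include($_GET["page"] . ".php"); ?>'
# Same sink, different keyword and superglobal; RFI if allow_url_include is on.
VULNERABLE_RFI = '<?php require_once $_REQUEST["tpl"]; ?>'
# Tainted value passes through a variable before reaching the sink.
VULNERABLE_INDIRECT = '<?php $tpl = $_COOKIE["tpl"]; include "themes/" . $tpl; ?>'
# Hardened form: user input only selects a key in a fixed allowlist; the
# included path is built from the allowlisted value, never from the input.
HARDENED = '''<?php
$pages = ["home" => "home.php", "about" => "about.php"];
$key = $_GET["page"] ?? "home";
if (!array_key_exists($key, $pages)) { http_response_code(404); exit; }
include __DIR__ . "/pages/" . $pages[$key];
?>'''

SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b'
# Longer keywords first so "include" does not swallow "include_once".
INCLUDE_SINK = re.compile(
    r'\b(?P<kw>include_once|require_once|include|require)\b\s*(?P<arg>[^;]*);')
ASSIGN_FROM_REQUEST = re.compile(r'(?P<var>\$[A-Za-z_]\w*)\s*=\s*' + SUPERGLOBAL)
TAINTED_DIRECT = re.compile(SUPERGLOBAL)


def tainted_variables(php):
    """Variables assigned directly from a request superglobal (one hop only)."""
    return {m.group('var') for m in ASSIGN_FROM_REQUEST.finditer(php)}


def find_include_sinks(php):
    """Return one finding per include/require statement, flagging tainted arguments."""
    tainted = tainted_variables(php)
    findings = []
    for m in INCLUDE_SINK.finditer(php):
        arg = m.group('arg').strip()
        if arg.startswith('(') and arg.endswith(')'):
            arg = arg[1:-1].strip()
        # Heuristic: an array index built from user input selects an entry of
        # a fixed table rather than forming the path itself, so bracketed
        # sub-expressions are ignored when looking for taint. A tainted index
        # into an attacker-influenced array would be missed by this.
        outside_brackets = re.sub(r'\[[^\]]*\]', '[]', arg)
        direct = bool(TAINTED_DIRECT.search(outside_brackets))
        via_var = any(re.search(re.escape(v) + r'\b', outside_brackets)
                      for v in tainted)
        findings.append({'keyword': m.group('kw'),
                         'argument': arg,
                         'tainted': direct or via_var})
    return findings


def is_vulnerable(php):
    """True if any include/require sink in the source takes tainted input."""
    return any(f['tainted'] for f in find_include_sinks(php))


if __name__ == '__main__':
    samples = {'lfi': VULNERABLE_LFI, 'rfi': VULNERABLE_RFI,
               'indirect': VULNERABLE_INDIRECT, 'hardened': HARDENED}
    for name, src in samples.items():
        for f in find_include_sinks(src):
            status = 'TAINTED' if f['tainted'] else 'ok'
            print(f"{name:9s} {f['keyword']:13s} {status:8s} {f['argument']}")
```

Running it prints one line per sink; the three vulnerable samples are flagged and the allowlisted include is not. The reason the hardened version passes is worth internalising when reviewing code: the fix is not escaping or stripping `../` from the input, it is never letting the input become part of a filesystem path at all.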


(face) #11

Great post!
:thumbsup:


(Not a N00b, but still learning) #12

Thank you for your outstanding answer!
I’m currently attending a local countrywide infosec competition to benchmark my skills. So far, many of the challenges did have to do with WebApps (I indeed started my journey with WebDev) and I found them very easy.
I will definitely follow your advice to finally make a step into Bug Bounty programs. You also motivated me to spend more time doing research, which is hard due to my school times, but I will certainly manage.
The link unfortunately doesn’t work for me, did you mean this?

I really appreciate the effort you put in all of your answers and I could really imagine you speaking at one of the mentioned conferences :slightly_smiling_face:

Best, SmartOne

P.S.:

On purpose, or does it just happen to be so?


( Bushido signifies desperate death.) #13

SmartOne-

I am glad you found some merit in my reply.

And thank you for pointing out the issue with the link; I fixed it.

It is an awesome thing that you are out in the world testing your skills. I feel like this is a very important thing to do. Especially when you can test those skills against others outside your personal circles.

I keep a low profile very much on purpose.

Partly because we are fortunate to live in interesting and dangerous times.

I believe that privacy is an indelible human right; working to keep your privacy is a form of resistance against the stupidity and greed of today.

Good luck with school; education and bright minds that apply their learning are the world’s solutions.

-maderas


#14

Thank you for writing this up. It gives me hope as someone who’s self taught with no degree and I’m currently doing my OSCP. I’m currently at the Director level in a very large corporation with the hopes of moving into InfoSec either internally or externally. Most people I’ve spoken with who are currently employed in InfoSec say it would be hard to transition. I’m somewhat betting that my experience and passion for the dark arts will place me among like-minded individuals. I have a lot of experience with PCI and specific kinds of software that are genuinely overlooked for security. Do you think there is a way I can optimize my chances of moving into InfoSec without needing to completely restart my career? I know I’m being somewhat general in the information I’ve given, so it might be hard to answer that.


(John Demco) #15

Great write-up, Thanks.


( Bushido signifies desperate death.) #16

mf_redstars-

Flesh and blood human beings just like you and I have gone to the moon.

They did this in an age where information and technology was far less available.

Too many have lost sight of what the Internet is under all the bullshit: it is the Cosmic Library, the repository of humankind’s accumulated knowledge.

Imagine if Socrates or Einstein or Tesla had access to such a marvel?

You will be fine my friend; the need is so great for InfoSec/NetSec professionals, and you already have some applicable knowledge (and you have succeeded in another field, which definitely speaks of attributes that matter).

Keep improving your skills, and never give up. Your first InfoSec/NetSec position may not be your dream job, but you will be building the bridge to get where you need to be.

If you persevere, you will get where you want to be. It is just about building the skills you need; everything else is persistence and patience.

I did it, so I know anyone willing to put in the time can as well.

So just go do it my friend.


(Fiz) #17

Thank you for your post. I’m 6 months into the journey to learn pen testing on my own, and I’m attempting to lay foundational groundwork (networking, security, programming, OS, etc… i want all the knowledge) over the next couple years. I only recently immersed myself in this world. I’ve always stayed at the edge of everything. Learning enough of all topics to wear many hats but not truly understand something at a deep level. I finally committed to this goal because I feel it will be a rewarding climb that will keep me inspired and interested. Your detailed post confirmed things I considered and will push me to learn what I didn’t understand.


( Bushido signifies desperate death.) #18

Me.s.a-

I am glad I could help.

What we do is extremely important. I believe that InfoSec/NetSec is one of the most important jobs in the world. And I believe its importance will continue to grow.

Good luck in your journey. It is an amazing path to follow. I shudder to think where I would be if I hadn’t taken so many steps down it.

-maderas


#19

Awesome story. Thanks for sharing. Shame that due to your diligence and competence at your job you were treated like this! Seems to be the way sometimes in the industry!


( Bushido signifies desperate death.) #20

smarteraser-

The industry can be tough sometimes…money vs. security, development time vs. security, usability vs security…

The answer seems obvious to me many times: if you skimp on security now, you tend to pay later.

Fortunately, security is now becoming a premium in the minds of customers, which will hopefully force companies (and individuals within companies) to begin taking security much more seriously.

It’s the one part of security that is difficult to prepare many newbies for: the human element in dealing with other teams, managers, etc.; many of the latter (and more) have way different motivations.

Even still, this is the best field in the world…I have no idea what I would be doing if I wasn’t doing this…

Glad to meet you and sorry for the late response!