Shared thoughts after 6+ years in Pentesting

Whoa! This might be the longest post/introduction ever on 0x00sec! It gave some very interesting insights and took me about half an hour to read :slight_smile: How did you start to learn infosec? Which resources did you use to learn more about networks?
I’m mostly a software guy wanting to get on deeper levels and networking, so any advice would be helpful.
BTW, which programming languages do you know? Do you attend security cons?

Looking forward to your answer,
SmartOne

3 Likes

Holy Guacamole! Great post, definitely worth the long read. Also, love the whole transparency and honesty present in the whole post.

However, like @ricksanchez said, the post might need some formatting and the correction of some typos, other than that, awesome article.

1 Like

n3xUs and ricksanchez-

The formatting issue was a weird one that I had to correct a few times (it still does not look great). I also realize there are some typos…

I will work to get those issues fixed out of respect to the community and the readers. It may be a while though; as I stated, I am extremely busy.

The typos and length exist because I felt guilty that I had joined this community and gotten much from it while giving nothing back. Giving back was on my list of things to do; when I finally found the time, I did my best to give my most I could.

4 Likes

Outstanding article. Thank you for sharing @maderas.

I just completed a pentest for a client with a similar “PASSWORDS” story. For whatever reason, a developer was “testing” the internal platform messaging system’s attachment capability and attached his private password file. :confounded:

1 Like

Thank you SmartOne.

Answers to your questions are below. You had asked for advice; I take this request seriously, and thus the length of the reply.

Whatever you choose to do in this field, it all comes down to competency. . What anyone says isn’t as important as what they can do at the keyboard or with a soldering iron.

It all boils down to skills, knowledge, experience and development.

That is why I feel you must really love what you do in this field, because you are going to have to spend most of your time improving at it. If it isn’t fun, then the time sink will drive most running toward something else.

You had stated that you are a software guy; so for this example I am going to say you worked/work as some form of engineer or developer of web based applications.

This would mean you already have many very important skillsets that can be bent to serve you in any InfoSec/NetSec path you choose.

For example, you would likely already have developed intangibles such as an eye for detail and an ability to concentrate focus for extended periods, which are difficult to teach someone.

Not to mention that a competent programmer has an excellent, high level advantage in this industry. Even if you do not find the languages you specialized in immediately useful, you have the capacity to learn others at an expedited rate (and likely have applicable experience in secure development, code review, etc).

It is really going to come down to what you want to specialize in. Once you have some idea about what you want to do, make the skills you already have work for you toward that goal.

Let us further the example by saying you wanted to become a Penetration Tester, and you wanted to specialize in Network Penetration (easily my favorite facet of my career).

Than I would say continue to focus about 80% of your development toward network penetration skills, but also weaponize your pastWeb Development background: dedicate about 10% to 20% of your total development time into studying and gaining a deep working knowledge of the OWASP Top 10 (fortunately, the exploitation methods/vulns listed in the Top 10 do not usually shift violently).

Why? Often, you can find a way into the target network via Web Application Penetration. If you had some manner of Web Development background, your current skillsets maximize any time you spend learning Web Application Penetration,.

Which in turn adds a valuable, more familiar weapon to your Network Penetration skillset (your ultimate goal).

Train hard, train smart and have fun. If you are consistent, you will be amazed where you are a year from now.

How did I start to learn InfoSec?

Like anything else in life, if you know what you want, than develop a plan that develops the skills you need to get there. If you are steadfast and willing to make sacrifices equivalent to your ambitions, you will get there.

When I got really serious about developing my skills, I developed a training regimen of at minimum, 4-8 hours of study/research/practical training a day, at least 6 days a week (I did this with a full time job working between 40-60 hours a week) .

The best way to learn is to do; when I was pushing forward with my development, there were a (slowly) increasing number of (a few) vendor bounty programs (now called a bug bounty).

Google had been doing so for awhile at that point. They were offering bounties and allowing most (it may have been all)of there domains to fall within scope.

(Note: In the present, Yahoo’s bug bounty program has all of their domains within scope, including acquisitions.)

I took full advantage of these real world opportunities; I didn’t even bother to graduate past the enumeration phase for months.

Attacking/enumerating applications like DVWA , Windows/Linux/Unix VMs, or any of the Metasploitables are good practice.

However, I would probably join BugCrowd, find a program/customer where attacks on most (if not all) of their domains are within scope, and begin/conduct your live training that way.

This method has multiple advantages, not the least of which being that you will develop more current, real world skills . This will also make your research/study more efficient as you will invariably gear some portion of your training by experiences you have against live hosts.

SmartOne, it also seems like you are interested in improving your knowledge of networking, so I will tell you how I have grown mine:

The way I learn is to begin with studying a basic overview of something and fill in the gaps of my understanding with more and more complex material.

The Prof Pro’s CompTIA Network+ Study guide is a good example ( http://www.proprofs.com/mwiki/index.php/Comptia_Network%2B_Study_Guide ) of materials that are like those I have applied the principle to in the past .

The link takes you to the index of Prof Pro’s Comptia Network+ study guide. I never prepared/studied for Network+; I just have a weakness for bookmarking clear, concise reference materials.

Much of the knowledge in the study guide could be considered basic, which is a damn fine start. However, let us say you run into into vocab or concepts that need greater clarity (let us call such an example concept A),

And the magic happens: by seeking clarity from other sources, you discover that you need to studty conceptB to better understand conceptA. To better understand conceptB , you need to learn a bit of something about conceptC.

Before you know it, hours have passed and the branches of your networking knowledge have grown in multiple directions.

The programming languages that I know:

Python 2. something to 2.7.8; I haven’t even touched Python 3.0 outside reading documentation to make necessary changes to modules/exploits/tools. I learned Python for those situations wh

I wouldn’t call myself a programmer though; I lack the talent and creativity in programming that allows for innovation and creation (which is magic really).

I know enough C to get an module, exploit or tool to do what I need if there is a minor issue. Fluency in C and ASM are high on my list of dream of skill acquisitions.

Where scripting languages are concerned (though many call Python a scripting language), I am proficient in Bash and Powershell.

I have some knowledge in a number of other scripting/G4L/programming languages, but that knowledge is strictly exploitation related. I maybe able to identify a dangerous string of PHP that could lead to LFI/RFI on a site, but I cannot r program in it.

Do I attend security cons:

Not yet; I keep an extremely low profile; this is actually the first community I have ever joined online. I am also extremely busy and my work flow can go from 1 to 100 in seconds.

I love the spirit and content coming out of DefCon, ShmooCon, BlackHat and CCC every year (and HOPE every 2 years). I usually watch all of the recorded presentations each year.

Someday I would like to go to Defcon, CCC and HOPE in the same year; kind of like paying my respects to the holy land.

9 Likes

Great post!
:thumbsup:

Thank you for your outstanding answer!
I’m currently attending to a local countrywide infosec competition to benchmark my skills. So far, many of the challenges did have to do with WebApps (I indeed started my journey with WebDev) and I found them very easy.
I will definitely follow your advice to finally make a step into Bug Bounty programs. You also motivated me to spend more time doing research, which is hard due to my school times, but I will certainly manage.
The link unfortunately doesn’t work for me, did you mean this?

I really appreciate the effort you put in all of your answers and I could really imagine you speaking at one of the mentioned conferences :slightly_smiling_face:

Best, SmartOne

P.S.:

On purpose, or does it just happen to be so?

1 Like

SmartOne-

I am glad you found some merit in my reply.

And thank you for pointing out the issue with the link; I fixed it.

It is an awesome thing that you are out in the world testing your skills. I feel like this is a very important thing to do. Especially when you can test those skills against others outside your personal circles.

I keep a low profile very much on purpose.

Partly because we are fortunate to live in interesting and dangerous times.

I believe that privacy is an indelible human right;.working to keep your privacy is a form of resistance against the stupidity and greed of today.

Good luck with school; education and bright minds that apply their learning are the world’s solutions.

-maderas

3 Likes

Thank you for writing this up. It gives me hope as someone who’s self taught with no degree and I’m currently doing my OSCP. I’m currently at the Director level in a very large corporation with the hopes of moving into InfoSec either internally or externally. Most people I’ve spoken with who are currently employed in InfoSec say it would be hard to transition. I’m somewhat betting on my experience and passion for the dark arts will place me among like minded individuals. I have a lot of experience with PCI and specific kinds of software that are genuinely overlooked for security. Do you think there is a way I can optimize my chances of moving into InfoSec without needing to completely restart my career? I know I’m being some what general in the information I’ve given so it might be hard to answer that.

2 Likes

Great write-up, Thanks.

mf_redstars-

Flesh and blood human beings just like you and I have gone to the moon.

They did this in an age where information and technology was far less available.

Too many have lost site of what the Internet is under all the bullshit: it is the Cosmic Library, the repository of humankind’s accumulated knowledge.

Imagine if Socrates or Einstein or Tesla had access to such a marvel?

You will be fine my friend; the need is so great for InfoSec/NetSec professionals, and you already have some applicable knowledge (and you have succeeded in another field, which definitely speaks of attribiutes that matter).

Keep improving your skills, and never give up. Your first InfoSec/NetSec position may not be your dream job, but you will be building the bridge to get where you need to be.

If you persevere, you will get where you want to be. It is just about building the skills you need; everything else is persistence and patience.

I did it, so I know anyone willing to put in the time can as well.

So just go do it my friend.

5 Likes

Thank you for your post. I’m 6 months into the journey to learn pen testing on my own, and I’m attempting to lay foundational groundwork (networking, security, programming, OS, etc… i want all the knowledge) over the next couple years. I only recently immersed myself in this world. I’ve always stayed at the edge of everything. Learning enough of all topics to wear many hats but not truly understand something at a deep level. I finally committed to this goal because I feel it will be a rewarding climb that will keep me inspired and interested. Your detailed post confirmed things I considered and will push me to learn what I didn’t understand.

1 Like

Me.s.a-

I am glad I could help.

What we do is extremely important. I believe that InfoSec/NetSec is one of the most important jobs in the world. And I believe its importance will continue to grow.

Good luck in your journey. It is an amazing path to follow. I shudder to think where I would be if I hadn’t taken so many steps down it.

-maderas

2 Likes

Awesome story. Thanks for sharing. Shame that due to your diligence and competence at your job you were treated like this! Seems to be the way sometimes in the industry!

smarteraser-

The industry can be tough sometimes…money vs. security, development time vs. security, usability vs security…

The answer seems obvious to me many times: if you skimp on security now, you tend to pay later.

Fortunately, security is now becoming a premium in the minds of customers, which will hopefully force companies (and individuals within companies) to begin taking security much more seriously.

Its the one part of security that is difficult to prepare many newbies for: the human element in dealing with other teams, managers, etc; many of the latter (and more) have way different motivations.

Even still. this is the best field in the world…I have no idea what I would be doing if I wasn’t doing this…

Glad to meet you and sorry for the late response!

2 Likes

What a great post! I just started my journey into the INFOSEC field about a month ago. (I’ve been a lurker here for about that long) I currently work in a computer help desk for a big company and after being here for 10 years I am finally wanting to do something more exciting. Back in 2006 I got a few cisco certs and some comptia certs. I am wanting to get into NETSEC and pentesting.

I guess I would love a little guidance with what I should do. I do not have a degree and it would all be self taught. I’ve started studying for my A+ exam because I thought it would offer a good refresher on the basics of computers etc but now I feel like maybe thats a waste of time. I really want to get a job in INFOSEC in about a year or so. Should I instead focus my time learning Linux,network and studying for the OSCP cert? I have already setup a virtual lab using virtualbox and I am starting to learn tools like Kali and backbox.

Below is some information I put together for “a plan” for reaching my end goal of getting into INFOSEC. I do feel its CERT heavy and I may not need everything I have in it.

Certifications I need for obtaining a job in INFOSEC/NETSEC.

A+
https://certification.comptia.org/certifications/a

Network +
https://certification.comptia.org/certifications/network

Security+
https://certification.comptia.org/certifications/security

Linux+
https://certification.comptia.org/certifications/linux

CCNA

MCSA: Windows 10
https://www.microsoft.com/en-us/learning/mcsa-windows-10-certifications.aspx

MCSA: Windows Server 2016
https://www.microsoft.com/en-us/learning/mcsa-windows-server-certification.aspx

Certifications to get after I get a job in INFOSEC/NETSEC.

Linux Foundation Certified Engineer (LFCE)
https://training.linuxfoundation.org/certification/lfce

Kali Linux Certified Professional (KLCP)

Offensive Security Certified Professional
https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Certified Ethical Hacking Certification
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certifications I need to get once I am in a security role for 4+ years

GIAC Penetration Tester (GPEN)
https://pen-testing.sans.org/certification/gpen

GIAC Mobile Device Security Analyst (GMOB)
https://pen-testing.sans.org/certification/gmob

GIAC Web Application Penetration Tester (GWAPT)
https://pen-testing.sans.org/certification/gwapt

GIAC Assessing and Auditing Wireless Networks (GAWN)
https://pen-testing.sans.org/certification/gawn

CISSP

Programming I need to learn.
Python

Powershell
https://msdn.microsoft.com/en-us/powershell/mt173057.aspx

I guess I just need some help with how I should go about this thing. :slight_smile:

maderas you seem VERY knowledable in what you do and thank you so much for taking the time out of your busy schedule to help us that are just starting out. :slight_smile:

3 Likes

Did you have a look at this? :slight_smile:


(Beware shameless self promotion :smile:)

2 Likes

No but now I will!! Thanks so much. :slight_smile:

1 Like

Thisadamis-

Thank you for your kind words.

You already have 10 + years of technology experience…so that is a big plus.

If you are looking to go into pursuing a pentesting/InfoSec career within a year, I would whittle down your pursuits a bit (then get back after learning everything and anything afterward and forever more).

The OSCP would probably be the best thing to go after in such a short period. To help prep in that pursuit (looking over the list you posted) getting a solid understanding of Linux, Bash, Python and some Powershell (and applying what you learn/practice in a pentest lab) would definitely be helpful.

Personally, that is what I find myself using most when I am pentesting (Bash, Python, Powershell) now.

As well as studying for the OSCP, you may want to stay current on (and practice ) current pentesting techniques. Don’t skimp on some solid practice where privilege escalation is concerned; run killav, getprivs, getsystem or load mimikatz or load incognito in a straight shot are pretty rare these days.

Lately I have been loving Power Tools, CrackmapExec, Kerberoasting, Invoke Mimikatz and psexec_scanner.rb (not newish…but combined with Invoke Mimikatz…).

I mention these because they (or my strategies when using them) heavily call upon Powershell usage.

This place (in my view) in the best place to learn and hang your hat; the folks here are doing cutting edge stuff, and not focusing on what worked in 2011. I am literally blown away by some of the tutorials going on in this place…

With your background, if you focus on the OCSP and work like a mad person to improve your skills, then it is definitely doable. Good luck and get after it!

3 Likes