Considering a career as a penetration tester, or curious about who the penetration testers at RedSocks Security are? This article is for you! Having explained the purposes of penetration testing, we now turn to the penetration testers themselves. Joeri Blokhuis and Jordi Scharloo give their perspective on the job.
A penetration tester’s perspective | Joeri
The most exciting engagements are Black Box tests, when you have limited knowledge beforehand. In every engagement, the situation is different and you need to come up with new ways to complete the job successfully. Penetration tests are only truly successful when you can obtain privileged access or direct access to the crown jewels.
The objective is usually to get an initial foothold inside the application or infrastructure as fast as possible. Once the initial foothold is established, it is time to find vulnerabilities that can be exploited. Exploited applications or infrastructure will ultimately lead to your end goal.
In a small percentage of the engagements you will come across security misconfigurations, such as open shares with all company backups. Ten minutes later you will be dominating the network with administrator credentials and collecting all the information that you’re interested in.
In more sophisticated networks you will first have to gain network access by manipulating MAC addresses or certificates, which is often no real challenge. If no misconfiguration is found, credentials can be stolen by manipulating network traffic without detection or by finding a vulnerability in the software. Usually the larger the company, the easier it will be to get a foothold on the network.
A penetration tester’s perspective | Jordi
The most challenging part of any pentest is also what makes it fun to do: every situation and environment is different. You will need a good process to be able to give the customer a clear view of their current situation. Reconnaissance is the key starting point of any penetration test. Using as many sources as possible, you try to get a complete picture of the environment you are testing. This is the foundation for any further work, and often already yields interesting information right from the get-go.
From a customer's perspective you will nearly always provide crucial information about their security. Either it is very weak and you can easily access the organization's crown jewels, or they have taken a variety of measures which you can now prove the effectiveness of. Of course, as a penetration tester it is important to provide a clear and thorough assessment of the setup that you are attacking. It is also important to mention the less serious risks and less obvious vulnerabilities, because either can become a bigger issue as time progresses.
Personally I have also had the pleasure of doing mystery guest assignments. This is where you combine multiple possible entryways (including physical) into the organization to get to the crown jewels. My personal favorite: dropping infectious USB sticks in restrooms. Close to a guarantee for success.
Luckily a good penetration test is not a wild goose chase. Often (and especially in bigger organizations) you will clearly define the scope and targets of the pentest beforehand. If you take all the right elements into consideration, you can truly boost the security of a customer's assets.
Becoming a pentester
As a penetration tester, you will need to be able to think outside the box, have good knowledge of systems and networking, and understand the concepts of programming so that you can program in any language as required. You like a challenge and will use any means necessary to accomplish your job. In a way, it is like being a kid who outsmarts his parents’ boundaries every time: when you really want something, you will get it. Being challenged with new technology should not scare you; it will motivate you to learn everything about it to see if a mistake has been made somewhere along the line. To show your skill set, you will be able to make a quick proof of concept to demonstrate the impact of the threat.
Interested in getting in touch?
Contact our pen testers at email@example.com