Strategic Security, Inc. © http://www.strategicsec.com/
So You Wanna Be A Pentester
Presented By:
Joe McCray
joe@strategicsec.com
http://www.linkedin.com/in/joemccray
http://twitter.com/j0emccray
You Wanted To Be A Hacker
You Found Out You Could Do It Legally
Now The Only Question Is…
How?
Ok, so you wanna be a pentester
You wanna know what it takes to get into this game
There are 3 major things that you can bring to ANY job
• Education
• Certification
• Experience
Other intangible factors are relevant (ex: work ethic, willingness to learn, etc)
We'll be focusing on the first 3 for this presentation, but we'll cover the other
areas as well later
Education
Should You Have A Degree?
Short answer – YES
Is it an absolute requirement – NO
Each year, however, it is getting harder and harder to get into this field without one
My Recommendation:
If you have the resources (time/money) – go for it!
Having it will never hurt you, but there will be cases where not having it will.
What Kind of Degree?
Short answer – Computer Science Degree
Is it an absolute requirement – NO
Will a degree such as an MIS, BIS, CIS or similar degree work – YES
Will a less technical degree work – YES
- but you may have to supplement it with certifications and/or experience
Do I Need A Degree From A Big Name School?
Short answer – NO
Some companies look highly upon people that have attended high profile schools:
(ex: Harvard, West Point)
This is usually because they want access to the network you develop while
attending that type of school.
They are looking for long term business development opportunities from you
because of the network you'll have developed.
Sometimes it's because that's just where they get most of their candidates.
My Recommendation:
As long as it's not a flat out papermill – you should be fine wherever you go.
How Do I Know If A School Has A Good Program?
Short answer – Most schools don't have a good program
Most of the schools claim that their program will help you and often times that is
flat out wrong.
Most Computer Science programs are too focused on learning your IDE versus
learning to program, and even worse there is little focus if any on IT Security.
A lot of graduates of these “Information Security” degree programs can't do trivial
things such as (yes, these are real examples):
• Install a common server (Web, DHCP, File Server, etc)
• Create a simple unprivileged user in Active Directory
• Perform basic Linux commands (ex: list directories, read a file)
Can You Be More Specific – about finding a good program
Don't sleep on Junior/Community Colleges – often times they have VERY technical
instructors with real world work experience offering progressive programs at a low
cost.
Verify (talk to actual students – not sales people)
Ask if they learned about (meaning actually did something with the following tools):
• Nmap
• Scapy
• Burp Suite
• OllyDBG/Immunity Debugger
Ask to sit in on a class, and after the class talk to the instructor.
For good technical courses to use as a reference check out:
http://samsclass.info/
http://pentest.cryptocity.net/
Certification
What Certifications Should I Get?
EC-Council
• C|EH, ECSA/LPT
SANS
• GPEN, GWPT, GAWN
Offensive Security
• OSCP, OSWE, OSCE
The trend in the industry is to go after these certifications listed above
They are good, they are very helpful to have during the interview screening process
What Certifications Should I Get?
Networking
• CCNA, CCNP
Operating Systems
• MCITP (formerly known as the MCSE), RHCE, SCSA
Programming
• MCPD (formerly known as the MCSD), SCJD, OCA
Although security certs are important, your job will be to help people fix the
security problems you find on penetration tests.
You'll find great value in the certifications above when you actually get to the
technical interview.
You don't need to have all of these certifications, but you really need to be able to
show that you have these or close to the functional equivalent levels of
knowledge of each of these certifications.
Trust me – this background knowledge is indispensable….
These Types Of Courses Are Expensive
These types of courses are expensive….duh!!!!
- Way to go Captain Obvious!
Find schools that teach this and be prepared to open up your or your company's
check book.
If you are disciplined you can home study all of this stuff or build a lab environment at
home heavily relying on virtualization to learn this stuff.
I'll cover building a lab later in the presentation.
Experience
Chicken Before The Egg
You don't have any experience, and because you have no experience no one will
hire you.
Deal with it!
This is NOT going to change!
Get some experience or do something else
Yes I know it's harsh, but it's true!
Don't worry…
I'll give you some tips in a minute…
What are the most important skills to have or get?
Important Skills To Have
1. Network Pentesting
2. Web App Pentesting
In the world of pentesters there are a lot more people with “Network” experience
than there are with “Web App & other App Related Experience”.
The web app, and other app related areas of pentesting are growing the fastest.
The network area is quite mature (Nessus is 15 years old), and quite frankly the
market for NETWORK Pentesters is shrinking.
My Recommendation:
Learn network pen, but focus on Web App.
What's A Good Measure Of Important Skills To Have
What's a good measure of these important skills?
For Network:
You should be able to do everything here (and explain it):
http://www.offensive-security.com/metasploit-unleashed/Main_Page
For Web App:
You should be able to do every WebGoat level – and explain it:
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Being able to explain what is going on when performing pentesting tasks is
absolutely critical.
Being able to articulate security issues and their respective fixes is a key skill.
Important Skills To Get
Web 2.0 (Ajax, Web Services, etc)
Mobile (generic mobile technologies, enterprise integration, exploitation, etc)
Cloud (IaaS, PaaS, SaaS and specifically how to interact with these technologies)
If your focus is to be prepared for the future of pentesting then you'll have to get
really comfortable with emerging technologies.
Where Do I Get Experience
This is the ultimate chicken vs. the egg dilemma
What I recommend you do is to volunteer as a contributor to an Open Source IT
Security Project that interests you.
Go to http://sourceforge.net/
Find any IT Security project that interests you and volunteer to assist the
developers.
- You can write code for the project
- Debug/Test the project for the developers
- Write documentation for the project (they will love you for this one)
This will put you in the right circles (networking), and give you some
tangible/verifiable experience
Where Do I Get Experience
Shameless Plug
You can be an intern
Go to:
http://it-security-professionals.com/blogs/joemccray/2013/05/cmon-rookies-lets-get-to-work/
http://it-security-professionals.com/become-an-intern/
How To Build A Home Security Lab To Get Experience
Build A Lab
1. Start with a virtualization platform (VMWare, VirtualBox, etc)
2. Install the most common OSs
• XP/Vista/Win7/2K8/Win8/2K12/Ubuntu/CentOS
3. Install the most common apps
• Java/Adobe/QuickTime/Flash
• Wordpress
• Joomla
• Drupal
4. Build an IDS (you'll learn a lot doing this)
• Snort
• Suricata
5. Build a SIEM (you'll learn a lot doing this)
• AlienVault
• RazorBack
What Should I Be Doing In The Lab
Foundation (Network/Web)
• Start with the SecurityTube.net megaprimers for Metasploit and Wireless
• Go through all of the levels in WebGoat
Weekly work
Go to the following websites each week. Download the latest tools and exploits
each week and try them against hosts in your lab network
• Exploit-db.com
• Packetstormsecurity.org
Know that you may have to build new virtual machines just so you can attempt to
run these new tools and exploits each week.
This is an important thing to do because this is what you'll need to know when
you are actually pentesting: what the latest or most popular attacks are, what
apps or platforms they target, and what they look like on the wire (IDS).
What Programming Languages Do I Need To Know/Learn?
• An Interpreted Language
• Perl
• Python
• Ruby
• Some exposure to modern enterprise development languages
• .NET
• Java
• I would recommend more focus on the interpreted languages (at least initially)
because you'll make your own life easier automating testing tasks.
• As you get more experience then yeah I'd say to transition to .NET/Java
because you'll bring more value to your customers
What Programming Languages Do I Need To Know/Learn?
• If you are new to programming – start with an interpreted language first
• Perl, Python, Ruby
• YouTube is your friend – the best I've seen is from 'thenewboston'
• Python: https://www.youtube.com/watch?v=4Mf0h3HphEA
• Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg
• Perl used to be the exploit and tool development language of choice
• Now it's Python and Ruby
My Recommendation:
Do 2-3 videos 3 or 4 times a week
Security Clearance
Do I Need A Security Clearance
Short Answer – NO
Will it help – YES
There is significantly more pentesting related work in the cleared space than
outside of it. Something ridiculous like 5-8 times as much.
Easier to get/maintain if you are prior US military.
Difficult to get if you are a regular civilian. You will generally have to come to the table
with significant skillsets for organizations to submit you for a clearance as part of
the hiring process.
Basically, you'll have to come in with a significant amount of (Education,
Certification, Experience) that I've listed in the previous slides.
They will have to wait close to a year to get you – so you have to be worth it in their
eyes.
I've Got An Issue – Not Too Sure I Can Get Cleared
Maybe you've done drugs in the past
Maybe you've been arrested before
Maybe you've had financial issues
Maybe you are not a US citizen yet
Although these are things that WILL raise issues during the clearance process
they are not flat out show stoppers
The key to the clearance process is they are looking for things in your
background that someone may use against you to coerce you to give up secret
information.
With the first 3 issues I listed – you are usually ok if that kind of stuff happened at
least 5 years prior to your applying for a clearance.
What If The Security Clearance Includes A Polygraph
Higher levels of security clearance will often require you to take a
polygraph.
The types of questions they ask you get more intrusive the higher the level of
clearance you are applying for.
My Recommendation:
Don't lie – no matter how bad whatever you did is, or how bad you think it is.
Don't lie!
They aren't hiring for the boy scouts – having a checkered past won't necessarily
disqualify you, but lying about it will.
Where & How To Look For Work
Where Do I Go To Look For Pentest Work
Start with IT job sites
• Dice.com
• Monster.com
• Computerjobs.com
• http://it-security-professionals.com/jobs/
Important Lesson: Job Titles Vary Greatly
You may see titles like: IT Security Consultant, Information Security Engineer,
Network Security Analyst, and many many more…
My recommendation: Keyword search for pentester tools
Metasploit, Canvas, Core Impact, Burp Suite, nmap, scapy
I'm not in the US – Where do I find jobs abroad
Finding Pentesting work outside of the US is much more difficult
- Much more who you know than in the US
Each country will have its respective IT Jobs sites and you should have a look
there first, but nothing will be as fruitful as attending International IT Security and
HackerCons
Check sites like:
• SECore.info
• http://infosecevents.net/calendar/
What Kinds Of Companies Can I Expect To Be Hiring Pentesters?
Defense Contractors
Federal Government
(Department of <insert entity here>)
President Obama recently signed an executive order mandating more
comprehensive IT Security programs for the federal sector (that means more
pentesting in the coming years)
Financial Entities
IT Consultancies
Fortune 1000 companies often have an internal pentest group
Even After Doing Everything You Say I Don't Meet The Job Quals
You need to understand that most of these job reqs are basically wish lists
Taken from a real job posting:
10 Years experience in IT
7 Years experience in IT Security
5 Years experience as a Penetration Tester
CCIE, RHCE, MCSE, C|EH, GPEN
Top Secret Clearance
Java, C#, Ajax, XML
For $85,000 a year….gimmie a break
As a team lead - If I can find this guy the only thing I can offer him is my job.
I can't give this applicant top money, and if he is that qualified…
HE ALREADY HAS A JOB!
Even After Doing Everything You Say I Don't Meet The Job Quals
You need to focus on what you bring to the table
Technical knowledge
• It doesn't matter if it came from your home network
• It doesn't matter if it came from volunteering to help an open source project
• It doesn't matter if it came from being an intern
• It doesn't matter if it came from playing in CTFs
Certifications
• It doesn't matter if you took courses, or home studied them
Education
• It doesn't matter if you didn't go to a big name school
• It doesn't matter that it's not a CS degree
My Recommendation:
Focus on how you can help the company hiring you. Work ethic, documentation,
willingness to learn, etc.
Even After Doing Everything You Say I Don't Meet The Job Quals
We've all worked somewhere either for or with someone that wasn't qualified to
be there.
Obviously having the right qualifications isn't a show stopper when it comes to
finding employment.
How well you sell yourself is often more important.
What Should I Expect During The Interview
You can generally expect something in the area of 1-4 interviews
The most common process is something similar to:
• Initial Phone Screen
• Generic Interview
• Technical Interview
• On-Site Interview
What Should I Expect During The Interview?
People are generally most apprehensive about the technical interview
The biggest thing people need to understand is that you don't need to get
everything right.
If you don't know the answer to a question – SAY YOU DON'T KNOW THE ANSWER
Interviewers usually just need to know where you are technically.
If you do know all of the answers – don't be a jerk
What Are Some Questions I Should Expect On An Interview?
How do you get to Google.com – be as explicit and detailed as possible?
The interviewer is looking to see you explain how an endpoint connects to a host
somewhere on the internet.
Everything from ARP for the default gateway, to local resolver, to DNS lookup, to
redirection from HTTP to HTTPS, to SSL session setup, to data transfer, to termination
of the session.
If you want to see some sample pentester interview questions:
http://strategicsec.com/PentesterInterviewQuestions.pdf
How much money can I expect to make
How much you can make is heavily dependent upon:
• Job Location
• Job Title (level of seniority)
In most cases non-senior positions will range from $60-$80K USD
Senior positions can range anywhere from $120-$150K USD
How About Freelance Work
Freelancing as a pentester is even more difficult to get into (very who you know)
There is a lot of this kind of work, but you really have to know people.
Several IT/IT Security Consultancies get overloaded with work and will contract
out to subs (usually 1099-self employed status)
They often need someone with the experience that can represent their company
well so they generally hire other people that the pentesters already know.
You can also look on outsourcing websites
• Odesk.com
• E-lance.com
• Vworker.com
Know that the security testing projects on these websites tend to be very small,
and often offer very very very very very very very very low pay.
I Want To Start My Own Pentest Company
I strongly recommend that you work at a consulting firm before you attempt this!
This is NOT for the faint of heart – you need to understand that you are running a
business and all of the things associated with running a business must be done
well to have a prayer at success:
• Sales
• Marketing
• Finance
• Research & Development
• Operations
Most businesses fail because there is too much focus on Operations – actually
doing the work – and not really that much thought is put into the other equally
important areas
The Good, The Bad, & The Ugly
The Good
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
Did I mention - You get paid to hack!
The Good, The Bad, and the Ugly
Documentation
Travel
Lack of training
Crazy Learning Curve
Going through the motions
The Bad
Documentation
As a pentester you will often find that nearly 1/3 of your time will be devoted to
documentation.
For every 1 week pentest, there are usually 1-2 full days of the assessment
dedicated solely to documentation
The Bad
Travel
This really depends on the person, and where you work.
Consultants tend to travel a lot. Often times more than 50% of the time.
Staff penetration testers don't usually travel very much
Web Application Penetration Testers don't usually travel very much
The Bad
Lack of Training
The industry moves so fast – you have to keep up with an industry that changes daily.
Even if you do receive a training class (ex: EC-Council, SANS, Black Hat) once a
year, you'll very quickly find out that this isn't enough training – not even close.
You'll just have to get used to building/testing/practicing in your home lab
The Bad
Crazy Learning Curve
Even with all of the stuff that I've told you to do in this presentation, when you actually
start working as a penetration tester you're going to feel like you've been thrown
to the wolves.
The first few months will be straight hell (especially if you are working for a
consulting firm).
The work load is usually pretty heavy, and the learning curve is through the roof.
The Bad
Going Through The Motions
One of the complaints from long time pentesters is going through the motions.
Telling the customers the same things over and over and over:
• Use strong passwords
• Patch both system and 3rd party vulnerabilities
• Be sure to do input validation
• Be sure to do output encoding
The Ugly
The Ugly – Honestly there is no ugly
Honestly, I love the job. I'd be working at McDonald's if I wasn't a pentester.
I'm pretty good at incident response, malware analysis, and several other IT
Security skills, but at the end of the day I love pentesting.
Questions?
Contact Me....
Toll Free: 1-866-892-2132
Email: joe@strategicsec.com
Twitter: http://twitter.com/j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray

 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 

Semelhante a So you wanna be a pentester - free webinar to show you how (20)

Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
SplunkLive! Paris 2018: Intro to Security Analytics Methods
SplunkLive! Paris 2018: Intro to Security Analytics MethodsSplunkLive! Paris 2018: Intro to Security Analytics Methods
SplunkLive! Paris 2018: Intro to Security Analytics Methods
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 
How I Learnt hacking in High School - BSidesLV - 2015
How I Learnt hacking in High School - BSidesLV - 2015How I Learnt hacking in High School - BSidesLV - 2015
How I Learnt hacking in High School - BSidesLV - 2015
 
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics MethodsSplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
 
How to become a SOC Analyst and build a dream career with it.pptx
How to become a SOC Analyst and build a dream career with it.pptxHow to become a SOC Analyst and build a dream career with it.pptx
How to become a SOC Analyst and build a dream career with it.pptx
 
How to become a SOC Analyst and build a dream career with it.pptx
How to become a SOC Analyst and build a dream career with it.pptxHow to become a SOC Analyst and build a dream career with it.pptx
How to become a SOC Analyst and build a dream career with it.pptx
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
IT Security - TestArmy
IT Security - TestArmy IT Security - TestArmy
IT Security - TestArmy
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations Center
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020
 
Implementing Security Cs Ps
Implementing Security Cs PsImplementing Security Cs Ps
Implementing Security Cs Ps
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 

Último

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

So you wanna be a pentester - free webinar to show you how

  • 1. Strategic Security, Inc. © http://www.strategicsec.com/ So You Wanna Be A Pentester Presented By: Joe McCray joe@strategicsec.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray
  • 2. You Wanted To Be A Hacker
  • 3. You Found Out You Could Do It Legally
  • 4. Now The Only Question Is… How?
  • 5. Ok, so you wanna be a pentester
    You wanna know what it takes to get into this game. There are 3 major things that you can bring to ANY job:
      • Education
      • Certification
      • Experience
    Other intangible factors are relevant (ex: work ethic, willingness to learn, etc). We'll be focusing on the first 3 for this presentation, but we'll cover the other areas as well later.
  • 6. Education
  • 7. Should You Have A Degree?
    Short answer – YES
    Is it an absolute requirement – NO
    Each year, however, it is getting harder and harder to get into this field without one.
    My Recommendation: If you have the resources (time/money) – go for it! Having it will never hurt you, but there will be cases where not having it will.
  • 8. What Kind of Degree?
    Short answer – Computer Science Degree
    Is it an absolute requirement – NO
    Will a degree such as an MIS, BIS, CIS or similar degree work – YES
    Will a less technical degree work – YES, but you may have to supplement it with certifications and/or experience
  • 9. Do I Need A Degree From A Big Name School?
    Short answer – NO
    Some companies look highly upon people that have attended high profile schools (ex: Harvard, West Point). This is usually because they want access to the network you develop while attending that type of school. They are looking for long term business development opportunities from you because of the network you'll have developed. Sometimes it's because that's just where they get most of their candidates.
    My Recommendation: As long as it's not a flat out papermill – you should be fine wherever you go.
  • 10. How Do I Know If A School Has A Good Program?
    Short answer – Most schools don't have a good program
    Most of the schools claim that their program will help you, and oftentimes that is flat out wrong. Most Computer Science programs are too focused on learning your IDE versus learning to program, and even worse there is little focus, if any, on IT Security. A lot of graduates of these "Information Security" degree programs can't do trivial things such as (yes, these are real examples):
      • Install a common server (Web, DHCP, File Server, etc)
      • Create a simple unprivileged user in Active Directory
      • Perform basic Linux commands (ex: list directories, read a file)
  • 11. Can You Be More Specific – about finding a good program
    Don't sleep on Junior/Community Colleges – oftentimes they have VERY technical instructors with real world work experience offering progressive programs at a low cost.
    Verify (talk to actual students – not sales people). Ask if they learned about the following tools (meaning actually did something with them):
      • Nmap
      • Scapy
      • Burp Suite
      • OllyDBG/Immunity Debugger
    Ask to sit in on a class, and after the class talk to the instructor.
    For good technical courses to use as a reference check out:
      • http://samsclass.info/
      • http://pentest.cryptocity.net/
  • 12. Certification
  • 13. What Certifications Should I Get?
      • EC-Council: C|EH, ECSA/LPT
      • SANS: GPEN, GWPT, GAWN
      • Offensive Security: OSCP, OSWE, OSCE
    The trend in the industry is to go after the certifications listed above. They are good, and they are very helpful to have during the interview screening process.
  • 14. What Certifications Should I Get?
      • Networking: CCNA, CCNP
      • Operating Systems: MCITP (formerly known as the MCSE), RHCE, SCSA
      • Programming: MCPD (formerly known as the MCSD), SCJD, OCA
    Although security certs are important, your job will be to help people fix the security problems you find on penetration tests. You'll find great value in the certifications above when you actually get to the technical interview.
  • 15. What Certifications Should I Get?
      • Networking: CCNA, CCNP
      • Operating Systems: MCITP (formerly known as the MCSE), RHCE, SCSA
      • Programming: MCPD (formerly known as the MCSD), SCJD, OCA
    You don't need to have all of these certifications, but you really need to be able to show that you have these, or close to the functional equivalent level of knowledge of each of these certifications. Trust me – this background knowledge is indispensable….
  • 16. These Types Of Courses Are Expensive
    These types of courses are expensive….duh!!!! - Way to go Captain Obvious!
    Find schools that teach this and be prepared to open up your or your company's check book. If you are disciplined you can home study all of this stuff, or build a lab environment at home, relying heavily on virtualization, to learn this stuff. I'll cover building a lab later in the presentation.
  • 17. Experience
  • 18. Chicken Before The Egg
    You don't have any experience, and because you have no experience no one will hire you. Deal with it! This is NOT going to change! Get some experience or do something else. Yes I know it's harsh, but it's true! Don't worry… I'll give you some tips in a minute…
  • 19. What are the most important skills to have or get?
  • 20. Important Skills To Have
      1. Network Pentesting
      2. Web App Pentesting
    In the world of pentesters there are a lot more people with "Network" experience than there are with "Web App & other App Related Experience". The web app and other app related areas of pentesting are growing the fastest. The network area is quite mature (Nessus is 15 years old), and quite frankly the market for NETWORK Pentesters is shrinking.
    My Recommendation: Learn network pen, but focus on Web App.
  • 21. What's A Good Measure Of Important Skills To Have
    What's a good measure of these important skills?
    For Network: You should be able to do everything here (and explain it): http://www.offensive-security.com/metasploit-unleashed/Main_Page
    For Web App: You should be able to do every WebGoat level – and explain it: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    Being able to explain what is going on when performing pentesting tasks is absolutely critical. Being able to articulate security issues and their respective fixes is a key skill.
  • 22. Important Skills To Get
      • Web 2.0 (Ajax, Web Services, etc)
      • Mobile (generic mobile technologies, enterprise integration, exploitation, etc)
      • Cloud (IaaS, PaaS, SaaS and specifically how to interact with these technologies)
    If your focus is to be prepared for the future of pentesting then you'll have to get really comfortable with emerging technologies.
  • 23. Where Do I Get Experience
    This is the ultimate chicken vs. the egg dilemma. What I recommend you do is volunteer as a contributor to an Open Source IT Security Project that interests you. Go to http://sourceforge.net/, find any IT Security project that interests you, and volunteer to assist the developers.
      • You can write code for the project
      • Debug/Test the project for the developers
      • Write documentation for the project (they will love you for this one)
    This will put you in the right circles (networking), and give you some tangible/verifiable experience.
  • 24. Where Do I Get Experience
    Shameless Plug: You can be an intern. Go to:
      • http://it-security-professionals.com/blogs/joemccray/2013/05/cmon-rookies-lets-get-to-work/
      • http://it-security-professionals.com/become-an-intern/
  • 25. How To Build A Home Security Lab To Get Experience
    Build A Lab
      1. Start with a virtualization platform (VMWare, VirtualBox, etc)
      2. Install the most common OSs: XP/Vista/Win7/2K8/Win8/2K12/Ubuntu/CentOS
      3. Install the most common apps: Java/Adobe/QuickTime/Flash, Wordpress, Joomla, Drupal
      4. Build an IDS (you'll learn a lot doing this): Snort, Suricata
      5. Build a SIEM (you'll learn a lot doing this): AlienVault, RazorBack
  • 26. What Should I Be Doing In The Lab
    Foundation (Network/Web)
      • Start with the SecurityTube.net megaprimers for Metasploit and Wireless
      • Go through all of the levels in WebGoat
    Weekly work: Go to the following websites each week. Download the latest tools and exploits and try them against hosts in your lab network.
      • Exploit-db.com
      • Packetstormsecurity.org
    Know that you may have to build new virtual machines just so you can attempt to run these new tools and exploits each week. This is an important thing to do because this is what you'll need to know when you are actually pentesting: what are the latest or most popular attacks, what apps or platforms do they target, and what do they look like on the wire (IDS).
  • 27. What Programming Languages Do I Need To Know/Learn?
      • An interpreted language: Perl, Python, Ruby
      • Some exposure to modern enterprise development languages: .NET, Java
      • I would recommend more focus on the interpreted languages (at least initially) because you'll make your own life easier automating testing tasks.
      • As you get more experience then yeah, I'd say to transition to .NET/Java because you'll bring more value to your customers.
  • 28. What Programming Languages Do I Need To Know/Learn?
      • If you are new to programming – start with an interpreted language first (Perl, Python, Ruby)
      • YouTube is your friend – the best I've seen is from 'thenewboston'
          • Python: https://www.youtube.com/watch?v=4Mf0h3HphEA
          • Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg
      • Perl used to be the exploit and tool development language of choice. Now it's Python and Ruby.
    My Recommendation: Do 2-3 videos 3 or 4 times a week.
  • 29. Security Clearance
  • 30. Do I Need A Security Clearance
    Short Answer – NO
    Will it help – YES
    There is significantly more pentesting related work in the cleared space than outside of it. Something ridiculous like 5-8 times as much. It is easier to get/maintain if you are prior US military, and difficult to get if you are a regular civilian. You will generally have to come to the table with significant skillsets for organizations to submit you for a clearance as a part of the hiring process. Basically, you'll have to come in with a significant amount of the Education, Certification and Experience that I've listed in the previous slides. They will have to wait close to a year to get you – so you have to be worth it in their eyes.
  • 31. I've Got An Issue – Not Too Sure I Can Get Cleared
      • Maybe you've done drugs in the past
      • Maybe you've been arrested before
      • Maybe you've had financial issues
      • Maybe you are not a US citizen yet
    Although these are things that WILL raise issues during the clearance process, they are not flat out show stoppers. The key to the clearance process is that they are looking for things in your background that someone may use against you to coerce you to give up secret information. With the first 3 issues I listed – you are usually ok if that kind of stuff happened at least 5 years prior to your applying for a clearance.
  • 32. What If The Security Clearance Includes A Polygraph
    Generally the higher levels of security clearance will often require you to take a polygraph. The types of questions they ask you get more intrusive the higher the level of clearance you are applying for.
    My Recommendation: Don't lie – no matter how bad whatever you did is, or how bad you think it is. Don't lie! They aren't hiring for the boy scouts – having a checkered past won't necessarily disqualify you, but lying about it will.
  • 33. Strategic Security, Inc. © http://www.strategicsec.com/ Where & How To Look For Work
  • 34. Strategic Security, Inc. © http://www.strategicsec.com/ Where Do I Go To Look For Pentest Work Start with IT job sites • Dice.com • Monster.com • Computerjobs.com • http://it-security-professionals.com/jobs/ Important Lesson: Job Titles Vary Greatly You may see titles like: IT Security Consultant, Information Security Engineer, Network Security Analyst, and many many more… My recommendation: Keyword search for pentester tools Metasploit, Canvas, Core Impact, Burp Suite, nmap, scapy
  • 35. Strategic Security, Inc. © http://www.strategicsec.com/ I‟m not in the US – Where do I find jobs abroad Finding Pentesting work outside of the US is much more difficult - Much more who you know than in the US Each country will have its respective IT Jobs sites and you should have a look there first, but nothing will be as fruitful as attending International IT Security and HackerCons Check sites like: • SECore.info • http://infosecevents.net/calendar/
  • 36. Strategic Security, Inc. © http://www.strategicsec.com/ What Kinds Of Companies Can I Expect To Be Hiring Pentesters? Defense Contractors Federal Government (Department of <insert entity here>) President Obama recently signed an executive order mandating more comprehensive IT Security programs for the federal sector (that means more pentesting in the coming years) Financial Entities IT Consultancies Fortune 1000 companies often have an internal pentest group
  • 37. Strategic Security, Inc. © http://www.strategicsec.com/ Even After Doing Everything You Say I Don‟t Meet The Job Quals You need to understand that most of these job reqs are basically wish lists Taken from real job posting: 10 Years experience in IT 7 Years experience in IT Security 5 Years experience as a Penetration Tester CCIE, RHCE, MCSE, C|EH, GPEN Top Secret Clearance Java, C#, Ajax, XML For $85,000 a year….gimmie a break As a team lead - If I can find this guy the only thing I can offer him is my job. I can‟t give this applicant top money, and if he is that qualified… HE ALREADY HAS A JOB!
  • 38. Even After Doing Everything You Say I Don't Meet The Job Quals
    You need to focus on what you bring to the table.
    Technical knowledge
    • It doesn't matter if it came from your home network
    • It doesn't matter if it came from volunteering to help an open source project
    • It doesn't matter if it came from being an intern
    • It doesn't matter if it came from playing in CTFs
    Certifications
    • It doesn't matter if you took courses, or home studied them
    Education
    • It doesn't matter if you didn't go to a big name school
    • It doesn't matter that it's not a CS degree
    My Recommendation: Focus on how you can help the company hiring you. Work ethic, documentation, willingness to learn, etc.
  • 39. Even After Doing Everything You Say I Don't Meet The Job Quals
    We've all worked somewhere either for or with someone that wasn't qualified to be there.
    Obviously having the right qualifications isn't a show stopper when it comes to finding employment.
    How well you sell yourself is often more important.
  • 40. What Should I Expect During The Interview
    You can generally expect something in the area of 1-4 interviews.
    The most common process is something similar to:
    • Initial Phone Screen
    • Generic Interview
    • Technical Interview
    • On-Site Interview
  • 41. What Should I Expect During The Interview?
    People are generally most apprehensive about the technical interview.
    The biggest thing people need to understand is that you don't need to get everything right.
    If you don't know the answer to a question – SAY YOU DON'T KNOW THE ANSWER
    Interviewers usually just need to know where you are technically.
    If you do know all of the answers – don't be a jerk
  • 42. What Are Some Questions I Should Expect On An Interview?
    How do you get to Google.com – be as explicit and detailed as possible?
    The interviewer is looking to see you explain how an endpoint connects to a host somewhere on the internet: everything from ARP for the default gateway, to the local resolver, to the DNS lookup, to redirection from HTTP to HTTPS, to SSL session setup, to data transfer, to termination of the session.
    If you want to see some sample pentester interview questions: http://strategicsec.com/PentesterInterviewQuestions.pdf
  • 43. How much money can I expect to make
    How much you can make is heavily dependent upon:
    • Job Location
    • Job Title (level of seniority)
    In most cases non-senior positions will range from $60-$80K USD
    Senior positions can range anywhere from $120-$150K USD
  • 44. How About Freelance Work
    Freelancing as a pentester is even more difficult to get into (very who you know).
    There is a lot of this kind of work, but you really have to know people.
    Several IT/IT Security Consultancies get overloaded with work and will contract out to subs (usually 1099-self employed status).
    They often need someone with the experience that can represent their company well, so they generally hire other people that the pentesters already know.
    You can also look on outsourcing websites:
    • Odesk.com
    • E-lance.com
    • Vworker.com
    Know that the security testing projects on these websites tend to be very small, and often offer very very very very very very very very low pay.
  • 45. I Want To Start My Own Pentest Company
    I strongly recommend that you work at a consulting firm before you attempt this!
    This is NOT for the faint of heart – you need to understand that you are running a business, and all of the things associated with running a business must be done well to have a prayer at success:
    • Sales
    • Marketing
    • Finance
    • Research & Development
    • Operations
    Most businesses fail because there is too much focus on Operations – actually doing the work – and not really that much thought is put into the other equally important areas.
  • 46. The Good, The Bad, & The Ugly
  • 47. The Good
    You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack!
    Did I mention - You get paid to hack!
  • 48. The Good, The Bad, and the Ugly
    • Documentation
    • Travel
    • Lack of training
    • Crazy Learning Curve
    • Going through the motions
  • 49. The Bad: Documentation
    As a pentester you will often find that nearly 1/3 of your time will be devoted to documentation.
    For every 1 week pentest, there are usually 1-2 full days of the assessment dedicated solely to documentation.
  • 50. The Bad: Travel
    This really depends on the person, and where you work.
    Consultants tend to travel a lot, oftentimes more than 50% of the time.
    Staff penetration testers don't usually travel very much.
    Web Application Penetration Testers don't usually travel very much.
  • 51. The Bad: Lack of Training
    The industry moves so fast – you have to keep up with an industry that changes daily.
    Even if you do receive a training class (ex: EC-Council, SANS, Black Hat) once a year, you'll very quickly find out that this isn't enough training – not even close.
    You'll just have to get used to building/testing/practicing in your home lab.
  • 52. The Bad: Crazy Learning Curve
    Even with all of the stuff that I've told you to do in this presentation, when you actually start working as a penetration tester you're going to feel like you've been thrown to the wolves.
    The first few months will be straight hell (especially if you are working for a consulting firm).
    The work load is usually pretty heavy, and the learning curve is through the roof.
  • 53. The Bad: Going Through The Motions
    One of the complaints from long time pentesters is going through the motions: telling the customers the same things over and over and over:
    • Use strong passwords
    • Patch both system and 3rd party vulnerabilities
    • Be sure to do input validation
    • Be sure to do output encoding
  • 54. The Ugly
    The Ugly – Honestly there is no ugly
    Honestly, I love the job. I'd be working at McDonald's if I wasn't a pentester.
    I'm pretty good at incident response, malware analysis, and several other IT Security skills, but at the end of the day I love pentesting.
  • 55. Questions?
  • 56. Contact Me....
    Toll Free: 1-866-892-2132
    Email: joe@strategicsec.com
    Twitter: http://twitter.com/j0emccray
    LinkedIn: http://www.linkedin.com/in/joemccray