A day in the life of a pentester, or is my job is too sexy for me?
As a professional penetration tester I often get asked questions like "What are the top 10 tools you use" or "How do you get to be a pentester". Since I become a SANS instructor more and more these questions come from media and they get to reword my responses to make their story. I would like to post here my direct and accurate answers to some of of questions I have been asked recently.
Q: What are the top five skills that a penetration tester must possess?
A: Interesting question in that we tend to think in terms of a single lone wolf penetration tester, when the truth is that the best engagements are run with teams. Some of the skills that are required on that team are project management, creativity, being methodical, analysis, and writing. They will all need an extensive background in information security, and tend to be very technical in their areas of expertise. Team membership will vary based on the specifics of each engagement, expertise in network testing is not as useful in a wireless or web application test.
Q: Are there typically broad steps that a pen tester follows? Like a playbook that they follow? What do these steps look like?
A: Penetration testers tend to all follow the same high level methodologies, often tailored for a specific organization or engagement. Many of them are free and available for download. Examples are the SANS PenTest methodology, the Open Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP) Testing Guide, and NIST Technical Guide to Information Security Testing and Assessment SP 800-115. The steps are generally:
- planning and logistics;
- reconnaissance and intelligence gathering ;
- identification and enumeration of targets;
- vulnerability assessment and validation;
- exploitation;
- post exploitation - pillaging and pivoting; and
- analysis and report writing.
A superlative pentester knows when to exactly follow the methodology and derived checklist, and when to get creative and document where the team goes off the path.
Q: What three tools are typically first in a pen tester's arsenal?
A: It really depends on the scope and nature of the engagement. The only required tool is the matter most people have between their ears. As my friend James Jardine puts it " I thought it was just a mindset? The rest is just pretty accessories". The honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. Probably not the sexy answers you were expecting. For Internet based testing a port scanner such as massscan, nmap or unicornscan, a vulnerability scanner such as OpenVas or Tenable Nessus, and an exploitation kit such as Core Impact Pro or Metasploit. For web applications, wireless, or other forms of testing the tools are quite different.
The real ingredients for a successful penetration test by a good team are people, process, and technology.
–People with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner.
–Process includes determining the rules of engagement, project management, logistics, scope, policies, procedures, and methodology of the pentest.
–Technology. Finding the tools is not difficult, often they are free and open source readily available for download by anyone. In the hands of a skilled penetration tester they are incredibly useful. In the hands of a wannabe they are a disaster waiting for a place to happen.
Q: What is the single biggest mistake that a pen tester can make?
A: Violating the rules of engagement or going out of scope. The rules of engagement include the laws and ethical guidelines as well as those types of tests that are allowed to be performed in that engagement. The scope are those things that you are allowed to test in that engagement. Going out of bounds on either of these can not only be career limiting, but also freedom limiting. When in doubt always go back to the written rules of engagement and scope. Ask for clarification or modification if required. There is no cheating in penetration testing. Only those things that are illegal, immoral, unethical, or illogical.
I have always described penetration testing as attempting to find an alternative functionality or data. Or identifying an alternative method of accessing functionality or data. Both of these are often not placed there deliberately, but they sure are handy.
I am never quite certain how to respond to the question of how to become a penetration tester. Honestly, it seemed to have found me as a career. My first degree is in political science. However my true interest has always been in exploring new ideas, and playing with things until they broke. Most people I know have found many different paths to this one. The many creative arts and scientific methods required in a team make for eclectic mixes of people that's for sure!
Please let us know what you think are the tools, techniques, and skills required for penetration testing!
Cheers,
Adrien de Beaupré, @adriendb #bsidesottawa
Intru-shun.ca Inc.
If you are in Ottawa or can be nearby and enjoy information security check out bsidesottawa.ca! The conference is 2-3 October 2015.
I will be teaching penetration testing next in Dubai, Florida, and at the Hackfest!
Comments
I would be interested in some past examples of phishing email text. I'd like to test my own users in my organization to see how well I've educated them.
Thank you!
Anonymous
Sep 17th 2015
9 years ago
:-)
Ever since I wrote a chat program on an old TOPS-20 system in High School in the mid-80s only to find the system admins had broken it because being able to read/write from a station that wasn't logged in was a security risk (you could write a fake login prompt, accept a username/password, print out "password incorrect" and disconnect), it was as if a light went on and I began to see the cyber world in a whole new way. Now, when someone is describing the features of some program or showing me a network diagram, I'm often noticing how it might be abused. It's almost as if it's just instinctive.
The key, IMHO, seems to be finding someone with the right mindset, but who also has enough moral character to understand that just because one CAN do something doesn't mean one SHOULD do something... at least not without permission... in writing... :-)
Anonymous
Sep 17th 2015
9 years ago
Anonymous
Oct 6th 2015
8 years ago
I will always answer the question though. After all "the customer is always right". ;)
Your methodology is sound. That's the way I do it and believe most pen testers do it that way.
One key differences between pen testers is the final report. if someone hands you a Nessus report and says "have a nice day", run the other way. Find the tester that takes the time to actually write up findings and provides a detailed and actionable analysis.
--cheers
Anonymous
Oct 9th 2015
8 years ago