so you wanna be a pentester - free webinar to show you how

Strategic Security, Inc. © http://www.strategicsec.com/ So You Wanna Be A Pentester Presented By: Joe McCray [email protected] http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray

Upload: joseph-mccray

Post on 28-Nov-2014

DESCRIPTION

I’ll be covering things like:
- Some of the various types of penetration testing jobs
- Education/Certification/Experience/Skill requirements
- Should I have a degree – if so what type?
- Should I have certifications – if so which ones?
- Should I have work experience – if so what type?
- What skills should I have prior to applying?
- Do I need to be a good programmer?
- Where can I get these skills if I’m not currently working in the field?
- Security clearance requirements
- What are good key words to use when searching IT job sites for pentesting jobs?
- What to expect during the interview process
- I’m not in the US, where can I find pentester work abroad?
- How much money can I expect to make as a pentester?
- The good, the bad and the ugly…what the work is actually like day-in and day-out

TRANSCRIPT

Page 1

Strategic Security, Inc. © http://www.strategicsec.com/

So You Wanna Be A Pentester

Presented By: Joe McCray

[email protected]

http://www.linkedin.com/in/joemccray

http://twitter.com/j0emccray

Page 2

You Wanted To Be A Hacker

Page 3

You Found Out You Could Do It Legally

Page 4

Now The Only Question Is…

How?

Page 5

Ok, so you wanna be a pentester

You wanna know what it takes to get into this game

There are 3 major things that you can bring to ANY job

• Education
• Certification
• Experience

Other intangible factors are relevant (ex: work ethic, willingness to learn, etc)

We’ll be focusing on the first 3 for this presentation, but we’ll cover the other areas as well later

Page 6

Education

Page 7

Should You Have A Degree?

Short answer – YES

Is it an absolute requirement – NO

Each year it is however getting harder and harder to get into this field without one

My Recommendation:

If you have the resources (time/money) – go for it!

Having it will never hurt you, but there will be cases where not having it will.

Page 8

What Kind of Degree?

Short answer – Computer Science Degree

Is it an absolute requirement – NO

Will a degree such as an MIS, BIS, CIS or similar degree work – YES

Will a less technical degree work – YES, but you may have to supplement it with certifications and/or experience

Page 9

Do I Need A Degree From A Big Name School?

Short answer – NO

Some companies look highly upon people that have attended high profile schools (ex: Harvard, West Point)

This is usually because they want access to the network you develop while attending that type of school.

They are looking for long term business development opportunities from you because of the network you’ll have developed.

Sometimes it’s because that’s just where they get most of their candidates.

My Recommendation: As long as it’s not a flat-out paper mill – you should be fine wherever you go.

Page 10

How Do I Know If A School Has A Good Program?

Short answer – Most schools don’t have a good program

Most of the schools claim that their program will help you and often times that is flat out wrong.

Most Computer Science programs are too focused on learning your IDE versus learning to program, and even worse there is little focus if any on IT Security.

A lot of graduates of these “Information Security” degree programs can’t do trivial things such as (yes, these are real examples):

• Install a common server (Web, DHCP, File Server, etc)
• Create a simple unprivileged user in Active Directory
• Perform basic Linux commands (ex: list directories, read a file)

Page 11

Can You Be More Specific – about finding a good program

Don’t sleep on Junior/Community Colleges – often times they have VERY technical instructors with real world work experience offering progressive programs at a low cost.

Verify (talk to actual students – not sales people)

Ask if they learned about (meaning actually did something with) the following tools:
• Nmap
• Scapy
• Burp Suite
• OllyDBG/Immunity Debugger

Ask to sit in on a class, and after the class talk to the instructor.

For good technical courses to use as a reference check out:
• http://samsclass.info/
• http://pentest.cryptocity.net/

Page 12

Certification

Page 13

What Certifications Should I Get?

EC-Council
• C|EH, ECSA/LPT

SANS
• GPEN, GWPT, GAWN

Offensive Security
• OSCP, OSWE, OSCE

The trend in the industry is to go after these certifications listed above

They are good, they are very helpful to have during the interview screening process

Page 14

What Certifications Should I Get?

Networking
• CCNA, CCNP

Operating Systems
• MCITP (formerly known as the MCSE), RHCE, SCSA

Programming
• MCPD (formerly known as the MCSD), SCJD, OCA

Although security certs are important, your job will be to help people fix the security problems you find on penetration tests.

You’ll find great value in the certifications above when you actually get to the technical interview.

Page 15

What Certifications Should I Get?

Networking
• CCNA, CCNP

Operating Systems
• MCITP (formerly known as the MCSE), RHCE, SCSA

Programming
• MCPD (formerly known as the MCSD), SCJD, OCA

You don’t need to have all of these certifications, but you really need to be able to show that you have these or close to the functional equivalent levels of knowledge of each of these certifications.

Trust me – this background knowledge is indispensable….

Page 16

These Types Of Courses Are Expensive

These types of courses are expensive….duh!!!! - Way to go Captain Obvious!

Find schools that teach this and be prepared to open up your or your company’s check book.

If you are disciplined you can home study all of this stuff or build a lab environment at home heavily relying on virtualization to learn this stuff.

I’ll cover building a lab later in the presentation.

Page 17

Experience

Page 18

Chicken Before The Egg

You don’t have any experience, and because you have no experience no one will hire you.

Deal with it!

This is NOT going to change!

Get some experience or do something else

Yes I know it’s harsh, but it’s true!

Don’t worry…

I’ll give you some tips in a minute…

Page 19

What are the most important skills to have or get?

Page 20

Important Skills To Have

1. Network Pentesting

2. Web App Pentesting

In the world of pentesters there are a lot more people with “Network” experience than there are with “Web App & other App Related Experience”.

The web app, and other app related areas of pentesting are growing the fastest.

The network area is quite mature (Nessus is 15 years old), and quite frankly the market for NETWORK Pentesters is shrinking.

My Recommendation: Learn network pen, but focus on Web App.

Page 21

What’s A Good Measure Of Important Skills To Have

What’s a good measure of these important skills?

For Network: You should be able to do everything here (and explain it):
http://www.offensive-security.com/metasploit-unleashed/Main_Page

For Web App: You should be able to do every webgoat level – and explain it:
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Being able to explain what is going on when performing pentesting tasks is absolutely critical.

Being able to articulate security issues and their respective fixes is a key skill.

Page 22

Important Skills To Get

Web 2.0 (Ajax, Web Services, etc)

Mobile (generic mobile technologies, enterprise integration, exploitation, etc)

Cloud (IaaS, PaaS, SaaS and specifically how to interact with these technologies)

If your focus is to be prepared for the future of pentesting then you’ll have to get really comfortable with emerging technologies.

Page 23

Where Do I Get Experience

This is the ultimate chicken vs. the egg dilemma

What I recommend you do is to volunteer as a contributor to an Open Source IT Security Project that interests you.

Go to http://sourceforge.net/

Find any IT Security project that interests you and volunteer to assist the developers.

- You can write code for the project
- Debug/Test the project for the developers
- Write documentation for the project (they will love you for this one)

This will put you in the right circles (networking), and give you some tangible/verifiable experience

Page 24

Where Do I Get Experience

Shameless Plug

You can be an intern

Go to: http://it-security-professionals.com/blogs/joemccray/2013/05/cmon-rookies-lets-get-to-work/

http://it-security-professionals.com/become-an-intern/

Page 25

How To Build A Home Security Lab To Get Experience

Build A Lab

1. Start with a virtualization platform (VMWare, VirtualBox, etc)

2. Install the most common OSs
• XP/Vista/Win7/2K8/Win8/2K12/Ubuntu/CentOS

3. Install the most common apps
• Java/Adobe/QuickTime/Flash
• Wordpress
• Joomla
• Drupal

4. Build an IDS (you’ll learn a lot doing this)
• Snort
• Suricata

5. Build a SIEM (you’ll learn a lot doing this)
• AlienVault
• RazorBack

Page 26

What Should I Be Doing In The Lab

Foundation (Network/Web)
• Start with the SecurityTube.net megaprimers for Metasploit and Wireless
• Go through all of the levels in WebGoat

Weekly work
Go to the following websites each week. Download the latest tools and exploits each week and try them against hosts in your lab network
• Exploit-db.com
• Packetstormsecurity.org

Know that you may have to build new virtual machines just so you can attempt to run these new tools and exploits each week.

This is an important thing to do because this is what you’ll need to know when you are actually pentesting. What are the latest or most popular attacks, what apps or platforms do they target, and what do they look like on the wire (IDS).

Page 27

What Programming Languages Do I Need To Know/Learn?

• An Interpreted Language
  • Perl
  • Python
  • Ruby

• Some exposure to modern enterprise development languages
  • .NET
  • Java

• I would recommend more focus on the interpreted languages (at least initially) because you’ll make your own life easier automating testing tasks.

• As you get more experience then yeah I’d say to transition to .NET/Java because you’ll bring more value to your customers

Page 28

What Programming Languages Do I Need To Know/Learn?

• If you are new to programming – start with an interpreted language first

• Perl, Python, Ruby

• Youtube is your friend – the best I’ve seen is from ‘thenewboston’

• Python: https://www.youtube.com/watch?v=4Mf0h3HphEA

• Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg

• Perl used to be the exploit and tool development language of choice

• Now it’s Python and Ruby

My Recommendation: Do 2-3 videos 3 or 4 times a week

Page 29

Security Clearance

Page 30

Do I Need A Security Clearance

Short Answer – NO

Will it help – YES

There is significantly more pentesting related work in the cleared space than outside of it. Something ridiculous like 5-8 times as much.

Easier to get/maintain if you are prior US military.

Difficult to get if you are a regular civilian. You will generally have to come to the table with significant skillsets for organizations to submit you for a clearance as a part of the hiring process.

Basically, you’ll have to come in with a significant amount of (Education, Certification, Experience) that I’ve listed in the previous slides.

They will have to wait close to a year to get you – so you have to be worth it in their eyes.

Page 31

I’ve Got An Issue – Not Too Sure I Can Get Cleared

Maybe you’ve done drugs in the past

Maybe you’ve been arrested before

Maybe you’ve had financial issues

Maybe you are not a US citizen yet

Although these are things that WILL raise issues during the clearance process, they are not flat out show stoppers

The key to the clearance process is they are looking for things in your background that someone may use against you to coerce you to give up secret information.

With the first 3 issues I listed – you are usually ok if that kind of stuff happened at least 5 years prior to your applying for a clearance.

Page 32

What If The Security Clearance Includes A Polygraph

Generally your higher levels of security clearances will often require you to take a polygraph.

The types of questions they ask you get more intrusive the higher level of clearance you are applying for.

My Recommendation: Don’t lie – no matter how bad whatever you did is, or how bad you think it is. Don’t lie!

They aren’t hiring for the boy scouts – having a checkered past won’t necessarily disqualify you, but lying about it will.

Page 33

Where & How To Look For Work

Page 34

Where Do I Go To Look For Pentest Work

Start with IT job sites
• Dice.com
• Monster.com
• Computerjobs.com
• http://it-security-professionals.com/jobs/

Important Lesson: Job Titles Vary Greatly

You may see titles like: IT Security Consultant, Information Security Engineer, Network Security Analyst, and many many more…

My recommendation: Keyword search for pentester tools

Metasploit, Canvas, Core Impact, Burp Suite, nmap, scapy

Page 35

I’m not in the US – Where do I find jobs abroad

Finding Pentesting work outside of the US is much more difficult
- Much more who you know than in the US

Each country will have its respective IT Jobs sites and you should have a look there first, but nothing will be as fruitful as attending International IT Security and HackerCons

Check sites like:
• SECore.info
• http://infosecevents.net/calendar/

Page 36

What Kinds Of Companies Can I Expect To Be Hiring Pentesters?

Defense Contractors

Federal Government (Department of <insert entity here>)
President Obama recently signed an executive order mandating more comprehensive IT Security programs for the federal sector (that means more pentesting in the coming years)

Financial Entities

IT Consultancies

Fortune 1000 companies often have an internal pentest group

Page 37

Even After Doing Everything You Say I Don’t Meet The Job Quals

You need to understand that most of these job reqs are basically wish lists

Taken from real job posting:
• 10 Years experience in IT
• 7 Years experience in IT Security
• 5 Years experience as a Penetration Tester
• CCIE, RHCE, MCSE, C|EH, GPEN
• Top Secret Clearance
• Java, C#, Ajax, XML

For $85,000 a year….gimmie a break

As a team lead - If I can find this guy the only thing I can offer him is my job.

I can’t give this applicant top money, and if he is that qualified…HE ALREADY HAS A JOB!

Page 38

Even After Doing Everything You Say I Don’t Meet The Job Quals

You need to focus on what you bring to the table

Technical knowledge
• It doesn’t matter if it came from your home network
• It doesn’t matter if it came from volunteering to help an open source project
• It doesn’t matter if it came from being an intern
• It doesn’t matter if it came from playing in CTFs

Certifications
• It doesn’t matter if you took courses, or home studied them

Education
• It doesn’t matter if you didn’t go to a big name school
• It doesn’t matter that it’s not a CS degree

My Recommendation: Focus on how you can help the company hiring you. Work ethic, documentation, willingness to learn, etc.

Page 39

Even After Doing Everything You Say I Don’t Meet The Job Quals

We’ve all worked somewhere either for or with someone that wasn’t qualified to be there.

Obviously having the right qualifications isn’t a show stopper when it comes to finding employment.

How well you sell yourself is often more important.

Page 40

What Should I Expect During The Interview

You can generally expect something in the area of 1-4 interviews

The most common process is something similar to:
• Initial Phone Screen
• Generic Interview
• Technical Interview
• On-Site Interview

Page 41

What Should I Expect During The Interview?

People are generally most apprehensive about the technical interview

The biggest thing people need to understand is that you don’t need to get everything right.

If you don’t know the answer to a question – SAY YOU DON’T KNOW THE ANSWER

Interviewers usually just need to know where you are technically.

If you do know all of the answers – don’t be a jerk

Page 42

What Are Some Questions I Should Expect On An Interview?

How do you get to Google.com – be as explicit and detailed as possible?

Interviewer is looking to see you explain how an endpoint connects to a host somewhere on the internet.

Everything from ARP for the default gateway, to local resolver, to dns lookup, to redirection from http to https, to SSL session setup, to data transfer, to termination of the session.

If you want to see some sample pentester interview questions:
http://strategicsec.com/PentesterInterviewQuestions.pdf

Page 43

How much money can I expect to make

How much you can make is heavily dependent upon:
• Job Location
• Job Title (level of seniority)

In most cases non-senior positions will range from $60-$80K USD

Senior positions can range anywhere from $120-$150K USD

Page 44

How About Freelance Work

Freelancing as a pentester is even more difficult to get into (very who you know)

There is a lot of this kind of work, but you really have to know people.

Several IT/IT Security Consultancies get overloaded with work and will contract out to subs (usually 1099-self employed status)

They often need someone with the experience that can represent their company well so they generally hire other people that the pentesters already know.

You can also look on outsourcing websites
• Odesk.com
• E-lance.com
• Vworker.com

Know that the security testing projects on these websites tend to be very small, and often offer very very very very very very very very low pay.

Page 45

I Want To Start My Own Pentest Company

I strongly recommend that you work at a consulting firm before you attempt this!

This is NOT for the faint at heart – you need to understand that you are running a business and all of the things associated with running a business must be done well to have a prayer at success:
• Sales
• Marketing
• Finance
• Research & Development
• Operations

Most businesses fail because there is too much focus on Operations – the actual doing the work, and not really that much thought is put to the other equally important areas

Page 46

The Good, The Bad, & The Ugly

Page 47

The Good

You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!
You get paid to hack!

Did I mention - You get paid to hack!

Page 48

The Good, The Bad, and the Ugly

Documentation

Travel

Lack of training

Crazy Learning Curve

Going through the motions

Page 49

The Bad

Documentation

As a pentester you will often find that nearly 1/3 of your time will be devoted to documentation.

For every 1 week pentest, there are usually 1-2 full days of the assessment dedicated solely to documentation

Page 50

The Bad

Travel

This really depends on the person, and where you work.

Consultants tend to travel a lot. Often times more than 50% of the time.

Staff penetration testers don’t usually travel very much

Web Application Penetration Testers don’t usually travel very much

Page 51

The Bad

Lack of Training

The industry moves so fast – you have to keep up with an industry that changes daily.

Even if you do receive a training class (ex: EC-Council, SANS, Black Hat) once a year

You’ll very quickly find out that this isn’t enough training – not even close

You’ll just have to get used to building/testing/practicing in your home lab

Page 52

The Bad

Crazy Learning Curve

Even with all of the stuff that I’ve told you to do in this presentation, when you actually start working as a penetration tester you’re going to feel like you’ve been thrown to the wolves.

The first few months will be straight hell (especially if you are working for a consulting firm).

The work load is usually pretty heavy, and the learning curve is through the roof.

Page 53

The Bad

Going Through The Motions

One of the complaints from long time pentesters is going through the motions.

Telling the customers the same things over and over and over:
• Use strong passwords
• Patch both system and 3rd party vulnerabilities
• Be sure to do input validation
• Be sure to do output encoding

Page 54

The Ugly

The Ugly – Honestly there is no ugly

Honestly, I love the job. I’d be working at McDonalds if I wasn’t a pentester.

I’m pretty good at incident response, malware analysis, and several other IT Security skills, but at the end of the day I love pentesting.

Page 55

Questions?

Page 56

Contact Me....

Toll Free: 1-866-892-2132

Email: [email protected]

Twitter: http://twitter.com/j0emccray

LinkedIn: http://www.linkedin.com/in/joemccray