During my time as a Penetration Tester, friends and family often asked me what my job was like, so I thought I would share my story. Keep in mind that this has been my experience, and a rather limited one at that; your mileage may vary.
It all started with me contacting a company via LinkedIn that was looking for junior-level Penetration Testers. I was very excited, as these positions are rarely seen and often highly contested, since many security practitioners are looking for an entry into the world of penetration testing.
The interview process was what one would expect from a typical technical interview, rounded out with questions about what I like to do other than stare at code and read security books. From the interview process I gathered that the company was looking to augment its relatively small group of core Pen Testers and was willing to take someone greener and bring them up to speed.
I spent the first week or two just doing administrative things to get set up, as this was mostly a remote position with a moderate amount of traveling. After getting all of the paperwork and logistics out of the way, it was time for ramp-up. I promptly packed my bags, booked a flight and flew out for a week of training, which covered things such as company policies, tools and test methodologies, along with some hands-on exercises to put it all in perspective; all in all, a fairly solid experience.
With initial training complete, I settled back into my home office, where the remainder of my training took more of an ‘on-the-job’ approach. It’s worth noting that this particular type of job requires a great deal of self-learning, seemingly more than any other job I have encountered: you are constantly ‘in the books’, learning the tools of your trade and ways to improve your tradecraft.
I started off by assisting the other consultants: I would take initial findings/vulnerabilities that had been vetted and put them into an initial draft for the client. This is a fairly straightforward process, as most clients have similar, if not the same, vulnerabilities.
Client reports are where you really spend the majority of your time. This is your bread and butter and is essentially what the client is paying for. It’s your job to provide as much coverage as possible of what the client’s weaknesses are and to make sound recommendations on remediation plans. If you are not adept in the use of Word beforehand, you will be soon enough.
A month or two in, I had penned some reports, done some external/internal network vulnerability tests and tried my hand at web application assessments. External network testing requires a bit of patience. Most companies seem to spend a considerable amount of time and money ensuring that their perimeter is locked down so tight that the security in place drops or denies any suspicious traffic; by and large, this is a good thing.
Your hope on an external test is that you are able to find something, such as a server or web site that was stood up, forgotten or poorly maintained, before a bad guy does. Internal network testing and web application assessments are a completely different story: if external testing is the hard outer crust, internal would be the equivalent of the soft, chewy inside.
The time had come for me to do my first on-site assessment; for me, this was a pretty exciting moment. On-site, we meet up with a short list of IT personnel, managers and executives with a need to know. We set up shop and do a briefing to set expectations and detail the workflow. This is an interesting time, as you can visibly see anxiety set into some of the clients’ faces; this is usually not a fun ‘visit’ for them.
On-sites are also interesting in that you will see personnel who are attempting to champion change in their organization and are looking to you to validate their ideas.
Next steps are really driven by what was negotiated in the contract and what we were given long before we showed up at the door. In my experience, with initial setup done, you proceed to scan the ‘pre-approved’ range of IPs given to you. You will probably use a commercial scanner to do that. This can take a long time, so it’s best to use your down time to accomplish other tasks. The freely available scan tool Nmap is usually spun up shortly after the commercial tool finishes.
Day one is usually setup and scanning, and it concludes with a progress brief at the end of the day. By day two and beyond, you’ve probably finished your scans and now have a rather lofty list of vulnerabilities. Now you work your way through the report, validating and categorizing said vulnerabilities. Validation is usually done with Metasploit; other tools and methods can and will be used as well.
Assuming you have gotten a solid start on this, your teammates may have already chosen a few interesting items from the report that could lead to potential entry points into the organization. The path from here is greatly dependent on the scope of the project and the authorization given. If you had not identified in the initial client contract that you would be doing social engineering or the capture and cracking of passwords, then you probably won’t be doing it.
On-sites typically last for a week, sometimes two. As we near the end of the assessment, we have pretty much categorized all the vulnerabilities and are finishing up our validations. By now your teammates have found some form of access, possibly through default credentials still in use. This initial access allows them to move deeper and more freely within the organization.
The assessment usually concludes with an end briefing and, if need be, a demo for effect. Once you get back home, you catch your breath and start to work on the final report that is due to the client. This is where you wrap up any findings or deficiencies and make your final recommendations.
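The scanning steps above hinge on the ‘pre-approved’ range and on authorization; the following is an added example of the kind of scope check a tester runs before feeding targets to a scanner. It is not code from the original post, and the scope entries and target list are constructed for illustration.

```python
"""Engagement scope check: only hosts inside the pre-approved ranges
may be handed to the scanner. Constructed example, not from the post."""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical scope as it might appear in a rules-of-engagement document.
# RFC 1918 and RFC 5737 documentation addresses; nothing real.
APPROVED_SCOPE = [
    "10.20.0.0/16",   # internal client LAN
    "192.0.2.10",     # a single DMZ host
]


def parse_scope(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn scope strings (CIDR blocks or single addresses) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def in_scope(target: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True only if every address the target denotes lies inside one
    approved network. A bare address becomes a /32 (or /128) network."""
    t = ipaddress.ip_network(target, strict=False)
    return any(t.version == n.version and t.subnet_of(n) for n in nets)


def filter_targets(targets: Iterable[str],
                   scope_entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a requested target list into (approved, rejected).
    Anything that is not a valid address or CIDR (e.g. a hostname) is
    rejected: resolve it first and submit the address, so the scope
    decision is made on what will actually be scanned."""
    nets = parse_scope(scope_entries)
    approved, rejected = [], []
    for raw in targets:
        target = raw.strip()
        try:
            ok = in_scope(target, nets)
        except ValueError:
            ok = False
        (approved if ok else rejected).append(target)
    return approved, rejected


if __name__ == "__main__":
    # Constructed request: a mix of in-scope, out-of-scope and malformed entries.
    wanted = ["10.20.5.7", "10.20.0.0/24", "10.21.0.1",
              "192.0.2.10", "192.0.2.0/24", "printer-01"]
    good, bad = filter_targets(wanted, APPROVED_SCOPE)
    print("approved:", good)   # feed these to the scanner's target list
    print("rejected:", bad)    # raise these with the client before touching them
```

A rejected entry such as 192.0.2.0/24 is refused even though one address in it is approved, because the range as a whole exceeds what the contract covers.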
Even after you hand over the final report there may still be some level of communication with the client if they don’t understand a particular finding or recommendation.
This is what an on-site, internal penetration test looked like to me. I will note that there could be other activities performed, such as wireless audits, firewall reviews, application assessments, physical security and social-engineering events. Again, this is greatly dependent on how the contract was written, the scope, time allotted and budget.
Overall, I found penetration testing to be a very rewarding and challenging experience; I am sure that this was only the tip of the iceberg!