Getting out of bed and "real stuff" is supposed to be part of a pentest.
The problem is more the sheer amount of stuff you are supposed to know to be a pentester. Most pentesters come into the field by knowing a bit of XSS, a few things about PHP, and SQL injections.
Then you start to work, and the clients need you to test things like:
- compromise a full Windows network, and take control of the Active Directory server because of a misconfiguration of Active Directory Certificate Services, while dealing with Windows Defender
- test a web application that uses WebSockets, React, Node.js, and GraphQL
- test a WinDev application, with a Java backend on an AIX server
- check the security of an architecture with multiple services that use single sign-on, and Kubernetes
- exploit multiple memory corruption issues ranging from buffer overflows to heap and kernel exploitation
- evaluate the security of an IoT device, with a firmware OTA update and secure boot.
- be familiar with cloud tokens, and compliance with European data protection law.
- Mobile Security, with iOS and Android
- Network: RADIUS, ARP cache poisoning, write a Scapy layer for a custom protocol, etc.
- Cryptography, you might need it
Most of this is actual stuff I had to work on at some point.
Even if you just do web, you should be able to detect and exploit all those vulnerabilities: https://portswigger.net/web-security/all-labs
Nobody knows everything. Being a pentester is a journey.
So in the end, most pentesters fall short on a lot of this. Even with an OSCP certification, you don't know most of what you should know. I heard that in some companies, people don't even try and just give you the results of a Nessus scan. But even if you are competent, sooner or later, you will run into something that you don't understand. And you have max 2 weeks to get familiar with it and test it. You can't test something that you don't understand.
The scanner always gives you a few things that are wrong (looking at you, TLS ciphers). Even if you suck, or if the system is really secure, you can put a few things into your report. As a junior pentester, my biggest fear was always to hand in an empty report. What were people going to think of you, if you work 1 week and don't find anything?