The First Few Months of Penetration Testing: What they don't teach you in School

I entered into school with the hope and dream of someday entering into the information security industry. I obtained a Bachelor of Science in Information Assurance with a focus on Network Security from Eastern Michigan University in December 2010. During my time there I walked into every class absorbing every bit of information I could, then I went home and set up my own environments to play with. My career goal was penetration testing. It didn't start that way, but listening to all the podcasts from industry leaders like Space Rogue, Chris Nickerson, and Paul Asadoorian helped inspire me to seriously examine this role as a career. With every NotACon, HOPE, DEFCON, and BSides that I attended I became more certain that this was in fact the life for me. So I went to my advisors and asked them how to get to point B and began a somewhat accurate path towards that end.

Knowledge I gained from classes is very important. Sometimes you might hear "Oh I'll never use this <insert archaic method from an older book> in the real world", but lo and behold someone decided that it was a fantastic idea to use that method in their production environment, and the only reason I know what it is without having to research it is because some old guy in a polo decided to write about it. Not that it's wrong to use older methods; they were 'secure' and valid at one point in someone's career. What is a bad and insecure configuration now was either the only way to accomplish a certain goal or the best practice at the time. This is the evolution of technology; things change, and we have to change our methods with them.

If it weren't for my professors teaching me how NetBIOS worked, the difference between routing and routed protocols, Active Directory management, Linux configuration, or how to understand subnetting, I seriously doubt I'd be posting here right now. While there are a significant number of self-taught geniuses out there, I am not one of them. Everyone learns in his or her own way, and when just starting out in this field of study, I wanted and needed guidance. Learning firewall and network configuration gives you insight as to why you can't connect to port 445 on another machine on a different subnet. Configuring AD properly tells you what decisions an administrator might have made that could let you do enumeration or privilege escalation. These are all critical skills and knowledge that a penetration tester has to have in order to get in while causing the least amount of harm along the way. Academia taught me these things.

The issue with academia is well known; most of the time it's the former professional or academic looking from the outside in on an industry, making inferences on how to get in or drawing from experience on how they broke in. Most of the time these great minds lack current knowledge on what's needed to perform a job role. This is not to say that academia is useless for getting a job, but it is to say that professors are only one part of the equation in getting in. Community involvement is extremely important, and academia might be what teaches you how to speak the language that the community uses. Schools can't and won't force you to go to your local 2600/DCXXX meeting, drive out to DEFCON with a guy you just met, or hang out in IRC channels.

Academia teaches you all these skills, gives you the opportunities to meet people interested in the same things, and gives you a place to play with techie toys, so what doesn't it give you? Real world expectations. Yes, that's somewhat obvious, but being able to understand the difference between your test network, where you're running ms08-067 against your unpatched version of Win2k3, and what a client is expecting from you on their network is a very difficult leap to make.

A few things I was told within the first week that I've found very valuable over the past few months are:

  • Don't run wild with exploit frameworks against a client's network, as there are safe and unsafe exploits that could seriously damage infrastructure availability
  • Stay in touch with the client constantly, be available at all times and make sure you're receptive to their needs
  • Build a trusting relationship; you are on their side and you want them to know that you feel their pain right along with them, as though this network was your own, after all you've probably been there
  • Be methodical and check everything you possibly can in the amount of time you have
  • Set expectations with every client every time
  • Passion is an expectation, not an exception

A few things I've learned on my own since my start with Trustwave SpiderLabs:

  • Being in the office is the exception, and not the norm. We work at interesting times of the day and night, usually when users are active or database copies are going on
  • Tools are very fallible; just because it works with one environment doesn't mean it will work with a similar environment
  • Tools are about 25% of what's necessary to do your job, the other 75% is between knowing what to look for, knowing how to work with people, continually growing as a consultant, and being accurate

The creative thought process and passion are what's key to being successful. These are the foundations of the hacker spirit. A hacker is not a title one receives when one obtains a diploma; a hacker is born and drawn into this lifestyle no matter the path.

While you can build a process by doing things over and over and making mistakes, and then fixing those mistakes, are you thinking about what you're doing or what that tool you just launched against the client's AD server is doing? Always think about the impact, try to come up with a better way of doing things, and always be learning. I can learn how to configure a router from my intro to networking class, but researching different methods, thinking about the path the packets are taking, and determining a better method will always be what I should do. Academia teaches you how to do, not necessarily how to think. Academia cannot give you passion; you have to be able to summon that from within. You have to accept that there will be weeks where you can't go out with friends, or can't see your kids the way you'd like. You're going to fall flat on your face, you're going to be an intermittent hermit, you're going to learn to code, schmooze, and eat all while troubleshooting a client's network because your connection is getting dropped. Conferences are your vacation, manuals are your bedtime stories, and if they're not, you're probably not a pentester.

With all that being said, always schedule time for yourself.

Feel free to contact me with feedback on this post.

This is by no means a primer on how to get hired at Trustwave SpiderLabs. To quote our Director: "You can teach a hacker how to be a consultant but you can't teach a consultant how to be a hacker."