Pentesting

Thanks for popping up this thread…
This topic really brings me back in time to a long time ago.
I stopped pentesting back in 2005, so sorry if my opinions may sound quite “aged”, but I think that some of the messages are still valid…
At that time, where I live it was almost impossible to pay the bills with IT security, so I used to spend only my “spare time” on this part of the field…
Instead, nowadays, pentesting is often a well-rewarded job and has got a new shiny “cyber” look. Saying you are a “red teamer” or a “pentester” makes you cool, but I cannot hide from myself the four lessons I learnt back in the late nineties and early 2k’s…

  1. Pentesting is 50% editing report templates and reviewing presentations, and only the remaining half is actually exploiting system vulnerabilities: being able to drill into AD is completely senseless if you are then unable to explain to the decision makers how you did it and what should be fixed. It is indeed fascinating and enjoyable, but do not expect to be paid for hacking the s**t out of a system. You’ll (eventually) get paid for the information you’ll give back to the client. And, believe it or not, most of the time you will end up with a lot of unknowns. You are usually paid for the pentest itself, not for the sheer number of vulnerabilities you find…
  2. Spotting exploitable vulnerabilities and actually exploiting them are two hugely different things: a white hat is usually not expected to gain root on a system unless explicitly asked to. And this usually comes AFTER a preliminary report is handed over to the customer. Black box pentests without agreed objectives were exceptionally rare at that time, as they are nowadays. This means that 99 times out of 100 you will have to resist the temptation of making that little step ahead that may not be well appreciated by the system or application owners. Getting a sneaky eye inside to understand and explain the effective impact of a vulnerability is relevant. Showing that you were able to download the whole contents of their CEO’s mailbox is not.
  3. Pentesting should always be done as teamwork. I know none but a few exceptionally talented guys who are able to take the whole monkey on their shoulders and do a good job. If you want to pentest, consider that your skills as a team are often much more valuable than the sum of each one’s skills. Moreover, you will end up being stuck sooner or later, and another approach will seldom come from yourself “at will”. Here we’re used to CTFs, and we know that the system must be exploitable. We can be noisy, we can reset the machine, we can do a lot of things that usually are not allowed during a real-life pentest. So it’s important to have access to specialized skills. I am a potato at coding, not bad at finding footholds, but I am (maybe better to say that I was) good at finding privesc paths once in. Without the help of someone able to code my intuitions I would never even have been capable of reporting a DLL injection…
  4. Sometimes pentesting means something not strictly related to IT systems. No matter what you are looking at, remember that, 99.9% of the time, a system is built to allow some type of interaction with humans, and social engineering is a completely legitimate attack vector. If you see that you could easily trick someone into providing you access, consider it as a potential attack vector exactly as you would consider a www-exposed CVE. I know it is not that fascinating to write in the report that you were able to gain access thanks to an employee who provided you their credentials. My old-fashioned approach tells me that the term “cybersecurity” somehow lacks the depth of the whole “IT security”. Needless to say, the surrounding “Information Security” is broad enough to also include printout management, labial recognition, eavesdropping and lockpicking. You really do not want to dive into the vast ocean of physical security during a pentest, but if getting access to an IT infrastructure can be easily done by simply asking a receptionist to let you have a look into the network cabinet and link up your Raspberry Pi… it is worth reporting.

Those are my opinions, and I am sorry in advance if some of the exceptionally talented guys that are here on HTB may disagree or consider my words “shortsighted” or worse… I know the IT Sec community has grown a lot in the last few years, and eventually became a less inclusive world than it was back in the past… I hope no one will feel offended by my not saying that everything is gold and diamonds.
I still work in IT security, even if I am no longer a professional pentester, hence I’m here on HTB just for fun and learning, but I truly believe that our world will need all of the devotion and passion that any of you (us?) can pour into it.
Because if you start considering the “cost opportunity” of being a white hat… you’ll be easily tempted to switch to the dark side!