Stuff for new starters in Penetration Testing
Suppose you’ve just started in the industry; congratulations and welcome to the shitshow. Here are some things to consider:
You are a consultant more than a hacker in this role; the computer side is essential, but you are ultimately attempting to play a game of explaining how wrong something is, while breaking that thing, and you get bonus points for actually breaking something of value.
When dealing with your company/organisation/sweatshop:
They mostly all suck in different ways, but they’re usually in one of these flavours:
alert(1) proof of concepts, vague executive summaries, etc.
Sometimes a large organisation will pretend it’s a small organisation when it comes to budget, but a large organisation when it comes to organising the smallest of things. This behaviour can be frustrating, but it is ubiquitous.
The best advice here is to realise that no matter where you go, your workplace will have silly things - different stupid things, but silly things all the same. Learn what silliness you can tolerate, learn what other shops are like, go where makes you the least unhappy.
When dealing with your team:
@general with hello/did everyone have a good weekend. Not only does this waste everyone’s time, but they’ll hate that interruption.
Know that you will get a lot more things done with fewer distractions; optimise to have the least number of distractions, context switches, and other nonsense.
To cite Aaron Swartz of http://www.aaronsw.com/weblog/officespace:
People are always asking me how I manage to get so much done. For a while, I tried to impress them with my pearls of wisdom but soon I just sort of gave up. I don't really feel like I do anything special — I worry about getting stuff done a lot, but mostly I just sort of do it.
It wasn't until I started working in an office that the question begun to make sense. Since I moved to San Francisco I literally haven't gotten anything done. I haven't finished a book (I finished three on the plane out here), I haven't answered many emails (I used to answer hundreds a day), I've written only a couple blog posts (I used to do one a day), and I haven't written a line of code (I used to write whole programs in the evenings). It's a pretty incredible state of affairs.
When dealing with clients:
You probably can’t fix most of them, nor is it your job to fix systemic organisational issues - but you can fight hard to get a better scope for the engagement. Also, remember to be professional; however, to quote a prominent penetration tester at PyCon AU - “Being professional isn’t wearing a suit, it’s giving a shit” [1]
[1] https://www.youtube.com/watch?v=30whGoKOduA
These come in many flavours:
Some tests are pointless and just for compliance. They’ve been looked at a million times; they don’t change; they might even be using good frameworks. You’ll get them and you’ll have to do them; get them done and then move on to something more exciting.
No-credentials / “see what you can do” tests - Sometimes you can salvage these, but ultimately looking at a login page won’t give you much coverage. Fight the client on getting a better scope.
The target just doesn’t matter - Getting a shell on a random VPS which gets zero traffic and has no adjacent access is technically a deficiency but isn’t motivating to test. Fight the client, get a better scope and understanding - you want to be sure this target is pointless before you deem it so.
When dealing with your target:
Some would call it “goals-based testing”, others would just say “doing your job” - The author fits in the latter camp.
When doing anything:
alert(1); do something funky in the app.