Title: What should one pay for a pen test?
Post by: dannioni on February 27, 2008, 07:21:59 AM
I was testing a corp. wireless network, so pen test is an exaggeration; they had WEP and I told them so. So the question is what should I ask for this service? I spent roughly three hours at it, including an info meeting with the CEO and IT dept. boss, and they went on to fix the WLAN themselves, so my involvement ended there, but I will come and check it out once they've switched to WPA. So how much, and how much do education and skill weigh in?

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 27, 2008, 08:10:43 AM
There is no easy answer for this. Every area of the country has different rates at the moment, and even then your personal and company reputation will have a major effect. This is just in the Detroit area, but I'm seeing small businesses paying small security shops in the area of $40 to $60 an hour for general security work.

Title: Re: What should one pay for a pen test?
Post by: BillV on February 27, 2008, 08:21:45 AM
> This is just in the Detroit area, but I'm seeing small businesses paying small security shops in the area of $40 to $60 an hour for general security work.
Are you in the Detroit area?

Title: Re: What should one pay for a pen test?
Post by: sgt_mjc on February 27, 2008, 10:14:16 AM
I bill $50/hr here in Montgomery, but that is for general IT work.

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 27, 2008, 12:09:25 PM
> This is just in the Detroit area, but I'm seeing small businesses paying small security shops in the area of $40 to $60 an hour for general security work.
> Are you in the Detroit area?
For security reasons I will neither confirm nor deny the presence of my physical body as being in Detroit. That being said, traffic on the Lodge was suxx0r this morning, and I'm a Lions fan.

Title: Re: What should one pay for a pen test?
Post by: Mr. Roboto on February 27, 2008, 12:22:40 PM
I agree with sgt_mjc, I'm in Ohio and don't leave the house for less than $50 an hour... and that's for basic PC Support.

Title: Re: What should one pay for a pen test?
Post by: BillV on February 27, 2008, 12:26:55 PM
lmao... I didn't know you may or may not be in the same area as I am. Luckily, I don't drive on the Lodge :) but 275 is always a mess. Unfortunately, I also am a Lions fan :-\

Title: Re: What should one pay for a pen test?
Post by: BillV on February 27, 2008, 12:48:42 PM
> I agree with sgt_mjc, I'm in Ohio and don't leave the house for less than $50 an hour... and that's for basic PC Support.
Yeah, I don't do a whole lot of on-site stuff... just a little bit on the side, but that's typically about what I charge too. Usually $50 to come out, estimate, and include the first hour.

Title: Re: What should one pay for a pen test?
Post by: Kev on February 27, 2008, 02:20:23 PM
Jeeze, you guys are too cheap for security work! $125 to $150 first hour and $75 to $95 each additional hour. Depends on the size of the company. I am in AZ.

Title: Re: What should one pay for a pen test?
Post by: sgt_mjc on February 27, 2008, 02:58:39 PM
As they say in the real estate business... location, location, location.

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 27, 2008, 07:41:34 PM
> Jeeze, you guys are too cheap for security work! $125 to $150 first hour and $75 to $95 each additional hour. Depends on the size of the company. I am in AZ.
I didn't say those were my bill rates, I said those were the rates for the local small firms and independent security guys. The rates for my firm are a bit obscene.

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 27, 2008, 07:42:52 PM
> lmao... I didn't know you may or may not be in the same area as I am. Luckily, I don't drive on the Lodge :) but 275 is always a mess. Unfortunately, I also am a Lions fan :-\
Ok, then it's agreed. Bill and I are going to take turns hacking everything Matt Millen owns...

Title: Re: What should one pay for a pen test?
Post by: BillV on February 27, 2008, 07:48:41 PM
> Ok, then it's agreed. Bill and I are going to take turns hacking everything Matt Millen owns...
HAHA! I'm totally up for that! "FIRE... MILLEN!" I wish they'd just sell the team to someone that actually cares. I think that would make all the difference. That, and maybe we'd get some cheerleaders instead of some goofy flag twirlers :P

Title: Re: What should one pay for a pen test?
Post by: blackazarro on February 27, 2008, 08:13:31 PM
Hmmm, I should start doing small jobs on the side. Extra cash would be nice. I wonder what's the going rate in the Caribbean...

Title: Re: What should one pay for a pen test?
Post by: Mr. Roboto on February 27, 2008, 08:32:22 PM
> Hmmm, I should start doing small jobs on the side. Extra cash would be nice. I wonder what's the going rate in the Caribbean...
Maybe a little sneaky, but check the yellow pages. Call local companies that provide the type of service you want to offer and ask what they charge.

Title: Re: What should one pay for a pen test?
Post by: dannioni on February 28, 2008, 02:06:44 AM
Well, that's another advantage for me, I'm *maybe* the only one in a 100km radius that does these things. I was thinking about roughly 50 dollars, so I've got it confirmed, and I'll see what the feedback is from the customers. And thank you for all the replies, on topic and otherwise :D

Title: Re: What should one pay for a pen test?
Post by: Kev on February 28, 2008, 02:04:28 PM
For general PC work, charging by the hour is usually fine with some kind of cap for the customer. Obviously they are not going to pay you 2 full days of labor to install a simple hard drive.
For security work, you figure what your time is worth and how long you think it will take to do a decent audit. It takes some experience to know how much time you need to spend. Take the amount of hours you feel comfortable with and times that by what the market will handle. Then bid that as a flat rate. In my experience, and I'm sure others' experiences vary, customers want a flat bid. If you just say I charge X amount per hour, they have no idea where you are going to end up and how open ended your charge is going to be. Large firms can bid 10,000 - 50,000 and higher for big clients. But they will often send a group of people as a tiger team. Once in a while we hear stories of a large company charging through the roof only to send in a person that runs a Nessus scan, then prints out a pretty report that's fluffed up to look large and that's it. What's really scary is when you find out that is not just a "story" but what really happened!

Title: Re: What should one pay for a pen test?
Post by: dannioni on February 29, 2008, 06:33:32 AM
I don't just print the Nessus scan, I also tell them they're in deep shit and should probably hire someone to fix it *pointing at self*. Should I charge extra for that?

Title: Re: What should one pay for a pen test?
Post by: Mr. Roboto on February 29, 2008, 07:31:26 AM
Kev's comments make a lot of sense. Sounds right on the money.
I assume a company will have no idea how many hours will be involved in a pen test, too many variables. I'm positive they'll know how much they are willing to pay for it though!

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 29, 2008, 09:12:12 AM
Sadly, I see situations similar to what Kev mentioned all the time. One of our new clients was a victim of this for about 3 years in a row. Gave the work to a VERY large company, and at the end of the year the results looked oddly like Nessus scans copy and pasted into a different format. Last year they tore up the contract and moved over to us. Even within the same company it can really vary by office. We just had an office in another midwest state piss off one of their large customers because they did something along these lines. They had just started a new project for someone else and it was tying up all of their best testers. The management thought they could get away with sending "the B team" over to the old client, kicking off some scans, and then tap dancing through the rest. Our relationship with the customer now resembles a smoking hole in the ground. The managers still planned on sending over the "real" testers before the end of the project to do some good work, but they didn't get the chance as it blew up in their faces before then. Anyway, moral of the story is that you can make your career and reputation by coming in after one of these situations and helping the customer get real value. You get to play the white knight.

Title: Re: What should one pay for a pen test?
Post by: sgt_mjc on February 29, 2008, 09:20:32 AM
The scary thing with Nessus is that it can shut down a network. What are those companies thinking?

Title: Re: What should one pay for a pen test?
Post by: pseud0 on February 29, 2008, 11:14:42 AM
As long as Nessus is on your list of approved tools and they signed the letter of authorization you are fairly safe. We always give an overview of how we configure each of our tools and the possible impact in an effort to educate the customer before they agree to the testing, but you can't predict every possible risk. For example, I was doing pen testing on a state government client early last year, and about 2 in the morning the target I was hitting became unresponsive. I called my emergency point of contact who called the system owner. The next morning we were getting our asses chewed out for being "reckless", and the system owner said we had done permanent damage to the box. We found out later that day that the fans in the server had stopped working about a week before, and we just happened to be touching it when it finally melted down. The system owner was trying to cover his butt by blaming it on us. We didn't get an apology, but they also didn't question our testing methods anymore.

Title: Re: What should one pay for a pen test?
Post by: ChrisG on February 29, 2008, 05:26:10 PM
Yes, Nessus can crash boxes, but those plugins are disabled by default. It is also possible to tweak it and turn stuff on and off by type of check. All that comes from experience and is not covered in your CEH exam :-P Breaking stuff is also possible during scans, VAs, and pentests. The customer should understand that before you start, and any mission critical systems should be given to you for proper care.
pseud0 is right though: if there is an act of God on that network, pray that it doesn't happen while your activities are going on, because you will automatically be at fault; someone else scanning from outside, it was you from the hotel... crap like that. You just need to make sure you know what's going on with your activities and you are on your toes.