Topic: Just signed up (Read 16117 times)
W4nn4B1337 (Newbie, Posts: 6)
Just signed up « on: March 15, 2008, 12:02:40 AM »
Greetings.
I just wanted to drop a note and say hi. I just signed on here after finding the site doing some research for the CEH exam. I'm scheduled to take it on 3/19. I'm looking forward to talking with you folks so here is a little about me. I've been in the IT biz for over 15 years. The last 10 being part of the IT staff for a large corporate network. My primary duties were vulnerability assessment and patch management. I recently passed the CCNA, net+ and sec+ in 2007 and am very interested in going further into the pentest side of things.
My big question is how to get a job pentesting? Job notices on Monster.com for this sort of thing seem to be a bit light...
Anyway, thanks for having this site up and I'll be digging through it in time.
~Peace
W4nn4B1337 (Newbie, Posts: 6)
Re: Just signed up « Reply #1 on: March 15, 2008, 12:57:38 AM »
I have to add that just looking at the broad spectrum of topics on the CEH is pretty intimidating. The rabbit hole goes pretty deep (not a reference to the Matrix). Do you guys who do this for a living have a specialty or does your employer expect you to be a full expert in all areas? I see the CEH as more of a "framework" to begin building advanced skills from. Is that an accurate assessment?
Manu Zacharia (-M-) (Sr. Member, Posts: 393)
c0c0n Hacking Conference - where hackers unite
Re: Just signed up « Reply #2 on: March 15, 2008, 01:07:42 AM »
First of all Welcome to EH-Net.
Since you have around 15 years of experience and already working with VA and Patch Management, a certification on CEH will put you in the right direction towards a Pen Test Career. CEH will elevate you to a point from where you can start exploring more on PenTest and Ethical Hacking. Wish you all the best and Happy Learning.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor
There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
LSOChris (Guest)
Re: Just signed up « Reply #3 on: March 15, 2008, 07:02:00 AM »
Quote from: W4nn4B1337 on March 15, 2008, 12:02:40 AM
My big question is how to get a job pentesting? Job notices on Monster.com for this sort of thing seem to be a bit light...
we're full, go try something else.
just kidding in all seriousness, the CEH != penetration tester. i cant speak for why there arent that many pentesting gigs on monster but i can speak some of the things you need to know in addition to passing your CEH. you need to know Microsoft, Cisco, a bit about all the different DBs out there, as well as other random third party apps (go google) so you can recommend fixes to the things you find on your assessments. you need to know web programming and really web application security if you want to work for one of the big companies and you need to know all the code fixes. ideally if you find sql injection in an app and get in, given the source you need to find that vulnerable query and help rewrite based on the backend db to be secure. you need to know layer 2 hacking for internal assessments, you need to know all the client side hacking, you should probably know some windows programming so you can write or modify your own tools so they dont get picked up by AV. you need to know how to use all those hack tools and keep up to date with whats going on. oh and learn how to deal with jackass customers and write reports and sit on planes for long ass flights.
i'm sure i forgot a bunch of things but thats a start. Also be prepared to not make the money like people used to doing it. with the prevalence of "hey i passed my CEH now i'm going to go be a pentester" and people working for peanuts sometimes people that have some of those skills dont necessarily get paid according to their knowledge and ability level.
pentesting isnt like running nessus with credentials or the scanner of the month. you've got usually 3-10 days to find the one thing that the old you missed or forgot to do. its a different mindset. i dont know you, so i'm not saying you dont have it, but it is something to keep in mind. most of the guys we have doing the VA work arent real good at or interested in doing the piece that we do.
advice for getting in, if you are sure you want to do this, really sure, be prepared to take a junior role and get mentored and use that time to work on your skills. how much that "junior role" pays will depend a lot on your skills and where you live. do your best to find a place that has people a lot better than you to learn from get your X number of years of experience and hopefully move on to more $$ and different types of networks/apps to audit.
hope that helps
« Last Edit: March 15, 2008, 07:05:58 AM by ChrisG »
Andrew Waite (Hero Member, Posts: 928)
Re: Just signed up « Reply #4 on: March 15, 2008, 09:18:48 AM »
ChrisG,
don't know about anyone else, but I just got the sense that I still have a loonnngggg way to go here. Still, it's always good to have something bring you back to earth to help refocus, thanks.
--
http://www.infosanity.co.uk
--
http://blog.infosanity.co.uk
LSOChris (Guest)
Re: Just signed up « Reply #5 on: March 15, 2008, 11:10:36 AM »
no problem, just trying to put out some of the information i was or would be looking for if i was in the same situation
sgt_mjc (Sr. Member, Posts: 294)
Re: Just signed up « Reply #6 on: March 15, 2008, 11:00:12 PM »
Thanks Chris for reminding me that there really is a lot to know. It brings home one of the things I picked up in my BS and that there is a lot to know in the IT world. It would seem to be more than any one person could be an expert in. What knowledge level would you say a pen tester should be at in the various areas you mentioned like dbs? Thanks again Chris.
Mike Conway
CISSP
CompTia Security +
C|EH
W4nn4B1337 (Newbie, Posts: 6)
Re: Just signed up « Reply #7 on: March 16, 2008, 01:35:28 AM »
Quote from: ChrisG on March 15, 2008, 07:02:00 AM
Quote from: W4nn4B1337 on March 15, 2008, 12:02:40 AM
My big question is how to get a job pentesting? Job notices on Monster.com for this sort of thing seem to be a bit light...
First of all, thanks for taking the time to lay this out. And thanks for hitting on pretty much all of my weak areas. I'm familiar with getting around a Windows based NOS and Cisco networks but never looked at them from the "outside in" or from the hacker's viewpoint. I know about the weaknesses of these systems and know how to mitigate fixing them. However, I never went as far as learning what those exploits were and knowing how to deploy them. This is new turf for me.
With that, I hope you don't mind me asking a few more questions?
Quote
we're full, go try something else.
just kidding
I've been around long enough to know that in all humor there is a hint of truth. I can imagine the field is tight because I can't imagine many IT staffers hiring 3rd parties to break into their systems. I for one am not that willing to learn about my incompetence. (Lots of big egos in the IT backend world.) I imagine that those who hire a team are not usually the IT directors does this = true?
I can imagine that the marketing for a pentest is not mature yet as this seems to be an evolving market. Therefore, not many CEOs are aware of the benefits or even the service. Is that also true? This would equate to a small and tight job market for pentesting I would imagine.
Quote
in all seriousness, the CEH != penetration tester.
Thanks - how do I market myself once I pass the exam?
Quote
i'm sure i forgot a bunch of things but thats a start. Also be prepared to not make the money like people used to doing it. with the prevalence of "hey i passed my CEH now i'm going to go be a pentester" and people working for peanuts sometimes people that have some of those skills dont necessarily get paid according to their knowledge and ability level.
What does the payscale look like?
Quote
pentesting isnt like running nessus with credentials or the scanner of the month. you've got usually 3-10 days to find the one thing that the old you missed or forgot to do. its a different mindset. i dont know you, so i'm not saying you dont have it, but it is something to keep in mind. most of the guys we have doing the VA work arent real good at or interested in doing the piece that we do.
I understand, although I have a VA background it's not where I want to stay.
Quote
advice for getting in, if you are sure you want to do this, really sure, be prepared to take a junior role and get mentored and use that time to work on your skills. how much that "junior role" pays will depend a lot on your skills and where you live. do your best to find a place that has people a lot better than you to learn from get your X number of years of experience and hopefully move on to more $$ and different types of networks/apps to audit.
Excellent advice
Do you usually work "piece meal" or sit on a list waiting to be picked up on a job like a mercenary or something? Are you employed full time with benefits or are you contracted? i.e 1099 etc. I have a family to take care of so would I need another source of income during the "slow" months?
Quote
hope that helps
Great help, and don't mind my screen name - I have to do things like that to keep myself from getting "too" serious sometimes.
LSOChris (Guest)
Re: Just signed up « Reply #8 on: March 16, 2008, 07:07:15 AM »
Quote
I can imagine that the marketing for a pentest is not mature yet as this seems to be an evolving market. Therefore, not many CEOs are aware of the benefits or even the service. Is that also true? This would equate to a small and tight job market for pentesting I would imagine.
i think this is not true and that a lot of people are aware that they "should" in some form or fashion be doing this, whether its from an internal team or an external team. i'm a believer that an external team not tied to the company will 9/10 times give you a more honest look than internal.
Quote
Thanks - how do I market myself once I pass the exam?
that's the biggie actually and the toughie too. not to start the cert debate, but cert whoring will help get your foot in the door. experience, is the 2nd part. i volunteered a lot, i also did all my work with LearnSecurityOnline.com when i was in a job that i wasnt doing straight security, i was doing IT but not security. one way or the other you have to demonstrate experience, lab time helps too. hopefully psedu0 will chime in as well.
Quote
What does the payscale look like?
that depends on where you live. there are cert salary surveys and what not and the CISSP type ranges is where i'd expect to be. lots of companies will say that its based on experience, yadda yadda, thats the nice way to say they are going to screw you on your "get experience job" in the pay category.
Quote
Excellent advice
Do you usually work "piece meal" or sit on a list waiting to be picked up on a job like a mercenary or something? Are you employed full time with benefits or are you contracted? i.e 1099 etc. I have a family to take care of so would I need another source of income during the "slow" months?
i am with a govt contractor, so i am full time. I'm in your same situation and while some people can work doing the 1099 stuff i cant, i need to know how much my check is going to be every month and that its actually going to show up.
best advice/opinion, is to work on getting experience while you learn, you obviously have the background. does the place you work have a security section? can you volunteer or get moved. although in a lot of places the VA section IS the security section. in addition to volunteering, build your lab and start playing, try to build some decently complex networks once you get the hang of the ./exploit stuff. i read a lot on stuff too, some people argue that you need to do more doing than reading, i personally need to see things, so reading helps me but you do have to balance that with a lot of doing. reading doesnt equal doing, but sometimes you dont know what to do if you dont read.
HTH
Chris
W4nn4B1337 (Newbie, Posts: 6)
Re: Just signed up « Reply #9 on: March 16, 2008, 02:59:28 PM »
Thanks for the response and advice - my past VA experience is as a DoD contractor and yes that is the security team. It is mostly reactive/preventative. Have been doing it for a while however, it is not in our contract to provide pentesting services and the interesting thing is it is a bit taboo to mention it. In fact in all the training the Army provides we aren't allowed to have any kind of offensive capability whatsoever. Most of the IT team (especially the security team) consider the network certification guys who do the pen testing as the bad guy in a way. (although they won't say it out loud their attitude shift says enough - people got real nervous!)
After reading some of your blog I see how and why the pentester isn't a welcome sight for the IT team. Whenever the network certification guys came around it was a bit hostile for them. Anyway, thanks again for your help.
LSOChris (Guest)
Re: Just signed up « Reply #10 on: March 16, 2008, 03:30:39 PM »
anytime man
sgt_mjc (Sr. Member, Posts: 294)
Re: Just signed up « Reply #11 on: March 17, 2008, 09:51:46 AM »
Chris,
Where do you work? I'm looking at defense contractors as my next step as I transition out of the military and am always looking for a military/DOD friendly environment.
Mike
Mike Conway
CISSP
CompTia Security +
C|EH
LSOChris (Guest)
Re: Just signed up « Reply #12 on: March 17, 2008, 01:37:35 PM »
i'm in northern VA, plenty of gov contractor work there, plenty of traffic and high housing prices too.
actually there will be gov contractor jobs around any DoD base
sgt_mjc (Sr. Member, Posts: 294)
Re: Just signed up « Reply #13 on: March 19, 2008, 01:47:05 PM »
Yeah, I'm looking in the Huntsville area near Red Stone.
Mike Conway
CISSP
CompTia Security +
C|EH
W4nn4B1337 (Newbie, Posts: 6)
Re: Just signed up « Reply #14 on: March 19, 2008, 10:52:49 PM »
I just passed the exam today
Now I just need to find work!
Anybody need a low rent ethical hacker for hire?