moving from teaching to pentesting

This topic contains 7 replies, has 7 voices, and was last updated by  unicityd 4 years, 12 months ago.

  • #8738
     electricbanshee 
    Participant

    I currently teach Server 2012 and CEH v8 for my job, but I am growing weary of the teaching side of it and would like to move on into the actual career of pentesting. The way my mind works is I have to be able to know all aspects of a job to feel comfortable going for it, and I'm curious if my neurosis is justified to begin a career in pentesting. I've taught a 4 week course for CEH recently and realized after designing a huge number of my own labs that I feel I'm beyond the script kiddie stage and I understand how exploits and payloads work. I know a good deal about nmap, metasploit, AV evasion with veil and other more up-to-date methods, definitely not stuck in the older methods taught in CEH. I designed a Hyper-V lab setup and have teaching certs in A+, Net+, Sec+, CTT+, MCT, MCSA, MCSE (410, 411, 412, 413, 414, 415, 416), CASP, and CEH. Am I setting my standard too high for myself? I haven't gone and done a real pentest for a client before because these companies here in Austin won't let people shadow them, so I guess I'm nervous that I wouldn't know what to do. I see my main issue being scripting, which I'm not as strong in, but I do understand the basics by looking at someone's code and seeing how it works, just not coding from scratch. I've been putting this career change off, reading a huge amount of books and videos, but to be honest all of them use the same ole ms08_067_netapi mentality in their material and I'm really not gleaning anything new. Does this mean I should be ready for a jump into the pentesting field, or should I get an actual pentest cert other than CEH? Any advice would be awesome, thanks.

  • #53917
     UNIX 
    Participant

    You could always try to apply for a junior pentester position. Depending on your performance it should be easy to leave the junior status once you have done a couple of penetration tests.

    Did you look at something like Offensive Security’s Penetration Testing with Kali Linux course? It is much more hands-on than CEH and might give you a better idea of how you might perform in a “real” penetration test. Although it is not an advanced course, it should give you a good idea about your current skills and areas where you should improve.

    You could also take a look at the various bug bounty programs that are available (also bugcrowd, hackerone, etc.) to get some more experience and references.

    Are you interested in any particular area?

  • #53918
     electricbanshee 
    Participant

    Thanks for the reply. I suppose my best fit would be network security, as that's where most of my knowledge lies. I haven't tried the Offensive Security courses yet, but they look good.

  • #53919
     impelse 
    Participant

    You are in a good position: you have the knowledge, and now you can shoot with confidence. You just need more practice, like the Offensive Security training.

    You will be fine, very easily.

  • #53920
     The New LT72884 
    Participant

    Thomas Wilhelm operates and runs the Hacking Dojo. Right now, for a very very limited time, he has his intermediate course running at 50% off, so it is $300. It is very informative and you get lifetime access to the material, not just a 30 day time frame.

    http://hackingdojo.com/

    Look at the bottom of the page for more info. In case you don't know Thomas, he is very good at what he does and he has written many books.

  • #53921
     hayabusa 
    Participant

    @The New LT72884 wrote:

    Thomas Wilhelm operates and runs the Hacking Dojo. Right now, for a very very limited time, he has his intermediate course running at 50% off, so it is $300. It is very informative and you get lifetime access to the material, not just a 30 day time frame.

    http://hackingdojo.com/

    Look at the bottom of the page for more info. In case you don't know Thomas, he is very good at what he does and he has written many books.

    He’s also a member here, and we hear from him, from time to time:

    memberlist.php?mode=viewprofile&u=11751

  • #53922
     Grendel 
    Participant

    Did I hear my name? 😉

    To the OP… There are entry-level pentesting jobs available – the job market is sooo short of security professionals that I’ve even seen jobs in the pentesting field asking for anyone with a college degree in IT or networking, and the business would teach them the ropes personally.

    That said, entry level salaries aren’t 6 figures. I would even say that entry level network security jobs RIGHT NOW are paying slightly higher than entry level pentesters, if you need to take salary into consideration. If not, the top tier pay for pentesters is solidly in the 6 figure range, so long term it is a great field to get into.

    Regarding certs…
    Having a CEH is a fine start, and will get you past the HR filters. However, it is the hiring manager that you actually have to convince to hire you. That’s where experience and other courses come into play. Other courses provide you with the hands-on experience… you just have to decide which ones fit your needs.

    Since someone already mentioned my course, let me explain how it works. The course isn’t designed to teach to exams – it’s designed to give students hands-on experience on how to conduct a pentest and become a professional penetration tester. We cover methodology and concepts that include deep-dive discussions… like “how does nmap ACTUALLY conduct network discovery… what are the packets it sends out.” We do this so that the students don’t focus on a tool, but rather pick the appropriate tool based on their current situation within the pentest (for those who don’t know (and sticking with my earlier reference to nmap), nmap scans have very obvious signatures and are easy to block with an IPS).

    That said, having the CEH is a good start, but you need to know the intricacies of the business to be able to convince the hiring manager you are a professional, and not just a paper tiger.

    Regarding coding…
    I hate programming. I cut my teeth using perl as a sysadmin, and rarely wrote more than 20 lines of the stuff. From my experience, coding isn’t required. It helps, but isn’t necessary. Scripting, on the other hand, is invaluable.

    Hope this helps.

  • #53923
     unicityd 
    Participant

    I think the actual pen testing part of your question has been well answered. If you’re motivated to improve your scripting skills, you should check out Codecademy. It has free online interactive tutorials for several languages. If you just want to be able to do basic scripting/automation, the Python tutorials should serve you well. If you’re interested in web app pentesting, you should also check out the tutorials on HTML and JavaScript. Unfortunately, they don’t have tutorials for bash.


Copyright ©2019 Caendra, Inc.
