
First Pen Test

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Feb 25, 2009 12:27 pm

First Pen Test

I know lots of people are asking how to get into EH. We have spoken a lot about the training and such, but how did you get your first break into Pen Testing?

I'll start...

Prior to my first gig I did the things suggested by everyone else, set up a lab, lots of reading, and took some training.

I had a friend who worked for a company that provided a nice little web site and community related to their industry. The community around his site was something that is in line with my company's business, so I joined. When I set up my account I put some funky characters in my name to see how they would be rendered and found that there was an XSS vulnerability. I promptly changed my name to something normal and let my developer friend know there was an issue.

They weren't totally sure of the risk, but I informed him of XSS and its dangers. I told him that, among other things, XSS would allow me to steal his session cookie and interact with the site as him. I got the written go-ahead from his company to do a POC (Proof of Concept) and hijacked his session. I sent a message to myself from him to show that I had been in. I promptly deleted my cookies and all such information.

They were intrigued with this and we had a phone conversation. They asked that I submit a proposal. I had worked for a consulting business before, so I had experience with proposals, but not of this nature. Off to Google I went to research. I spent a lot of time making sure that I got everything down, including the rules of engagement and the get-out-of-jail-free card. At this point I didn't do insurance or the other legal stuff since it was rather informal (benefits of dealing with a smaller company). However, I do recommend getting legal paperwork in order to protect yourself and to make sure that everything is defined in writing.

After a few conversations and iterations of the proposal they hired me to do a test of the site and internet-facing devices. I did it at a lower rate since this was going to be my first formal pen test outside of my day job. I just wanted to be able to add it to my resume and get some more experience. I slightly underbid on hours and spent extra hours to make sure it was the best I could possibly do. I delivered the report to them with findings in the web app and their internet-facing devices.

I made sure that the report was the best I could do. If you can't communicate the risk and mitigation strategies, then the whole test is not going to be of help to the business. All my internal experience had been with less formal reports. Getting this down was the one part I didn't practice. Seriously, who practices writing reports? I spent a lot of time researching report formats and such. After all that work I submitted the report. I spent three times as many hours on the project as I had bid, but I knew that going in. (BTW, bidding is a tough thing to get down, but I had experience with that. Rule of thumb: take a guess, then double it.)

All in all they were very pleased. I got paid, had lots of fun, and have been able to leverage that into additional gigs.

Google took a while to find the relevant info, but it was a great help. It will take lots of digging to find the relevant structure. Ultimately, the GPEN training from SANS was able to help validate my report structure, negotiation and the other non-technical portions. The class also gave me some additional tools to put under my belt. (I highly recommend it.)

Sorry, but I can't post the proposal or report.

Hope that helps.
twitter.com/timmedin | http://blog.securitywhole.com
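The finding described in the post above (a display name rendered into the page without encoding, and a session cookie that script on the page could read) is a classic stored XSS. The following is an added example, not code from the poster or from the site he tested, showing the vulnerable rendering beside its fixed form and the cookie attributes that limit what a successful injection can reach. All function names and sample values are constructed for illustration.

```javascript
// Added example (not from the thread): a user-controlled display name as an
// XSS sink, and the two mitigations the post's finding points to: output
// encoding and an HttpOnly session cookie. Names and values are constructed.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the display name is concatenated straight into the markup,
// so any tags or attributes in the name become part of the page.
function renderProfileUnsafe(displayName) {
  return `<h1>Welcome, ${displayName}</h1>`;
}

// Fixed: the same template, but the untrusted value is encoded first and
// the browser shows the characters literally instead of parsing them.
function renderProfileSafe(displayName) {
  return `<h1>Welcome, ${escapeHtml(displayName)}</h1>`;
}

// Session cookie attributes. HttpOnly keeps document.cookie from exposing
// the session id even if script injection succeeds somewhere on the page;
// Secure and SameSite limit where the cookie travels.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review aid: flag stored names containing markup metacharacters so the
// "funky characters" probe the post describes is visible in a data audit.
// This is a detection check, not a substitute for encoding on output.
function nameLooksLikeMarkup(displayName) {
  return /[<>"'&]/.test(String(displayName));
}

// Constructed sample name of the kind the poster describes trying.
const probeName = '<i onmouseover="probe()">Tim</i>';

console.log(renderProfileUnsafe(probeName));   // tags survive into the page
console.log(renderProfileSafe(probeName));     // tags rendered as text
console.log(sessionCookieHeader("constructed-session-id"));
console.log(nameLooksLikeMarkup(probeName), nameLooksLikeMarkup("Tim Medin"));
```

Encoding belongs at the point of output, in the context the value lands in (element body here; attribute, URL and script contexts need their own encoders), and the cookie flags are defence in depth rather than a fix for the injection itself.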
Artful Dodger

Newbie

Posts: 43

Joined: Tue Apr 29, 2008 8:58 am

Post Wed Feb 25, 2009 5:23 pm

Re: First Pen Test

I think this is a good post. All too often people don't like to explain the details of what they go through. And sometimes the business side of it is shrouded in secrecy. In reality, the profession is so new that ANYONE that can get out there and make some type of change, build process, get the word out, for a group (like this site) can change what pen testing will be like in 10 or 20 years. It's all the little things. Sharing honest info like this can help refine the profession that needs some serious refining:)
CISSP, C|HFI, Security+, Network+, XYZ...blah.
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Feb 25, 2009 5:42 pm

Re: First Pen Test

I agree. Fantastic addition to the community to get them to start talking more about the process.

Much appreciated,
Don
CISSP, MCSE, CSTA, Security+ SME
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Feb 25, 2009 10:42 pm

Re: First Pen Test

Thanks, I'm glad I could contribute.

There is so much on the technical side of hacking, but no one talks about the business and political side. It boils down to this: you (the pen tester) have to provide value, that is it.

My goal was to convey that it isn't all fun and games just hacking.

On the consulting side only a fraction of the time is spent hacking. Sales, proposals, negotiation, and legal paperwork take a lot of time (and money, since it isn't billable). And even while hacking there is a lot of documentation that has to take place. Also, depending on the gig, half of the billable time is spent putting those findings into a report. Regurgitating Nessus or a report from Core isn't worth it for the business. They can run those tools themselves.

Everyone seems to dwell on the fun hacking part, but I don't think that the people who want to get into the business understand that there is a lot of non-hacking work involved. If they aren't willing to put in the time on the business side of things then it won't work out for them.
twitter.com/timmedin | http://blog.securitywhole.com
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Feb 26, 2009 12:30 am

Re: First Pen Test

I talk about this a lot in DIY Career in Ethical Hacking and how there is an entire industry for pen testing. An industry can't survive on tech gurus alone. We need execs who own businesses, sales people to bring in the job that the tech guys work on, marketing to bring those leads to the sales force... and just like any other industry, there's press. That's where EH-Net comes in.

Imagine the other duties required to make this site what it is. Of course there's a technical component, but what about writing, editing, advertising, getting all those monthly giveaways, keeping up with all those damned 2.0 technologies to keep the site growing, contracts, plagiarism, forum spammers, speakers, venues, more contracts... the tech part of my brain is being overrun by business needs.

But what must be understood is that although I am not HD Moore or Dan Kaminsky, it is OK. I truly feel I have a valuable place in the industry and that I'm contributing greatly to its maturity. That makes it sustainable for the next crop, who are just interested in the tech, to do only what they love before they too end up on the business side of the equation.

The rewards are different, but there are rewards. I work more hours than if I still just had my cushy government job, but I wouldn't have it any other way.

Hope that wasn't too off-topic.

Don
CISSP, MCSE, CSTA, Security+ SME
NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Thu Feb 26, 2009 5:35 am

Re: First Pen Test

I found that useful Don. I'm not a penetration tester yet, but my day job is as an analyst/programmer and there is a component of documentation that needs to happen in addition to doing the fun technical stuff. Currently I spend much more time designing and coding than I do documenting, but I'd imagine that perhaps for pen-testers the documentation and "other" components would be a higher proportion. I'm concerned about this because I would (as I guess most people would) prefer to spend time doing the fun technical stuff. The only place that I can think of where the percentage of research and actually "doing stuff" would be greater than the peripheral stuff would be in a government cyber-security squad or as part of a mercenary cracking group. Perhaps Blackwater-esque cyber security companies might start springing up around the place if they haven't already.

Anyway, just thoughts.
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Feb 26, 2009 6:17 am

Re: First Pen Test

Timmedin,

nice post, thanks for taking the time to share.

The aspect with not practising writing reports was interesting, and I can imagine a lot of new entrants get caught with the same problem (I did first time round and I'm still not entirely comfortable with this aspect of the role). Don't know if you came across this in your research (it's been discussed in these forums before) but Offensive Security have released a sample pen test report which may be of use.
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Feb 26, 2009 8:38 am

Re: First Pen Test

RoleReversal wrote: Don't know if you came across this in your research (it's been discussed in these forums before) but Offensive Security have released a sample pen test report which may be of use.


I didn't know about that sample report, but good link.

For those new people....
I looked at a lot of different sample reports (that I can't seem to find anymore) and I would highly suggest you do the same. In my experience the report style varies from gig to gig. Does the customer just want you to get in deep or do they want a broader attack? What is their goal? How did they sell this project to the business? Is it a vulnerability assessment, a risk assessment, a pen test...? All these words mean different things to different people and the report has to be tailored for the client.
twitter.com/timmedin | http://blog.securitywhole.com
sgt_mjc

Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Thu Feb 26, 2009 8:44 am

Re: First Pen Test

We do both Vulnerability Assessments and Pen Tests here. There is no end to the documentation that goes into either event. The actual time to collect data on an event is nothing next to the time to actually write the report. With that said, we have developed in-house tools using COTS to help us. As far as reports go, you are right that there are many different formats. Our largest customer falls under DIACAP while others fall under HIPAA. Great post Tim.
Last edited by sgt_mjc on Thu Feb 26, 2009 8:46 am, edited 1 time in total.
Mike Conway
CISSP
CompTia Security +
C|EH
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Feb 26, 2009 9:10 am

Re: First Pen Test

For those new people following along, here is a thread on reports.
http://www.ethicalhacker.net/component/ ... ic,3318.0/
twitter.com/timmedin | http://blog.securitywhole.com
Artful Dodger

Newbie

Posts: 43

Joined: Tue Apr 29, 2008 8:58 am

Post Thu Feb 26, 2009 10:45 am

Re: First Pen Test

Here are two random thoughts I've had about pen testing in general. I think I spoke about them before…but oh well, you guys get what you pay for:)

One of the biggest things that can happen is to form a comfortable name for the profession with an identifiable purpose. Meaning, if I talk about hacking to my 10-year-old nephew he thinks “cool, you get to be a clever bad guy! Neat!” And he knows exactly what that word means. If I talk about security analysis or penetration testing his eyes glaze over and he giggles at the word penetration. So what happens when you try to sell to a CEO and add words like Ethical Hacker? It is just plain difficult to explain our world. But if we had some type of easily identifiable person, organization or something that is identifiable in pop culture, it would be so much easier. The mafia has Eliot Ness and the FBI. Cops have Robbers. Yin has Yang. Hackers have “well, we're kinda like hackers, but don't call us hackers, we are info sec professionals and kinda….blah”

And what does this have to do with this post? Who knows…I just felt a rant coming along. But one thing I think would be interesting is to set up a sales section that can define who needs what types of testing (PCI needs….HIPAA needs….), ideas and other things surrounding how to approach these companies. And maybe even a reference part where companies that are doing research can find people they are looking for. This site may already have these things, I just don't remember seeing them…sorry if it is here:)
CISSP, C|HFI, Security+, Network+, XYZ...blah.
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Feb 26, 2009 9:59 pm

Re: First Pen Test

Artful Dodger wrote: Here are two random thoughts I've had about pen testing in general. I think I spoke about them before…but oh well, you guys get what you pay for:)

One of the biggest things that can happen is to form a comfortable name for the profession with an identifiable purpose. Meaning, if I talk about hacking to my 10-year-old nephew he thinks “cool, you get to be a clever bad guy! Neat!” And he knows exactly what that word means. If I talk about security analysis or penetration testing his eyes glaze over and he giggles at the word penetration. So what happens when you try to sell to a CEO and add words like Ethical Hacker? It is just plain difficult to explain our world. But if we had some type of easily identifiable person, organization or something that is identifiable in pop culture, it would be so much easier. The mafia has Eliot Ness and the FBI. Cops have Robbers. Yin has Yang. Hackers have “well, we're kinda like hackers, but don't call us hackers, we are info sec professionals and kinda….blah”


An interesting point. I kicked off another thread on the subject.
http://www.ethicalhacker.net/component/ ... ic,3666.0/

Artful Dodger wrote: And what does this have to do with this post? Who knows…I just felt a rant coming along. But one thing I think would be interesting is to set up a sales section that can define who needs what types of testing (PCI needs….HIPAA needs….), ideas and other things surrounding how to approach these companies. And maybe even a reference part where companies that are doing research can find people they are looking for. This site may already have these things, I just don't remember seeing them…sorry if it is here:)


A job board may not be a bad idea.
twitter.com/timmedin | http://blog.securitywhole.com
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Feb 27, 2009 7:49 am

Re: First Pen Test

Artful Dodger wrote: ... It is just plain difficult to explain our world...


I think you've hit the biggest problem on the head right there.

I struggle to explain most of this to other IT people, when it comes to non-technical folk I've often gone back to 'play with computers' when someone asks what I do, it just makes life simpler...
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Feb 27, 2009 8:41 am

Re: First Pen Test

RoleReversal wrote:
Artful Dodger wrote: ... It is just plain difficult to explain our world...


I think you've hit the biggest problem on the head right there.

I struggle to explain most of this to other IT people, when it comes to non-technical folk I've often gone back to 'play with computers' when someone asks what I do, it just makes life simpler...


This problem isn't specific to our industry. My degree was in electrical engineering and people would ask if I wired houses (No). I would have to explain it and they would still look confused. (My wife didn't understand what I did for the first 3 years we were married.) There was no concept of what an electrical engineer might do; at least with computers people know what they are.

Depending on the person I am talking with I either use Computer Security, Hacker, or Anti-Hacker since that is what they understand and the average person has some comprehension of what those titles mean. (BTW, I don't care about the hacker/cracker debate.)
twitter.com/timmedin | http://blog.securitywhole.com
sgt_mjc

Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Fri Feb 27, 2009 11:09 am

Re: First Pen Test

I describe it as being paid to break into someone's network and computer systems. That usually clears things up a little.
Mike Conway
CISSP
CompTia Security +
C|EH