Mastodon Hillbilly StoryTime: How Can I Become a Pentester?

Friday, September 21, 2018

How Can I Become a Pentester?

After I tell someone that I am a pentester or that I work in InfoSec, the most common question I get asked is if I can help them fix their computer. The second most common question I get is, “How can I become a pentester?”

My answer is usually fairly concise and to the point, “Learn how computers and networks work, learn what rules are in place to protect them, and then learn how to circumvent those rules.” While that answer is fine if I am in a hurry, I thought I might take this time to elaborate a bit more and provide a more helpful answer.


First, let’s take a step back and understand that while the term “pentester” gets used quite often, it is not the only role/position available in Information Security (InfoSec). Within the realm of InfoSec, there are primarily two general categories: “attacker” and “defender”. Within each of the “attacker” and “defender” categories, there are numerous subcategories and roles, all of which are critical to producing and maintaining secure systems, networks, and users. While this article will focus more on the “attacker/pentester” side of the equation, the concepts could be applied to any other role as well.


Does someone need a formal education in Computer Science to become a pentester? Short answer: No! I have been in the InfoSec field, mostly as a pentester, long enough to know that nearly anyone can become a pentester. I have had coworkers that have had formal education in information systems as well as co-workers that used to be auto mechanics or chemical engineers. While a strong education will not go amiss, it is by no means a requirement. If you are willing to learn and educate yourself, you should do fine.

Earlier I mentioned that having a prior education in InfoSec was not a requirement. I would recommend that someone looking to get into InfoSec and people who are already in the field should continue to seek additional education and training. The InfoSec field changes rather quickly and to keep up to date on all the latest vulnerabilities, tools, attacks, and defenses, it is imperative that you continue to educate yourself. That education can come in the form of classic college classes, InfoSec specific training, attending conferences, or performing some self-guided research.


One of the interesting aspects of pentesting and InfoSec as a whole is that no one is great at everything. While most penetsters are somewhat knowledgeable of most aspects of pentesting, each will generally have one or two areas in which they focus. Personally, I prefer social engineering, programming, and red-teaming; however, when it comes to mobile devices, Internet of Things (IoT), and low-level system driver attacks, I will defer to others that know those areas much better than I do. This is a great aspect of the InfoSec field. Since no one needs to know everything, we are all free to specialize as needed and we can get help from others when we encounter a situation where we are less knowledgeable.


As you start your journey toward becoming a pentester, you will find that many times it comes in handy to have a close relationship with a few more senior individuals in the field. Again, this is not necessary for becoming a penster, but it does make certain aspects easier. This is what is typically referred to as “Finding a mentor.” This mentor does not have to be just one person, you could have mentors for each of the various aspects of pentesting you wish to pursue. These mentors can help provide suggestions of tools and techniques to learn, suggestions of classes or training that may be of benefit, and be available to talk with about any other aspect of your career. Now that I have said that, let me also say that, you should not necessarily allow someone else to fully guide your career path or your development. It is up to you to make those decisions and the mentors, if you have any, are there to just provide suggestions as needed.

Talking about training, mentors, and areas of focus are great, but will that get you a job? Probably not by themselves. Most employers will be looking for evidence of your abilities and knowledge. This evidence can come in many forms such as years of experience in the field. If you are reading this I can probably safely assume you do not have years of experience, so what else can you do?  Some employers like to see certain professional certifications on your resume. I will not get into the merits of each particular certification here but suffice it to say that some certifications hold more weight in the pentester field than others. Examples of these are OSCP, OSCE, and OSEE. If you do not have years of experience or the certifications the employers are looking for, my general suggestion is that you start a blog so that you can share samples of your knowledge. This can be write-ups about the latest exploit or vulnerability that is making the news. It could be about a new tool that someone wrote. It could even be a review of an old tool or exploit where you share your views or opinion on it. If you are a researcher, write up blog articles about it. If you are so inclined to be a developer, start a GitHub, GitLab, or similar account where you can host any code or tools you have developed. At the same time, go ahead and write up a blog article about the code or tool.


If you are looking for more pentesting experience without actually breaking the law by attacking other people’s networks, I would suggest participating on Capture the Flag (CTF) competitions. Most of the CTFs are free to participate and other than your time, will not cost you anything. Another great resource is reading the write-ups of other people who have completed other CTFs. Those write-ups may contain new ideas or ways of approaching particular situations that you were not aware of. If you do not want to participate in formal CTFs, there are plenty of other standalone challenges that you can try. Most of these come in the form of downloadable VMs (Virtual Machines). You will download the VM from a site like VulnHub, load up the VM in either VMware or VirtualBox, then attempt to attack the system and achieve the specified goal. Here again, many of these will have write-ups written by other people who have completed them already.


If you are more into research, then set up a home lab. This lab could be a VM server if you are focused on operating systems or electronics gear if you are interested in hardware hacking. In both cases, I would not recommend going out and spending lots of money. You can usually run several VMs from whatever laptop or desktop you already have. As for hardware labs, you can usually get started with just a few cheap items like a soldering iron, a logic analyzer, and a UART and JTAG connectors. Obviously, this is not everything you may need, but it should get you started. Now, what about targets to attack/research? For operating systems, most of us have at least 1 Microsoft system we can possibly target, and most Linux operating systems are free to download and use. If you want to attack hardware devices, eBay, second-hand stores and garage sales can be great resources for cheap equipment to buy and attack.


Personally, I have a blog, a GitHub account, and I enjoy giving presentations at InfoSec conferences. Presenting at conferences is not something that everyone enjoys, but if you do not mind, it is a great way to present yourself to the industry, share your knowledge with everyone, and possibly get to meet potential employers. I have met so many amazing people because of my presentations and people coming up to talk to me afterward.

As a final suggestion, do not forgo developing your “soft skills” such as public communication and writing. Regardless of the path your career takes, these skills will serve you well whether it is in a job interview, presenting a report to a customer, writing a report, presenting at a conference, or even writing your resume. Ultimately, it does not matter how awesome your exploit was, or how many years of personal experience you have, if you cannot convey your ideas to others, it will mean very little.

No comments: