17 Dec 2018

Becoming a (better) pentester

In my never-ending quest to learn more about hacking in general, I’ve decided to take on a personal project and bone up on the skills required for penetration testing.

My goal is to follow through the stages of the Penetration Testing Execution Standard (PTES) and collect knowledge on the most-used skills in each area. I will skip around a bit at first to focus on technical skills, but I hope to complete the entire framework.

Never fail due to a lack of effort, because effort requires no skill. - Sam at Financial Samurai

What is PTES?

The Penetration Testing Execution Standard is one of a handful of frameworks designed to give pentesters a roadmap to follow during an engagement. I chose this framework as it seems to be more widely discussed and is freely available. PTES consists of seven major stages:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

It also contains a set of technical guidelines for the actual performance of the testing.

Gather study topics

One of my first tasks is building up a list of study topics within each category. This has involved pulling my SANS GPEN study materials back out, reviewing a couple of Cybrary courses, and pulling topics out of some of the books I’ve collected.

I’ve also been scanning relevant job postings to find out what employers are asking for. As you can imagine, this ranged from downright unhelpful to “Holysh*t, I’ll never be that good!” asks. In general, any employer looking for a pentester is looking for the same basic skill set. Many are looking for experience in web app testing as well, which makes a ton of sense considering the app landscape versus the rather stagnant network landscape. One job asks specifically for “manual pentesting experience.” I wonder if that means RTFM experience?

The typical topics are nmap, nessus, openvas, metasploit, etc., but postings also focus on report writing and client interaction. Having been around the block a time or two, I know those soft skills are likely to have a far bigger impact on clients than technical skills ever will. If the client leaves the engagement with an empty wallet and no idea how to fix what you have found, they did not get what they paid for.

Next Steps

My next post will cover setting up my testing and lab environments. Many have done deep dives into this topic, so I will primarily focus on my setup and issues.