So, You Want to be a Pen-Tester?

As I sat behind my desk, preparing for my first penetration test, a wave of sickness and nerves came over me. This was what I had been training for, but the reality of facing a real company's defenses and a vigilant Security Operations Center (SOC) team was troubling.

Unlike the controlled environment of Capture the Flag (CTF) competitions, the consequences of one wrong move felt all too real. The possibility of triggering a DDoS attack due to incorrect settings or compromising an asset outside the designated scope of work weighed heavily on my mind. Taking a moment to collect myself, I took a breath, closed my eyes, and reached for the only remedy I trusted: a cup of Death Wish coffee.

Little did I know its effects, which promptly sent me sprinting to the bathroom.

After washing my hands and composing myself, I returned to my desk, and with trembling fingers, I initiated my very first penetration test. I must confess that when the penetration test was over, it was everything that I hoped it would be and everything I wasn’t prepared for. During the course of being a newbie pen tester, the stress made me lose weight, grind my teeth at night and broke me down mentally. It was something I was not prepared for. The vast amount of knowledge that was necessary, as well as the reports at the end of the pen test, is that, yes, you have to write reports about what you accomplished during the pen test. They also have to be a certain format and make sense to C suite executives who only know how to answer emails and are not tech savvy. Don’t get me wrong, I really enjoyed doing the work, but the beginning was difficult. That is why I am writing to you today.

I want to show you what it takes to be a pen tester before you start your journey. So please sit down, relax, and grab some coffee. Hopefully, it's not Death Wish.

The journey that began with my wife’s laptop.

To guide you on the path of becoming a pen tester, I'll share my journey and the events that followed. It all started with my decision to conduct pen testing activities at home. I needed hands-on experience and familiarity with pen testing tools, so when my wife offered me her old laptop, I saw it as an opportunity. Little did I know, there was much more to it than just having the hardware. I needed pen test software, and after hearing about Kali Linux, I imagined the laptop with the latest version and felt like a real pen tester. However, that feeling was short-lived.

After participating in Capture The Flag competitions and experimenting with exploitable virtual machines, my confidence in pen testing grew. I became adept at wielding the tools and speaking the language of the trade. I invested in Hak5 devices, read numerous books, purchased lock picks, and even conducted Phishing campaigns at work. I went as far as buying a black hoodie just to immerse myself in the role. It all felt real to me at the time. Then, one day, I received the phone call I had been eagerly anticipating—the opportunity to become a pen tester, specifically the sole pen tester for company X.

Company X and Y I broke.

Working with company X had been a long-standing dream of mine ever since attending their conference and being inspired by the talks from seasoned pen testers. Joining company X was a dream come true—an opportunity to not only be part of the company but also to speak at their conferences. I envisioned myself as the go-to person for pen testing expertise.

However, my first pen test experience felt like my first day out of the womb, a lot of flailing around and crying. Despite all the training I had undergone, nothing had prepared me for the reality of a live pen test. I was clueless about network ranges and how DNS worked. In my early attempts, I even accidentally launched a DDOS attack on a client because I overlooked the settings in the vulnerability scanner. Alerts were triggered whenever I scanned the network with NMAP or updated tools. The beginning was rough, with pen tests stacking up every week. Writing reports for concluded pen tests left me feeling inadequate as if clients viewed me as a joke. It's worth noting that when I was hired, I only held a high school diploma and beginner-level IT certifications, with no prior pen testing experience. What saved me was my passion for the field and my ability to learn rapidly.

As time passed, Weight loss and nightly teeth grinding became regular occurrences. You could find me by the riverside park praying that another job became available because I felt like giving up. Amidst the chaos, the world shut down due to COVID-19, and I found myself expecting a baby while navigating the complexities of homeownership.

The pressure mounted as pen tests continued, and though I improved, it wasn't at the level I had hoped for. I seldom obtained domain admin credentials or compromised assets in a manner that wowed the clients. Often, the assets in scope had numerous vulnerabilities, making compromise expected. The situation was exacerbated by the necessity of report writing. If you believe that pen testing is solely about flaunting successful exploits, you're missing the point. It's about meticulous reporting and subsequent remediation. Clients need to understand the actions taken and the measures required to mitigate potential threats. While this may sound straightforward to some, I hadn't written a report since high school—in the '90s.

I am here to report a crime…it’s your report.

After completing the pen tests, the next hurdle was crafting an executive report for C-suite level management, who often lacked understanding of the technical information involved. Following the company's format, I had to meticulously break down findings from critical to high and include mediums and lows. However, lacking experience in report writing, it took me a considerable amount of time to get it right. More often than not, reports were returned for further editing, causing delays and frustration.

The next phase involved sending the report to the client for review. This often led to back-and-forth exchanges, with clients requesting retests on certain findings and subsequent edits to the report. This iterative process added to the already demanding workload of reporting. With the stress of Covid and the chaotic state of the world, I eventually made the decision to transition to a more stable job. Though I look back on my pen testing days with fondness and a sense of accomplishment, I can't help but wish for a different outcome. Working alongside incredibly intelligent individuals in the field was an invaluable experience. However, life doesn't come with a handbook, and sometimes you have to navigate your own path.

Pen to paper. It’s time to be a pen tester.

Thank you for listening to my story. It’s not meant to sway you from pen testing but to help you with my experience and a few rules to help you. I leave you with words of wisdom that will guide you when you are ready to start training to be a pen tester.

Rule 1.) Enjoy life outside of work: Finding joy and balance outside of work is crucial for resilience during challenging times.

Rule 2:) Learn technical writing skills: Developing the ability to effectively communicate findings and recommendations to executives is essential for impactful reporting.

Rule 3.) Take an effective listening course: Enhancing communication skills, particularly listening, can significantly improve interactions with clients and colleagues. The listening institute is a great place to start. “Tell Robert I say hello..”

Rule 4.) Learn basic networking: Understanding fundamental networking concepts like DNS and different network ranges is essential for troubleshooting and problem-solving.

Rule 5.) Build a lab at home: Creating a safe environment for testing tools and experimenting with techniques is invaluable for hands-on learning.

Rule 6.) Continuously learn: Stay hungry for knowledge by reading books, attending conferences, listening to podcasts, and engaging with technical communities.

Rule 7.) Learn to fail: Embrace failures as opportunities for growth and learning, and don't let setbacks discourage you. Effective leaders support their teams through failures.

Rule 8.) Get certified: Investing in certifications such as ethical hacker courses or HTB certifications can enhance your skills and credibility in the field.

Rule 9.) Master different operating systems: Stay versatile by gaining proficiency in various operating systems, with a focus on Linux, which is widely used in penetration testing.

Rule 10.) Communicate openly: Foster strong relationships with your boss and colleagues, and don't hesitate to seek support or express concerns when needed.

Thank you for listening, and I hope this story helps pave the way for pen testing. Now go forth and PWN!!!