5 things I wish I knew when I started as a junior penetration tester
Posted in Articles on October 31, 2018
Hi, today I’m going to share with you some advice that I wish somebody told me as a beginner penetration tester.
Working on your technical skills is important. But from my experience, mindset and productivity/organizational habits are even more important. They are the basis on which you will build solid technical skills, while maximizing your time and efforts.
The following tips are not exotic or extraordinary. But if you apply them and make them habits, they will help you up your game as a pentester and bug hunter.
Seriously structure your notes
Writing and taking notes is never fun compared to testing for vulnerabilities. But I can’t tell you the number of times I’ve looked for the same information, sometimes wasting hours.
The first step in your ninja hacking journey should be to create a personal knowledge base. Use any tool you prefer. Some options are: note-taking apps like Evernote & Laverna, text files, IDEs, wikis like Dokuwiki, etc.
What matters most is having an organized space where you can add every payload, tool, tip or piece of information you learn.
If you notice that you repeatedly look for the same information, add it too. This can be steps to configure Kali tools to go through a SOCKS proxy, command line options, or how to troubleshoot an issue that you often encounter.
Also, if you have a manager at work and they give you any useful advice, make sure to take notes. Nothing is more annoying than having to repeat yourself.
I’ve trained junior pentesters and gave them this same advice. Of course, they brushed it off only to ask the same questions again and again. Needless to say, I didn’t bother explaining anything extensively anymore, since it was like talking to a wall.
It’s a lot of work. So don’t waste a minute!
Hacking is like chess: the more you do it, the better you get at it.
And it’s a ton of work! Pentesters and bug hunters must be polyvalent and specialized at the same time. It comes from days, weeks, months of training, learning, racking your head with complicated vulnerabilities and concepts until you master them one by one.
But the journey is worth it.
So if you decide to be a ninja hacker, be proactive. Don’t wait for anyone to hold your hand and force you to do the work.
Just don’t waste time playing games or watching TV shows. There is so much to learn and create. So which skill do you have and is unique to you? The world needs it!
Do bug bounty. It’s worth it even if you don’t find anything
Bug bounty hunting is like penetration testing on steroids. It is a lot harder because:
- Generally, only bugs with a real business impact are accepted
- You’re competing against hundreds of other hunters, and only the first one to report a bug is rewarded
As a beginner, you will probably have a hard time finding valid bugs and being the first.
But it doesn’t matter! You will learn so much from what other hunters share (writeups, tools, tips) and from testing different environments and technologies.
I strongly believe that pentesting and bug hunting go hand in hand. Money is a good motivation, but the learning potential in bug hunting is the real prize.
Use templates & checklists. And build on them over time
Reporting can consume a lot of your time and energy on penetration tests. The time spent depends on the deliverables expected by the client and your manager(s).
Bug bounty reports are usually shorter than pentest reports. But no matter the format, you will gain from creating templates of every document and type of test (black box, white box, Web, network, wifi…).
Ideally, your pentest templates would include:
- A list of tests usually performed. Sometimes clients will ask for this, so prepare it in advance
- Results & mitigations for each vulnerability type (XSS, CSRF, XXE…)
- The basic outline of your reports (All sections with your usual page layout)
I’ve been on one-month missions where the actual time spent on penetration testing didn’t exceed a week. We were asked to write, polish and re-write the reports 5 or 6 times.
I’ve also had a long-term client ask for extensive details on tests performed and their results, including negative ones (i.e. tools’ output & proof when no vulnerability was found).
Creating templates and asking both managers and clients to validate them beforehand saved us a lot of time during missions.
Work on automation, it’s never a waste of time
Automate as many tests as possible. It will allow you to save time from menial tasks and use it to test for more complicated, logical bugs that can only be found manually.
Use any programming language you know: Python, Perl, Bash…
Your scripts can be entirely custom made, but it’s not mandatory. You could create wrappers around other existing tools.
The idea is to automate what you already do manually like:
- Testing SSL/TLS, FTP, SSH… with a nice output ready to go to your pentest report
- Looking for subdomains using multiple proven tools
- File & directory brute-force
Also, leverage Burp Intruder and Burp API to test for Web vulnerabilities like Open redirect, Basic authentication brute-force, IDOR, etc.
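As an added example (not code from the original post), here is a small Python wrapper in the spirit of the template and automation tips above: it takes the output of a TLS-scanning tool, flags the items a TLS checklist usually covers, and renders a report-ready Markdown table using per-finding mitigation templates, recording a negative result when nothing is found. The input is a constructed JSON sample in an assumed shape, not the output format of any real tool.

```python
import json
# Added example, not from the original post. The input is a constructed JSON
# shape assumed for illustration, not the output format of any real tool.
SAMPLE_SCAN = json.dumps({
    "host": "app.example.test:443",
    "protocols": {"SSLv3": False, "TLSv1.0": True, "TLSv1.1": True,
                  "TLSv1.2": True, "TLSv1.3": False},
    "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "certificate": {"days_to_expiry": 12, "self_signed": False},
})

# Report template: finding id -> (severity, mitigation), reused across reports.
FINDING_TEMPLATES = {
    "legacy_protocol": ("Medium", "Disable SSLv3, TLS 1.0 and TLS 1.1; offer TLS 1.2+ only."),
    "weak_cipher": ("Medium", "Remove 3DES, RC4, NULL and export-grade suites."),
    "cert_expiring": ("Low", "Renew the certificate and alert on expiry at 30 days."),
    "self_signed": ("Medium", "Deploy a certificate issued by a trusted CA."),
}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "EXPORT", "NULL")

def analyse(raw_json):
    """Map raw scan output to (finding_id, evidence) pairs in checklist order."""
    scan = json.loads(raw_json)
    findings = []
    legacy = sorted(p for p in LEGACY_PROTOCOLS if scan["protocols"].get(p))
    if legacy:
        findings.append(("legacy_protocol", ", ".join(legacy)))
    weak = [c for c in scan["ciphers"] if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(("weak_cipher", ", ".join(weak)))
    cert = scan["certificate"]
    if cert["days_to_expiry"] < 30:
        findings.append(("cert_expiring", f"{cert['days_to_expiry']} days to expiry"))
    if cert["self_signed"]:
        findings.append(("self_signed", "certificate is self-signed"))
    return findings

def render_report(raw_json):
    """Render findings as a Markdown table; a clean scan still records the negative result."""
    host = json.loads(raw_json)["host"]
    rows = [f"### TLS configuration: {host}", "",
            "| Finding | Severity | Evidence | Mitigation |", "|---|---|---|---|"]
    for fid, evidence in analyse(raw_json):
        sev, fix = FINDING_TEMPLATES[fid]
        rows.append(f"| {fid} | {sev} | {evidence} | {fix} |")
    if len(rows) == 4:  # no findings: keep the negative result for the client
        rows.append("| none | - | all checks passed | - |")
    return "\n".join(rows)
```

Point `render_report` at your scanner's real output once you have adapted `analyse` to its format, and paste the table straight into the findings section of your template.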
That’s all, hackers! I hope you learned something from these tips. If you did, please share them so that your friends can benefit from them too.
And let me know if you have any comments, requests for tutorials, questions, etc.
See you next time!