Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 11 Sep 2000 10:51:23 -0500

I know this thread's gonna get killed eventually, because each person has
their own experience... but here's my story.

It all started with a problem I had, that many hackers (See the Jargon file
definition of this word) have... I couldn't learn enough about systems to
satisfy myself.  It started simple, but eventually I decided to focus on
host-systems and network- level security (as opposed to application-level or
physical security, although recently physical security has my attention as

My neighbor, a CS instrcutor, gave me my first AT&T shell account when I was
12.  I liked it, and he gave me some books to read, and sat down with me and
showed me how to navigate directories, etc.  I even learned how to use ed.
(shudder). from the age of 13-15, I was pretty much the lame script kiddie
exploit leech.  I broke into BBS's, used my unix account (which had been
switched over to 4.3BSD) to learn about unix security, etc...  I got a clue
when I was 16, but I didn't really stop tinkering with other peoples'
systems 'till I was 17.

I went through the lame high-school jobs with stupid retail computer and
video game stores, and when I went to college, I got hired as a computer lab
monkey (help users, make sure they don't steal the systems), then got
promoted to a hardware monkey (troubleshoot system problems, install RAM,
dig gummy-bears out of floppy drives, take floppy disks out of jammed CD-ROM
drives), and all along I was practicing system security at home in my spare
time. One day a friend asked me to test his dad's network, and I got paid
for it.  It was good money.  I did pen-testing freelance for
a while (most of my customers were willing to spread the word and give me a
good reference).  Eventually, a sales guy with my current employer asked me
to apply, saying I could probably land a decent pen-testing job with a
"real" network security company.  Here I am.

IMHO, all REAL Pen-Testers (not hackers-in-a-can with software on a laptop)
are hackers.  In order to be sucessful, you must stay on the bleeding edge
of developing security problems, as well as tinker with your own ideas, and
look for your own vulnerabilities, just like an "Enlightened System Cracker"
would.  Running Nessus, CyberCop, or ISS, and fixing what you see, will stop
80% of the script kiddies out there, but these products don't always check
for that exploit that came out on  bugtraq yesterday, and they most
certainly can not think logically enough to exploit a minor bug or
misconfiguration in order to make a larger scale exploit possible.  Even a
semi-dull-brained script kiddiot can think of stupid things like that.
Rule-based, systematic software scanners can not.

being a good pen-tester doesn't happen overnight.  In my case, it was the
logical next-step in my lifestyle of curiosity.  I still persue every hour
of every day, wondering what more I can learn before the next hour arrives.
I lose sleep at night because my eyes are glued to something I didn't know
15 minutes ago, and I'm still looking for just one more thing before I feel
satisfied.  When I find something else, I just want more.  I am almost
comfortable saying I don't need Crack or Meth, cuz there's still stuff out
there I don't know yet... Maybe when i know everything there is to know
about everything, I will have to pick up some other habit...

Most pen-testers I know in real life are at least as screwed up in the head
as I am...  That's my story and I'm stickin' to it.

-----Original Message-----
From: Lashley, Bryan [mailto:bryanl () EACIFS COM]
Sent: Friday, September 08, 2000 4:07 PM
Subject: How to "break into" the Pen-Testing field

I am wondering how did the readers of this list get into the pen-testing
field? What steps did you take to get from where you started in the field to
where your at now? Did employers train you? Did you get promoted into it?
Did you create the position yourself?

Pen testing & security is a very interesting area of the IS field I would
like to break into but many positions posted are requiring years of
pen-testing skills which I just don't have outside of my personal lab at
home (combo of Win95,NT Srv, RH Linux). Would you recommend starting at a
big 5 firm? A small firm? Fortune 500's? Has anybody heard of any
pen-testing firms in St. Louis?

Anything posted will help

Bryan Lashley

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]