I’m Not A Pentester (And You Might Not Want To Be One Either)


Hi all! So, this is going to be a different type of post. I’ve tried to stay a little off the radar personally with my blogs and Twitter account for a lot of reasons. It’s not hard to find out who I am. I have links to my Twitter account and this blog on my LinkedIn (I know, it’s a gross place), but I don’t flash it around.

I don’t know if I’ve ever said this before on my blog (I definitely have on Twitter), but I’m not a pentester. Even though security is extremely interesting to me, it’s not my day job. I worked as a pentester for a very short time before leaving the position. Why did I leave? I’ll get into that later.

I haven’t been doing security stuff for very long. I think the first time I git cloned something was back in 2018. I didn’t get my OSCP until 2020 and I failed twice. I work as a Linux admin and I have for the majority of my time in IT. Prior to working in IT I was in the US Armed Services (not doing IT). So all of this was, and still is, very new to me.

I’m not a good programmer or even that great with Linux. I still have to man page most of my job. I’m constantly saying, “why doesn’t this work?” after typing “chmod web.txt 777”. Oh yeah, the file path comes after the permissions.

Why am I talking about this? Well, because even though I don’t work in security full time, I still get to play around with malware dev, attack paths and other cool stuff. I just don’t get paid for it. The thing is, I’m also not accountable for it.

Five years ago, when I started all of this, I really wanted to work in security. Like, really wanted to work in it. Be careful what you wish for. I am not a pentester and here is what I wish somebody would have told me before I tried to be one.

The Job Market

Oh my God, there are 3 million cybersecurity jobs out there that haven’t been filled! We’ve all heard it.

Take a look at where these stats are coming from. A lot of times, it is coming from an organization that does what? Offers cyber security training! Weird huh?

We’ve also heard the debate on what an entry level job in cyber is.

“They want 5 years experience and an OSCP for an entry level position!”

Here’s the truth. There are ways that you can get an entry level position in pentesting. Like a true entry level position. But you have to have some experience. Entry level doesn’t mean no experience. It means some experience. And that’s not on HackTheBox or TryHackMe. Web devs, sys admins or .Net programmers have an excellent chance of getting scooped into an internal team. This would be a lateral movement with a company that the candidate is already established in.

Don’t have your OSCP or whatever cert is the hotness right now? Want to get into pentesting? You probably need a CS degree and you’ll have to pivot into a paid gig off an internship.

The days of getting your OSCP and instantly having an interview at EY are long, long gone.

Get in good with a team and transition over to security. The team is going to know your strengths and weaknesses so they won’t be annoyed or feel duped that they hired somebody who can’t code the new PoolParty POC in Nim.

Also, most people in security have egos and feel the need to inject their technical dominance onto everybody online. It will be different talking in person to a mid level operator that can talk to a hiring manager on your behalf.

Since we’re on the subject of the job market: it’s 2024. Have you seen the layoffs? How are people starving for talented cyber people when every tech firm is laying people off?

The job market is HOT for cyber people, but only for cyber people who have 10 years’ experience as a web app pentester, client facing consulting experience, CVEs and talks given at conferences. They won’t have a problem finding a home.

The market is not hot for people that turn off Real Time Protection to run their MSF payload.

The market is also hot for web app people. Why? Because if you’re worth a shit at web apps you’re doing bug bounty and making 4–5 times what a consulting firm is willing to offer.

Full disclosure: I was offered 120k to be a web app person. I didn’t take it. I make way more as a sys admin.

I’m not aware of the global job market, this is just what I’ve seen in the US. It could be different in other countries. I talk to a lot of people in the EU so they seem to have some openings. But who knows. I do know that pentesters in the UK make far less than they do in the US.

On a side note, have you noticed how many “training” sites there are now? It’s almost like people are making more money teaching hacking than actually doing it. Every time I turn around I see a new EDR evasion, Malware Dev, REAL HACKER training course popping up. Strange huh?

Consulting

So, you want to be a pentester? Think you’re going to sit down at your Kali box and start psexec-ing to DA? Okay. Have you ever done a kickoff meeting? Have you ever been dragged into a sales call? Have you ever been expected to bring in clients?

Welcome to the consulting world. The majority of pentesting jobs you’ll find are in the consulting world. The dirty, grimy world of consulting is a hell hole that pentesters find themselves in with no foreseeable way out.

At some firms, the security comes secondary to the money. How much is the client paying? That determines the level of effort. I believe “turn and burn” was a phrase I heard.

I was actually told once “they aren’t paying that much money so just do whatever.” Sounds legit right?

A lot of times you’ll come away from an engagement with the client having paid 20k to be told to turn off LLMNR.

This is the world where a client pays 15k for a wireless pentest and the operator runs Wifite, doesn’t get a handshake and walks away. Sounds great, right?

Are all consulting firms like this? No, certainly not. There are some really good ones out there that actually take the time to work with their clients and secure their networks over months, even years.

Know what you’re getting into if you’re interviewing at a consulting firm. Ask them about billable hours, how many operators are on each engagement, what the reporting requirements are, etc. Also ask them about research, training and development time. How do they treat this?

Obviously, if you’re not on a client engagement you’re not just sitting around watching Netflix, but what are you doing? Are you editing other people’s reports, developing internal TTPs? Or do you go from one client to another with no downtime?

What happens when you get stuck on an engagement? You know something is exploitable, but you can’t figure it out? This happened to me a lot, but the firm didn’t want to bill another operator against the client so nobody would even take a look at my attack. The client suffered.

Internal teams are always better. There is usually not as much reporting and if there is a report, it can be tackled by the entire team. Or if the team is high speed enough, a staff technical writer!

Junior pentesters need to understand how they look to consulting firms. In the world of business, if you’re not bringing money into the company, you’re costing the company money. Pentesters don’t bring in money, sales people do.

Pentesters are the company’s product. They sell the pentester to a client for a specified amount of time. If you go over that time, you don’t cost the client more money, you cost the company more money.

As a pentester, you’re interchangeable with somebody that has just as much skill, but comes at a lower price. And in this job market, there are a lot of highly skilled operators desperate to make their mortgage after Rapid7 gave them the boot. Think they won’t take a job for 90k so they don’t get their house repossessed? Yeah, okay.

Unfortunately, because of the rise of offensive security training, there are more “hackers” out there than ever. Junior or even mid level pentesters will find it extremely hard to find a gig right now and probably for the foreseeable future. My prediction is that it will only get harder and we’ll see people with cyber certs trying to make their way into other IT fields like cloud, system administration, or web app dev.

The Salary

Think you’re going to make 150k? Think again. Senior level pentesters will make really good money. When I was a pentester, I made 120k. It was 5k less than I was making as a sys admin at the time, but I took the job because I wanted to be in security.

Yes, you read that right. I took a pay cut to get into security.

If you get an offer it will be between 85 and 120k. That is the truth. Might sound decent, but you can make more money as an Azure admin. When I transitioned from security back to sys admin I made 40k more. I didn’t have to deal with reports, clients, or billable hours.

I have told this to several security people through DMs and have had a few say they were seriously thinking of getting out of security because they were working more than 40 hours a week and not making very much money.

When I was working as a pentester, I did 60–65 hour weeks. I felt as if it were silently expected as did other people on the team. This is the reality. You will not work a 9–5. Security will be your life. When you’re not on an engagement you will be expected to go through the new hot course to level up.

You will be expected to get the latest OffSec cert, develop novel AMSI bypasses, whatever. And this is all after-hours. Ever notice how many US based security people Tweet after midnight? Ever notice how many US based security people tend to be working on a Saturday afternoon?

The Skills

Can you program in C, C#, Python, Perl, Ruby, Nim and Rust? Can you script in bash, Perl, PowerShell, and VBScript? Yeah, me neither. For a lot of pentesting firms, you will need to know programming. They will even give you a programming challenge (maybe 2).

Is programming really necessary for pentesting? Kind of depends. You should understand the basics of programming, especially WinAPIs in C# and C. Will you be expected to analyze an exploit and rewrite it if necessary? Yes, you will be. No matter what the exploit is coded in.

Pentesters are expected to be experts in everything from .Net programming to Cisco switch configurations to Java deserialization. What BitLocker bypasses do you know? Have you ever set up a rogue AP? Do you know how to set DMARC and SPF for phishing?

Here’s something. Have you ever set up infrastructure to do war-dialing? This was an actual task I was given. If you don’t know what that is, look it up. It’s something they did in the 80s and I was asked to do it in 2021.

These are just the technical skills. When you get to the soft skills there are also a plethora of things that will be expected of you. How about holding your tongue when trying to explain to a CISO that your implant being detected and causing a deconfliction is an expected behavior?

When it comes to skills, you will be expected to either know it by heart, or be able to learn it in about 30 minutes. Quick! What’s the syntax to running secretsdump.py?

The Engagements

Here’s something that nobody would tell you when you’re getting into security. All that cool shit you learned in your OffSec labs or even did on your own, you probably won’t be able to actually do it.

Say good-bye to PowerShell-based attacks. They weren’t allowed when I was a pentester. Why? Because it “might” get detected. That whole training that I did based on PowerSploit? Had to find a different way.

Here’s another thing, got a dope implant? Think you’re going to drop EXEs on a target? Think again. I wasn’t allowed to drop anything to disk when I was a pentester. Why? Because I “might” forget about them and also because they “might” get detected.

How about that BYOVD AV killer? Haha. Okay. You really think your manager is going to let you kill AV on a client target? Not going to happen. I changed a registry key to turn on RDP for lateral movement to a SQL server once and everybody had a meltdown.

Obviously there are tactics that real APTs could use that would be destructive to a client’s environment so the line between adversary emulation and adversary action moves back and forth depending on your TTPs.

In some instances it would be acceptable to change a parameter of a scheduled task to get remote code execution. In other cases, you could really break something.

For instance, some firms will do simulated ransomware attacks to a segmented client network. But if you’re pentesting a prod environment, you do want to be careful of what you change.

What I’m saying is you’re not going to be able to go full auto on client networks. Many people getting into pentesting don’t understand this and think what they did on their CRTO exam will cut the mustard. Your firm will be restrictive, way more restrictive than you might think.

The Reality Of EDR

Another thing that people don’t consider is the reality of EDR. EDR, SIEM, whatever you want to call it, is getting much more prevalent in client networks.

Behavior based detections will take over within the next 10 years due to AI. Getting past these defenses is only going to get harder. Will there always be a way? Sure, but whether the industry wants to admit it or not, a lot of companies will start dumping yearly or quarterly pentests after operators stop finding ways to get in.

Imagine paying a firm 40k for a red team engagement just to get told that the operators couldn’t jump off their initial entry box (which the client provided). CISOs are executives. They want to see value. And a 40 thousand dollar Nessus scan doesn’t offer a whole lot. In fact, being told that the operator couldn’t jump off the box is even more reason to dump the pentests.

This goes back to the recent layoffs in the industry. Think I’m wrong? That’s fine. Maybe I am. Just my 2 cents.

I Get It

Look, I get it. We all want to get paid to pwn. The problem is that the business of hacking is much different than OffSec Proving Grounds or HackTheBox Certified Whatever networks.

If hacking is your dream, go for it! Just be ready for what it’s going to take. I’m not trying to be discouraging to junior or even mid pentesters. But if I had known what it was going to be like in the real world of hacking, I probably would have just stayed a sys admin and gone for my RedHat Certified Engineer cert (a work in progress for the last 5 years!).

If you’re interested in web apps, bug bounty is getting extremely competitive, but you’re still your own boss and many people specialize in 2–3 attacks (XSS, Injection, etc.).

And with that, I leave you to it! Go drop an EXE to disk on a client network for me!

Originally published by assume-breach: I’m Not A Pentester (And You Might Not Want To Be One Either)

Copyright notice: posted by admin on July 1, 2024 at 9:31 AM.
When reposting, please credit: I’m Not A Pentester (And You Might Not Want To Be One Either) | CTF导航