Softskills: CV, Job Application and Interviews

This one might be a bit too specific, since every country has its own CV and interview culture. For example, in the US you don’t add a picture of yourself, while in Germany this is very common. There are probably many more differences, so please don’t take everything here for granted in the area or country where you want to get a job. I try to be as general as possible here.

From my previous post Softskills: Networking for your Career you should be aware that getting a job through your personal network is a good option and could be the most promising one.

CV & Job Application

A couple of points for the CV & job application:

  • be honest; when people find out you lied or made things up, you are out
  • don’t go into details that have nothing to do with the job you are applying for, unless it seems necessary
  • write everything else in detail; I like to have a lot of information, but other people might have a different opinion
  • use a clean and easy-to-read format
  • write a great motivation letter for your application
  • prove facts; for example, if you write that you have a certification, add a copy or scan of it to the application
  • check for grammar and spelling
  • if possible let somebody read your application who can give good feedback

Job Interview

I was on both sides of the table, conducting interviews and also of course being the candidate.

  • know your CV well, you should be able to explain everything without looking it up
  • if you have a bad feeling you normally should not take the job, unless it is a huge chance for you or you can use it for jumping to a better job
  • prepare for the interview, think about what questions might be asked
  • try to prepare for standard questions like
    • what was your biggest mistake
    • where do you see yourself in five years
    • what is your biggest weakness
    • what do you expect from your employer
    • and so on
  • prepare for technical questions
    • there is nothing worse than saying, for example, that you know XSS but then not being able to explain the difference between a stored and a reflected XSS
    • have a look at the Daniel Miessler interview questions (see also below)
  • if you have weak spots in your CV you can try to handle this pro-actively; if not, prepare for critical questions
  • prepare questions that you want to ask; for me an interview always has to go in both directions

Links
https://us.experteer.com/magazine/should-you-put-a-photo-on-your-cv/
https://danielmiessler.com/study/infosec_interview_questions/
https://www.indeed.com/career-advice/resumes-cover-letters/motivation-letter

Softskills: Networking for your Career

Whether looking for a new job, enhancing your knowledge or finding like-minded people, networking is important for your career.

Social Networks

When I looked for my first job as a pentester I wrote to CEOs and company owners from smaller companies that I found interesting on Xing (which is mainly active in Germany) and later I also used LinkedIn. I got invitations to interviews and found a job.

Further I use Twitter, but not as much as I did 2-3 years ago. But you can still get information very quickly when you follow the right people. For example, when a PoC for an exploit is available it is posted fast here, but be careful and check the information.

On all networks you can use direct mail for contacting people when you have questions; in my experience most people are happy to help.

But how to start? First follow and add people you know. Search for people who might be interesting for you and also add/follow them. When contacting someone for the first time, just say a few words about yourself. Share posts you find interesting and maybe start writing your own posts, for example a link to a blog post you found interesting or a short course review.

You can also be successful without social media accounts, but for me it was a booster. It is also useful to stay in contact with people you meet at…

Conferences & Meet-ups

Another great place for networking is conferences and local meetings. At local meetings (I visited the OWASP meeting Cologne for some time) it is easy to get in touch with people in the area where you live, you have presentations and can learn.

At conferences it depends strongly, for me, on what you expect. For networking it might be better to go to smaller conferences, especially if you don’t know anybody. Bigger conferences are also good, but maybe a bit overwhelming at first.

You can get more contacts when participating actively, for example by giving a presentation or as a volunteer.

Or, when you are in the industry for a longer time, just meet with people you know.

And guess what? I got in touch with one of my employers at a conference.

Career Path Red Teaming

For some people Red Teaming seems to be something like the holy grail and many people want to do it. In my opinion a Red Teamer should have experience in Penetration Testing before starting. Some experience in DFIR might also be useful, or at least you should have some understanding of this topic.

For me (I have been planning and leading internal Red Team engagements for about two years now), Red Teaming is very different from pentesting, although experience here is important.

“Penetration testers have this problem where they frequently can’t see past the end of their Kali USB. They establish the false equivalence of: “China hacked $X; I can hack $X; therefore, I am an APT and an APT is like me.” An APT is literally the instantiation of a nation state’s will. It is not a toolchain.” 
https://medium.com/@thegrugq/cyber-ignorethe-penetration-testers-900e76a49500

This sums up my experience. Some pentesters think: OK, let’s just use BloodHound, Mimikatz and Empire and start firing, when I am domain admin it is red teaming. Well, maybe kind of.

But do real attackers think that way? Think more about WHY a malicious actor is trying to hack you, and then how. What are attackers looking for? That might define the scope of your engagement. You should read threat intel and incident reports to stay up to date regarding TTPs and scope. When doing Red Teaming you should start thinking more in this direction.

I also tend to go through single scenarios, and not only full blown attack simulations, like:
• Account compromise
• Exfiltration if possible 
• APT traffic simulation for testing and enhancing capabilities of the blue team 
• Phishing 
• Water Holing 
• Malware Simulation 

This is also a good starting point for advancing a penetration tester career, since usually you are not able to start with full blown Red Team engagements.

I can recommend “The Hacker Playbook” series, review for the third issue here. Further the book “Advanced Penetration Testing” is a good read.

More recommendations:
• https://www.cobaltstrike.com/training 
• https://medium.com/@thegrugq/cyber-ignore-the-penetration-testers-900e76a49500
• https://www.pentesteracademy.com/redlabs
• https://github.com/aptnotes
• https://attack.mitre.org/
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2019.pdf?__blob=publicationFile&v=3

Review Pentester Academy and AttackDefense Labs

Hello All, this is a review of Pentester Academy and AttackDefense Labs. The content is really huge:

Screenshot from: https://www.pentesteracademy.com/

So it is not possible to review all of it; this post is just meant to give a rough overview and some examples.

Pentester Academy

As said before, there are 40+ courses available in the courses section. The topics include for example (all from a security perspective, but some are also from a defender’s viewpoint): Python, ADS, shellcoding (I did the SLAE in 2015, which also helped me with my OSCE certification), Javascript, web app pentesting, some forensics topics, WiFi and network pentesting, exploitation and much more.

For a complete overview have a look here.

Currently I started the course Traffic Analysis: Tshark unleashed, so this is the short example for this post.

Screenshot from the Tshark course.

What comes in really handy is that you can just start the labs in the AttackDefense labs, so you don’t need to set up your own VMs just for following the courses:

Screenshot from the Traffic Analysis: Tshark unleashed course

What is also great: you can download the videos, so you can also watch them later.

As far as I can say, all the videos are suitable more or less for beginners.

AttackDefense Labs

The labs include a huge amount of topics, including: Webapps, MSF, Privilege Escalation, Exploiting, Wi-Fi, Forensics, Reversing, Cracking, Python and so on. Some labs include a small task, but others include for example full blown webapps like Juice Shop.

Some examples from the Web Apps labs.

In this case there was a small issue (for me): the labs are timing out after some time, which might be a bit annoying when having a full web app. For the smaller labs I never had problems.

As advanced labs there are also some CTF style labs available.

Verifiable Badges

With verifiable badges it is possible to verify your knowledge to an external source, as I did here:

“The holder of this badge has successfully completed the Network Pentesting challenge exercises in Pentester Academy’s AttackDefense labs. These challenge exercises test a practical understanding of how to perform remote network reconnaissance of various infrastructure components.”
(https://www.credential.net/b5050be1-05c9-41fa-93a9-ea0b5cd8825f#.Xg8KBMQX5XM.twitter)

As far as I could see all badges have three small challenges where you have to find flags (like a small CTF). Badges are available for lots of topics (19 badges are available at the time of this writing) and most of them can be done after you viewed and worked through the courses.

Certifications

It is also possible to take certification exams (like the SLAE): https://www.pentesteracademy.com/exam

This way it is possible to take exams from Pentester Academy (if you subscribed) without buying the whole course.

Conclusion

My conclusion after using it for myself and speaking to some folks who are also using it:

  • it is affordable
  • the content is huge
  • the courses are a great resource especially for beginners
  • courses and labs are suitable for attackers and defenders
  • I like the badges

For me Pentester Academy and AttackDefense Labs is highly recommended.

Book review: Real-World Bug Hunting

One of the good things about Defcon is that there is a No Starch Press store in the vendor area.

So I bought it for the flight, but it took a bit longer until I was through the book.

The book has 20 chapters, starting with Bug Bounty Basics. The next 17 chapters go through different classes of vulnerabilities like XSS, SQLi, memory corruption, CSRF and so on.

After an explanation of the vulnerability itself, real reports are also included with further hints. At the end of each chapter the reader can find useful takeaways.

The last two chapters are not about bugs: one is about finding bugs in general, including some descriptions of tactics and tools. The last chapter is about writing a good report, communication with the companies and how to deal with the different programmes, which seems very useful to me.

Real-World Bug Hunting helps to maximize payouts and find more bugs. It shows lots of attack vectors and creative ways of exploiting them.

The book is not for beginners. I recommend having a look at the recommendations list, the bug bounty beginners and the penetration tester basics articles for more resources.

Real-World Bug Hunting: A Field Guide to Web Hacking
Author: Peter Yaworski
Content: A very practical guide to bug hunting and bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner, Intermediate

Interview with Christoph Haas

A short interview with Christoph Haas with some advice for career starters.

What brought you to IT security? How did you get into penetration testing?
I started with an apprenticeship as a developer. After that I made my Bachelor in Business Informatics. During this I worked three days a week in the security department of a bigger company in the technology sector. However, during this phase I found out that my part is more in the “offensive” field 😉 . So I met the company I started working as a penetration tester at a small German conference (Backtrack-Day).

You are the owner of Securai, a penetration testing company that is specialized in application security. Why did you specialize?
I believe that specialization is the key success factor. IT security is a complex topic, but if you really want to be good at it, you have to focus on one thing.

Do you also look for newbies in the field?
Sure, always 🙂 !

What do you expect from applicants? What do you think makes a good penetration tester?
They really have to want it. If someone is getting frustrated easily, I would recommend another career. They also should be happy about communicating with other people. Penetration testing is a consulting business, so you have to deal with people a lot. They should have fun learning new things, because this is what you have to do all the time, even after years in pentesting.
From a technical perspective we are looking for people with a development background, as I think they can communicate better with devs and as we focus on appsec, we mostly have those types of customers.

What has been the best or worst moment in your penetration testing career?
The best moment is, when after hours or days of struggling you finally get an application to fall. This is the fun part about pentesting 🙂 .

What is your thought about certifications?
I think they are necessary and sometimes even are fun to do. I personally like the OSCP and we basically use it as a test for new colleagues.

Christoph is Founder and Owner of Securai, a company focusing on application security.

Review Black Hat & Defcon 2019

Black Hat

Black Hat is a pretty commercial conference; tickets for two days cost more than 2000$ if you want to attend the briefings. There are also trainings, whose costs vary and are much higher. The content quality is usually very high, and the attendees range from consultants, CISOs and developers to all kinds of IT security professionals. There was a big crowd, with about 17000 attendees in 2017.

Black Hat is held at the Mandalay Bay.

The briefings are picked by a review board in a call for papers process. Researchers present their top work, often campaigned weeks before the conference.
In the business halls all kinds of vendors are present, giving away loads of swag to attendees and also throwing parties.

Keynote

Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi

Arsenal

I am mainly at Black Hat for the Arsenal. It is a great opportunity for developers to present their work at booths that are also located in the business hall. For the last three years I was thankfully able to present AVET (AntiVirus Evasion Tool) there, and presenting at the Arsenal gives presenters a briefings pass. The tools are also picked by a review board.

Defcon

Defcon is the “real” hacker event in Vegas and is completely different from Black Hat (although both have the same founder). Black Hat and Defcon overlap by one day; Defcon lasts four days. Costs for 2019 were 300$, the quality of the talks is also high and more fun might be included (like talks about phreaking). More offensive security stuff seems to be included here.

This year the event was spread over four hotels including four presentation tracks, several villages (areas with talks and hands-on for several topics), parties, CTFs, movies and so on. It was said that about 30000 people attended Defcon in 2019, so everything was pretty crowded and also a bit confusing. Walking between the different spots can take between 10-20 minutes.

Defcon is meant to be a hacker con, which is true. Also, there is a strong drinking culture present: first-time speakers must drink a shot (and attendees demand it loudly).

There is also a media server which is worth a look.

Conclusion

If you have the chance to attend Black Hat/Defcon you should give it a try. It is great to connect and develop your skills and I have met some great people and made new friends.
For people who want to advance their career it is definitely great, but if it is your first conference you might consider going to a smaller event. The atmosphere in Las Vegas is somewhat special, with the hotels, the casinos and the tourists around.

More free Pentesting resources

While I wrote the articles about how to start a pentesting career I came across more great resources that I did not mention before, so here they are. Most of it is hands-on :).

The Complete Beginner Network Penetration Testing Course for 2019

CTP/OSCE Prep – Wrapping Up Our Prep
Article with OSCE resources.
https://h0mbre.github.io/CTP_Summary/#

Web Application Exploits and Defenses
Online Webapp hacking.
https://google-gruyere.appspot.com/

XSS challenges
Online XSS challenges.
http://xss-quiz.int21h.jp/

XXE Lab
XXE Lab for downloading and hacking.
https://github.com/jbarone/xxelab

Root Me
Hacking challenges online.
https://www.root-me.org/

Cryptopals
Crypto hacking CTF.
https://cryptopals.com/

RingZer0 CTF
https://ringzer0ctf.com/challenges

Damn Vulnerable Web Application (DVWA)
Vulnerable web hacking VM (download).
http://www.dvwa.co.uk/

Pentesterlab
List of the free Webapp hacking exercises.
https://pentesterlab.com/exercises?dir=desc&only=free&sort=published_at

Link List with more CTFs and exercises
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/

Kali Training
https://kali.training/

Vulnhub
Loads of challenges and VMs (downloads).
https://www.vulnhub.com/

Career Path Security Researcher & Bug Bounty

Security Researchers work in the field of bug bounties and exploitation; often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people start this as a side job and then go independent. If you don’t know some basics look here and here.

The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics; you can’t just start hacking and hope to find something.

When you want to participate in bug bounties you normally use platforms like hackerone or bugcrowd, but lots of companies have their own bounty programs. Since most of these programs are public this makes starting easy.

On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty is networking with other researchers and companies. One way is to go to conferences and trainings; have a look at the links section of this article.

Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.

Links

Bug Bounty

Blog Articles, programs

LevelUp 0x02 – Bug Bounty Hunter Methodology v3

Advanced Web Attacks and Exploitation (AWAE)

Probably interesting for both paths, but web hacking is more bug bounty for me…
https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/

Exploiting

35C3 – From Zero to Zero Day

The Exploit tutorials from corelan

https://www.corelan.be/index.php/articles/
That said, I can highly recommend the trainings that you can book at several conferences:
https://www.corelan-training.com/

OSCE- Cracking the Perimeter (CTP)

Also mentioned here before, the Offensive Security course and certification:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/

OSEE – Advanced Windows Exploitation (AWE)

I also heard great things about the AWE (OSEE) for more in depth exploitation, but I don’t have personal experience here.

Even more links:
https://www.zerodayinitiative.com/
https://zerodium.com/
https://googleprojectzero.blogspot.com/
and especially this article from project zero:
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html

Conferences

As said before, learning new things and networking is really important, so here are some conferences that seem good. You should also consider taking some trainings:

Books

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner

The Shellcoder’s Handbook
Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte
Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading.
Career: Penetration Tester, Exploiter
Level: Intermediate, Experts

Hacking: The Art of Exploitation
Author: Jon Erickson
Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux.
Career: Penetration Tester, Exploit Developer
Level: Beginner, Intermediate, Expert

And here is a great free book:
Modern Windows Exploit Development
http://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf

Career Path Penetration Testing Basics

Penetration Testing – “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” (From wikipedia)

The scope of the article is to help you get your first job as a penetration tester. If you have more great links or recommendations please add them in the comments section. Becoming a good penetration tester requires many more skills than described here. It also means that you never stop learning.

If you don’t know the IT and IT security basics yet, please have a look here. When you want to start a career in Penetration Testing you should know that most of the penetration tests performed today are Web Application tests. Therefore this article is focusing on this topic. Later I will add new posts with Specialization Paths for more advanced topics like exploitation, red teaming and so on.

As already mentioned in the article Career Path Security Basics, I strongly suggest that you make a plan for what goal you want to reach. For example, playing CTF all the time might be fun for some people, but if you need the OSCP it might not be helpful to waste too much time.

Web App Penetration Testing

Port Swigger: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Tester, but I recommend it also for everyone interested in security
Level: Beginner
Price: Free

General

OSCP
If you want to start a career in Penetration Testing you might consider doing the OSCP certification. But you should keep in mind that the OSCP is extremely time consuming and it is not a must have, but definitely a door opener. Therefore I recommend doing the OSCP certification. Here is an article about pros & cons of certifications.

Hands On

Here are some hands-on resources for labs and learning. Some of them are online, others have to be installed and run by yourself.

Books

The Web Application Hackers Handbook
Authors: Dafydd Stuttard, Marcus Pinto
Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the Burp Suite.
Career: Penetration Tester
Level: Good for beginners, but also useful for experienced penetration testers

Penetration Testing: A Hands-On Introduction to Hacking
Author: Georgia Weidman
Content: A great introduction into penetration testing.
Career: Penetration Tester
Level: Beginner

Metasploit: A Penetration Tester’s Guide
Authors: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni
Content: Introduction to Metasploit and penetration testing
Career: Penetration Tester
Level: Beginner, Intermediate

The Hacker Playbook 2
Author: Peter Kim
Content: Book for penetration testing, hands on hacking, pivoting, evasion and so on. 
Career: Penetration Tester
Level: All

Network Security Assessment
Author: Chris McNab
Content: Assessment of various network services.
Career: Penetration Tester
Level: All

German Book: Hacking mit Metasploit
Author: Michael Messner
Content: Great introduction to penetration testing and metasploit.
Career: Penetration Tester 
Level: Beginner/Intermediate

Thanks @SparkyS04 for proofreading.