Penetration Tester - Am I on the right track?

Hey all,

I've been browsing the forums for a bit, and am looking for some feedback on my plans and experience. I would like to eventually become a penetration tester. At my current employer, we pay people to come in and do pen testing, and that's what has kind of drawn me to the field. I enjoy writing big plans/reports, and plus the fact that you can essentially get paid to find security holes looks fun.

My Experience:

8 years of T1-T2 helpdesk/hardware support
1 year of desktop lifecycle support (imaging, domain migrations, and XP->7 migrations for a 10k+ machine environment)
2 years of Windows Sys Admin experience (a bit of everything - moved to a smaller company.)

My Education:

A.S. in Information Technology
B.S. in Information Systems

My Certs:

A+ (circa 2004)
MCITP & MCSA: Windows 7
MCTS: Server 08 AD
MCSA: Server 2012
MCSE: Server Infrastructure
CCENT

My Cert Plan:

CCNA R&S (working on now)
Sec +
OSCP? - this is where I'm confused on where to go.

I feel like I really need to do the OSCP so I can see what a real pen tester does, but I want to make sure that I get the most out of going through the program (and can pass). I decided to start on the Cisco side (just passed CCENT this weekend), as my networking skills are lacking. I know I should probably do Sec + as my intro security cert, but am wondering if I should try to knock out a Linux cert as I have no experience there either (other than home tinkering). Maybe I should go for Linux+ or RHCSA before attempting OCSP?

The other kicker with all of this is my employer will reimburse cert tests if you pass, but doesn't reimburse training. This makes exams like CEH very difficult since you have to pay quite a bit to get the opportunity to test (training).

Are there any others that have been down this path and can provide any advice?

Thanks!

Find more posts tagged with

Comments

slinuxuzer

You are on the right track, you have a good ways to go yet though. A lot depends on your general knowledge of security, I would suggest doing Sec+ next for multiple reasons. You don't need a linux cert really unless your planning to be a linux admin, check out CentOS sys admin fundamentals course from CBT nuggets for linux info. You should def get a good linux base under you. I'd suggest Sec+, then CEH, then start thinking OSCP.

OSCP is heavy hands on and not to be considered entry level. Also finish CCNA R/S.

lsud00d

To be a good pentester, you definitely need a solid *nix background as @slinuxuzer suggested. You'll need to learn bash, posh, python, and ruby. Also it helps to understand the forensics side of the house, including memory forensics. This side of security is literally a deep, deep rabbit hole.

The CCENT/CCNA background will help you understand things happening in the network layers, however as you know L3 is just a small facet of everything involved in pentesting. You don't need a *nix cert, but it will help you demonstrate those skills if you don't have them in the professional realm.

Also, have you tried pen testing? I used to think I wanted to go that route because it is highly technical and I enjoy those things, but I just do it for fun now in my home lab. My suggestion to you is to do just that--make a home pentest lab and build your chops up that way to see if you want to go further with it

Noobz Guide for Setting Up a Vulnerable Lab for Pentesting - InfoSec Institute

https://community.rapid7.com/docs/DOC-2196

https://www.youtube.com/watch?v=AiWRmMzwwJM

IMO don't worry about the CEH, low ROI. Get S+ (should be relatively easy for you) and after practicing in a home lab you can start to think about the OCSP.

Don't forget about OWASP! web/appsec is all the rage since nearly every org has an external web presence...there's your attack vector! SQLi, woohoo. Do you know binary? Do you know hex? How good are you with Wireshark? What security blogs do you read? Do you like watching DefCon videos?

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Also, how good are you with the defense side of things? The issue becomes how can you attack if you don't know how to defend, and vice versa. Have you configured firewalls? Forward/reverse proxies? You obviously have some routing experience so you should know a few things about ACL's, VLAN's, network segmentation...have you looked at the CCNA:S? Have you worked with SIEM's? Any log aggregators? Parsed security logs? Parsed application server logs to look for irregularities? This could go on for days...

zaaa

Thank you both for your responses. This has definitely given me a lot to think about. I apologize for rambling below but I'm going to hit most of your questions.

Those are some good links - I will use them and others and do some at home pen testing before attempting OSCP. I think I am going to work on finishing my CCNA R&S, then do Linux+/LPIC-1 and then do Sec+. I'll do some at home pen testing then do OSCP.

The only "pen testing" I have done is using Kali to hack a fake WiFi network I setup - I did WEP/WPA/WPA2/WPS, played with dictionary attacks. I don't even know if I would call that "pen testing", more of just playing around than anything.

I will probably do CCNA:S and/or CCNP:S at some point but I figured it was best to get R&S out of the way first since I feel like you really need at least some basic R&S skills before moving into other areas. Since Cisco has a 3 year recert and the CCNA:S would renew my R&S, I figure I can tackle that later (after OSCP) and kill two birds with one stone. I really want to learn about Cisco's ASA/IPS.

Defense side I'm OK but not great. At my current employer (retail), we use an IPS, tripwire, and some very extensive network segmentation (seperate public wifi, POS, servers, storage, etc.). Even though we have it and I know some about it, it's not like I initially set it up or used it extensively.

Binary/Hex skills are good. Have used WireShark for sniffing traffic at work before (analyzing a virus that someone got to see what it was trying to access). So, in the grand scheme - I've used WireShark some but definitely not a lot and not to its full potential.

Security blogs - not much. I've read Krebs but I've not been doing it daily. I should probably put that into my routine instead of reading random clickbait garbage.

I feel that in order to become "good", I'm going to have to pick up some skills in several areas (Linux, Network) that I currently do not have in order to be successful.

I realize I have a long way to go; I don't plan on being there even next year, but I figure everyone has to start somewhere and as long as I'm going down the right path hopefully I will get there.

JDMurray

You need to hang out with other people who do pentesting and hacking in general. Check meetup.com for hacking groups in your area. If there are none, start one and see what talent you attract. Always make the annual pilgrimage to DEF CON (and BSidesLV) in Las Vegas the first week of August.

BlackBeret

Lots of people get in to from lots of areas. The organizations I know of require CISSP, GPEN, and an in-house lab test (OSCP comes in handy) to get started, then require you to get a MCTS and Linux cert while working for them.

Honestly OSCP starts you from the beginning and walks you through it all. If you've used Kali in any capacity you could follow the OSCP material. Also because you mentioned, CEH doesn't require the training. You can fill out the verification form and pay their fee to skip the training portion and just take the test. I'm not advocate for it, but it was required for my job and the cert that got me hired so it can come in handy.

NovaHax

BlackBeret wrote: »

Honestly OSCP starts you from the beginning and walks you through it all. If you've used Kali in any capacity you could follow the OSCP material.

This ^^^. People frequently ask the question of whether they are ready to take the PWK/OSCP course. Its not about being ready, its about just doing it...and its about how bad you want it. The entire course (and PenTesting in general) is completely about persistence and not giving up. Hence the course motto...Try Harder...

MrAgent

Agreed with NovaHax. Persistence will definitely pay off in the OSCP course. I had a couple of moments where I thought about just giving up. Instead of giving up, I tried harder, got through the course, and ultimately passed the exam.

If you are interested in it, and can be persistent, take the plunge and do it!