Becoming a pen tester
[Deleted User]
Senior Member Posts: 0 ■■□□□□□□□□
So after contemplating with myself for 8 months, I decided that I want to take my career towards the route of being a penetration tester. With that in mind, I want to have a good solid understanding of networking, as that is important for pentesting from what I hear, so I decided to go for my CCNP R&S and probably just maintain that and focus on pentesting/security certs. Yeah, I have my CWNA planned, but it was only $275 for the voucher and practice tests as I got the book for free, so having a foundation of wireless knowledge is essential I believe, as wireless is in all facets of technology from home users to enterprise Wi-Fi networks and even in the vehicles we drive today. I also want the CISSP to demonstrate overall security knowledge from different areas. With all that said, here is my problem. I know that OSCP is the name for pentesting certification but I just don't think that a cert that doesn't expire will hold a lot of weight (oh god, I'm in for it now). So I am not sure if I should pursue the ECSA/LPT track or go for the GPEN from SANS. I know EC-Council gets 50/50 reviews and SANS is more respected but I also don't want to have 7-8 vendors for certifications to have to maintain as it would be a nightmare maintaining them all. What are everyone's thoughts on this? Any current pentesters willing to share their opinions?
Comments
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
You don't think the OSCP holds weight but think the EC-Council certs do? LOL
Have you looked at pentesting job descriptions?
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
Codyy Member Posts: 223 ■■■□□□□□□□
Definitely go for OSCP. Solid network experience is always recommended, but something that I never see mentioned is: learn all of the Windows CLI commands you can. Referring to something like RTFM for all commands can be time consuming. Nothing like finally getting a shell and then not knowing basic commands. Learn PowerShell. Learn a language (Python, Ruby, etc.) so that you can come up with something on the fly if needed. Metasploit is written in Ruby.
Most difficult but most important IMO, find ways to improve your strategic thinking. There are so many variables when it comes to this stuff and scenarios are rarely the same. This isn't a check-the-block kind of job, you're constantly thinking outside the box.
Honestly though I hate to break it to you, but... it isn't that glamorous. Nothing like the movies or TV shows, not even remotely close. There's so much work that goes into it and sometimes very little if any reward. You'll be on an emotional roller coaster from one moment to the next. And it certainly isn't a 9-5 job, so if home life is important look elsewhere.
-
Mike7 Member Posts: 1,107 ■■■■□□□□□□
This is what PCI SSC suggests in their Penetration Testing Guidance:
Certifications held by a penetration tester may be an indication of the skill level and competence of a potential penetration tester or company. While these are not required certifications, they can indicate a common body of knowledge held by the candidate. The following are some examples of common penetration testing certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN))
- CREST Penetration Testing Certifications
- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification
Although it is difficult to recommend security assessor skill set, below are some guidance that can be used to help the FIs in making their assessment:
a. Gain accreditation with recognised technical certification. Some recommended certification are:
- CREST Registered Penetration Tester, CREST Certified Web Application Tester, CREST Certified Infrastructure Tester from CREST
- OSCP, OSWP, OSCE, OSEE, OSWE from Offensive Security
- GMOB, GPEN, GXPN, GAWN and GWAPT from SANS Institute
Go for OSCP then convert to CREST CRT. Travel to UK to finish the conversion.
OSCP does not require renewal but CREST does.
Your certs will be recognized everywhere and you get to travel around the world.
-
[Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
I don't believe OSCP is worthless, just that most certs I see usually have an expiration date to stay up to date with technology and the industry, and from my experience at least, certs that don't expire usually don't show up on job postings with the exception of ITIL and maybe some Microsoft certs like MCSA. I have a background in PowerShell and Python already with some exposure to VBScript along with some bash scripting experience, but very minimal with bash but working on it. So I'm hoping that over the timespan of 5 years I will reach my job of being a pentester as I work in IT security currently. If not, I would like to fall back and do networking. It is not an easy journey being in IT but it is rewarding to say the least.
-
MrAgent Member Posts: 1,310 ■■■■■■■■□□
I just accepted a job recently working on a red team. If it weren't for the OSCP, I don't think they would have even looked at me.
-
eth0 Member Posts: 86 ■■□□□□□□□□
Mike7 wrote: »Go for OSCP then convert to CREST CRT. Travel to UK to finish the conversion.
Can you write more details about that? I have OSCP but I still know almost nothing about this CREST; I found it some weeks ago on someone's LinkedIn profile and that is all I know. Will I need to do some exam in the UK? My main problem is the English language. Thanks!
kMastaFlash wrote: »I don't believe OSCP is worthless, just that most certs I see usually have an expiration date to stay up to date with technology and the industry, and from my experience at least, certs that don't expire usually don't show up on job postings with the exception of ITIL and maybe some Microsoft certs like MCSA. I have a background in PowerShell and Python already with some exposure to VBScript along with some bash scripting experience, but very minimal with bash but working on it. So I'm hoping that over the timespan of 5 years I will reach my job of being a pentester as I work in IT security currently. If not, I would like to fall back and do networking. It is not an easy journey being in IT but it is rewarding to say the least.
I have a friend with over 30 certificates. Do you want to take an exam for each one every 4 years and pay for it again too? IMO this renewal is stupid. A new version of a certificate is good; what I mean is you can have the ABC certificate in version 1, and when there is a new version after 5 years you can get this v2 or still keep only v1. The other solution is just making money.
MrAgent wrote: »I just accepted a job recently working on a red team. If it weren't for the OSCP, I don't think they would have even looked at me.
With OSCP you will always be better for tech people, so it will always be easy to find a red team job; even when you don't have work experience they will invite you to an interview. IMO CEH/CISSP is more for HR or when you want to be a manager/team leader or something other soft tech.
-
Mike7 Member Posts: 1,107 ■■■■□□□□□□
eth0 wrote: »Can you write more details about that? I have OSCP but I still know almost nothing about this CREST; I found it some weeks ago on someone's LinkedIn profile and that is all I know. Will I need to do some exam in the UK? My main problem is the English language. Thanks!
CREST is from England so those staying in England do chip in.
The OSCP to CREST CRT (Registered Penetration Tester) conversion was announced August last year.
From OSCP and CRT Equivalency | CREST - Ethical Security Testers:
Candidates that wish to have equivalent status granted will be required to submit a current resumé, along with evidence of their OSCP exam pass, (including Offensive Security ID) to CREST for validation.
Candidates will be required to pay a $500USD administrative fee which will cover the processing of their application, along with one attempt at a CREST top-up exam.
The time from initial application to CREST CRT equivalency being granted is expected to be five (5) weeks.
Within six (6) months of being awarded CREST CRT (Pen) equivalence, the candidate will be required to sit a CREST multiple choice top-up examination.
If you decide to convert, you will need to do the MCQ top-up exam in England. For booking details, refer to Booking a CREST Examination | CREST - Ethical Security Testers
Refer to CREST - Ethical Security Testers for other details.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□
kMastaFlash wrote: »So after contemplating with myself for 8 months, I decided that I want to take my career towards the route of being a penetration tester.
Is there good money in being a Pen tester? It looks like the average salary for a Pen tester is around 71 to 77k a year.
Still searching for the corner in a round room.
-
MrAgent Member Posts: 1,310 ■■■■■■■■□□
Man, what is with the haters lately? All sorts of negative rep without having the courtesy to even say who they are.
-
ThomasITguy Banned Posts: 181
Great info. I'm very interested in pen testing and I appreciate all the info on this thread! I wanted to ask....
Can you get the CEH, or the CASP just to get your foot in the door, then get your OSCP or GIAC? Or is it best to get the GIAC or OSCP and not worry about the CEH... I ask because I have read threads here that look down on the CEH.
-
aderon Member Posts: 404 ■■■■□□□□□□
A while back I spoke with a lead recruiter at a very large security company and asked for some guidance and career advice towards becoming a penetration tester and what they were looking for in people that didn't have pen test experience. I was lucky enough to have them respond and they recommended a few things:
1) A degree in IT/CS/etc is a good start
2) Enter as many CTFs and CCDCs as possible and place highly in them.
3) Candidates who have the OSCP cert have tended to have stronger knowledge than those who don't (but not always).
4) Even if you don't take the actual exam, going through any relevant study material would be a great use of your time.
And that was it. No mention of CEH, Security+, or anything of that sort. They just wanted someone who could perform a pen test which, from their experience, people with the OSCP were able to do.
Anyways, just thought I'd try to provide some insight into whatever decision you make!
2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started)
-
zackmax Member Posts: 61 ■■□□□□□□□□
At an interview for a QA Analyst job, I was given a pen and asked "how would you test this pen?"
That day I became a pen tester
-
ThomasITguy Banned Posts: 181
zackmax wrote: »At an interview for a QA Analyst job, I was given a pen and asked "how would you test this pen?"
That day I became a pen tester
What was your answer to the question?
-
IronmanX Member Posts: 323 ■■■□□□□□□□
Codyy wrote: »Honestly though I hate to break it to you, but... it isn't that glamorous. Nothing like the movies or TV shows, not even remotely close. There's so much work that goes into it and sometimes very little if any reward. You'll be on an emotional roller coaster from one moment to the next. And it certainly isn't a 9-5 job, so if home life is important look elsewhere.
Can you (or anyone else) elaborate on what it is like working as a pen tester?
Really not 9-5? Unless doing physical pen tests I thought it would be pretty much set hours.
"it isn't that glamorous"
Yeah I picture it as being pretty repetitive and I think those who are really good at it are good at coding to automate a lot of what they do.
Plus security issues for the most part (not row hammer) are software issues so having good knowledge of software development should go a long way.