Question for other Penetration Testers
So, at the beginning of the year I managed to get myself into a penetration testing position. Doing red-team work is something I'd always thought had the potential to be lots of fun. I knew there would be quite a bit of paperwork, but still... I figured the thrill of popping a box / domain would more than make up for it (and it does... when it happens). Similarly for running social engineering engagements and having someone just give you their password over the phone, or following the link in a phishing email and entering credentials into a phony website I've made.
A fair amount of the time I feel kindof like a fraud I guess? Most of the external engagements are verifying what the vulnerability scanner already detected -- SSL vulnerabilities (SSL, TLS1, Bar Mitzvah, Drown, Poodle, etc). Or some type of information disclosure (private IPs in html responses, etc). Blindly guessing passwords on external facing sites which has never had any success - that kind of stuff.
On the internal engagements, it feels like it's 90% opening responder & ntlmrelayx and hoping some hashes come over the wire that I can forward AND have sufficient credentials to get a foothold. Yeah, occasionally I get something else -- a java deserialization or today when I tried to exploit Dameware v12 with shellcode I made with msfvenom (which didn't work - whether that's me or it was patched I still don't know haha),
All in all it kinda feels a bit cookie-cutter or like a 'mass produced' version of pentesting. Maybe that's how it is nowadays? I'm hoping other pentesters might be able to chime in and give me a better idea if I've made an unrealistic version of what this type of job can be in my head, or if there's variation in this type of work. It feels a bit silly now that I've typed it out -- why wouldn't there be variation? But I'm still curious the extent of that variation, I guess.
Latest Completed: CISSP
Current goal: Dunno
Current goal: Dunno