Phillip Wylie - The Pentester Blueprint: A Guide to Becoming a Pentester

BSides Boston · 49:50 · Published 2020-11
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Phillip Wylie shares a practical roadmap for transitioning into penetration testing, drawing on 23 years in IT and 8+ years as a pentester and instructor. The talk covers foundational technical knowledge (networking, operating systems, security), essential certifications (OSCP, CEH, GWAPT), hands-on training resources, and the mindset needed to succeed—combining creative and analytical problem-solving with persistent practice through labs, CTFs, and bug bounties.
Original YouTube description
Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.
Transcript [en]

and not take much of you guys time thank you thanks everyone and welcome to my talk i hope everyone is enjoying the conference so far thanks to b-sides boston for having me uh good that it went on virtual but i really would have loved to been there in person boston is one of my favorite cities so my talk is the pentester blueprint a guide to becoming a pen tester a little about me uh i have my cissp oscp and gwapt i'm the lead curriculum developer at 0.3 federal i just recently joined 0.3 i was working as a red team lead at the company i left i'm an adjunct professor at dallas college the founder of the phone school project

which is an educational meetup that focuses on cyber security topics and uh mainly offensive security i've been in i.t and infosec for 23 years this month i've been pin testing for eight and a half years i was featured in the tribal hackers red team book which uh the publisher actually reached out to me about writing a book and so i wrote a book based on this talk and that is due out in december i'm also the co-host of the uncommon journey with chloe mustaghi and alyssa miller and so to go way back to the beginning of where i started i like to share this slide because that way people can see that you know you may not think you're cut out to be a

pen tester but you know someone that was a former pro wrestler could be a pen tester than anybody can so i started out out of high school didn't know what i wanted to do for a career so uh i ended up going to wrestling school and was a pro wrestler for a few years got married and needed a more stable uh income so i went to school at trade school to be a cad draftsman learned autocad worked in as a draftsman for for a few years and while i was working as a draftsman i found out about sysadmin work and it looked a lot more interesting than what i did and the company i was working at we were

this is back in 1995 we were being billed out at dollars an hour and making fifteen dollars an hour this uh cis admin came in was working our systems and they were billing fifty dollars an hour so i thought this guy's making ten dollars an hour more than i am and what he's doing looks a lot more fun so i kind of got more interested in computers i did some i.t related work at companies i worked for because not everyone had i.t staff and so i really got interested in and found out that i had kind of a natural skill for computers so i've taught myself how to build computers took a nobel network network operating system course got my

first uh sysadmin job and that was in 97 97 and then in 2004 i moved into infosec i was doing network security did that for about a year and a half and they formed an apsec team and i got to move into the appsec team and this is where i found out about web application vulnerability scanners i got to use those and then also found about pen testing so pin testing really sounded interesting to me and so i worked started out in consulting worked in consulting for five years and then after that i've worked for a couple different companies doing pen testing and more recently red teaming so back in my wrestling days i actually wrestled

a 750 pound brown bear which you can see in the picture there that is impressive i was going to ask you is that a real bear yes yeah it was a real 750 pound bear people always ask me why did you do that i was 22 years old i'm a guy what you that doesn't need more explaining than that we do stupid things when we're young it's just like if you go back to the mean of why women live longer this is right up there with it but fortunately it was named bear and i came out of it okay that was actually that picture was actually the second time i wrestled the bear that night

and how i know is we got these i got a t-shirt because i did the best wrestling against the bear and so i changed into that t-shirt so that's how i knew which time i wrestled the bear because it was a yellow shirt it said i wrestled samson the bear and lost oh my gosh were you on tv did you um end up being in uh gosh i don't even remember i we used to watch wrestling way back in the day yeah i was on tv i was uh when i started out i was in the wcw which was like the former nwa uh i wrestled there and then i wrestled in dallas at the

wccw world-class wrestling where the vinerix wrestled okay some of the most notable people are wrestled is mick foley he wrestled in texas as cactus jack manson oh nice pretty big name in in the wwe i got to wrestle the road warriors a lot of big names so it was an interesting experience i'm glad i did it i wouldn't change what i'm doing for a living because i really love really love hacking and what i do but i'm glad that i tried it to see what it was like so i it won't be one of those things that what would have happened you know so are you comfortable sharing what your wrestler name was yes i just went under phil wiley because

when you start out wrestling you have to lose all the time unless you've got family or connections in wrestling so uh so i just wanted my own name because i thought if i use the gimmick then getting beat all the time it would take a while to get past that stigma so my plan was once i got to where i was able to was winning and you know doing like the stars do then i would uh you know come up with a gimmick but i don't really want to run my gimmick although i did wrestle once in florida uh as corporal chaos i wore this this uh camouflage makeup on my face and and had painted my wrestling boots camo so

it was one time i wanted a different name but it was a lot of fun i went to school with the undertaker awesome well i'll let you continue and then we can talk more in questions i must see more people joining so we gave people time to get in so yeah i was that was part of purpose to ask the question i was like well we started a little early planning so no one no one's missed anything so yep so now we'll go right into the content so yeah this this slide i share each semester in my my ethical hacking class as well as in workshops that i do and and uh different talks and you know make sure you have

permission when you're you're doing any kind of pin testing or hacking because without permission it's illegal so i like to share this this quote i first heard the quote in spider-man and the quote is with great power comes great responsibility so just because you have the skill make sure you use it for good and be careful because you don't want to get get in trouble and i'm also part of hacking is not a crime hacking is not a crime is a organization that is trying to demonstrate to the public that not all hacking is bad hacking is needed for pen testing testing the security of different products that it's a needed thing it's it's kind of like a lock locksmith you

know lock picking is not a crime unless you use it to break into houses so we're trying to help get the name back you know as a good name it's a skill it's not a crime so but it could be used as a crime but we're trying to get that name back the media has over the years they clung onto that term hacker when hacker was originally makers people building stuff people uh you know taking things and making it do things that it couldn't do before you know you look at a lot of these these hackathons that's the true spirit of hacking you know building things coding that is that's hacking although you know the the

term that we've come to know outside the criminal aspect is hacking in another another sense but it's not not always a crime so if you do it with permission you know you're doing research doing it in your own lab then it's legal and it's not a crime so uh also along the lines of that mentioned the first slide that was that was um you know this court this whole talk came about from uh from a my first class first day of class lecture so each each day of each uh beginning of the semester i would go through and tell students about pen testing and then it kind of morphed to uh adding what it takes to become a

pentester people were in the class to learn so it was kind of an overview of pen testing to get students familiar with that and at the college i taught out the other professors there asked me to come to talk to their classes and tell them about pen testing and this was in january 2018 that i started teaching and so by november 2018 i presented this talk at b-sides dfw that's the local dallas-fort worth b-sides and i gave the talk there and since then i've given the given talk on several different several b-sides several different conferences as well as webinars into different schools so that's how this came about and then you know it's evolved into a book so

that book will be available in december for those are just joining the missed that so what is pen testing pen testing is assessing security from adversarial's perspective testing you know testing security the way a cyber criminal would try to gain access to you know sensitive data and systems and so this is important because you're able to get to test things beyond uh initial access to that system maybe it's easy to get into the system but then you don't really know what you can do further maybe you're able to get domain administrator get access to databases with sensitive information so that's one of the one of the benefits so it's also understanding security from adversarial perspective

gives you a better understanding of the security risks exploitable vulnerabilities are higher risk and higher priority for remediation and these usually justify budgeting so something can be breached then companies are more willing to put out the money to remediate these items sometimes it's not not cost prohibitive it may be something like changing passwords or password setting to make it more difficult to break into the system but you know it can get expensive where it may require some expensive software maybe rewriting software or something so you know doing a pen test finding that the vulnerabilities are exploitable is a good way to justify remediation and get the budget to do so and so uh why pentesting continued

regulatory compliance it's required for payment card industry data security standard or pci dss a lot of job opportunities because of like pci uh back in 2012 when i started pen testing it was mainly consultants and contractors doing pen tests most companies did have their own pentest team it's kind of like you go back earlier in 2000s late 90s when people didn't have dedicated security groups so pci compliance has really driven that one of the companies out of banks that i worked for we had like 13 people on our team as well as a dedicated red team and they've expanded since then uh citibank bank of america u.s bank capital one they all have pen test teams so this is

one it's an area that's continuing to grow it's not like a totally new uh type of job but it's just something that hasn't really been utilized or needed and so now there's a need for that and as far as being a fun job i still get a thrill anytime i hack a system it's still a lot of fun just as much fun as it was when i started so pen testing jobs so you know the long term of pentester's penetration tester these are also these roles fall under security consultants anderson engineers not all hr departments have individual terms for every role sometimes they're just trying to more easily manage it so consider security analysts and engineers

that could be your endpoint protection folks this could be your firewall administrators sock different roles that fall under that under those categories so when you're looking for a pen test job you know look at the job description some jobs are getting more towards the titles including penetration tester or pentester and also be familiar with these terms these terms are synonymous with pen testing ethical hackers is probably one of the most popular because this certified ethical hacker was one of the first certifications and they used the term ethical hacker it's a term that's more easy for the public to understand so when you're explaining that you're a pen tester sometimes it's easier to tell people that you're a

ethical hacker or professional hacker so other terms that are synonymous is offensive security adversarial security and a very common group that pen testers work under at times is called threat vulnerability management so when you're looking for a job look at those those terms and those departments for for jobs so pin testing skills is also helpful in other areas be able to determine malicious traffic understanding the attacks is helpful for sock analyst and network security analysts and engineers digital forensics and incident response engineers analysts can benefit from understanding the attacks because if they understand how attacks work then that will help them in their investigation and then uh more common some new way that these skills are being used is in purple

teaming so this is where the defenders get together with the offensive team and the offensive team will launch certain types of attacks just seeing that they can execute scripts on the endpoint or certain attacks work if like mimikats or invokemen cats will work if you're able to execute powershell on that system just different things like that is a way to find those vulnerabilities that can be exploited and fix those and sometimes this is a quicker way to get secure if your offensive security program or vulnerability management program is not mature then there's a good chance that there's a lot of vulnerabilities so going through and finding some of these major uh exploit paths and blocking them you know

as you execute a script you're being monitored they see if they catch it if they don't then they try to tune their systems to detect those those signatures and just work until it's detected so this will go a long way of preventing a malicious actor into getting too far very far into your network and then application security this was the area that i learned about pen testing because you're doing some vulnerability scanning there doing some kind of vulnerability testing through that software development loss life cycle so that's one area that is helpful understanding those attacks makes it easier for application security to work with the developers to prevent those types of attacks different types of targets so as a pen

tester you're testing variable various different top different targets network application hardware transportation people and buildings so network is a very common one and needs to be tested internally as well as external and wireless applications your web app thick client mobile cloud and api and these the api is very important because your iot devices and mobile devices use apis a lot hardware so be able to test the security of hardware routers and switches even from just like a per product perspective so these companies are having their products as they build them they're having their internal people test to see if there's any any uh security vulnerabilities there that can be exploited internet of things in the medical devices

i was listening to a talk yesterday and someone from the government said that talk about attacks on medical devices that people attackers have actually bricked medical devices so these need to be tested i've done wi-fi pentest before for hospitals where you can see the medical devices connected to the wi-fi network so that goes to kind of a little scary there to think that if an attacker can get access to that wi-fi what can they do from there so we need to make sure the medical devices are secure transportation so vehicles of all types trains planes uh different types of automobiles trucks with the the autonomous vehicles coming we really need to make sure that those those are secure because an

attacker could take control of those and cause injury or use use that vehicle by weaponizing it and people buildings this is kind of goes hand in hand with social engineering you can have the most secure network the most secure endpoints and servers but if someone is able to get physical access get into the building get into your server room get into a wiring closet where your routers and switches are at it's gonna be a lot easier for them to to breach a system types of pen test knowledge so when you're testing a system then you're either coming in from a black box or blind pen test where you have limited to no information on that in a

lot of cases this is maybe just an ip address or just a url and this is more of an attacker approach the opposite end of the spectrum is your white box or crystal box test this is detailed system information accounts for each role and level as well as even source code and documentation on the software and these all are based on you know this all can be affected by the amount of time there is to test so with the white box test you can more thoroughly test the system in less time with a black box test that's going to take more time because you're doing a lot of reconnaissance detecting the systems and collecting more information

on the systems so you can attack the systems and the gray box is kind of a partial knowledge of both of these and so this is what you more commonly see in a pen test usually it's gray box because you go in the company wants to give you the scope of ip addresses or the urls to test to make sure nothing gets missed so all these have value and a lot of times it's good to use a combination if you're doing a web application pen test or any kind of application pen test start out an authenticated black box style test to see what you can do on authenticated and then go to the crystal box of white box test

and use those different roles to see what happens can you elevate your privileges from an average user can you you know access other people's content or other account levels at a lower level user and and on top of that you know administrators don't need to be able to see social security numbers and sensitive data so you need to make sure that sensitive data is not being revealed so different types of testing depth also different stages in a pen test vulnerability scanning is not a pen test it's part of a pen test in a standalone function companies will have a vulnerability management team and they will run vulnerability scans uh reoccurring you know anywhere from once a week twice a week twice a month

or once a month and look for vulnerabilities so those can get into the patching schedule make sure the patches are working make sure the configurations are secure and the next step is vulnerability assessment so this is doing vulnerability scans plus vulnerability validation and on top of the validation you're also running port scanners like nmap to look for open ports uh looking for different services maybe the vulnerability scanner missed because vulnerability scanners do find false positives and they do miss things so you want to make sure that they're that you're finding everything that's vulnerable so you validate those vulnerabilities during the step and then you find look for other vulnerabilities using different tools so this next step is the

actual pen test this is like a vulnerability assessment plus the exploitation also known as hacking and then you get to the red team in adversarial testing red teaming is generically lumped in with all offensive security types of skills including pen testing uh vulnerability assessments which is really not truly red teaming is emulating an adversarial uh attacker you're trying to gain access to the system trying to go undetected part of this is also to test your blue team you're also testing the the people processes and procedures making sure that there's something in place if they're being attacked are you able to block that are you detecting it so that's a a very important place there a very

important type of test that has been overlooked because due to compliance testing things have gotten more focused on pci compliance just focusing on you know protecting the card holder data but not the whole environment so some things get overlooked there and this is where red teaming comes in formally you heard you may hear the term here referred to as like an open scope pen test and so this is really important area and it's becoming more popular kind of like pen tests where 12 years ago pen testers there really weren't that many pen test teams but now people are starting to add the red teams and do the red teaming into their offensive security program and their specializations we kind of

covered some of the different types of targets but you can also specialize in these areas a generalist you're going to be doing network wi-fi some light web app your application pin testers you're going to do web app mobile cloud api thick client to client your executables like your office running on your your system or other applications before web apps got popular there are a lot of thick client apps but there still are and those need to be tested to make sure that they're secure uh social engineering and physical security assessments these kind of fall under one one category so usually people do physical and social engineering but there are people that specialize some people are

you know are too shy to do the physical so that's maybe difficult for them but that's a very important area transportation and then red team these are other areas of specialization and red team a lot this is a good area for someone in general that's a general pen tester to expand into and these the physical uh assessments and social engineering are used a lot in red teaming so there's a lot of crossover red teaming wise some light web application uh is helpful there too but it's not like one of the main skills network is a big one understanding active directory be able to most uh enterprise environments are running active directory and how to become a pentester this is

probably one of the most uh interesting or most uh topics of interest through this whole talk is how to become a pen tester and so you know before i became an instructor teaching pen testing i mentored a lot of people and i would share my path with how i got into pen testing as well as tips on how to prepare for the oscp and just different tips in general to become a pen tester so first thing first off you need the technology knowledge you need to be able to understand the knowledge before the knowledge before you can break into it understand the technology before you break into it uh you need to understand how to

build secure before you can break so understanding is going to make you a lot better pen tester if you get a command line to a windows or linux box you need to understand that operating system or you're going to be doing a lot of googling to try to navigate and see what to do so under having this base knowledge is going to help you to be more successful and more efficient as a pen tester so you need to understand networking operating systems especially windows and linux and know them from a sysadmin level so you're able to do networking uh manipulate the firewall from the command line sometimes you get access to a system if you can turn off the firewall then

you can do more things understanding security if you understand how windows and linux security works then you're going to understand how to breach those securities application hardware also helpful areas to to learn and hacking knowledge once you have that technology technology base and your security base then you learn how to hack this was where i was at when i was becoming a pen tester i had worked in as a sys admin i did network security and worked in application security but i didn't know how to hack and as a pen tester you know that's where kind of the the term came ethical hacker you have to know how to hack so i enrolled in the oscp course worked on

that for about a year got my oscp and it was like one of the best courses that i've taken i was able to learn a lot and at the time it was more about the labs in the in the mission going through hacking all the systems you know that was the real value although they've recently updated the content that course and it's there's a lot more educational content back when i went through it you had to do a lot of research not everything was really there and now the course is expanded to cover active directory so that's a really good place so classes as i mentioned like the oscp conferences meetings and meetups getting out there connecting with the community

you're going to find some good resources mentors and people just to share information with you self-study so build your home lab watch videos there's a lot of good informational stuff on youtube a lot of tutorials on there there's a lot of good blog posts and articles on the topic and twitter infosec twitter is a great place for resources and you can find some really good people to follow in the hacker mindset so becoming a pentester you need that hacker mindset so this is kind of similar to troubleshooting you know how you install a server and or operating system of any sort or install application and when everything goes smooth that's fine but then when it

breaks it's hard to figure out how to fix it you've got to learn how to troubleshoot it to get it to work so pen testing is the same way you know you try some attack it doesn't work and then you learn how to chain the attacks together you know that attack that didn't work you have to figure out how to make it work what need what do you need to do different maybe you try a different exploit so learning how to switch exploits learning how to chain the exploits together so if you get like a uh default credentials to like a tomcat java server and you're able to upload a malicious file what can you do next if you get access

you're able to execute that shell so you have to know okay what level user am i running at if you're running as root nt system authority or administrator then you can do anything you want to but if you're just like a lower level service account the way it should be configured then you gotta learn how to elevate privileges so chaining all that stuff together and just practicing that helps develop that mindset and the hacker mindset is is a combination of creative and analytical thinking there's several areas in security most of them require some kind of creativity but this is one of the top ones as far as creativity just be able to put things together the people that are coming up

with the zero days you know this wasn't created before they're able to to exploit these things and this is built off the knowledge they know about the target so the best way to develop this mindset is uh through hands-on hands-on experience you know bug bounties your home lab ctfs and just repetition the more you do it then some of the easy exploits you're able to pull off easier and you have that base built up so once you get to the more advanced attacks then you're able to get through the easy stuff and then spend more time on the advanced stuff so the pentester blueprint formula this is this formula consists of the technology knowledge plus security knowledge

in the hacker mindset so you put these together then this is what what is needed to become a pen tester so where do i start so you need to develop a client plan and so we want to do is do a gap analysis you look at the skills that you have and you look at the skills you need so then you know what to focus on so it all depends on what your experience is to what you need if you have if you're an i.t then you may have some of these basics no it experience you're just starting then make sure to take time to learn the basics like a lot of things pen testing is a

marathon not a sprint so you really want to make sure you spend your time learning the basics if you if you go through things quickly and this is one of my big mistakes that i i do a lot is i get so anxious to learn it and get down to the end the good part and i really skip some of the stuff and then when i have to go back and do this again that i've got to learn it over so take your time to learn it understand networking and operating systems if you're wanting to you know if you're learning pen testing then you can study more than one topic at a time you think about

the way universities and colleges operate you're usually not taking just one class you could be taking a microsoft server class and you're taking like a sql database class so you're working on multiple topics so as you're learning this it doesn't mean you have to wait to do the hacking piece until you learn the basics you can kind of learn windows networking and windows operating systems at the same time going along with the security piece of that learning content looking at how those can be exploited you know some of the security content is only going to tell you how to secure find out what happens if it's not secure how those different uh types of uh components can be exploited

if it's not secured properly and then for everyone no matter where you're at no matter what level build a lab i still have a home lab myself home labs are good even for experienced pen testers to test proof of concept code if you have an exploit you want to try it's better to test in your home lab because sometimes exploits once you run them and if it's not successful it requires rebooting the system so you want to make sure you have it down and figured out before you perform that attack and so setting up your home lab i've got three three main categories here and this can be as granular as different as you want but my favorite is

the minimalist lab and my favorite is the my reason it's my favorite is because it's portable you know you can put this on a laptop you can take it with you on vacation if you're traveling for work if you just want to get out out of your home and go somewhere else and study because sometimes if you're in one location for a long time you get kind of burnt out so sometimes it's nice to go out somewhere to a coffee shop and once cobid's over then we'll do that a little more freely but just having the portability is nice because one of the things i've started doing in my home to be able to focus i've got a dedicated area for

study and work and then sometimes i need to get away from that work area so i go to my living room and get on my couch and recline and and work on it there so that be able the portability is good so the next step is your dedicated lab so this is a computer that you just have your targets running on different vulnerable vms and so uh you set that up and you can take your your attack laptop or desktop whatever you're using is your attack system and attack those so you're going across the wires so it's more emulating you know network connectivity and then you have advanced labs you can have individual components you can have

servers, individual computers, routers and switches. You can even do this with Raspberry Pis, small form factor devices like that. You can install Linux on them; I think even Raspberry Pis are supporting Windows now. So you can set up individual systems, and you can take one of the Raspberry Pis and build a firewall with it, set up routers and switches. So you can get as complex as you want to. It's a good way to learn, but also, if you really need to learn the pentesting skills and hacking skills, then you may want to stay more simplistic, because the more advanced your lab is, if something breaks then you're spending more time

troubleshooting. So you need an attack platform. You've got your system set up to attack, so you've got to have your toolset: what are you going to use to hack with? Kali Linux and Parrot OS are two really great options. Prior to this year I really hadn't used Parrot OS much, but I'm becoming a big Parrot OS fan. Ubuntu with The PenTesters Framework: The PenTesters Framework is a utility, a Python script, that you can run that installs all the hacking tools like you would see on Kali Linux and Parrot OS. This gives you a little more control over what you install, and especially if you like Ubuntu, that's

a good option. Windows 10 with Commando VM: Commando VM is a script by FireEye, similar to The PenTesters Framework, that automates the installation of all your hacking tools. Windows is great too, because there's a lot of system administrator tools that are valuable for hacking Active Directory and other Windows technologies. So it's good not to depend on one, and to have Windows in your toolset as well. And home lab targets: for your home lab you have to have targets. VulnHub is a good place to find vulnerable VMs. Metasploitable 2 and Metasploitable 3 are really good ones to start out with. They have a lot of vulnerabilities in

there, and I would say either one of these has as many vulnerabilities as probably two or three other vulnerable VMs, and so this takes up less disk space, less resources. So that's a good option; that's where I would start out. There's a lot of good walkthroughs, so you can go through those walkthroughs if you can't figure things out, and the nice thing about walkthroughs is everyone does things a little bit differently, so you may get some different opinions on how to do things, building up that hacking knowledge. Metasploitable was created by Rapid7, the creators of Metasploit, so it's a way for people to learn how to use Metasploit as well. You don't have to just limit it

to Metasploit, but that's why it was created. OWASP WebGoat, along with Juice Shop and some other vulnerable apps, are really good targets to use. And then create your own VM targets with vulnerable software from Exploit-DB. If you're not familiar with Exploit-DB, Exploit-DB is a repository of exploits, different tools and scripts you can use to hack with, and on there they usually have links to the vulnerable software version, so you can download that version to use to test exploits or build out some vulnerable VMs in your lab. Another thing you can do too is find some study partners and build VMs, so you can create

VMs for each other to attack. Recommended reading: here's some good books to get started with. The one I recommend to start with first is Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman. This is a really good book. It goes through not only teaching you hacking skills as a pentester, it also guides you through building your own home lab, so you've got your own lab set up. One of the advantages of a home lab is if something happens and you lose internet connectivity, then you can still work away on your home lab. The book I recommend second after that is The Hacker Playbook, versions two and three. Don't skip to

version three; it's not just an updated version. Version three goes into red teaming, so start with version two and then move to the third edition. That way you get those skills. This is a really good book and guide for someone pentesting; I mean, you could use this as a guide as a professional pentester. And The Web Application Hacker's Handbook: this is created by the creators of Burp Suite, so this is one of the best books on web app testing. It's several years old now, not up to date, but it's still a great book. A lot of consulting companies with their internships will have

this as required reading. I know NetSPI, out of the Minneapolis-St. Paul, Minnesota area, this is one of the books they give people when they're starting to learn web app pentesting. The Operator Handbook, this yellow-cover book. The Red Team Field Manual used to be my go-to book for quick syntax on different hacking tools and Windows, Linux and PowerShell commands, but The Operator Handbook recently came out, the spring of this year. It's available as an ebook, which I like; the Red Team Field Manual is not an ebook. It's also printed, so I actually have the printed copy as well as the ebook, because I like the portability of ebooks. It's got a lot of different syntax, so

this is helpful for offensive security, OSINT and blue team. So there's a lot of good information; they cover information on Docker and some different cloud technologies, so this is a really good reference that I highly recommend. Learning resources: you can kind of see where there's a little space here in the middle, and this is separating the top piece, which is paid resources, from the bottom piece, which is free resources. SANS Institute is some of the best training that you can get out there. They really do a good job of keeping things up to date, which is very important when it comes to learning content. Sometimes learning content can be behind,

and companies really try to keep it updated, but sometimes it's not that quick. I'd have to say SANS is probably one of the best about keeping their materials up to date. It's expensive training though: $3,800 for a two- or three-day course, then $7,200 for six-day courses. They're really good. I've gotten to attend three different SANS courses so far and they've been really helpful. eLearnSecurity and Offensive Security are really great learning resources. These are a lot less expensive; you're looking at around the $1,000 to $1,200 range for training. The Offensive Security certifications, as well as the SANS ones, are really sought-after certifications

by hiring companies, so those are great to have. Virtual Hacking Labs is good prep for the OSCP. Pentester Academy has a wide range of learning resources as well as labs, and it's very newbie friendly, so if someone is new to pentesting, you can learn a lot there, and if you're an experienced pentester then there's other areas where you can learn more. They've got some different things on hardware hacking and Active Directory, they have some web app pentesting courses, and their labs, there's like 1,700 to 1,800 online labs, and they're expanding that. PentesterLab is another one. This focuses on web app pentesting, and it goes beyond just being able to do

a cross-site scripting pop-up to check for the vulnerability. If there's a way to get a shell, they show you in this course, so that's what I like, because it goes beyond just being able to identify vulnerabilities; they show how to truly exploit those vulnerabilities. Practical Pentest Labs: this is the least expensive on this list. It's $64 for lifetime access. You have VPN access to some vulnerable systems. They have a short course on there on pentesting and ethical hacking, and then you get to test out that knowledge in the labs. And then we get to our free resources here. Bugcrowd University and HackerOne have great resources. Bugcrowd has Bugcrowd University, HackerOne

has Hacker101. They all have videos and learning content, but Hacker101 has an online CTF that you can actually practice on and get experience, and they're trying to build up researchers, people to gain web app pentesting skills, to join their bug bounty programs. The SANS Pen Testing blog, this is another great resource from SANS. There are different cheat sheets and posters, and tutorials on different tools and techniques. Then hackingtutorials.org is from the creators of Virtual Hacking Labs. There's a lot of different tutorials on vulnerability scanners, Nmap and Metasploit; a really great free resource. And then OWASP has links to different vulnerable applications, the OWASP Testing Guide, plus OWASP ZAP, which is a free web

application vulnerability assessment tool. And then you've got Hack The Box and TryHackMe, which are some vulnerable VMs that you can test your skills against. These are really good areas to spend time. OverTheWire CTF and UnderTheWire CTF: OverTheWire CTF is Unix focused, and UnderTheWire is Windows and PowerShell focused, so you can get into these two and really learn Windows and Linux security as well as how to exploit those systems. So those are really good places there to learn. And to find these learning resources, if you go to my site, thehackermaker.com/learning-resources, you can get this list of resources. Certifications: everyone's asking about

certifications. One thing I'd like to say before we get into discussing the certifications is, no matter what certification you go after, learn the topic, learn that subject, that content, thoroughly, because if you're wanting to be a pentester you're going to need those skills. Also, going through the certification process, the CEH and PenTest+, these are question-and-answer based. Using an exam cram type or some type of testing software, practice tests, that's going to help you, but what's going to help you more is to understand, because if you get into the exam and you find a question that you didn't have on the practice test,

if you understand the topic, you're going to be able to figure that out. So make sure you learn the topic. Take your time, because you're going to use this later on as a pentester. Your intermediate and advanced certs, these are the ones that are going to help you get pentest jobs. CEH is widely recognized; it's an HR-recognized cert as well as a DoD one, it's on the DoD list of certifications. If you're going to do business with the government, or if you work for the government, they like to have that certification. But for just real-world pentesting, they're going to ask for the GPEN, the OSCP, the GWAPT,

the advanced certs, the GXPN or the OSCE. The SANS ones are question-and-answer type exams, although they're not easy. It's open book, but don't let that fool you: you're going to have to understand the content. Create an index to get to things you don't understand quickly, because you're not going to be able to spend time looking through those books if you don't know the topic. So back to that subject of knowing the content. And then your Offensive Security certifications are going to be hands-on, so you have to actually go and perform a pentest, and not just perform pentests, actually hack into enough systems to get 75 points for

the OSCP. The GXPN and OSCE, these are more exploit development and advanced pentesting, but these are really good ones to get. The OSCE is getting ready to go through a reboot, so if that's on your list you'll want to sign up for that now, because they're getting ready to redo the course. They're actually improving upon that certification; their advanced web app pentesting cert and course is going to be one of the requirements for that, so there's several certs you'll have to have, and courses to go through, to do this. So it's going to be a really valuable cert whenever they update it, which is coming soon.

Job tips. So you're looking for a job as a pentester, and this is important information, a lot of it for any type of role. Professional networking: go to your different meetup groups and conferences, get involved in your local community and virtual communities, network with people on LinkedIn. Also, on LinkedIn, make sure to update it. It's your online resume. Put all your skills on there, populate it just like you would your resume, and this is going to get the recruiters and hiring managers to you, so make sure that you've got that populated. And also use LinkedIn professionally; don't use it like Facebook. Sometimes people get on

there and treat it like Facebook, and maybe the hiring manager doesn't agree with your thoughts or your way of thinking, so make sure you keep it professional and keep the other topics to other social media. Keep it professional; this is like you're trying to convince employers to hire you, or people to offer you different opportunities, so being professional goes a long way. Then interview tips: make sure to prepare for your interviews. Look at the job description and then look at your resume and your skills, and look at how you're qualified for that. So make sure to study

those topics, and be prepared to answer questions. It could be something you haven't worked on in a while, maybe something you hadn't dealt with, but go in and study up on it before that interview. Make sure that your resume is accurate and don't exaggerate, because the interviewer is going to look at your resume; that's their guide to the interview. They're going to look for questions from your resume, so make sure that you have things that you do on there, and make sure not to put things on there you don't know, because if you put Burp Suite on there, be prepared to answer questions on Burp Suite. Know the OWASP Top Ten, even if you're not

going for a web app pentesting job. These are the vulnerabilities that you always get asked questions on. Understand the different types of cross-site scripting, understand the OWASP Top Ten in general, but also understand the remediation, understand what you're seeing there. Don't just memorize; be able to explain the basics like the three-way TCP handshake and the OSI model. A lot of times you'll get asked questions on this. Sometimes the more senior management, they haven't worked in these areas for a while, but they remember the basics; they're more familiar with that. So maybe one of the hiring managers hasn't worked in pentesting, so they're going to ask you questions based on

their expertise and what they think you should know. So this is my contact information. Before I became an instructor and started giving this talk, I did a lot of mentoring and helping people out, so feel free to contact me here. And so if we have any questions, I am ready to take those.

Awesome, it was a great presentation. Thank you for providing that, and I liked how you spoke very slowly as you went through your presentation; it was easy to digest everything. One of the questions that everyone is asking is if they are able to get a hold of your slides.

Yes.

Okay, great, awesome. Okay, so the first question here I have

from Jim Kaye. It says: do you have experience or advice in getting an organization with vuln management and limited red teaming, and a separate blue team SOC, to move to a purple team setup, i.e. integrating pentesting with a SOC? Well, ideally purple teaming is more of an exercise. It's something you do periodically. So this is typically, like, the company I recently left, we did a purple team exercise, and what we did is we got together. It wasn't so much just the SOC, but we had our incident response people on, because sometimes they know how to detect things and they're able to work with the people that do the monitoring, and

they're able to work with them. So this is kind of an exercise; purple teaming is an exercise you do periodically, and this could be as frequent as you want. Purple teaming is a really good way to bring up that security gap, so that's something to recommend. I haven't really seen dedicated purple teams. They could exist, but it's just a combination of the two things; it's just kind of an exercise of getting together. So that's one of the things I'd recommend, and one way to recommend it is, based on your vulnerability management program and the maturity of your pentesting

program, I'm pretty sure there's going to be some security gaps there, and doing these purple team exercises is going to help bring up those gaps. Because, are you able to execute PowerShell or Mimikatz, the PowerShell version of Mimikatz, on a system? Can you do that? You want to make sure that you're not able to execute certain scripts and do certain things. So that's a quick way to bring that up. But yeah, that's one thing I would recommend. Jorge Orchilles has a lot of good information on purple teaming, so check out any of his stuff. He has a lot of good information on red

teaming, but the purple teaming thing has become really popular. He works for SCYTHE now, and SCYTHE has some command and control and adversary automation tools that work for purple teaming, so check out his content. I would venture to guess you're probably going to find a lot of good tips on how to pitch that to your management and let them see those topics. I mean, a good thing too is to get management, if they're not familiar with it, familiar with the MITRE ATT&CK framework, because this really shows the need for offensive security and purple teaming, and also it's a good script to test during your purple team engagements, looking at the different

TTPs and how to perform those.