Professional pentesting is not all cops-and-robbers fun, of course. Pentesters have to stay abreast of the latest vulnerabilities and know what weaknesses are likely to exist at a given facility so they know what to target. There are endless hours of research, often laborious social engineering, and weeks of preparation before actually attempting to penetrate a client site. The attack could be as complex as deploying wireless pentesting assets via FedEx, or as simple as sprinkling thumb drives in the parking lot. But when it comes, a pentest often reveals just how little return companies are getting on their security investment.
As a consultant for a security firm, Eric Escobar gets to challenge companies on a daily basis. He's also a regular on the con circuit, participating in challenges like Wireless CTF at DEFCON until he won too many times. Now he helps design and execute the challenges, helping to share his knowledge with other aspiring pentesters. And he'll stop by the Hack Chat to do the same with us, and tell us all about the business of keeping other businesses in business.
Eric12:42 PM @guido.giunchi we're all pretty fluid. an individual will have a specific test but we all help one another if there's something an individual is specialized in
Eric12:42 PM @Phabeon I can write some bash/python but just enough to be dangerous lol
Rhythm Chopra12:43 PM Eric, I am totally fascinated by penetration testing, be it software or hardware, and wanna get started with the domain. Is there a kind of todo list or something for getting started?
Eric12:43 PM I'd check out the OSCP certification. It's tough but really well rounded
Rhythm Chopra12:44 PM I have pretty good experience in programming with C++ & Python. But it doesn't seem of much help as of now
Eric12:44 PM it will when you're trying to fix an exploit, automate something, or do something at a large scale
bprofitt12:45 PM @Eric how do you avoid burnout with the massive amount of info that you have to keep digesting/trying out/etc
Eric12:46 PM @bprofitt working on an interesting project or deep diving into some research thing, or building tools, or just taking time off
Rhythm Chopra12:47 PM So, regarding OSCP certifications, how much better or preferred is a certification as compared to some hands-on experience? Shouldn't hands-on be more helpful than theoretical knowledge in this kind of domain?
Eric12:47 PM I'm going to punt and say both are important. However, I'd also add people skills in there too
Rhythm Chopra12:49 PM Well, yeah. Social engineering is for sure the biggest upper hand. Coz humans are more vulnerable and exploitable than machines :P
Eric12:50 PM I think the main goal of understanding something should be the ability to explain it to a standard human. I use my mom as an example. If I can explain an exploit, vulnerability or something to her, I know I'm golden.
Dhruv Mehta12:52 PM Thanks, Eric for the awesome answer
matt12:53 PM It seems like you have to meet a minimum technical threshold. But at a point, additional technical chops hit the wall of diminishing returns and a pentester might be better served by focusing on their ability to interact with a wider body of less technical folks. Is that way off base, Eric?
Phabeon12:53 PM Eric, have you ever been hacked? If so, lesson learned?
bwa haha, If not is it because you are zero network connection dwelling?
Eric12:53 PM @bprofitt gosh, Samy Kamkar and justinsteven are great
Eric12:54 PM @Phabeon not that I know of. Just watch phishing emails LOL
Eric12:54 PM @matt thanks for the softball. you couldn't have said that any better
guido.giunchi12:03 PM How did you get in that field from Civil engineering?
I was just going to ask about that. How did you make the leap to security?
Eric12:04 PM sooo in college I didn't have wifi in my dorm so I bought a yagi antenna to pull wifi from the library ~300 yds away.
Eric12:05 PM That planted the seed, and I dabbled in breaking WEP and WPA2 networks
Ioannis Valasakis12:05 PM OK, now it starts getting interesting :) Are you a radio amateur as well? If not, are you using/experimenting with RF techniques on networks and devices?
Eric12:06 PM I was at home on summer break and at my roommate's parents' house; turns out his father was a director of security at a tech company and asked if I wanted to join the security team he was creating
Eric12:06 PM annnnnd yes I got my ham license in college!
Eric12:09 PM also knowing what a typical corporate environment looks like and how outdated hosts are everywhere
Eric12:09 PM @dcox there was one time we tested a theme park which was pretty awesome
Eric12:10 PM @dcox more than once we've been able to compromise an entire organization without stepping foot in their office
airforcetxn12:10 PM What does your 'kit' look like? I've found some hak5 stuff to be great in theory but a bit unreliable at times.
ChangeFlutter12:10 PM what changes in our approach do you expect with the new WiFi standard?
Eric12:11 PM @airforcetxn a handful of Raspberry Pis, a hotspot, a laptop, and a bunch of Panda PAU09s
Gabriel D'Espindula12:12 PM Eric, when you get an assignment, do you use more known exploits and look for unpatched services, or really spend time understanding the client's system and trying to break in? If so, how do you know when it is time to stop and start the reports?
Dana12:12 PM Do you have a most notable wireless find from a pentest? (funny/ridiculous/unique/awesome)
Eric12:12 PM @ChangeFlutter I expect we'll see that capturing 4-way handshakes will stop with WPA3