Getting Started as a Penetration Tester in NZ (2021 Edition)

Welcome to the latest installment of Getting Started as a Penetration Tester in NZ! An annual look at what is takes to get into this exciting industry sector. This year includes a new section on written skills, and a refresh of all resources referenced.

The cyber security domain has also grown massively as you can see from the mind map below (credit: Henry Jiang). I'm going to be focusing on roles predominately in the red (risk assessment) and blue (career development) branches of this map.

If you are interesting in domains other than penetration testing, check out the Awesome-InfosecNZ resources which cover DFIR, blue teaming and a bunch of other areas.

Maybe you want a job at Google as a security engineer? Well Grace has you sorted with her handy study guide.

To get into the industry it doesn't matter if you don't have a degree, your lack of tertiary education should not be a barrier to entry. A lot of companies are now committed to a 'no qualifications required' hiring model. At ZX we look for people that have passion and some practical experience actually hacking something, not just a bunch of theoretical knowledge.

Listed below are a number of ways to safely skill yourself up without breaking the law.

(Virtually) attend all the things

With the majority of in-person conferences now going virtual, and our inability to travel, seek out virtual conferences, pull up your chair and tune in. We have seen some really innovative approaches to running these events, and they are proving to be a good substitute.

1. ISIG - A monthly InfoSec meetup held in Wellington, Auckland and Christchurch and now Hamilton. You can subscribe to the mailing list (fairly low volume) to find out when the next meeting is by sending an email to the following addresses: [email protected] and [email protected] or via Meetup for Christchurch folk.
2. Social Media - Twitter is the main network where the InfoSec community hangs out, there are also a bunch of Slack and IRC channels around.
3. InfoSecNZ Slack Channel - @binarymist , @noodlesnz and @RhyvenNZ run the InfosecNZ Slack channel, if you are interested in joining the growing community, details on signing up can be found here
4. Summer Of Tech is an awesome resource for students and employers alike. They run a number of events throughout the year, with the ZX team presenting intros to cyber security and bug bounty workshops at various locations.
5. The New Zealand Network for Women in Security (NZNWS) community includes all domains of security, including cyber security, physical security, information security, business continuity management, data protection & privacy, fraud investigation, among many others.
6. Local Hacker Cons - The number of cons in NZ (and Aussie) has decreased significantly since Covid-19, there are still a couple of options though:

• CHCon is happening in NZ this year on the 5-6th of November in Christchurch.
• Kawaiicon is back on again this year, we are holding it at the Michael Fowler Centre in Wellington on November 11-12th 2021.
• OWASP NZ has been re-branded AppSec NZ and has already run for 2021, keep an eye on their website for 2022 dates.
• Witcon (Women in Tech) is a group that focuses on improving the support, representation, and opportunities for women, non-binary people, and other minority groups in any science or tech field.

Read/Listen to all the things

• Risky Business Podcast - Great weekly podcast hosted by Patrick Gray staring @Metlstorm. Helps to keep you up to date with the latest in InfoSec news.
• Darknet diaries - Jack Rhysider interviews various cyber criminals and tells their side of famous intrusions. The production value on this podcast is great, the storytelling excellent and the people he interviews really interesting.
• Reddit security sub-reddit - The latest in security research, write-ups from bug bounties and new tools.?
• Read CTF write ups and bug bounty reports. You’ll learn about what to look for, how to attack it, and how to write about it.
• A huge list of hacking resources

Watch all the things

There are a whole bunch of great content creators on YouTube, some of the ones recommended to me are:

• John Hammond
• IppSec
• Live Overflow
• CryptoCat

Hone your skills

A good place to start learning about web application hacking is using a virtual lab. For this you will need the following:

1. Virtualisation software (VMWare and VirtualBox are both good options). Windows Subsystem for Linux (WSL) also lets you run things like Kali in Windows without VMs. With the advent of WSL2 and support for additional system calls and networking functionality, it has become a lot more usable.
2. An intercepting proxy - Burp Proxy (the free edition is fine, and is the industry standard), some people also use OWASP ZAP .
3. The PortSwigger Academy has great training for Burp Proxy users. Its labs on business logic issues can be really helpful in developing your hacker mindset.
4. A web browser like Chrome with some security-specific plugins (Web Developer and a Proxy Switcher). The browser will be configured to forward traffic to the intercepting the proxy so that you can manipulate requests.
5. A virtual machine image (lab). The best lab for getting to grips with web hacking is the Pentesterlab Exercises. Once you have accessed the lab directly, or downloaded the ISO file and booted it up in your virtualisation software, connect to the web interface and start hacking. The course notes should help you along if you get stuck.
6. Alternatively the Damn Vulnerable Web App provides a similar environment for developing your web app skills.

If you want to hone your Metasploit skills (which is an important tool to get to grips with), check out metasploitable.

Once you have mastered Pentester Labs its time to shift it up a gear. Hack the box has a great selection of virtual machines that can really level you up. While these could be classified as a CTF as well (see below), they teach some great fundamental knowledge.?They also have a new Hack the box Academy

If you want to hone your network testing skills, check out Mininet, its allows you to create an instant virtual network. GNS3 is also popular network emulation software. A finally if you want to get good at Crypto, check out CryptoHack

Written Skills

A big part of being a penetration tester is being able to write well. Our clients pay for a report which documents the issues you have identified. If you can't articulate your findings, the message may fall flat or be lost.

Reports will often contain two styles of writing

• Technical content which outlines the issues you have identified in as much detail as possible, this is intended to assist the operational teams when they review and remediate issues identified.
• Business content which is aimed at the executive team, this should describe at a high-level what you have identified, without any technical jargon. The impact of any potential vulnerabilities should be clearly explained.

The following Github page provides a list of penetration testing reports collected from various places. They provide a good overview of how to structure a report, and the amount of detail expected.

While practicing your written skills can be difficult, the following ideas may be of some use:

• Read lots of books or all shapes and sizes - not just technical books - through osmosis you will start to learn sentence structure, additional vocabulary and flow.
• Participate in bug bounties and write up any findings you identify. Being able to clearly articulate your findings may mean the difference between a medium and a high-risk rating (and appropriate bounty) being assigned.
• Write blog posts and LinkedIn articles about your journey into penetration testing or areas you are researching.
• Make extensive use of Grammarly and in-built spell checkers to review your work.

Wargames / Capture the Flag?

Once you have mastered the Pentester labs and Hack the Box, move onto some Capture the Flag exercises, good ones include:?

• Over the Wire
• Smash the Stack

Then if you want to really challenge yourself:

• Plaid CTF
• Google CTF

Bug Bounties

One of the best ways to hone your skills legally is by participating in bug bounty programs. This is a good next step after completing the pentesterlab.com exercises. Start off with the free-tier/charity engagements, usually there are less people on these and therefore more bugs. After you build a reputation you may get invited to the closed/invite-only programs, again less people and potentially easier bugs.

The following platforms are the most popular (and well reputed):

• HackerOne (pronounced like macaroni)
• Bug Crowd

The Bug Hunters Methodology also provides some great insight into findings bugs in bounty programs. Ol' mate Shubs has a great write-up on how he cut his teeth bounty hunting back in the day. His more recent musings are captured on the AssetNote blog

If you find bugs, write a blog post about it (assuming its OK with the company you found the issue in). This will help your writing skills while showing your peers (or prospective employer) that you have a passion and competence in the area.?

If the bug you find is inadvertently in a corporate website or application outside of a bounty program, please consider responsibly disclosing it to the company in question. CERT NZ have a great process which covers this

Qualifications

There are a huge number of certifications now available in the penetration testing space as you can see from the image below available at Paul Jerimy's website (red section).

The first qualification you should aim for is the Offensive Security Certified Professional (OSCP), or its CREST equivalent. The OSCP was updated in 2020, which was long overdue and makes the certification more relevant than ever.

It will probably take between three and 12 months to complete the labs depending on prior knowledge, ensure you have a good grounding in Linux before starting. If you can obtain an OSCP before you start you first job the people hiring you will be seriously impressed.

The OSCP preparation guide (updated for 2021) from @johnjhacking might also come in handy. The OSCP is hard, @evildaemond has some useful advice.

Books

Compulsory reading for any budding hacker should be The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.

Keep an eye out for Humble Bundle deals, sometimes you can pick up a whole bunch of great books for a really reasonable price.

Anything from No Starch Press is generally excellent, here are some of my favorites:

• Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks
• The Tangled Web: A Guide to Securing Modern Web Applications
• Black Hat Python (2nd edition): Python Programming for Hackers and Pentesters

Standing Out

The following advice is from ZX's GM Ian White who was a cyber security recruiter in a previous life.

So you've read the how to, now you want to stand out. All this hard work is about?landing your dream role. You will need to grab the hiring managers attention in two key areas:?

• Professional ability
• Passion

Let's tackle each on separately:

Professional Ability

You need to be able to showcase your current ability. The best way to do this is with tangible results that a hiring manager can see. What would this look like on your resume for someone wanting to get into the industry??

• HacktheBox: Got user and root on 10 boxes
• Pentester Labs: Completed the boot camp, achieved a number of badges
• Certificates: 3 months into studying for an OSCP

The above gives a hiring manager a snapshot of your current ability. Again, this is just an example.?Even working towards one of these tasks would be great.

Passion

A hiring manager will always favor someone who has passion towards their work. Again, this can be showcased within?a resume.?

• List the security related blogs and podcasts you follow:?
• Talk about the various meet-ups related to security / cloud / development you are attending
• Mention that side project you are working on, bonus points for blog posts documenting it
• List the books on cyber security you have read recently

Some additional tips

• Create an account on LinkedIn and be active
• Follow the companies you want to work for
• Follow the people you look up to (and interact with their posts)
• Post on LinkedIn interesting articles you have read, do the same with Twitter

Mental Health

@sentreh provided the following advice which i think is pretty accurate

Remember to eat healthy and get a good night sleep. Nothing else matters much

Make sure you look after yourself, get outside and breath some fresh air, absorb some sunlight and don't spend every waking hour in front of your computer.

Some sage advice from @_tonijames

• Schedule your study time and don’t deviate.
• Determine what you have capacity for and for how long. If you have family commitments, plan around them, don’t take time away from the important things in your life.
• If you can do 2 hours a night, schedule it. If you can only do 2 hours a week, schedule it. If you have 40 hours a week for the next 3 months, awesome, schedule it, stick to it, and don’t burn yourself out.

A wise friend once told me "there is no magic in what we do", it's just hard work and cultivation of the hacker mindset. So get out there and start hacking!