Dragos Ionica is one of the 290+ Core pentesters worldwide who has contributed to the over 4000 Cobalt pentests. We had a chance to sit down with him to learn more about his pentester journey and what he enjoys about being a part of Cobalt’s pentest community.
His professional experience stems from both development and offensive security, and in this spotlight he shares insights from his diverse educational background including academia, certificates, and self-learning. Let’s dive in:
Pentester Origin Story: How did you first get involved in pentesting?
DI: I started as a web developer during the first year of my undergraduate studies in Computer Science, and after creating some nice local websites that received a good amount of traffic, I got hacked. Although I was upset about that, I started to dig into how the attackers were able to do that. What started as curiosity soon became more organized, and I began to implement a testing methodology after the development phase. I started out with some small, easy testing, but passion and motivation quickly increased as I began to understand the complexity and technologies behind the applications I was developing.
So after three years into development, I switched sides and started to learn more about security and network architectures. I also got several certifications that helped with my continuous learning process. For exploit development, I would recommend GXPN, because it requires C/Python programming knowledge and improves debugging skills. For web developers, I would suggest OSWE (PHP, NodeJS, Java, or .NET) because it requires source code review skills and really improves the offensive mindset.
In 2013, I started my master’s degree in eGovernment, which involved a range of study areas, from the digitalization of government institutions and government processes to eHealth systems and financial and critical systems. These opened up my appetite to explore and discover vulnerabilities in critical infrastructures. After finishing my degree, I started to spend a lot of time conducting vulnerability research. This would lead me to pursue a Ph.D. in Cybersecurity at Politehnica University of Bucharest.
During my studies, I have been supported by both teachers and colleagues. With their encouragement I started to research and develop various cyber ranges and attacking scenarios for red team exercises, which involved a lot of research on corporate networks, looking at the most common vulnerabilities, and misconfigurations in those types of networks in order to create a proper playground for both blue and red team engagement.
What projects are you currently working on?
DI: Currently, I’m finishing my Ph.D. thesis on “Architecture and Features in Next Generation Cyber Range,” and will present my research at the end of July. I’m also involved in some pentest assessments and red team engagements.
Also, two months ago, I passed some red team certifications (CPTX and CRTE), and I started to develop red team scenarios for learning purposes. These involve private environments where clients can have access via VPN that allows them to practice some learnings and play some exercises based on real-life scenarios (such as enterprise attacks, phishing, malware analysis). I’ve also been working on creating an environment for purple team exercises.
What do you find the most rewarding about the community?
DI: I started pentesting for Cobalt in May 2019 and later that year became a Lead Pentester. If I could use one word to describe the Cobalt Community, it would be: lovely! With every engagement, I am able to meet new security professionals who have great mindsets and skills. Cobalt encourages collaboration and continuous learning; since I started being part of this wonderful community, I have improved my communication and collaboration skills. And my skills and knowledge only continue to grow, as well as my time management.
What motivates you when it comes to pentesting?
DI: I think the offensive mindset can only be fed with challenges that involve new exploitation techniques, new technologies, and topics. For me, an important aspect is that I enjoy what I’m doing and I can honestly say that I’m having a lot of fun working in this field. Even from the outside, people may say that it’s quite hard to work 12-14 hours per day focusing on breaking things but it’s my passion and I love it!
What makes a good pentest engagement?
DI: I think that the main elements of a successful engagement are communication and good scope coverage. For a successful engagement, the most important aspect is the ability to share ideas, test cases, and testing results with the teammates and the customer. A great engagement requires close communication between pentesters and the customer; this allows pentesters to focus their efforts on what truly matters for the customer.
What kind of targets excite you the most? And do you have a favorite vulnerability type?
DI: I really enjoy exploiting complex applications when there is a mix of topics, because there is a larger chance to trigger juicy issues, and the exploitation of those issues becomes more complicated due to the protections in place. These topics can range from web API, web and binary exploitation, or web and cloud networks. I also like these kinds of assessments because they require complex test cases and attack scenarios. For example, triggering Cross-Site Scripting (XSS) in a web console from a text file parsed by a Windows/OSX agent.
Where do you go to learn about different security concepts?
DI: I learn a lot of new techniques from online webcasts organized by known security learning providers such as SANS, Black Hat, and Black Hills. In addition to the information presented in the webcasts, there are also hands-on sessions, similar to short courses, where you can practice new skills, learn new techniques, and find answers to questions related to that topic. Also, a good way to learn new things is by participating in security conferences (I prefer in-person rather than virtual conferences), where known researchers are presenting their work with Proof of Concepts, demos, and good explanations.
How do you conduct research and recon for a pentest?
DI: First, I spend a few hours reviewing the documentation provided, or I search for public documentation on the customer’s website in order to get as much information as I can. From this, I can get a sense of how I should build my approach. If it is a network pentest, I collect all the information possible from niche portals like Shodan, Censys, BinaryEdge, SecurityTrails, and Intelx. I also use Collection#1 for searching email addresses in dumped databases, in order to weaponize my password spraying attacks.
What are your go-to tools?
DI: For web applications, I use Burp Suite like most people from the community, with the Param Miner and PsychoPath extensions. For SQL issues, I use sqlmap or custom Python scripts, and Metasploit to get some reverse shells. For binary exploitation, I use Process Monitor and IDA Pro.
What advice would you offer to someone who is interested in getting into pentesting?
DI: I think it’s all about the passion and time you want to spend learning new concepts and techniques. Speaking from my experience, when you already have a developer mindset, it’s quite easy to switch to the “evil side” because it should be easier to identify code that might cause security flaws. Then it’s important to read and try to understand the methodology provided by OWASP and start doing hands-on exercises with different platforms, such as HackTheBox or Vulnhub.
What do you wish every customer knew before starting a pentest?
DI: I think customers should understand that the security testing process offers a good way to improve the overall security posture of their products. If the customers are open to collaboration and improvements, they will get the best results. Also, if the customer is able to provide good documentation and a short demo that explains product flows, this can help the pentesters know which areas are the most important to focus on.
What do you like to do outside of hacking?
DI: Outside of hacking, I enjoy traveling and discovering new places and cultures around the globe. One place that is on the top of my list is India. I would like to attend an ashram there to learn more about meditation and practice more of their techniques. I also enjoy cycling, both indoor and outdoor, because I want to stay fit, which is quite hard nowadays with so many sweet temptations around us.
What are your short-term and long-term goals?
DI: My main goal is to continue to improve my skills in pentesting and keep up with the latest techniques. I just jumped into mobile exploitation because, somehow, I think this will be the trend for the next few years. I want to dig into ARM exploitation, baseband exploitation, application debugging, and other vulnerability research in this area.
For my personal goals, I would like to travel for conferences and holidays. Right now, things can be a bit confusing with the pandemic but I look forward to having things go back to normal and having as many great experiences as possible.