The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished ethical hacker.
1. Can you tell us a bit about yourself and how you got started in penetration testing?
I started in IT as a software developer and infrastructure automation engineer. Due to the skills I acquired through these positions, I managed to transition into penetration testing. At my first pentesting job, I was surrounded by awesome people that took me in, taught me the ins and outs, and shared their knowledge.
2. What educational background and certifications do you have that prepared you for a career in pentesting?
I’m entirely self-taught without any formal IT education and have learned programming on my own. I gained a solid knowledge of operating systems, programming languages, and communication protocols. These skills have been invaluable in my transition to cyber security and penetration testing. Along the way, I’ve also acquired a few certifications, such as OSCP and CRTP, which have helped further solidify my penetration testing skills in various scenarios, such as web application penetration testing, Active Directory, and infrastructure penetration testing.
3. Walk us through your career journey as a pentester. Are there any significant milestones or projects that stand out?
During my penetration testing career, I’ve executed numerous engagements, both solo and with an entire team. However, out of all of them, a few stand out - testing major banking institutions from an internal assumed breach scenario, which was quite entertaining to execute, gaining access to core banking infrastructure and live transactions, as well as accessing company sensitive documents. While on the same topic, I’ve also tested ATM hardware, testing the operating system deployment, network segregation, traffic interception, and tampering; the most fun I’ve had with this was to reverse engineer the banking application and initiate cash dispersal operations.
Apart from internal assessments, I’ve performed extensive penetration tests on externally facing infrastructure and web applications, and identified high-severity vulnerabilities that led to internal network access; this allowed me to pivot to sensitive systems, gain access to the client’s data, and achieve various computer network exploitation objectives.
I particularly enjoy red team-based assessments, where I need to maintain a reasonable degree of stealth, apply specific tactics and techniques, and where a simple web application or vulnerable VPN appliance might lead to full Active Directory compromise.
4. What are your go-to tools and techniques when conducting pentests, and why do you find them effective?
First and foremost, Burp Suite Professional is the golden standard for executing most penetration testing engagements that are scoped toward web applications, APIs, mobile applications, and thick clients. It’s an invaluable tool and there’s no better one for these specific assessments.
I’m a big fan of automation and I’ve got a lot of personal projects that automate various tasks, such as reconnaissance, open-source intelligence gathering, vulnerability scanning, payload generation, custom encryption, and so on. I particularly like the entire tool suite from ProjectDiscovery; they’re very well built, provide consistent results, and the ability to quickly pipe results from one tool into another is awesome. Why waste time manually performing ASN or subdomain enumeration, feed them into a port scan, feed them into a service scan, feed those into an automated headless Chrome browser for screenshots, then finally into a nuclei scan, when all of this can be automated to provide entire sets of results? Even better, a few cron jobs to push this data into a Teams/Discord/Slack/etc. channel alongside, and you’ve got yourself a DIY ASM suite.
I’m also fond of creating realistic Proof of Concepts for identified vulnerabilities - you’ve got a Stored Cross-Site Scripting, but a simple “alert(document.domain)” doesn’t show a potential attack scenario. Instead, having a full-blown Microsoft-like authentication pop-up that captures credentials and sends them to your attack server provides evidence for both the technical risk, as well as the business risk of harvesting credentials. If these PoCs can also be programmatically generated, even better! I think it’s each tester’s responsibility to have their own arsenal of developed tools, tactics, techniques, and procedures to create realistic attack scenarios for clients.
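The recon-to-nuclei pipeline and chat notification described in the answer above, as an added example that is not code from Cobalt or the interviewee: a small Python script that reads nuclei's JSONL findings from stdin, keeps only findings not seen in a previous run (so a cron job alerts on change rather than repeating the same list every night), and formats a severity-sorted digest for an incoming webhook. The sample findings are constructed; the nuclei field names (template-id, matched-at, host, info.name, info.severity), the `{"text": ...}` webhook payload, and the CLI flags in the pipeline comment are assumptions to check against your installed versions.

```python
"""asm_digest.py - turn nuclei JSONL output into a "what's new" chat digest.

Added example, not Cobalt's or the interviewee's code. Intended cron usage (flags as
recalled for the ProjectDiscovery tools; nuclei v3 uses -jsonl, v2 used -json):

  subfinder -d example.com -silent | naabu -silent | httpx -silent \
    | nuclei -silent -jsonl | python3 asm_digest.py
"""
import hashlib
import json
import urllib.request
from pathlib import Path

# Constructed sample of nuclei JSONL output: one duplicate match, one garbage line,
# one record without a severity. Template ids and hosts are made up.
SAMPLE_NUCLEI_JSONL = """\
{"template-id":"exposed-admin-panel","info":{"name":"Admin panel exposed","severity":"high"},"type":"http","host":"https://admin.example.com","matched-at":"https://admin.example.com/admin/"}
{"template-id":"weak-tls-ciphers","info":{"name":"Weak TLS cipher suites","severity":"low"},"type":"ssl","host":"shop.example.com:443","matched-at":"shop.example.com:443"}
{"template-id":"exposed-git-config","info":{"name":".git/config readable","severity":"critical"},"type":"http","host":"https://dev.example.com","matched-at":"https://dev.example.com/.git/config"}
{"template-id":"exposed-admin-panel","info":{"name":"Admin panel exposed","severity":"high"},"type":"http","host":"https://admin.example.com","matched-at":"https://admin.example.com/admin/"}
not json at all
{"template-id":"tech-detect","info":{"name":"Technology fingerprint"},"type":"http","host":"https://www.example.com","matched-at":"https://www.example.com/"}
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}


def fingerprint(template_id, matched_at):
    """Stable id for a finding: same template hitting the same URL is the same finding."""
    return hashlib.sha256(f"{template_id}|{matched_at}".encode()).hexdigest()[:16]


def parse_findings(jsonl_text):
    """Parse nuclei JSONL into normalised dicts, dropping unparsable lines and duplicates."""
    findings = {}
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # stray non-JSON line; skip rather than abort the whole digest
        info = rec.get("info") or {}
        template = rec.get("template-id", "unknown-template")
        matched = rec.get("matched-at") or rec.get("host", "")
        fid = fingerprint(template, matched)
        findings[fid] = {  # dict keyed by fingerprint collapses repeated matches
            "id": fid,
            "template": template,
            "name": info.get("name", template),
            "severity": str(info.get("severity", "unknown")).lower(),
            "host": rec.get("host", ""),
            "matched_at": matched,
        }
    return list(findings.values())


def select_new(findings, seen_ids):
    """Keep only findings whose fingerprint was not recorded by an earlier run."""
    return [f for f in findings if f["id"] not in seen_ids]


def load_seen(state_path):
    p = Path(state_path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(state_path, seen_ids):
    Path(state_path).write_text(json.dumps(sorted(seen_ids)))


def build_digest(findings, max_items=20):
    """Plain-text digest, most severe first, truncated so a channel is not flooded."""
    if not findings:
        return "ASM digest: no new findings."
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 5), f["template"]))
    lines = [f"ASM digest: {len(ordered)} new finding(s)"]
    for f in ordered[:max_items]:
        lines.append(f"[{f['severity']}] {f['name']} ({f['template']}) -> {f['matched_at']}")
    if len(ordered) > max_items:
        lines.append(f"... and {len(ordered) - max_items} more")
    return "\n".join(lines)


def post_digest(webhook_url, text):
    """POST the digest as {"text": ...}; adapt the payload to your chat tool's webhook format."""
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run(jsonl_text, state_path, webhook_url=None):
    seen = load_seen(state_path)
    findings = parse_findings(jsonl_text)
    fresh = select_new(findings, seen)
    digest = build_digest(fresh)
    if webhook_url and fresh:
        post_digest(webhook_url, digest)
    save_seen(state_path, seen | {f["id"] for f in findings})
    return fresh, digest


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NUCLEI_JSONL
    print(run(data, "asm_seen.json")[1])
```

Run it once interactively and it digests the constructed sample and writes asm_seen.json; run it again and it reports nothing new, which is the behaviour you want from a nightly cron job: the channel only lights up when the attack surface changes. The fingerprint deliberately excludes the finding name and severity so that a template rename or severity bump does not re-alert on an old finding.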
5. For individuals aspiring to enter the field, what advice would you offer in terms of skills development, networking, and breaking into the industry?
As there’s little formal training or educational programs available to get into the highly technical side of cyber security i.e., penetration testing, I think it all comes down to dedication and willpower. Consistently studying on your own, powering through tough times when motivation might be low or burnout might be high is essential. I also think a realistic attitude towards the psychological process of learning is paramount - nothing comes overnight, experience is gained in time, and with repetition and constant learning the accumulated knowledge is better consolidated in the mind up until the point that it becomes second nature.
As for networking, it’s my own opinion that professional security work creates good connections between yourself as a penetration tester and the client you’re working for, be it C-Level executives, IT personnel, managers, project owners, etc; these are the kinds of people you can build long-lasting relationships with by letting your work speak for you. Although I’ve been encouraged, I’ve never done presentations at security conferences, but I do enjoy attending them and mingling with other people, which is another avenue for building your network, meeting people, and creating both personal and professional relationships.
6. How do you approach client interactions during penetration tests? Are there specific communication skills that you find crucial for success in this aspect of the job?
You might come into penetration testing thinking it’s all about technical work, however, there’s a very present human element right in the middle of it all. It’s necessary to be able to clearly and concisely communicate, manage expectations, and navigate situations where specific business needs have to be translated into technical requirements. Often, you need to help the client understand what their risks are, how to mitigate them, how to improve their security posture, and especially how to scope various organizational elements for penetration testing engagements. I think that, paradoxically, you need good people skills to succeed in this line of work.
7. Can you share your experiences and preferences in terms of teamwork, communication, and coordination when engaging in pentests?
I’ve experienced both sides of the fence - doing solo engagements and team-based engagements. The most fun and satisfaction I’ve had is when working in a team context, where collaboration and brainstorming occur organically because we all want to solve a specific puzzle, exploit a vulnerability in a certain way, or get the enjoyment of identifying a security issue and figuring it out. When doing this kind of technical work, I think we’re all equal and raw skills speak louder than words and corporate titles.
8. Looking ahead, how do you envision the future of penetration testing evolving in 2024, and what do you believe will be the key challenges and opportunities in the coming years?
With the human world consistently digitizing itself, developing more and more technical solutions for various challenges, problems and opportunities, penetration testing and cyber security will have a solid place in the IT landscape for a long time.
AI and GPT systems won’t be taking out the human factor in performing penetration testing, but they have become quite a game-changer in terms of aid in programming various types of tools, applications, payloads, and generally solving several programming challenges.
I think there will be a place in this IT niche for everyone that wants to get into it, but it’s all dependent on how well you perform and how well your skills speak for you.