The First Year of Being a Penetration Tester – The Year of Terror

This month marks my sixth year working as a professional penetration tester and all the experiences that have gone along with it.  It’s been an interesting experience and has taken a lot of twists and turns.  I was already familiar with doing vulnerability assessments and light penetration testing as a security engineer.  I’d like to say I had lots of experience already, but the reality is that you do what you can, when you can as a security engineer.  So it was with some trepidation that I went into my first job as a security consultant and penetration tester.  In fact, I’d say that first year was the hardest.

My first year was what I like to call the “year of terror”.  Everything was a first for me.  I was so nervous because I really had no experience on how a client would react to some guy telling them their network/app/whatever was screwed up.  Here are some of the funnier experiences from that year.

My first engagement was to fly across the country to go on site by myself to help someone with their Nessus scanning.  To be fair, I had just come from working as a trainer for Tenable for a year, so I was pretty comfortable with the tool and Kevin Johnson, my employer at Secure Ideas, did talk to me for a bit to make sure I thought I could do this.  It still makes for some funny joking around when I bring this up to Kevin.

Ever war dialed 20,000 (I think) phone numbers as a security engineer?  Nope, me either, but when you become the penetration tester you might end up doing it.  This made for some hilarious phone calls at 3 am.  It turns out that tons of people at the client would forward their desk phones to their cell phones when they left for the night.  Enter the penetration testers who were instructed to call at night so as not to disrupt their employees.  Instead we woke up a large number of them and listened as Kevin took phone calls to explain why their phone went off.

The First Physical Penetration Test

My favorite story is the first time I had to do a physical penetration test.  I don’t do these now and they didn’t come up often at my previous job.  Me and my partner in “crime” were tasked to see if we could get into the building and “steal” laptops or other interesting portable objects.  To say I was nervous was a bit of an understatement and we did lots of preparation.  I started this off by checking the client’s Facebook page and found that I could see pictures of employees wearing their badges.  Score!  I can make badges!

There were a couple of problems though.  First, I didn’t have a badge printer.  Second, we didn’t have the equipment to try to clone badges.  So this was going to all be about looking like we fit in.  I printed off something that resembled the badges on regular paper using an inkjet printer.  I then cut them out and glued them on to the cheap time clock badges that you can get from an office supply store.  Put them into a plastic badge holder and they look legit at a glance.  It worked for me when I walked in past the receptionist.  He was busy working on something, looked at my face, then looked down at my “badge”, then looked back up at me.  Then put his head back down to his computer.  I was in!

I was really nervous, so I wandered around a bit to try to settle down.  After a bit, I noticed two rows of cubicles where no one was there.  I decided to go for it.  The cubicle walls were about waist high, so I was completely visible to everyone in the area.  Rather than wait for someone to ask me what I was doing, I picked a laptop at the end of the row, walked up to it and asked someone sitting on the other side of the wall when “George” would be back.  (Thank heavens for name plates on desks!)  The person said that he didn’t know and asked if he could help me.  I spun a brief story about IT sending me over to pick up “George’s” laptop to run some checks on it.

There was a pause.  “Are you kidding me?!?”

Oh crap, I’m busted already!  “No, I’m not.  I really was sent over to pick it up.”

“Crap, we are playing a joke on this team while they are out at a team activity.  We moved all their laptops around so it would surprise them when they came back.  His laptop is over there,” as he points to a different cubicle.

I was insanely relieved at this point and thanked him for his help.  Then I hustled over a few desks.  Tunnel vision has set in at this point.  I want this laptop now and need to disconnect these cables ASAP.  I’m so focused that I don’t even look over the new cubicle wall to see who is there.

“Jason!  What are you doing here?!”

I jerked my head up to see who was talking to me and was shocked to see someone that I had dated a little after high school nearly 20 years earlier.  Not only that, we lived in a different state at the time.  Of all the laptops I decide to boost, I pick the one in a desk across from an old flame.  I must have been sweating bullets.  I certainly felt like it.  My adrenaline was going full throttle at this point.

We talked for a bit about what was going on in life, while I stood there with the laptop now under my arm.  I explained away me being there due to some contract work I was doing.  That wasn’t untrue, but it probably wasn’t what she was imagining.  In the process of chatting with her, she essentially authenticated me to anyone who was in the area and was paying attention.  After all, she knew me and if she thought I was ok, then I must be.  I finally broke off the conversation and headed out towards where I had seen the tech folks sitting earlier.  One quick detour when out of sight and I was on the elevator and heading out of the building.  Once outside, I called my point of contact to tell them I had something for them to come pick up.

My colleague and the two security guys at the client were cracking up as I told them what happened.  I made no effort to hide the fact that she had scared the heck out of me and that I thought I was busted twice. 

So what’s the point of all this beyond telling a couple of funny stories?  Only to provide a little encouragement to those who want to become penetration testers.  If you are looking to make the change to getting into this line of work, it’s probably a bit intimidating.  It might be a bit scary.  After all, you get to walk into some place and be THE EXPERT to your client.  They are paying a lot for you to be there and you want to deliver.  The point is that feeling a bit nervous or anxious is going to be normal.  You won’t know exactly what you are doing at first, but take heart, it gets a lot better.  What was a freaky situation a year ago seems normal with some time and experience.  And it makes for some hilarious stories to tell friends.