Introduction to Becoming a Penetration Tester

00:00

Hey, everyone, welcome back to the course in this video. We're gonna talk about the penetration tester job role so we'll talk about what a pen tester is. We'll talk about some of the common job responsibilities they might have. We'll talk about the skills you're gonna need is a pen tester at least some of the basic comment skills. And we're gonna talk about some of the certification center available to be a pen tester. But I do want to stress that you don't need shirts or a college degree to be a penetration tester,

00:25

and we're also going to identify the general salary range for a pen tester.

00:31

So what is a pen tester? What do they actually do? Well, these air individuals that identify and exploit vulnerabilities these could be software vulnerabilities. These could also be physical vulnerabilities. So, for example, I might be able to talk to your employees and say, Oh, no, I forgot my badge today and they may let me in through something like tailgating,

00:49

and that's a vulnerability in your organization, right? Because if I was an attacker,

00:53

we're adversary. I could get into your company and do who knows what right I could go in and steal something, or I could plug in a malicious USB and install malware and then take control of your systems so

01:06

the vulnerability itself could be software. Or it could be a physical vulnerability

01:11

and pen testers.

01:12

You work in a variety of areas so they could be a network pen tester. There could be an application pen tester, so like a Web pen tester, they could specialize in mobile pen testing, WiFi, pen testing, etcetera, etcetera.

01:25

And it's kind it might. You might see it out there and job roles title as like ethical hacking as well. So penetration tester, pen tester and ethical hacker ethical hacking all that's kind of wrapped up into one When you're looking at different jobs, you also might see a term called Red Team. So the kind of the main difference between a penetration test and a red team engagement is

01:44

the red team. Engagement is gonna be longer. That's a very high level

01:47

overview of the differences or some other nuances there. But that's kind of a high level of the difference there, so you might see any of those terms when you're looking at actual jobs to be a pen tester.

01:57

So what are some of the common responsibilities of a pen tester? Well, number one, it's gonna be scoping, right? You need to scope that engagement. Understand? What are the I P address? Ranges, weaken, touch. What are the systems that we contest? How far can we go? So, for example, if I know that I can gain root access on this machine, can I actually gain root access?

02:16

Can I actually install malware, right. What? What kinds of things can I do?

02:22

So we need to make sure we scope that out. Also, if I'm doing a physical pen test

02:27

once I break into that building, what can I do? Like water? My rights. In fact, there was a case a while back up in the Dallas, Texas area where Cem penetration testers

02:35

broken too. I think it was. The court's up there in Dallas, and there was some question on the scope, so they were actually arrested. There was some questions on the scope of the pen test, so they were arrested

02:46

as they believe we're navigating through the building. I think

02:49

if I recall from the scope of the pen test, they could only enter the building, So there's kind of a gray area there, right? So you want to make sure that you scope that pen test properly so you know exactly what you can do. So you don't get yourself arrested,

03:01

open source, intelligence or innocent or just information gathering in general. That's another common responsibility. You have to identify everything you can about the target,

03:13

whether that's a company or a system or an individual, maybe,

03:16

and that social engineering is another common responsibility where we're actually manipulating that human psychology, whether that's through a phishing email attack, whether that's as I mentioned before, manipulating your employees to allow me in,

03:29

whether that's doing it via phone call. So another form of fishing is vish ing, which is via phone call or smashing, which is via text. So a number of ways we could do social engineering attacks. But again, we're just taking advantage of the human psychology there

03:44

exploitation. So, actually, once we gain access to a system, what can we do? How can we actually exploited and then maintaining persistence? Because

03:53

if we're doing like a red team engagement, for example, we find identify vulnerability. The defenders or the blue team, they might fix that, right? They might install a software update, and that fixes that particular issue. And we no longer have access. We need to make sure we can persist in our access on the target. And then nothing matters in a pen test unless we can actually

04:13

report it properly to the stakeholders and let them know Hey, thes air. The issues we found

04:18

this is the way you can fix them. And this is what all this means if you don't fix them, right. And what you're gonna find if you work is a pen tester is a lot of companies still don't fix stuff, even though you reported properly to them.

04:30

So what are some of the common, like fundamental skills that you're going to need to be a pen tester? Well, you need to have a strong background in computer networking.

04:39

This is not an entry level type of job role. I know you could potentially be entry level and get a junior pen test role, but you have to really get your technical skills up. So if you have no technical skills right now, this is probably not the right job role for you. So you do wanna have a strong knowledge of networking and really understanding How does data flow across an enterprise network?

04:59

And how do we encrypt it

05:00

at each area that it's traveling across that network? So really, understanding some fundamental networking is gonna help you quite a bit. Also, you want to understand operating systems. You wanna understand you don't have to be an expert in Linux or Windows or something, but you do want to understand how are they structured? How is a file structure? How do you create users? Where are some common files where you might find sensitive information? So

05:26

really having that strong background? So it's recommended

05:29

that you have experienced in I t before you become a pen tester. So, for example, working as a sys admin or working as a network admin or network engineer, or even working in the help desk right? Just having that fundamental knowledge of technology and how it works is really, really gonna help you when you become a pen tester.

05:48

Documentation skills. As I mentioned, reporting is a critical component of being an effective pen tester. It's also a good idea to have some scripting skills. So python bash whatever or even just some programming skills and C or C sharp.

06:02

It's just good idea. Have that so you could automate some things. That, being said, I've met some pen testers at conferences that are pen testers in their companies,

06:13

but they don't know any scripting right there just using automated tools. But I do recommend that if you wanna be a pen tester and be successful at it, you get some scripting knowledge under your belt. Oh, so you really wanna be good at gathering that information,

06:26

being able to use different tools? That's another common skill. That, being said, going back to scripting, you really want to be able to write your own tools or modify the tools you use. For example, medicine Lloyd is a tool you might use, and you wanna be able to modify the code that you're using for medicine. Floyd, because a lot of organizations are automatically flagging

06:46

ever says anything about medicine Floyd in the code.

06:48

So you wanna be able to know how you can adjust that as you advance your career as a pen tester. It's not something you need to know necessarily as you just start out brand new, you don't know have toe. You don't have to know how to write your own tools,

07:00

but it's a good idea as you evolve, your career is a pen tester to learn how to write your own tools, because that will really help you when you're doing the real life engagements, understanding CVS and so knowing where to look in the C V database and identifying some CVS that you think or maybe not patched in the organization

07:19

and understanding the command line interface or the command line or the terminal. So in Lenox or Windows just kind of specialize in one of those or no, all of them preferably, but just understanding how to type commands in where you're not relying on, Ah, gooey. With all these tools, you can actually do them at the command line, because that's going to give you a lot more options.

07:39

So what are some of the common certifications for a pen tester?

07:44

So probably the most common kind of entry level search you might see out there for a pen tester is gonna be the SCP.

07:49

So the offensive security certified professional and that's a hands on exams. So that's why you see it is kind of that entry level pan tester search. You also might cease, um, pen testers like myself holding the CH with a certified ethical hacker.

08:01

I will say that I had experiences of pen tester long before I ever went. Got certifications. So keep that in mind that you don't need certifications to become a pen tester. You also don't need any college degree.

08:16

The BJP today. That's the junior pen tester,

08:18

the G pen, which is from Guy ex or their affiliated with Sands. Uh, that's a penetration test research that you might see now. One thing I'll mention there is all the guy experts are pretty expensive to get. So if you're on a budget,

08:31

you may not even wanna worry about getting a certification. To be a pen tester. You might want to just focus on getting a technical skills up and get the job first.

08:39

Conte is pen test. Plus, it's kind of a newer one that's out there. It's not necessarily adopted a whole lot by pen testers that I know, but some of them do have it, so it's another one you might consider as a kind of a junior level entry level pen tester type of certification. But again,

08:56

Oh, SCP is kind of the de facto standard with CH also

09:00

sometimes being asked for in job applications and then also G pen has been around for a while, too.

09:05

And then l p t the license penetration testers through easy council That's more of an advanced pen tester served. This one actually does require things like a background check. And so this one can really, as you're evolving your career, really open up a lot of opportunities for you to command a higher salary and to get Maura at least here in the U. S. More government jobs.

09:26

So speaking of salary, what are some common salaries for pen testers? I grab some from the US, the UK and India just to give you kind of a range here. So in the US, anywhere from 66 to 120 plus k, I will tell you that Ah, junior pan tester rules probably realistically around the 66 toe,

09:43

80,000 year range and get it depends on the area you live

09:46

and moving upwards once you've got like a year experience or so a couple years experience, then you're gonna be making the six figures in a lot of cases. Multi six figure so that 1 20 is actually a low number. It's probably gonna be a lot higher than that, depending again on the type of job you do where you work the location and especially if you're working as like a contractor for the government,

10:07

you're more than likely going to be north of 200,000 year, depending on the agency you're working with

10:13

in the UK, just kind of arranged there. I don't work in the UK job market, so I'm not a specialist in that one. Same with India. But I did want to show those because I know there's a good number of students watching this course that air from those areas as well.

10:24

So just a quick, quick question for you. What are some of the common skills needed as a pen tester? So they include Which of the following here

10:31

is that Lennox is a networking is a critical thinking.

10:35

Alright, if you guessed all the above, you are correct, right? I mentioned you need to have some strong knowledge of operating systems like Linux, Windows Mac,

10:41

strong networking knowledge as well as you need to be able to think outside the box as a pen tester because a lot of times you might get in an engagement and you're thinking of I'm gonna do it this way and then you find out that there's some appliance for something in place where you can't do that. And so you need to think outside the box of thinking, figuring out, like, How else can I exploit this system?