Being a penetration tester is fun, but it can be quite challenging. In some ways, it’s kind of like playing a sport. With both types of endeavors, you start off not being very good, and then you spend a lot of time and effort trying to get better. You make mistakes, learn from them (hopefully) and then try it again.
Really good pen testers make it look easy, but they weren’t always that good. They had to pay their dues, learn the basics and slowly develop their skills over time.
There really isn’t a shortcut to learning how to conduct pen tests well. However, you can avoid some of the missteps and wasted time by focusing on developing some common traits that many effective pen testers possess. As you acquire the necessary skills and experience, paying attention to cultivating these six habits will help you to become a solid pen tester.
Habits Common Among Experienced Pen Testers
If you get the chance to observe several people who make their livings as pen testers, you’ll likely notice a few ways in which they are similar. These shared habits can reveal a lot to less experienced pen testers, and emulating them can help accelerate the learning process.
These basic habits tend to help internalize much of the foundational knowledge that pen testers need to be effective, but this isn’t an exhaustive list. They won’t replace the need to acquire lots of knowledge and skills, but they can help organize the many requirements of pen testing into manageable areas. Although there are many habits that can help make you an effective pen tester, here are the six most common ones.
- Hanging out at the command prompt: Although GUIs often look very nice, most pen testers agree that the real power and art of pen testing is at the command line. You’ll see most experienced pen testers drop to the command line, regardless of operating system, and spend a good bit of time there. That means for Windows testing, you need to learn the command prompt, batch file scripting and PowerShell. For Linux, become familiar with at least one shell, such as Bash, and learn to write shell scripts. Command line interface (CLI) utilities give you the flexibility to poke around systems in many ways.
- Talking their way out of problems: Pen testers need good soft skills in addition to technical skills. The ability to use social engineering is one of those skills that some people are just born with. They seem to be able to talk themselves out of any predicament. Developing this habit makes you better able to leverage those around you to participate in your pen test. In other words, perfecting the ability to smooth-talk your way through a social engineering exploit is like working on sleight of hand for a magician.
- Solving puzzles and playing games: Good puzzles and games that make you think are great training grounds for pen testers. Those who love the challenge of figuring out the solution tend to map that desire to pen testing. That’s because pen testing is really all about solving a few puzzles.
- Strongly preferring closure: This is a nice way to say that pen testers tend to detest open-ended sequences of events. People who enjoy pen testing generally find leaving things undone to be uncomfortable. That means that they generally stick with a thread of activity until it is finished. This habit helps pen testers stick with a process that can become tedious until the conclusion of a test sequence is reached. Closure is important in pen testing to ensure that the tests have provided sufficient coverage of the test domain.
- Scripting everything: It isn’t necessary to write a shell script or batch file for every activity, but it does often help. People who script most activities tend to know their operating systems quite well and are comfortable using the available tools to get work done. Additionally, scripting many tasks leverages automation and can increase the amount of work accomplished over manual command entry.
- Getting the gadgets: Because technology changes so rapidly, good pen testers often spend time and money to stay up to date with the latest techno-gadgets. They are often some of the first to acquire new technology, and they often gain an edge by playing with new gadgets first. This natural curiosity leads to a desire to discover how things work — and that leads to a good pen tester.
Why Are These Habits Important?
Remember that there is no easy path to becoming a good pen tester. Becoming good takes time and lots of practice. But developing the habits listed above can help.
These habits aren’t a prescriptive approach to getting good, but they do seem to be common habits among effective pen testers. That means there appears to be some value to them. One way to get good at anything is to observe those who are already good and emulate them.
Pen testing is all about carefully searching for vulnerabilities in infrastructure and software. To do that, you need to have a very good understanding of what you’re examining. Medical doctors study the human body for years before they ever study what can go wrong with it. Without a deep understanding of how the human body is put together and how it works, it would be nearly impossible to understand the impact of a heart attack. That one event is important in the context of the whole body.
Pen testing is somewhat similar. You must have a solid understanding of operating systems, networks, hardware and software before you can effectively search for security vulnerabilities. Most of the habits discussed above depend on a good understanding of the technology that makes up computing infrastructure.
On the other hand, some are just interesting personality traits. But if you practice these habits, you’ll find that you will have to learn more about your computing environment, and that includes social engineering — remember that users are part of the computing environment.
How You Can Develop These Habits
Let’s assume that you currently possess none of these habits. That’s OK. You don’t have to habitually do all the things on the list. But if you want to improve your pen testing skills, it would be a good idea to try to incorporate as many as possible into your normal activities.
Try to cultivate these habits whenever you can. Do you like to solve puzzles or play games? Then do those activities more. Do you tend to type commands over and over? Write a script instead. Learn how to use parameters and input/output, and you’ll both learn something useful and lighten your workload.
The point is to think about what makes an effective pen tester. It is more than just knowing some tools. A good pen tester really understands the environment and leverages the actors, both human and technological, to explore and find vulnerabilities. Happy hunting!
Article by Michael Solomon. Michael Solomon PhD CISSP PMP CISM is Professor of Information Systems Security and Information Technology at University of the Cumberlands.