Son Of Sun Tzu

To content | To menu | To search

Tag - HackingForALiving

Entries feed - Comments feed

Sunday 26 March 2017

Hacking For A Career - Drinking From The Firehose

( NOTE - this should have been published six weeks ago, apologies )

A short list of which podcasts to listen to, and which blogs to follow. These are just a few entries to get you started, there's a lot of information out there, learning how to filter it to what is relevant to you is a very useful skill.


Risky Business - particularly the first twenty or so minutes covering the main stories of the last week, but also the interviews tend to be worth your time. Find it here.

SANS Internet Storm Center - released daily, and just a few minutes long, a quick way to be bang up to date with security news. Find it here.

Down The Security Rabbit Hole - good coverage of recent news, or an in-depth look at particular issues. Find it here.

The Silver Bullet Podcast - particularly useful just to get an insight into the "names" from cyber security you'll have seen online or presenting at conferences. Find it here.


I went through my RSS reader and pulled out those few blogs that would be the most useful to anyone entering the industry:

For thoughts on penetration testing by working penetration testers try Holly Graceful, Carlos Perez's Dark Operator, and Digi Ninja's blog,

For a wider perspective of information security go to Black Swan Security, Michael Santarcangelo at CSO Online, Naked Security from Sophos, or Brian Krebs.

For regular updates on security news and testing tools, try Darknet. While I've found the quality of entries to vary quite considerably, this seems to be the best resource for quickly reviewing the latest news and a useful way of seeing what's out there.

Monday 6 February 2017

Hacking For A Career - Which Events To Attend

A short blog this time, which events should you attend as a budding penetration tester?

There's a great list here on of all the relevant UK conferences - the only thing I'd add is that the dates for BSidesLondon have been announced.

So once you're at a cyber security conference, how to make the most of it? Talks are always important, they can be great chance to learn a lot about a subject in a short amount of time. But do make a point of making contact with new people in-between or outside of the presentations, what people tend to call "CorridorCon".

As with any experts cyber security people will tend to dislike uninformed questions, so "how do I learn to hack?" or "who will pay me the most?" or "you use Windows, you must suck" won't go down well. However if you're obviously put in some effort, and ask "I really enjoyed your presentation, I'm interested as to why you advocate X not Y" or "I'm looking for a company to work for over my holidays, and I'm wondering whether to contact Weyland Industries or The Umbrella Corporation, who should I consider?", you're much more likely to get a response.

Be interested, be interesting, and have your contact details ready to pass on, and a day spent at security conference can make all the difference to starting your career in the right way.

Hacking For A Career - Tools You Should Know

This is the next entry in the series, aimed at providing depth to parts of my "Hacking For A Living" presentation.

Further to the packed slide I gave during my presentation, here are the tools you should have a passing familiarity with. Note that these aren't the offensive tools, but the other programs you should be familiar with. Do bear in mind my background is as an infrastructure tester, in my experience of web application testing a lot of the information on the target was within a single application - Burp Suite.

Also, do look at the functionality and integration between up to date versions of Nmap, Nessus, and Metasploit - being able to easily transfer data between all three will enable you to do more testing in less time, making you more valuable as an employee, and more efficient as a tester.

The emphasis below is very much on Unix tooling, if you prefer to test from a Windows system I'd still recommend installing Cygwin to give you access to these, unless you're particularly adept at the Windows command prompt or PowerShell.

System and network monitoring tools

These will help you understand what your own system is doing, any bottlenecks or other issues that mean your system is slower than it should be, or any local connectivity issues causing you problems:

htop, iotop, ip, lsof, netstat, ps

Interrogating remote services or networks

All of these programs are useful for determining that you're on the right network, that you've got the right connection to your target systems, and so on. Also some of them are useful in an elementary way for obtaining information on whatever system or service it is you're attacking:

arp, arping, dig, host, hping2, netcat ( in all its forms ), nslookup, ping, openssl, socat, tcptraceroute, telnet, tftp, tracepath, traceroute, wget,

Terminal multiplexers

These programs allow you to easily manage multiple programs simultaneously, or to keep a session up on a remote system that will survive a break in connectivity:

screen, tmux

Recording your output

These programs are useful for recording your tool output, or network traffic - so you can grab entries from their logs for your report, or demonstrate to a customer what was or was not happening on your testing system at a particular time:

script, snoop, tcpdump, tshark

Sorting, searching, and manipulating output

There's a lot here, and I should stress that you don't need to know them extensively, you just need to know *of* them, and have an idea of how to start using them when necessary:

awk, sed, head, tail, strings, grep, egrep, findstr, cut, sort, uniq, sponge, tee, pee

Recording your knowledge

You will learn a great deal as a penetration tester, and won't have access to old machines or reports or notes when you change employer. For recording wehat I learnt on a test, so I could easily reference it on a future test, I always liked TiddlyWiki. Find something that suits you, but I'd strongly recommend using something digital, rather than a paper notebook - that way you can back up your notes, or easily search through them for a specific entry.

Programming Languages

You can arguably get by as a penetration tester with just a little bash shell scripting, but to really get on with automating your penetration testing workflow do look at advanced bash shell scripting, or Python. If you're going to be attacking Windows systems a working knowledge of PowerShell is increasingly required.


A couple of commands it's worth familiarising yourself with, just so you can ensure the output from your tools, or your notes, isn't accidentally overwritten:

chmod, chattr

And also the text editor "vi", as you'll find it on any Unix system you have access to.

One last thing, familiarise yourself with "man" pages. I always find man pages useful reminders for how a tool or program works, but far less useful in determining why or when I should use it.

Hacking For A Career - What To Learn

So, you want to become a penetration tester, where do you start?


Really the place to start is Robin Wood's two "Breaking in to Security" blog posts, which are here and here.

After that watch this great twenty minute interview with John Carroll on what it's like to be a penetration tester.

Now you have some context, work through "Start In InfoSec", put up by Rob Fuller, also known as Mubix. His Twitter feed is here: There's a considerable number of resources there, don't be afraid to pick and choose, move on to the next entry if the subject matter or the tone isn't relevant.

There's also a lot of information listed in "Getting Started in Information Security" on the netsec sub-reddit wiki here: While not directly useful this is handy to see the breadth of the subject matter, and what resources are available. Overall "/r/netsec" is worth your time as long as you aggressively filter. The regular hiring threads, while mainly focused on North America, are also worth following.

Attack Platforms

Kali is definitely the attack platform that many penetration testers use, and the most common. However it's also worth looking at BlackArch .

I would recommend running these as a virtual machine, however if you're looking at attacks at Layer 2, such as VLAN Hopping, you may have issues and ideally you'll run your attack platform directly from your laptop.

There are other platforms available, and also you may prefer to "roll your own" rather than having the platform maintainer decide how you work and what interface you use.

Offensive Tools

Depending on where you'll focus as a penetration tester you'll either need to become very familiar with very few tools, or at least have an understanding of a wide range of tools. These are good ones to start off with:

  • Nmap - the industry default for port scanning.
  • Nessus - this tends to be the vulnerability scanner that companies will use, and expect you to know.
  • Metasploit - a well maintained collection of attacks and an industry default.
  • Nikto - useful to see just how simple some tools can be, and the strengths and weaknesses of that approach.
  • SqlMap - SQL injection is still a major weakness on websites, this program automates exploiting it.
  • Burp Suite - the free version is enough for you to get the hang of this software, which is an industry default for web application testing.
  • Kismet - for analysis wireless networks.
  • Aircrack-NG - for testing wireless networks.

Targets To Attack

Of course you should only be attacking systems that you control, and have authorisation to do so. I always think it's much better to attack something locally that you're running as a virtual machine rather than to attack a Virtual Private System ( VPS ) you've paid for on the Internet. The best resource I've found is Awesome Cyber Skills as a list of systems to download, or access online.

Other Notes

As per my presentation, if you're interested in physical Social Engineering look at films such as Sneakers or the TV series Leverage just for flavour, look at the YouTube videos of Jayson Street and Johnny Long to see how professionals do it. Also check out the "career" of Karl Power and the book "The Complete Guide To Gatecrashing" to obtain interesting and entertaining insights into what's possible, and the mental challenges involved.

I expect similar examples of real world security failures to be present in Channel Four's "Britain's Greatest Hoaxer" documentary, which is on this week.

For real world examples of where this is important, look at the "KVM Hack" of Santander, and much more recently, the taping of members of the Republican Party...

Friday 3 February 2017

Hacking For A Career - Introduction

I was a penetration tester for ten years, working for a few companies in the UK, and participating or leading hundreds of tests. I also find the overall philosophy behind penetration testing, and pentesters themselves, particularly interesting, so I'm reasonably familiar with how the industry "works" in the UK.

Since moving on from penetration testing I've presented a few times on "Hacking As A Career", a rough guide to being a penetration tester, covering what the career involves, how to get into it, and what to get out of it. The presentation is usually given to Computer Science students in the UK, so that's where my focus lies. It's mainly based on my own experience, but I've made a point of asking a few friends for suggestions for each category.

In the following blog posts expand on this presentation, with references taken from my research and notes, and partly filling in the detail from my slidedeck:

What To Learn

A few references on where to start:

  • which resources to read on breaking into the industry
  • which attack platforms or tools to learn
  • what to attack using those tools

Tools You Should Know

A list of the tools which any aspiring tester should familiarise themselves with in order to make their life easier.

Which Events To Attend

A list of which events anyone looking to enter the industry should attend.

A guide on what to ask, and how to introduce yourself.

Drinking From The FireHose

Which blogs to follow, and which podcasts to listen to - focusing on those that will provide the greatest value in the shortest amount of time.

In particular for this one I'll list relatively few resources as I'm naturally averse to listing everything, pre-curated lists of resources are woefully rare on the present day Internet.