Pentesting: I wanna be a hackerrr…

No, it’s not about testing writing pens/pencils. It’s harder than that.

Me, Just a Techie.
Nov 11, 2023

When I was a teenager, my dad showed me a newspaper cutting he’d kept, which had one of those pictures of a hacker in a hoodie with the face blacked out, & it was titled: “A Career in Ethical Hacking/Pentesting”. Ever since that day, I’ve been striving to make myself as good with computers as someone who wants to pursue a career in this field should be, ’cause cybersecurity is no joke.

In today’s write-up, let’s try to make ourselves truly aware of what exactly Pentesting is & how it’s possible for someone to make a living ethically by hacking into computers. Now, before we get into that: you all must’ve seen a lot of movie scenes about hacking, & although there’s a good amount of awareness out there about this topic today, I’d still like to reiterate that most of what those scenes depict is bullshit. It’s not what hacking into computers actually looks like. As a bonus cookie, I’ll tell you about a TV show at the end that you can watch if you really wanna see real hacking, for real. (I repeated that on purpose, it sounded cool)

Not about pens.

So let’s begin from the top. We have these awesome machines that we call Computers. Now, no matter how smart these machines are & how easy they make our lives today, with a bit of genius applied by someone talented & skilled enough, they can turn out to be the dumbest thing you own when it comes to their security & protection from being misused. So we have a whole dedicated field of study called Cyber Security, or more broadly speaking Information Security, which is all about protecting computers & the information they carry & process. Inside this field, we have a sub-domain or practice that helps in making sure our computer systems (that includes everything from a PC to a Desktop, Laptop, Smartphone, Tablet, IoT devices, Wearables etc.) are secure. We call it Penetration Testing, or Pentesting for short. And it is exactly what it sounds like: you test if it’s possible to “penetrate” into a computer system from outside, even after all of the security measures have been put in place, like installing Firewalls & Antivirus Software, putting up passwords, ensuring no unauthorised access, etc. Basically, what you do is try to hack into a system exactly how a bad actor or a malicious hacker would, but you do it with the authority & permission of the system owners. And, if you find a way to pass through all of the security measures & get in, you share your findings with those owners & all the other involved stakeholders, & they go ahead & fix that flaw in their computers & close the way you came in, so that no one with malicious intentions can do the same. That’s why this practice is also more generally called Ethical Hacking or Whitehat Hacking.

we definitely could…

Companies, government organisations & all the other kinds of people who use computers or whose business depends on computer systems do hire people who can perform pentesting on their systems. There are generally two ways someone can make a living in this profession. Either they join a company as a permanent employee & test the products that the company develops, or they work as a freelancer & take on projects on a contract basis. There’s also a more interesting profession inside the domain of Pentesting which we call Bug Bounty Hunting. In this, you do the same thing: you hack software & websites made by software companies, with their permission, through programs that they run online, & if you find a “bug” in their product or website, you get paid a “bounty”. It can range from 100 dollars to 100,000 & more. Now, a “bug” here refers to a flaw or a vulnerability that can be exploited to hack into the software. Platforms like HackerOne.com are among the prestigious ones where companies organise these kinds of bug bounty programs, & some organisations tend to have private programs of their own to conduct such competitions. It’s also more attractive to security & pentesting professionals ’cause if you find bugs in the products of big giants like Google, Microsoft, Amazon etc. through their bug bounty programs, not only do you get paid a huge sum of money but you also get to be a part of their hall of fame if your findings are critical & impactful enough. And you don’t work under tight deadlines, unlike being in a permanent pentesting position at a company or being under a contract, which some people don’t like. But one downside of being a professional bug bounty hunter is that there’s no regularity in income. Sometimes it might take months to find something worth the effort & win a bounty. That’s why most professionals typically do bug bounty hunting alongside their permanent jobs.

If we talk about the technical aspects of Pentesting, then it’s almost like malicious hacking: you use all the kinds of tools that bad actors might use to break into the system, but to mention again — your intent is not malicious. You sign a Non-disclosure Agreement so that you don’t share your findings about the weaknesses of the systems & software products of the organisations you’ve been hired by with third parties. And although most of the tools used for pentesting are open-source & freely available, you also make sure that if you’re using any proprietary tools, you acquire them through legitimate & official sources. One of the most widely used & best-known tools is Kali Linux. It’s an operating system, just like Windows 10/11 that you use on your PC, or Android or iOS on your smartphone. The main & highlighting difference is that it comes pre-loaded with most of the tools that are needed to hack into computers, from network traffic analyzers to password crackers & whatnot.

There!

For those who are good with computers & like to break into things, Pentesting can be a really exciting profession. And it’s also a noble profession, ’cause in most cases you’re protecting people & organisations from cyber threats & attacks, & helping them continue their business safely & securely. Also, if you establish yourself well in this field, it can be really well-paying. One important aspect of being a Pentester, other than the technical skills, is being good at writing & explaining things to people. This is ’cause after you’re done with your attacks, you’ll always need to share your findings with people. Most of the time, these people will come from non-technical backgrounds, so you need to be really good at explaining complicated technical things in as simple & clear a manner as possible. In the field of Ethical Hacking, you might be a really good hacker who can break into systems in minutes or who can find vulnerabilities a hell of a lot faster than others, but if you can’t put in writing how you were able to accomplish what you did, you won’t go much further. So people looking to get into this field to make a career should really work on their report-writing skills.

It’s also important to mention that Pentesting isn’t just limited to Computers & digital systems. The same practice is also followed in the case of physical places like office buildings & campuses of companies & other critical organisations. That version is termed Physical Pentesting. In this method, the purpose is testing the security & preparedness of places & buildings. It’s the same, in principle, as digital pentesting; the only difference is that here your goal is to penetrate a physical location instead of a virtual system. The tools used to conduct this are usually those which can work against physical security measures, like lock picks, ladders & ropes, barbed-wire cutters, RFID scanners & readers, fake employee badges, etc. Physical pentesting doesn’t need much explanation, as one can guess what happens on the ground while doing it. Your job here is to covertly trespass into a building just like a robber or a thief would, by tricking or manipulating security staff, picking locks, climbing walls, hiding from the CCTV cameras, avoiding or shutting down alarms, breaking in through doors & reaching as deep inside as you can, or to the point where you can get access to something that is valuable & critical to the organisation whose premises you’re testing. Sometimes a Pentest might involve both the physical & digital pentest, where the goal is to first get into the campus or offices of a company to get physical access to computers & servers, & then to try to gain actual privileged access inside the computers. Other times, it’s only the one. Generally, both kinds of Pentesters — physical or digital — tend to have some knowledge & skills about the other practice as well. But physical pentesting is less common, & involves much more resources than its digital counterpart. It’s also riskier when it comes to the safety of the professionals performing it, ’cause there are usually high chances of them getting physically harmed or seriously injured during the break-in.

A collective form of Pentesting also exists, which is more like a group activity & teamwork rather than a one-person job. It’s called Red Teaming. In the world of information security & the Pentesting community, the two colours Red & Blue are used to signify the “Offensive” & “Defensive” parts of security. So, Pentesting actually falls on the Red side, ’cause Pentesters perform attacks. The Blue Team guys are usually those cyber security professionals who defend the systems against these attacks. Thus, Red Teaming in a nutshell is the practice where a group of Pentesters organise & conduct tests by attacking & penetrating the computer systems (& sometimes also the premises) of a company as a team. Each team member might be an expert in a particular skill or aspect of hacking. Someone might be good with networks & the internet, others might have really good social engineering skills, etc. Red Team tests are typically broader than a usual pentest of a single product or system & cover a lot of phases & activities. This can include physical pentests, social engineering, phishing tests on employees, data collection, etc. Red Teaming is mainly done to test the overall preparedness of the company/organisation against a cyber attack, including the awareness of its human resources. Real-world cyber attacks are also simulated to check whether the company & its security teams are ready & prepared for an actual attack on their environment & systems or not.

When Red Team tests & Physical Pentesting are conducted, it’s almost always the case that only the top-level management stays aware of what’s going on. It’s mostly the Chief Information Security Officer (CISO), the Chief Executive Officer (CEO) & a couple of other people from their teams who hire professionals to conduct these tests, authorize them & are kept in the loop while the tests are being performed. No other employees are informed, to make sure that the tests are effective & are performed in a scenario similar to what it would be during a real attack or breach. And, all of these professionals are also supposed to submit their reports in writing to the stakeholders about the methods they used & their findings, when the tests are completed. So, if you’re a team player, Red Teaming can be an exciting career for you. But it’s harder to directly get into a Red Teaming position, ’cause most Pentesters begin their journey as solo players & when they’ve gained enough experience in the field, they’re made part of red teams. And also ’cause Red Team tests are more complicated than normal pentests. In fact, the striking difference between a normal pentest & red teaming is that with the former, you’re given a certain scope within which you can act. It’s usually written in the agreement where you can go & what you can touch regarding the product or system. There are restrictions that are put in place. Whereas red teaming is more like when someone’s leading a company or an organisation of importance, they wanna see how deep you can go within their institution & systems, what applications & information you can get access to, how much damage you can cause (well, you don’t actually cause damage, but you at least reach the point & position where you could). There are far fewer restrictions put in place & the scope tends to be really broad. That’s why red team operations can typically go longer, even up to 6 months.

If we’ve to put this all in a nutshell, we can say that the job of computer engineers is to build something related to computers — software products, hardware, websites, etc. And, on the opposite side — Pentesting, Bug Bounty Hunting & Red Teaming are all about breaking things that those engineers have built — by finding flaws & exploiting them. This can really be dopamine-inducing & most people do get a kick out of this. Still, the most important thing to keep in mind is that you must stay on the right side of things & don’t end up crossing lines, ’cause sometimes the line between “ethical” hacking & malicious one can be pretty thin. So, you gotta be careful & cautious.

Now, it’s time for the bonus cookie. The American TV show named Mr. Robot is the most realistic piece ever made about computer hacking. It’s one of my favourites, not just ’cause of its theme but also the storyline. It’s a psychological & techno-thriller that received the Golden Globe Award for Best Television Series in 2016. Go check it out, & with this, we’ve come to the end of today’s write-up. Until the next time, have a good one! Buh-Bye.
