These tips helped me to become a better, more efficient penetration tester, although (or because) they are not entirely focused on the technical side of hacking.
- Create a knowledge base. Seriously, most pentesters are lazy people. We don't like to do things twice if we can avoid it. Start writing down the commands you use! Just do it on the side while you are pentesting or doing some training. Each command you write down is one less to look up in the future. I've got several cheat-sheets for different purposes: one for Linux commands, one for XSS filter evasion, and so on. How you organize your knowledge base is up to you. I like to keep it simple by sticking to .txt files. Of course all of this information is available somewhere online, scattered across many sites. Having it offline, perhaps with a backup in one central online place, saves time and comes in handy at a customer site where no internet is available.
- Automate things. Let's face it, many of our daily penetration testing tasks are routine. Running nmap with specific flags, giving nikto a go and configuring our favorite wordlist for dirbuster are just a few examples. Why not automate these things? Before the wonderful WiFi-Pineapple was created I used to write my own bash scripts to create a fake access point for luring in victims and stripping away SSL. The privilege escalation phase is also a good candidate for automation; a great example of automating this phase is the wonderful linuxprivchecker.py script. Not only will these small scripts make your life a little easier, they will also keep your scripting skills up to date.
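As an added example (not code from the original post), here is the kind of small recon wrapper described above, with the two things I would put into any such script before anything else: a hard check that the target is in the written scope, and a log of every command that was run, which is the evidence your report and the customer's SOC will later ask for. nmap and nikto are the tools named in the post; the exact flags, the scope-file format and the output layout are assumptions to adapt to your own habits.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a recon wrapper that refuses
# to run against anything outside an explicit scope list and records every
# command it executes. nmap/nikto are the tools named in the post; the exact
# flags and the file layout are assumptions, adjust them to your own habits.
set -eu

SCOPE_FILE="${SCOPE_FILE:-scope.txt}"                   # one host per line
OUTDIR="${OUTDIR:-recon-$(date +%Y%m%d-%H%M%S)}"        # evidence directory
DRY_RUN="${DRY_RUN:-0}"                                 # 1 = print, don't run

# Exact-line match against the scope file. Deliberately no prefix or CIDR
# matching: a loose match is how a scan ends up on the customer's neighbour.
in_scope() {
    grep -Fxq -- "$1" "$SCOPE_FILE"
}

# Command builders are kept separate from execution so they can be checked
# (and unit-tested) without touching the network.
build_nmap_cmd()  { printf 'nmap -sV -sC -oA %s/%s/nmap %s' "$OUTDIR" "$1" "$1"; }
build_nikto_cmd() { printf 'nikto -h %s -o %s/%s/nikto.txt' "$1" "$OUTDIR" "$1"; }

# Append a UTC-timestamped line to the command log, then run (or just print).
run_logged() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$OUTDIR/commands.log"
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $1"
    else
        eval "$1"   # $1 was built from a target that already passed in_scope
    fi
}

# Full routine for one target; returns 1 without doing anything if out of scope.
recon_target() {
    local target="$1"
    if ! in_scope "$target"; then
        echo "refusing $target: not listed in $SCOPE_FILE" >&2
        return 1
    fi
    mkdir -p "$OUTDIR/$target"
    run_logged "$(build_nmap_cmd "$target")"
    run_logged "$(build_nikto_cmd "$target")"
}

# Usage: DRY_RUN=1 ./recon.sh 10.0.0.5 10.0.0.6
for t in "$@"; do
    recon_target "$t"
done
```

Run it with DRY_RUN=1 first to see exactly what it would execute. The scope check is an exact line match on purpose: if your scope is handed to you as CIDR ranges, expand them into the file rather than loosening the match. The command log doubles as the timeline the customer will want when their monitoring raises an alert in the middle of the test.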
- Properly learn SSH. How can one "learn" SSH and what are the benefits of doing so? Well, SSH is more than meets the eye. Besides allowing us to connect to different machines over an encrypted connection, it has an interesting history of exploits and vulnerabilities itself. Look up the weak Debian SSH keys or well-known SSH backdoors if you have never done so before. Beyond brute-forcing, SSH is often overlooked as an attack vector. Another great, often neglected feature of SSH is its ability to tunnel ports. Used correctly, this can help you get past firewalls and IDS detection.
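As an added example (not from the original post), here is the defender's half of the port-tunnelling point: the sshd_config directives that decide whether an account on a host can be used as a relay at all. Knowing them tells you what to check when you review a host's SSH setup and what to write in the recommendations section. The directive names are real sshd_config keywords; the "safe" values are my assumption for a host that has no business forwarding anything.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit an sshd_config for the
# directives that decide whether an SSH login can be turned into a tunnel.
# The keyword names are real sshd_config directives; the "safe" values are
# an assumption for a host that has no business relaying traffic.
set -eu

# key=safe_value=sshd_default (defaults as documented in sshd_config(5))
FORWARDING_DIRECTIVES="AllowTcpForwarding=no=yes
AllowStreamLocalForwarding=no=yes
PermitTunnel=no=no
GatewayPorts=no=no
AllowAgentForwarding=no=yes
X11Forwarding=no=no"

# Effective value of one directive. sshd takes the FIRST occurrence of a
# keyword, so that is the one we honour; an absent keyword yields $3.
effective_value() {
    local file="$1" key="$2" default="$3" v
    v=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$file" | head -n1 \
        | awk '{print tolower($2)}')
    printf '%s' "${v:-$default}"
}

# Print one WARN line per permissive directive; the exit status is the count.
audit_sshd_forwarding() {
    local file="$1" findings=0 entry key rest safe def cur
    for entry in $FORWARDING_DIRECTIVES; do
        key=${entry%%=*}; rest=${entry#*=}
        safe=${rest%%=*};  def=${rest#*=}
        cur=$(effective_value "$file" "$key" "$def")
        if [ "$cur" != "$safe" ]; then
            printf 'WARN %-27s is %-4s (want %s)\n' "$key" "$cur" "$safe"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: ./sshd-forwarding-audit.sh /etc/ssh/sshd_config
for f in "$@"; do
    audit_sshd_forwarding "$f" || echo "$f: $? permissive directive(s)"
done
```

Two caveats a practitioner should know: this reads only the top-level file, so Match blocks and Include directives are not evaluated, and the authoritative answer is always `sshd -T` on the host itself, which prints the effective configuration after all of that is resolved. The point of the script is the checklist, not the parser: these six keywords are what separates "an attacker has a shell on this box" from "an attacker has a foothold into everything this box can reach".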
- Attend a congress. I've mentioned this before in another post and I will stress it here again. Get in touch with other hackers and technology enthusiasts. Not only is the networking itself usually great fun, you will also notice how your perspective changes and how you get a new view on things. You can go with the smaller, more locally oriented congresses or head straight for the big ones like DEF CON, Black Hat or the German CCC.
- Get as much practical experience as possible. If you are doing pentesting for a living, you will probably be exposed to a lot of real-world ethical hacking experience. However, most of these projects will be commercially driven and will have limitations in dimensions such as time, budget or manpower. Why not do some testing for friends who are running web servers or web applications? How about offering your security know-how to that cool open-source project you stumbled across the other day? Of course you always have to check with your employer whether any obligations apply when you continue pentesting in your private time, but as long as no money is involved, most employers will have no issues with it. Don't get me wrong, you don't have to sacrifice all of your spare time for this, but gaining more exposure in different contexts is a great way to grow in our field.