I’ll preface this article by saying that these are my personal opinions and views on pentesting, which may not align with those of other pentesters and that’s ok. Everyone has their own perspective and these are just my thoughts on the subject. I also want to clarify that this applies to all forms of offensive-type security testing, not necessarily just “pentesting” as a strict term.
I don’t consider myself an expert (and likely never will) and I’m always learning new things in this field. However, as someone with a reasonable amount of work experience as a pentester, I’m frequently approached by people trying to break into security. They want to know what skills are important or what they can do to become a pentester. While there are many answers to those questions, I was recently contemplating one quality that pentesters have: “predatory instinct” or “prey drive”.
By “predatory instinct”, I mean the generic inclination to pursue a target or to exploit a weakness. I’ll give an example. Have you ever seen someone riding by on a bicycle and for a split second, wondered what would happen if you threw a broom in the spokes of their wheels?
Sure, it’s terrible, and why would you want to do something like that? Does that make you a bad person? Probably. But the fact remains, if you had that thought, you may have a glimmer of that predatory instinct I’m referring to: that inherent desire to probe a weakness or make something break. I’ll caveat this by saying I’m not advocating doing permanent damage to anything: I’m referring only to working within the scope of an assessment and having an ethical approach to exploitation. Don’t delete production databases because you found an exploit on an assessment… that should go without saying.
Builders & Breakers
Here’s another example commonly used when talking about the security field: the difference between “builders” and “breakers”. Some like building sandcastles, some like tearing them down. This analogy doesn’t ring quite as true for me personally, but admittedly I’ve used it in the past. This doesn’t work for me because predatory instinct isn’t about random destruction of someone’s creation, but specific exploitation of weakness.
In a former life, I used to write software and often had the job of doing initial QA for others’ projects or applications. I discovered the thrill of throwing some punctuation or unexpected characters into a form field meant for something specific and watching the app fall apart. Then after repair, doing it again slightly differently and watching it all burn down once more.
There’s a concept in software engineering called “code smell”. It refers to indicators in an application that give reason to believe something isn’t right: red flags showing that bits of code are broken, poorly written or weak. If you start examining a web application and things just seem strange or out of place, such as broken links, missing pages, or pages that don’t render properly, that’s a good indicator that something is wrong with the application. Error messages that reveal a bit too much information, such as stack traces or hints of the underlying technology used in the application or server, or functionality that crashes when unexpected input is provided, are other good examples. So are unexpected open ports providing access to services that shouldn’t be there, or functionality in the application that likely shouldn’t be accessible to a user at your privilege level, such as diagnostic pages. These all fall under the general concept of “code smell”.
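As an added example (not from the original post), here is a small defender-side triage of the “smells” just listed, run over constructed sample responses: version-revealing headers, a 5xx on unexpected input, a stack trace in the body, and a diagnostic path that a normal user can reach. The paths, headers and bodies are made up for illustration; the point is to find what your own app leaks before someone else does.

```python
import re

# Constructed sample HTTP responses (not from the original post), shaped like
# what a reviewer might capture from a staging app: path -> (status, headers, body).
SAMPLE_RESPONSES = {
    "/profile?id=abc": (
        500,
        {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
        "Fatal error: Uncaught PDOException in /var/www/app/db.php:42\nStack trace:\n#0 ...",
    ),
    "/debug/env": (200, {"Server": "nginx"}, "APP_SECRET=... DB_HOST=..."),
    "/healthy": (200, {"Server": "nginx"}, "<html>ok</html>"),
}

# Headers that commonly name the underlying technology (one of the post's smells).
TECH_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
# Body fragments typical of unhandled-exception output reaching the client.
TRACE_PATTERNS = [
    re.compile(r"stack trace", re.I),
    re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),                  # Java frames
    re.compile(r'File ".+\.py", line \d+'),                         # Python tracebacks
    re.compile(r"(Fatal error|Warning): .+ in /\S+\.php", re.I),    # PHP notices
]
# Path prefixes that look like diagnostics a normal user should not reach (assumed list).
DIAG_PATHS = ("/debug", "/trace", "/phpinfo", "/actuator", "/admin")


def find_smells(path, status, headers, body):
    """Return a list of (kind, detail) findings for one response."""
    findings = []
    for name in TECH_HEADERS:
        value = headers.get(name, "")
        # A bare product name is common; a version string is the real leak.
        if re.search(r"\d+\.\d+", value):
            findings.append(("technology-version-header", f"{name}: {value}"))
    if status >= 500:
        findings.append(("crash-on-input", f"{status} for {path}"))
    for pat in TRACE_PATTERNS:
        if pat.search(body):
            findings.append(("stack-trace-in-body", pat.pattern))
            break
    if status == 200 and path.startswith(DIAG_PATHS):
        findings.append(("diagnostic-page-exposed", path))
    return findings


def triage(responses):
    """Map each path to its findings, dropping responses with no smells."""
    result = {}
    for path, (status, headers, body) in responses.items():
        smells = find_smells(path, status, headers, body)
        if smells:
            result[path] = smells
    return result
```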
As a pentester, we need to be that predator: that app, like a wounded animal, is leaving clues to its weakness and we have to follow those clues to capture our prey. We need to have the mindset of seeking out those weaknesses and taking advantage of them.
To some of you all of this might sound sadistic and it probably is to some extent. All of the best pentesters I’ve met will produce a little chuckle or a slight grin when they see an app fall apart after a successful exploit. The rush of getting a shell and knowing you’ve broken through the defenses. That tinge of Schadenfreude when you see that previously beautiful webapp filled with Doge memes. However, this hunt for weakness is what provides our clients value. It’s what discovers the holes they need to patch.
Emulating Bad Guys
Some people come into pentesting with the mentality that they want to help and fix things. Helping and fixing things is the ultimate goal, but as we’re emulating “bad guys”, this is best achieved by having an attacker’s mindset. Empathy with developers is a good thing; writing software can be awful at times and we should be empathetic to a point. It’s good to understand a client’s mentality and what they’re trying to do. But as a pentester, we need to put on our “bad guy” hat. In the security game of “cops and robbers”, we’re playing the villain. It’s our duty as pentesters to act like one: we need to effectively exploit the client as best we can in order to help them prepare for the real world where bad guys don’t give them a nicely formatted report and give them time to fix things before attacking again.
My advice to new pentesters is to try and develop that attacker mindset. Don’t let people tell you that you either have it or you don’t, that it’s an innate quality. I firmly believe that this quality is inherent in everyone to a degree and can be developed with practice. The more experience you gain and the more you attempt to mentally place yourself in the role of a bad actor, the better you will be at pentesting. If you see a weakness, probe it. If you see something that looks like it’s fragile, break it (within reason). Throw a broom in those spokes. It’s for your clients’ own good.
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.