I work as a pentester (as a freelancer nowadays). Getting out of bed and "real stuff" is supposed to be part of a pentest. The problem is more the sheer amount of stuff you are supposed to know to be a pentester. Most pentesters come into the field knowing a bit of XSS, a few things about PHP, and SQL injection. Then you start to work, and the clients need you to test things like:

- compromise a full Windows network and take control of the Active Directory server, because of a misconfiguration of Active Directory Certificate Services, while dealing with Windows Defender
- test a web application that uses WebSockets, React, Node.js, and GraphQL
- test a WinDev application with a Java backend on an AIX server
- check the security of an architecture with multiple services that use single sign-on, and Kubernetes
- exploit multiple memory corruption issues, ranging from buffer overflows to heap and kernel exploitation
- evaluate the security of an IoT device with firmware OTA updates and secure boot
- be familiar with cloud tokens, and with compliance with European data protection law
- mobile security, with iOS and Android
- network: RADIUS, ARP cache poisoning, writing a Scapy layer for a custom protocol, etc.
- cryptography, you might need it

Most of this is actual stuff I had to work on at some point. Even if you just do web, you should be able to detect and exploit all those vulnerabilities:
https://portswigger.net/web-security/all-labs Nobody knows everything. Being a pentester is a journey. So in the end, most pentesters fall short on a lot of this. Even with an OSCP certification, you don't know most of what you should know.
I heard that in some companies, people don't even try and just give you the results of a Nessus scan.
But even if you are competent, sooner or later you will run into something that you don't understand. And you have two weeks max to get familiar with it and test it. You can't test something that you don't understand. The scanner always gives you a few things that are wrong (looking at you, TLS ciphers).
Even if you suck, or if the system is really secure, you can put a few things into your report.
As a junior pentester, my biggest fear was always to hand in an empty report. What were people going to think of you if you worked for a week and didn't find anything?
I'm trying to remember the rule where you leave something intentionally misconfigured/wrong for the compliance people to find and that you can fix so they don't look deeper into the system. A fun one with web servers is to get them to report they are some ancient version that runs on a different operating system. Like your IIS server showing it's Apache 2.2 or vice versa.
But at least from your description it sounds like you're attempting to pentest. So many of these pentesting firms are "click a button, run a script, send a report and go on to the 5 other tickets you have that day" type of firms.
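The banner trick in the comment above has a limit that a careful scanner can exploit: the Server header is trivial to rewrite, but other headers the stack emits are usually left alone, so a banner that says "Apache/2.2" next to an X-AspNet-Version header gives the game away. The following is an added example, not code from anyone in this thread, that cross-checks the claimed Server banner against stack-specific headers. The sample header sets and the small hint table are constructed for illustration and are not a complete fingerprint database; the only stack-specific hints it knows are the ASP.NET headers that classic ASP.NET on IIS emits.

```python
import re
from typing import Dict, List, Optional, Set

Headers = Dict[str, str]

# Constructed sample responses (not captured from any real host).
# An IIS box whose Server banner has been rewritten to look like old Apache:
SPOOFED_IIS: Headers = {
    "Server": "Apache/2.2.3 (Red Hat)",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
# A plain Apache host and a plain IIS host, for comparison:
HONEST_APACHE: Headers = {
    "Server": "Apache/2.4.57 (Debian)",
    "Content-Type": "text/html; charset=UTF-8",
}
HONEST_IIS: Headers = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
}

# What the Server banner claims to be. Order matters only for readability.
BANNER_FAMILIES = [
    (re.compile(r"^Apache\b", re.I), "apache"),
    (re.compile(r"^Microsoft-IIS\b", re.I), "iis"),
    (re.compile(r"^nginx\b", re.I), "nginx"),
]


def _get(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def claimed_family(headers: Headers) -> Optional[str]:
    """Server family the Server banner claims, or None if unrecognised/absent."""
    banner = _get(headers, "Server") or ""
    for pattern, family in BANNER_FAMILIES:
        if pattern.search(banner):
            return family
    return None


def hinted_families(headers: Headers) -> Set[str]:
    """Server families implied by headers other than Server.

    Illustrative subset (assumption): the X-AspNet-Version /
    X-AspNetMvc-Version headers and an "ASP.NET" X-Powered-By value
    are emitted by the classic ASP.NET stack running on IIS.
    """
    hints: Set[str] = set()
    if _get(headers, "X-AspNet-Version") or _get(headers, "X-AspNetMvc-Version"):
        hints.add("iis")
    powered_by = (_get(headers, "X-Powered-By") or "").lower()
    if "asp.net" in powered_by:
        hints.add("iis")
    return hints


def banner_mismatches(headers: Headers) -> List[str]:
    """Families that the secondary headers point to but the banner denies.

    An empty list means the banner is consistent with everything else we
    saw (which is not proof that it is honest, only that this check found
    nothing). If the banner is unrecognised there is nothing to contradict.
    """
    claimed = claimed_family(headers)
    if claimed is None:
        return []
    return sorted(family for family in hinted_families(headers) if family != claimed)


if __name__ == "__main__":
    for label, sample in (("spoofed IIS", SPOOFED_IIS),
                          ("honest Apache", HONEST_APACHE),
                          ("honest IIS", HONEST_IIS)):
        print(f"{label:14s} banner={claimed_family(sample)!s:7s} "
              f"contradicted by={banner_mismatches(sample)}")
```

To use it against a live target, feed it the header dict from any HTTP client response; the point is that consistent fakery means rewriting (or suppressing) every stack-revealing header, not just Server, and tools that fingerprint by error pages, header ordering or TLS stack behaviour will still see through a header rewrite.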