Penetration testing tips, tricks and unusual situations
by Mirko Zorz - Monday, 2 April 2012.
Raul Siles is a senior security analyst with more than 10 years of expertise performing advanced security services. He is a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences and contributor to research and open source projects.

In this interview, Raul talks about unusual and interesting situations he encountered while working as a penetration tester, outlines practical tips for those interested in a penetration testing career, lists his favorite tools, profiles his upcoming training workshop at SANS Secure Europe 2012, and more!

A great deal of newcomers to the information security field are fascinated by penetration testing. What advice would you give to those interested in making this their career path?

Penetration testing is one of today's cutting-edge information security topics, to some extent influenced by Hollywood, where the main movie character's goal is to break into some IT infrastructure or critical systems to save the world, and also somehow influenced by human nature, considering most people prefer breaking things (if they are given the opportunity to do so) versus fixing them.

After so many years as a professional penetration tester, I am glad I can feel still the excitement of breaking into a new network, system, application, or device, and still have the enthusiasm of discovering new vulnerabilities, and keep my interest on understanding and building new tools. However, newcomers must know this is the grateful part, and penetration testing also involves lots of, sometimes boring, repetitive tasks. You will face multiple disheartening situations where you spend many hours or even days trying to find a vulnerability to get in, and you do not succeed. Almost as you have lost hope of finding anything interesting, you end up finding that key element or flaw that compensates all the tough work.

In order to be a good professional penetration tester (and leaving social engineering apart) it is crucial to possess an in-depth technical background. You must love the technology and always be willing to learn about new things, that is the reason why I like to self-dubbed myself "the apprentice". The more you know and have played and tested how technologies work, the better. It is only through a thorough understanding of how things work, and an insatiable desire of learning all the details, that you will be able to find ways to manipulate them to make them work or behave in an unexpected way they were never designed for. This is the real out-of-the-box thinking and philosophy behind the original and positive hacking term.

A final key point for newcomers is that during their career as professional penetration testers they are going to get involved in two very common scenarios: working alone or as a team member. Most experienced penetration testers are used to and feel comfortable working alone, but they also need to practice and improve their skills to work as a team member. We at Taddong are always trying to improve and become more effective and efficient, optimizing our interactions as a team, especially during large penetration tests.

In all your years as a penetration tester, what are some of the most interesting situations you've encountered?

It is difficult to select the top situations from all the different penetration tests I've been part of, and my memory is not good enough to do a fair comparison between them. I feel that through the years you get used to breaking into the most commonly spread technologies (such as Windows or Unix systems, networks and network devices, or web applications), so I definitely like when I encounter something new that catches my interest, and in particular, if it is tied to the physical world.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th