Ask a Pen Tester, Part 1: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner

Recently, we tasked some of our Rapid7 customers to ask their most burning questions related to the mysterious art of penetration testing. And wow, did they deliver! Below, Rapid7 pen testers Gisela Hinojosa and Carlota Bindner break it all down, from how pen tests have been affected by the COVID-19 pandemic to recommendations around top pentesting certifications.

Q: What’s the easiest way you’ve gotten into a network or system?

Gisela: Password guessing would have to be the easiest way that I have gotten into a network. One of the passwords that I usually try when guessing passwords is Season + Year—it works pretty often! You just create a list with possible usernames, then use a password like Winter2020.

Q: What obstacle(s) do you find most common in pentesting?

Carlota: One obstacle that occurs on any type of penetration test is improper scoping and time allotted for testing. In some cases, the scope is too small to be reflective of the client’s network, or the amount of time allotted for the scope may be too short to thoroughly perform the assessment.

Q: How has your approach changed in light of COVID-19?

Gisela: External engagements have not really been impacted by COVID-19, and it’s just business as usual, as you might expect. But other engagement types, such as internal, electronic social engineering, and wireless, have been impacted. The main difference I have seen on internal engagements due to COVID-19 is less network traffic. Intercepting LLMNR traffic or relaying SMB credentials is usually an easy win for us, but since there isn’t a lot of traffic on the network, we have to rely on other techniques. Now that everyone is working from home, we have to work a little bit harder to find a foothold.

Q: What are some tools or phases that you’ve automated and trust that no manual testing is required?

Gisela: I personally don’t automate any phase completely, since there are some things that are better done manually. However, the OSINT phase is probably the phase that I use automated tools the most.

Q: When on a pen test involving endpoints and servers, how often do you find obsolete or unsupported operating systems, and which operating systems do you find most easily exploitable?

Gisela: I find surprisingly a lot of unsupported operating systems during an internal pen test. The oldest OS I have seen was a Windows 2000 server. However, on an external, it is not as common, since companies usually harden what is exposed to the world.

Q: When pentesting a system/network, what’s something that you’re surprised by every time it happens?

Carlota: I am surprised when I find default credentials on administrative interfaces. It is an issue I find on both internal and external network penetration tests.

Q: What methods do you use the most for updating your pentesting knowledge (CTFs, pentesting labs, courses, etc.)?

Gisela: I use different methods throughout the year depending on how my schedule looks. It also depends on what I am trying to learn. On a daily basis, I try to read articles from reddit on r/netsec or Twitter. However, I like using Pentester Academy when I am trying to learn something new, and I try to take a SANS class once a year. HackTheBox is also great for learning if you’d like a more hands-on approach.

Q: Would you advise pentesting or continuous testing?

Gisela: I would advise both, since pentesting and continuous testing have different goals in mind. Continuous testing is more for code quality, and your build will only be as good as your tests. With pentesting, there are always new vulnerabilities that are found each day, and the goal of a pen test is to exploit those vulnerabilities on a production web application or host to bring attention to gaps in in-production processes.

Q: What recommendations do you have for someone looking to be a pen tester?

Gisela: Show your passion. You don’t have to know everything about pentesting, but you have to be willing to learn. If you are passionate about pentesting, you will be willing to put the extra time in and outside of work. Build a home lab, be involved in your local security community, participate in CTFs, and never give up on finding the job you want.

For more insights on the art of penetration testing, please check out rapid7.com next Wednesday, Aug. 26, for our annual Under the Hoodie report. Gisela and Carlota will also be back for part two of this series in the next couple of weeks, so if you have any questions about penetration testing you’d like the pair to answer, please comment below or tweet us @Rapid7.