Tips for an Information Security Analyst/Pentester career - Ep. 66: My second real pentest (2) and my first security conference
I've had a lot on my plate recently.
I volunteered with BSides LV for my first security conference ever.
After flying back from Vegas (through a troubled trip), I performed my second real-world pentest, while the Caesar's Palace havoc unfolded at Defcon.
I already voiced my opinion on the latter issue and I'm not repeating myself here.
What happened is totally inexcusable and, as both an American and a member of the hacker community, I'm totally appalled.
Additionally, I'm in full OSCP mode now, as I'm starting to intensify my study and I keep going, not without struggling.
Second pentest considerations
This time I had to crack a wireless network without even being connected to the Ethernet, only by using my wireless card in monitor mode and sniffing the traffic.
I could grab a WPA handshake and - lo and behold - I uncovered a WEP network, could you believe it?
It took me a while and I didn't have a lot of time but, once I learned how to use wifite in conjunction with airodump-ng, it was a piece of cake.
I'm not showing any images about my findings here, for obvious privacy reasons.
The lesson I learned from this is that every engagement is different and it's a totally new game every time.
This pentest was a totally different animal than the first one.
I hadn't done a lot with wireless pentesting, because I'd need to get an external adapter to play with this stuff in my virtual lab and, for whatever reason, I never made up my mind and bought one.
Well, looks like I'm gonna have to.
My first security conference - BSides LV 2018
I had a blast at BSides LV, but I think there's pros and cons to such an experience as a volunteer.
Pros
- Your room is covered by BSides, if you volunteer for at least 18 hours
- You get to know a bunch of interesting people and exchange experiences and ideas
- You might sometimes be able to get free Defcon badges
- You get to meet a bunch of recruiters working with the most important companies in the industry. The big guys were there, from Rapid7 to Tenable, Amazon, HackerOne, VirusTotal, etc. and each one had recruiters you could talk to. I handed over a bunch of business cards (Vistaprint, right?) and created a "hire me" website before going. This originated a single phone call so far, but I remain hopeful; let's see how it goes.
- You can have a resume review for free. There are people around charging you hundreds or even thousands of dollars for this type of service.
- Being a volunteer for a hacking conference looks good on a resume, if you wanna break into pentesting.
- You can enjoy free drinks and there's a really cool final party pool with an open bar on the last day. Jump in the pool and relax, all free of charge!
Cons
- You need to share your room with another volunteer. In my case, the guy I shared it with was very nice and I'm sure most of them are, but you better be outspoken when filling in the room share form. If there's something you can't stand, state it outright. You don't want to spend time in an uncomfortable situation, if you can help it. I can't stand people smoking close to me, for example. I need out, it annoys the hell out of me.
- If you volunteer for a lot of hours, you end up having no time to see any talks or to talk to someone. I had some limited time over my first day and ended up having some unexpected time available over my second day, as one of my shifts was canceled. However, I couldn't attend any talks.
- You may feel very lonely. I tried to meet up with someone but it's hard to find anybody in a mess like that, too chaotic. I'm a lone wolf, so I don't care a whole lot, but, even so, you might sometimes have that feeling you're so far from home.
- If you're a narrow-minded guy used to a suit-and-tie environment, that's definitely not for you. Hackers are very non-conformist people and you can find people (un)dressed in the most unexpected ways (there was a bunch of men kilts, they were all the rage this year. Not that I cared a whole lot about it, but I wasn't necessarily a great fan of it), plenty of freaks and people of all kinds, genders and sexual orientations, transitioning or not. If that makes you uncomfortable, that's not the place for you to be. Simply be yourself, if your motto is 'live and let live', you'll be perfectly fine with all that.
- Of course, it's in Vegas, so there's plenty of dangers lying in wait for you out there. I like drinking, don't like trashing myself out and I don't give a damn about gambling, as it's a rigged game. As for all these aspects, I'd recommend you to read this article, written by a guy who's been to a lot of security conferences and knows what he's talking about.
- Expect to get hacked. I turned Wi-Fi off while at the conference. I only used cellular data, because it's highly likely for someone to set up a rogue access point in such an environment and, as a matter of fact, I've never seen so many wireless networks in a single place in my life.
- Sometimes you may get bored. Hackers know each other and they have all these inside jokes among them you don't know about. I'm a noob and I don't know anybody, other than some big wheels who sadly weren't there, and I felt a little bit out of place. Additionally, sometimes they might do stuff that I don't find particularly funny, but they think it is. I consider myself a hacker but that doesn't mean I always 100% enjoy certain oddball jokes. No biggie, anyway.
Wrap-up
I highly recommend volunteering at a security conference at least once. You get a lot of respect for helping out and get to meet people having so many different origins, ideas, mindsets and views, who, on the other hand, all have your same interests.
I was with a bunch of people speaking my same language and, being a lone wolf, that doesn't happen a lot to me.
I'll surely go back next year, hopefully with a new job role as a pentester or red teamer.
I'm curious to have your feedback on this.
If you have a long-time experience attending security conferences, you might surely have a different view than I do, but that's fine, it's what we call democracy (until someone sitting in the White House isn't goose-stepping yet).