Junior pentester and a disturbing trend

Before I start this rant I’ve got to say, I am not a pentester. In fact, I would make a horrible pentester. Once I have my foot in the front door I’m bored. I got in, I got the cake, and the rest is most likely possible too. Very few people or organizations protect their internal network better than the internet facing one.

And let’s be clear, I have no problem helping someone on IRC with a specific question or two about a subject they are having trouble with. Not everyone can be a master on every subject. But at some point, you get the feeling that because of question after question it’s you doing the pentest for them.

Basically what happens is that some junior pentester on his first gig (who amazingly often seems to be flying solo), is asking people on IRC for help. Not once, not twice, but all the freaking time. When you ask a question in return like “is that in scope?” you get an answer like “everything is in scope!”.

Which is bullshit, since if everything is in scope they didn’t scope the gig right or have no clue what they are doing. Correct and clear scoping before starting to break stuff is more important than anything! It tells the tester what they can do and what is off limits. If nothing is off limits, why not just DDoS the entire company off the face of the internet for a month, or delete the file storage and all users once you are AD admin?

So for crying out loud, learn to scope, and scope well and good. If you ever need information on how to scope well read this: Pre-engagement.

Another worrisome bit is that these junior pentesters often disclose way too much information about what they are doing. While they might not always give out the company name, most pentesters should have signed an NDA, and that usually covers giving out possibly sensitive information about what you are doing to random people on the internet. Because even without a name it’s possible to connect the dots and figure out the target. And let’s be honest, if the person “helping” the tester is smart, how hard would it be to social engineer a junior pentester into coughing up actual sensitive information while you are busy helping them? Answer: very easy, because they are looking to you for help, and they will do anything to look better in the eyes of their customer and manager.

Which brings me to the next point of this article: if someone is constantly asking questions, they are not only fooling themselves, but also the customer and their employer, because they appear to be far more experienced than they really are. This is most likely going to bite them in the ass at some point, when they either have no internet at a gig or get someone across the table at a pre-sales meeting who knows better than they do.

And last but not least! These juniors are asking random people on the internet for help to (allegedly) ethically hack a network. Who’s to say someone less ethical but knowledgeable won’t decide to have a little fun and make the junior take down the entire network? How would the junior explain that?

Or, worse for those giving the advice: what if the gig isn’t a real gig, but just some script kiddie who found his way into a corporate network? In that case, by providing advice, you are unknowingly aiding someone who is doing something very illegal.

So from now on I will be a bit more careful about what kind of advice I give to whom and how much of it.