I recently interviewed for a Penetration Testing position and was able to get some great insight into the process. I don’t know whether this process reflects how all companies assess a candidate, but the information I got was valuable and I would like to share it. I will describe the process but will not reveal the company or any in-depth details, just a simple overview.
I think describing my level of experience will aid this article greatly:
I have been working in IT since 2008, so roughly 7+ years of experience. My experience in systems administration has helped me grow my knowledge of business technologies, networking, and security. I became interested in security and penetration testing as a career in 2012 as I continued my IT career. I have done a significant amount of independent coursework, including setting up a penetration testing lab with a partner that emulates a business, doing CTFs, and working on vulnerable VMs. I started IT consulting in 2011, which has greatly expanded my knowledge and challenged me on many occasions. TL;DR: sysadmin, 7+ years in IT, IT and security consultant, study security topics daily.
The process began with a skills challenge that was made to evaluate the way you think and assess your capabilities. This challenge included the following:
Section #1 Hands-on challenge
Web application assessment:
- Analyzing the functionality of a web form
This particular section involved reviewing the functionality of a web form and discovering what information would allow you to proceed past it. If you simply followed the instructions and reviewed all linked files and their functions, you should be able to piece this together. I think the takeaway here is to spend the time reviewing everything in front of you.
Working with shellcode:
- Decoding a string
- Working with shellcode
- Using a debugger
This section involved taking an encoded string, decoding it, and then working with the remaining shellcode. Some knowledge of assembly may be needed, including the ability to work with a debugger. This can all be accomplished with a bit of research, but once again I recommend some of the Securitytube videos.
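The kind of decode-then-inspect workflow this section describes, as an added example that is not part of the original post or the challenge itself. It assumes a typical layered text encoding (base64 wrapped around hex); the "challenge string" is constructed in the script from the well-known 23-byte Linux x86 execve("/bin/sh") shellcode so that it runs offline, and the byte markers it looks for are my own shortlist, not anything from the challenge.

```python
import base64
import re

# Constructed sample: the classic 23-byte Linux x86 execve("/bin/sh") shellcode,
# used here only as known-good test data for the decoder.
SAMPLE_SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")

# The "challenge string" is built from the sample so the example runs offline:
# raw bytes -> hex text -> base64 text (a typical layered encoding).
SAMPLE_CHALLENGE = base64.b64encode(SAMPLE_SHELLCODE.hex().encode()).decode()

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_layers(text, max_layers=8):
    """Peel textual encodings (hex, then base64) until raw bytes remain.

    Hex is tested first because every hex string is also made of valid
    base64 characters, so testing base64 first would mis-decode hex layers.
    """
    data = text.encode() if isinstance(text, str) else text
    for _ in range(max_layers):
        try:
            s = data.decode("ascii").strip()
        except UnicodeDecodeError:
            break                      # non-text: assume we reached raw bytes
        if HEX_RE.match(s) and len(s) % 2 == 0:
            data = bytes.fromhex(s)
        elif B64_RE.match(s) and len(s) % 4 == 0:
            data = base64.b64decode(s, validate=True)
        else:
            break                      # printable, but not an encoding we know
    return data


# Byte patterns worth noting before opening a debugger: x86 syscall
# instructions and the common "xor eax, eax" zeroing idiom.
MARKERS = {
    b"\xcd\x80": "int 0x80 (32-bit Linux syscall)",
    b"\x0f\x05": "syscall (64-bit Linux syscall)",
    b"\x31\xc0": "xor eax, eax",
}


def find_markers(code):
    """Return [(offset, description)] for every marker found, sorted by offset."""
    hits = []
    for pattern, desc in MARKERS.items():
        start = 0
        while (idx := code.find(pattern, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def to_c_array(code, per_line=12):
    """Format bytes as a C string literal for a small loader stub."""
    lines = []
    for i in range(0, len(code), per_line):
        chunk = code[i:i + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "unsigned char shellcode[] =\n    " + "\n    ".join(lines) + ";"


if __name__ == "__main__":
    code = decode_layers(SAMPLE_CHALLENGE)
    print(f"decoded {len(code)} bytes")
    for off, desc in find_markers(code):
        print(f"  +{off:#04x}: {desc}")
    with open("shellcode.bin", "wb") as f:
        f.write(code)                   # raw bytes for a disassembler or debugger
    print(to_c_array(code))
```

The raw file can be fed straight to a disassembler (for example `ndisasm -b32 shellcode.bin`) and the C array dropped into a loader stub you then step through in a debugger; the marker scan only tells you which architecture and calling convention to expect before you do that.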
Section #2 The write up
This section simply involved writing up the steps involved in completing the challenge. Since this had a two-page maximum, I decided to detail only the progress I made, and I saved space by referencing photos to be reviewed alongside the write-up. I think this section was very important, because being able to articulate your steps and progress is an essential skill in penetration testing. I tend to write technical documentation with the reader in mind: I write as if I’m walking someone through my thought process so that the actions can be easily reproduced.
Section #3 Scripting challenges
This section involved three scripting challenges that varied in difficulty and could be completed in your scripting language of choice. I chose Python because it is the language I currently use for most things. Knowing at least one scripting language well enough to throw together small tools and automate tasks is an important part of being a penetration tester, and I feel it separates you from D-grade testers. This challenge seemed to be a way to filter out candidates without fundamental scripting skills, but also a way of seeing how you think and piece things together.
Section #4 Penetration testing report challenge
This section involved reading a description of a vulnerability and writing a report that could be presented to a customer. The way technical information is presented to a customer, and your ability to convey ideas clearly, will be tested in this line of work. You must be able to accurately describe the vulnerability, the attack vectors, the business impact, and recommendations to address the weakness. Many example penetration testing reports can be found online, and I recommend reviewing a few before starting any hiring process. I remember one other occasion when I was at a meetup asking people about hiring, and one of the first things they brought up was writing penetration testing reports. The takeaway here is that the product the customer is buying is the penetration testing report, so you had better be good at writing them.
I then moved on to an over-the-phone technical interview. Depending on the level of penetration tester they are hiring for, the knowledge expected of you will vary. In my particular case they picked one stage of a penetration test and asked what tools I would use to perform the actions the interviewer specified. Understanding all stages of a penetration test is useful here, and prior penetration testing experience helps greatly.
Many questions were asked during the process but I wanted to highlight some of them:
If you had the scope and IP addresses for an external/internal penetration test/assessment, how would you start?
Whatever level you come in at, they are interested in knowing how you would begin a penetration test. This question was asked of me multiple times during the process. Have a good understanding of scanning and enumeration before interviewing.
What tools would you run to scan/recon a network? What ports would you scan? What commands would you run?
This question should be easy to answer if you have ever run nmap or any other scanning tool. I was also asked which ports I would scan for quicker recon. I said 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 139 (NetBIOS), 445 (SMB), 3389 (RDP), 1433 (MSSQL), 3306 (MySQL) and 5432 (PostgreSQL). I also mentioned that I would start a vulnerability scan and then move on to manual recon.
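To tie the scripting section and the recon question together, here is the sort of small tool the interview is really asking about: a Python script that parses nmap greppable (-oG) output and ranks hosts by how many of the quick-recon ports above they expose. This is an added example, not code from the original post; the scan output is constructed (no real hosts were scanned), and the one-line follow-up notes per port are my own suggestions, not part of the author's answer.

```python
import re

# Constructed sample of nmap greppable (-oG) output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/28
Host: 10.0.0.5 (fileserver.lab)\tStatus: Up
Host: 10.0.0.5 (fileserver.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//microsoft-ds//Samba smbd 4.7/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.7 (db.lab)\tStatus: Up
Host: 10.0.0.7 (db.lab)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.30/, 5432/open/tcp//postgresql//PostgreSQL DB 9.6/\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 16 IP addresses (3 hosts up) scanned in 300.00 seconds
"""

# The quick-recon ports from the interview answer, with a follow-up note each.
QUICK_RECON_PORTS = {
    21: ("ftp", "try anonymous login, grab banner"),
    22: ("ssh", "banner/version, is password auth allowed?"),
    23: ("telnet", "cleartext login, default credentials"),
    80: ("http", "spider, default pages, admin consoles"),
    139: ("netbios", "NetBIOS name/session enumeration"),
    445: ("smb", "share enumeration, null session, signing"),
    3389: ("rdp", "NLA enabled?, weak credentials"),
    1433: ("mssql", "default/weak sa credentials"),
    3306: ("mysql", "default/weak root credentials"),
    5432: ("postgresql", "default/weak postgres credentials"),
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_port_entry(entry):
    """One -oG port entry: port/state/proto/owner/service/rpcinfo/version/."""
    parts = entry.strip().split("/")
    port, state, proto, _owner, service, _rpc = parts[:6]
    version = "/".join(parts[6:]).rstrip("/")   # version may itself contain '/'
    return int(port), state, proto, service, version


def parse_greppable(text):
    """Map ip -> {"name": hostname, "open": [(port, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                 # comments, header/footer
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "open": []})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    port, state, proto, service, version = parse_port_entry(item)
                    if state == "open" and proto == "tcp":
                        entry["open"].append((port, service, version))
    return hosts


def triage(hosts):
    """Rank hosts by how many quick-recon ports they expose (most first)."""
    ranked = []
    for ip, info in hosts.items():
        hits = [(p, s, v, QUICK_RECON_PORTS[p][1])
                for p, s, v in info["open"] if p in QUICK_RECON_PORTS]
        ranked.append((len(hits), ip, info["name"], hits))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for count, ip, name, hits in triage(parse_greppable(SAMPLE_GNMAP)):
        print(f"{ip} ({name or '-'}): {count} quick-recon port(s)")
        for port, service, version, note in hits:
            print(f"  {port}/tcp {service} {version!r}: {note}")
```

Run it on a real file with `nmap -sV -oG scan.gnmap <targets>` and `parse_greppable(open("scan.gnmap").read())`; the point of the exercise is that the ordering and the follow-up list come out of a script you can re-run after every scan rather than out of a spreadsheet.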
How would you perform privilege escalation on a Windows desktop?
This was the stage of a penetration test they chose to ask me about, but I would expect to be asked about any stage of a penetration test.
How does a buffer overflow attack work?
This seems to be an entry-level concept in the community and is a great rite of passage to learn how to perform. Although an attack this simple is rarely found in the wild nowadays (stack canaries, non-executable stacks and ASLR all get in the way), it is a great entry point into learning exploitation. See the article "Jumping into exploit development" for more info.
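The mechanism behind the interview answer, as an added example that is not from the original post: an unchecked copy writes past the end of a fixed-size buffer and lands on whatever sits next to it in memory. Python normally hides memory layout, so the example uses ctypes to lay out a C-style `char name[16]; int authenticated;` pair and overflows the first into the second, alongside the bounds-checked version that stops it. The struct, payload and `login()` routine are constructed for the demo; in a real stack frame the bytes after a local buffer are the saved frame pointer and return address, and overwriting the return address is what turns the same bug into control-flow hijacking.

```python
import ctypes


class LoginFrame(ctypes.Structure):
    """Two adjacent variables laid out as a C compiler would place
    `char name[16]; int authenticated;` (name at offset 0, flag at 16)."""
    _fields_ = [("name", ctypes.c_char * 16),
                ("authenticated", ctypes.c_int32)]


NAME_OFFSET = LoginFrame.name.offset
NAME_SIZE = LoginFrame.name.size        # 16


def unsafe_copy(frame, data):
    """The bug: copies len(data) bytes with no bounds check (strcpy/memcpy style).

    Clamped to the struct size only so this demo never scribbles outside
    memory Python owns; a real program has no such clamp.
    """
    n = min(len(data), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame) + NAME_OFFSET, data, n)
    return True


def safe_copy(frame, data):
    """The fix: reject input that does not fit, leaving room for the NUL."""
    if len(data) >= NAME_SIZE:
        return False
    ctypes.memmove(ctypes.addressof(frame) + NAME_OFFSET, data, len(data))
    return True


def login(username, copier):
    """Copy the username into the frame and report the authenticated flag.

    Nothing in this function ever sets the flag, so a correct program
    always returns False here; only the overflow can make it True.
    """
    frame = LoginFrame()                 # zero-initialised: authenticated == 0
    if not copier(frame, username):
        return False                     # oversized input rejected
    # ... a password check would go here and set frame.authenticated on success
    return bool(frame.authenticated)


# Constructed payload: 16 bytes fill `name`, the next 4 land on `authenticated`
# and set it to 1 (little-endian), skipping the password check entirely.
PAYLOAD = b"A" * NAME_SIZE + (1).to_bytes(4, "little")


if __name__ == "__main__":
    print("normal user, unsafe copy :", login(b"alice", unsafe_copy))
    print("overflow, unsafe copy    :", login(PAYLOAD, unsafe_copy))
    print("overflow, bounds-checked :", login(PAYLOAD, safe_copy))
```

The first two prints differ only in the input length: the same copy routine that is harmless for `alice` grants access for the 20-byte payload because nothing compared the input length against the buffer. That comparison is the entire fix, which is why the question is a good entry-level check: it tests whether you understand memory layout, not whether you can recite a tool.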
Do you have a blog? a github? or projects?
This seems to carry weight with potential employers. I would recommend that anybody working professionally in security, or hoping to get into it, have a blog. It lets you display technical writing skills and your passion for security, and point to current projects you are working on. I would also recommend getting involved in coding projects and building small, useful penetration testing scripts. I was also asked about projects in general and how I choose to spend my free time.
When I finished the process I felt very satisfied that I had a much better understanding of the overall steps involved in getting a penetration testing job. It gave me direction on which topics to study and solidified some of the ideas I already had about my skill set and knowledge. I’m sure different companies have different processes, but I would say you can expect to do some sort of hands-on lab/challenge and go through a number of technical interviews. The OSCP was also mentioned throughout the entire process; if you have an opportunity to obtain this certification on your own time, I feel it will give you a big advantage.
One big takeaway: don’t bullshit, and passion can go a long way. It seemed to me that my passion for security was well regarded, and I was very proud of the time I had spent trying to chisel myself into a worthy hire. One other point I will make is that you should definitely get involved in your local security meetups and go to some conferences to learn what the industry is about. You can also meet tons of great people who can give you advice. I hope this article gives you some insight into what it takes to get through the hiring process to become a penetration tester.