this post was submitted on 16 Dec 2024
717 points (97.9% liked)

Greentext


This is a place to share greentexts and witness the confounding life of Anon. If you're new to the Greentext community, think of it as a sort of zoo with Anon as the main attraction.

Be warned:

If you find yourself getting angry (or god forbid, agreeing) with something Anon has said, you might be doing it wrong.

all 46 comments
[–] Cornelius_Wangenheim@lemmy.world 165 points 6 days ago (3 children)
  1. No one's hiring you unless you have an OSCP or similar certification.
  2. A real pen test will set off all kinds of alarms.
  3. You don't get paid until you deliver a 100+ page report detailing what you did and your findings.
[–] echodot@feddit.uk 33 points 6 days ago (2 children)

You hope it'll set off alarms. Sometimes it doesn't, mostly because they don't have monitoring set up.

Pen tests aren't cheap. Even basic ones are ~$20k. There are only 2 types of companies that bother with them: ones that care about cybersecurity and ones that have to do it for compliance (PCI/CMMC/etc). Both will have some kind of IDS and a SIEM.

[–] jol@discuss.tchncs.de 13 points 6 days ago (1 children)

Or because you hacked into the wrong company. This has happened multiple times.

[–] echodot@feddit.uk 2 points 6 days ago (1 children)

That's what happens when you do off the book stuff on company time. Got to organize yourself better.

[–] jol@discuss.tchncs.de 3 points 6 days ago

I've even heard stories of physical pen testers entering the wrong company. Oops.

[–] ameancow@lemmy.world 24 points 6 days ago

You're implying that people who post on 4chan have no clue how the real world works and no idea what business is like and how people make money!

[–] CaptainHowdy@lemm.ee 20 points 6 days ago (2 children)
  1. Most folks dgaf about certs, and I agree with them. Certs are BS. I only have certs because employers paid for them and in tech (especially security) there's a LOT of free time if you know what you're doing. Certs only prove you can pass a test.

  2. Bold of you to assume most companies have intrusion detection systems and that their monitoring isn't muted half the time.

  3. Findings come from an automated report generated by a scanner that does literally all the work.

OP post is really not that far off. It's an easy gig.

Source: I've worked on both sides.

[–] expr@programming.dev 12 points 6 days ago

Uh, certs are a huge deal in cyber security. Absolutely useless in most fields, but cybersecurity is not one of them.

[–] SaharaMaleikuhm@feddit.org 9 points 6 days ago (1 children)

So pen testing is a scam? I knew it! Opening all my ports right now.

[–] TriflingToad@sh.itjust.works 4 points 6 days ago

oh yeah I probably should close those unused ports I've had open since 2020...

[–] sugar_in_your_tea@sh.itjust.works 141 points 6 days ago (2 children)

I'm pretty lazy, but I'd at least run a port scan so I have something to submit in a report. That takes a few minutes to run and can be scheduled to run daily so there's something in their logs.

That said, our audits always turn up something new (usually benign), so I'd be very suspicious of an "all clear" result.
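
The point echodot and sugar_in_your_tea make above (a real test should trip the IDS/SIEM, and a scheduled port scan leaves something in the target's logs) is what the defender's alert looks like in practice. The following is an added example, not code from any commenter: a minimal SIEM-style rule over constructed firewall log lines (the format and the addresses are made up for this illustration) that flags a source hitting many distinct ports on one host inside a short window, and separately reports the "no monitoring at all" case where the log is simply empty.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from any real system): one nmap-style sweep plus benign web traffic.
SAMPLE_LOG = """\
2024-12-16T03:00:01Z DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2024-12-16T03:00:01Z DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2024-12-16T03:00:02Z DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2024-12-16T03:00:02Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80
2024-12-16T03:00:03Z DROP src=203.0.113.7 dst=192.0.2.10 dport=139
2024-12-16T03:00:03Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443
2024-12-16T03:00:04Z DROP src=203.0.113.7 dst=192.0.2.10 dport=445
2024-12-16T03:00:04Z DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-12-16T09:15:00Z ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-12-16T09:16:30Z ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst, dport) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
            yield ts, m[3], m[4], int(m[5])

def detect_scans(log, min_ports=6, window=timedelta(seconds=60)):
    """Return {(src, dst): distinct ports} for each pair that probed at least
    `min_ports` distinct destination ports within one `window` of time."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

def monitoring_gap(log):
    """True when the log holds no firewall events at all: nothing is being recorded."""
    return next(parse(log), None) is None
```

Drops and accepts are counted alike, since a sweep of closed ports is exactly the traffic an unmonitored network never notices.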

[–] elvith@feddit.org 32 points 6 days ago

Also, even without a prior pentest the admins should have a rough idea where problem areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions.

[–] TachyonTele@lemm.ee 22 points 6 days ago

Just copy some report from online and change a few characters. Easy to do on the toilet.

[–] massive_bereavement@fedia.io 89 points 6 days ago

You're not paid for the test, you're paid for the report.

[–] Agent641@lemmy.world 84 points 6 days ago (2 children)

As a professional pen tester myself, you have to test at least some of the pens to make sure the ink isn't all dried up or run out. It's not hard.

[–] Diplomjodler3@lemmy.world 17 points 6 days ago (2 children)

So which is your favourite flavour?

[–] prettybunnys@sh.itjust.works 11 points 6 days ago

Only the best marines are able to become pen testers.

Sharpies smell great.

[–] SkaveRat@discuss.tchncs.de 15 points 6 days ago (1 children)

> It’s not hard.

well, unless the ink has dried

[–] swab148@lemm.ee 6 points 6 days ago

Get a lighter

[–] Ilovethebomb@lemm.ee 73 points 6 days ago (2 children)

And the company doesn't ask for references, or proof of what was done?

[–] HubertManne@moist.catsweat.com 32 points 6 days ago (2 children)

or like a detailed report. I bet you could make a standard report and just change a few things and maybe pull the scam sometimes. The hardest part I think would be getting someone to accept from a cold call. Would need to be pretty stupid to do that to begin with.

[–] mosiacmango@lemm.ee 32 points 6 days ago* (last edited 6 days ago) (2 children)

The reports list your hardware on them generally. They need access into your network.

The truth is that instead of faking it, you just do an actual pentest. It is generally a mix of FOSS tools like kali, metasploit, nmap, etc and pay tools like nessus. These can all be automated.

Charge the money, mail them a pre-set-up laptop, then hit the "go" button and still sit on your ass for a week.

[–] HubertManne@moist.catsweat.com 18 points 6 days ago (1 children)

I was thinking this. Get a nice format with letterhead or whatever for dumping from the tools, but now it's almost like an honest living. ewwww.

[–] Kusimulkku@lemm.ee 10 points 6 days ago (2 children)

> They need access into your network.

"Sir, we found an issue in your security practices. You let some rando into your network. That's a terrible idea. My invoice is in the mail."

[–] stetech@lemmy.world 1 points 2 days ago

You jest, but I’ve read somewhere it’s actually reasonable to provide some amount of info or access to pen testers… since they’re just gonna find out anyway, but if you pay them for a week, you might as well not waste the first 3 days to have them figure the basic setup which doesn’t have an effect on the security analysis/outcome.

[–] cactusupyourbutt@lemmy.world 6 points 6 days ago

I was asked to review a project of another company, and needed access to their documentation for that. They gave me access to their whole wiki instead of just a part of it. Definitely included that in the report.

[–] Cruxifux@feddit.nl 7 points 6 days ago

Yeah well you don’t want to try to scam smart people anyways.

[–] Glitterbomb@lemmy.world 31 points 6 days ago

This is why you should hire me, the pen tester tester. For $2000 I'll make your network slightly less secure to see if the pen test catches it.

[–] shneancy@lemmy.world 33 points 6 days ago* (last edited 6 days ago) (2 children)

>get sued a week later when a real hacker breaks into their system and the IT department notices a security flaw that would easily be addressed by the first few steps in pen testing

[–] GhiLA@sh.itjust.works 8 points 6 days ago

It's in crypto and I'm in Portugal.

Points out where working with me gives no security guarantees, that they accept when agreeing to allow me to hack them, either in person, in writing, or in electronic communications, along with allowing the terms to change at any time, for any reason, without notice.

[–] JoMiran@lemmy.ml 52 points 6 days ago (2 children)

LOL. I wish it was that easy. Also, if you say you did a pen test but didn't, then the client gets hit through an exploit you said you checked or should have checked for, you and your company are done.

[–] MimicJar@lemmy.world 26 points 6 days ago (1 children)

Not me, just my company Try-N-Hack LLC.

Luckily I'll be back on my feet as ThisGuyHacks LLC in no time!

[–] JoMiran@lemmy.ml 3 points 6 days ago (1 children)

Not how that works. They will go after the company and individuals. You can bet that fraud charges will be filed with the police and don't think that wire fraud with the feds is out of the question.

[–] echodot@feddit.uk 2 points 6 days ago (1 children)

It depends on what happened. If the company simply said they'd done the test but never gave any of the tasks to their employees then the employees would be in the clear. You can't be sued for something you never even knew about.

But if the company had taken the contract on in good faith, given the task to an employee, and then they'd just lied to their managers and said they'd done it, then yeah, the employee could be gone after.

[–] JoMiran@lemmy.ml 2 points 6 days ago

Lawsuits will name the company and specific individuals they believe are complicit. The company by default because they are the ones with insurance.

[–] HeyThisIsntTheYMCA@lemmy.world 16 points 6 days ago

Just the same method I employ when people want refunds

[–] rumba@lemmy.zip 19 points 6 days ago

With the exception of Girl Scout cookies, I don't buy anything from anyone that shows up unannounced.

If I didn't know I needed it until now, I need to do research before I buy into it.

If I did know I needed it and you showed up randomly, I have no reason to expect that you provide any reasonable value with your services.

Door to door sales are as dead as cold calls and email.

[–] nebulaone@lemmy.world 11 points 6 days ago

At least do some auto scans with WebCheck, Shodan, nmap + vulnerability scans and some basic OSINT on their boss so you can report something and at least spook them a little bit.

[–] milicent_bystandr@lemm.ee 7 points 6 days ago

Providing one half of a double blind study.

[–] ch00f@lemmy.world 7 points 6 days ago

I’ve always wanted to start a ghost busting business.

Just explain that after I’m done, all the strange sounds they hear have a perfectly logical explanation.