Submitted 4 months ago by Early_To_Risa@sh.itjust.works to greentext@sh.itjust.works
https://sh.itjust.works/pictrs/image/1be19bb4-6173-467b-9712-1ff08720b46c.jpeg
I’m pretty lazy, but I’d at least run a port scan so I have something to submit in a report. That takes a few minutes to run and can be scheduled to run daily so there’s something in their logs.
That said, our audits always turn up something new (usually benign), so I’d be very suspicious of an “all clear” result.
Also, even without a prior pentest the admins should have a rough idea where problems areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions
Just copy some report from online and change a few characters. Easy to do on the toilet.
As a professional pen tester myself, you have to test at least some of the pens to make sure the ink isn’t all dried up or run out. It’s not hard.
So which is your favourite flavour?
Only the best marines are able to become pen testers.
Sharpies smell great.
It’s not hard.
well, unless the ink has dried
Get a lighter
And the company doesn’t ask for references, or proof of what was done?
“How do I know you won’t use my techniques to become bad hackerman to hack your competitors? Sorry, I’m a professional”
LOL. I wish it was that easy. Also, if you say you did a pen test bjt didn’t, then the client gets hit through an exploit you said you checked or should have checked for, you and your company are done.
Not me, just my company Try-N-Hack LLC.
Luckily I’ll be back on my feet as ThisGuyHacks LLC in no time!
Not how that works. They will go after the company and individuals. You can bet that fraud charges will be filed with the police and don’t think that wire fraud with the feds is out of the question.
/>get sued a week later when a real hacker breaks into their system and the IT department notices a security flaw that would easily be addressed by first few staps in pen testing
It’s in crypto and I’m in Portugal.
Points out where working with me give no security guarantees, that they accept when agreeing to allow me to hack them, either in person, writing, or electronic communications, along with allowing the terms to change at any time, for any reason, without notice.
This is why you should hire me, the pen tester tester. For $2000 I’ll make your network slightly less secure to see if the pen test catches it.
With the exception of Girl Scout cookies, I don’t buy anything from anyone that shows up unannounced.
If I didn’t know I needed it until now, I need to do research before I buy into it.
If I did know I needed it and you showed up randomly, I have no reason to expect that you provide any reasonable value with your services.
Door to door sales are as dead as cold calls and email.
At least do some auto scans with WebCheck, Shodan, nmap + vulnerability scans and some basic OSINT on their boss so you can report something and at least spook them a little bit.
Providing one half of a double blind study.
I’ve always wanted to start a ghost busting business.
Just explain that after I’m done, all the strange sounds they hear have a perfectly logical explanation.
Cornelius_Wangenheim@lemmy.world 4 months ago
echodot@feddit.uk 4 months ago
You hope it’ll set off alarms. Sometimes it doesn’t, mostly because they don’t have monitoring setup.
Cornelius_Wangenheim@lemmy.world 4 months ago
Pen tests aren’t cheap. Even basic ones are ~$20k. There’s only 2 types of companies that bother with them: ones that care about cybersecurity and ones that have to do it for compliance (PCI/CMMC/etc). Both will have some kind of IDS and a SIEM.
jol@discuss.tchncs.de 4 months ago
Or because you hacked into the wrong company. This has happened multiple times.
CaptainHowdy@lemm.ee 4 months ago
Most folks dgaf about certs, and I agree with them. Certs are BS. I only have certs because employers paid for them and in tech (especially security) there’s a LOT of free time if you know what you’re doing. Certs only prove you can pass a test.
Bold of you to assume most companies have intrusion detection systems and that their monitoring isn’t muted half the time.
Findings come from an automated report generated by a scanner that does literally all the work.
OP post is really not that far off. It’s an easy gig.
Source: I’ve worked on both sides.
expr@programming.dev 4 months ago
Uh, certs are a huge deal in cyber security. Absolutely useless in most fields, but cybersecurity is not one of them.
SaharaMaleikuhm@feddit.org 4 months ago
So pen testing is a scam? I knew it! Opening all my ports right now.
ameancow@lemmy.world 4 months ago
You’re implying that people who post on 4-chan have no clue how the real world works and no idea what business is like and how people make money!