Pentester Origin Story: How did you first get involved in pentesting?
In my previous life, I used to work as a Java developer in the late 2000s, and I came across some forums related to that obscure dark thing called "Hacking," and it immediately caught my interest. Then I started to dig deeper and deeper until I realized that I understood some interesting things (and it was more fun than my job). Then, I changed my profile to Linux sysadmin for a few years to finally jump to offensive security.
What motivates you when it comes to pentesting?
As a retired developer, I love understanding how a site has been built and the logic behind it, to figure out how or why something is working that way, and then abuse it, of course. Furthermore, being in a field that requires constant updating and a great deal of specialization motivates me a lot. Also, as a FOSS-minded guy, I love contributing to the community by developing free tools and resources such as the reconFTW tool or the Pentest Book.
What do you feel makes a good pentest engagement?
From my experience, I believe that a good combination of a well-measured scope, a stable test environment as close as possible to the production environment, and teamwork between the pentesters and the technical managers of the audited application would be the ingredients of a perfect pentest.
What kind of targets excites you the most? Do you have a favorite vulnerability type?
I like to switch between different types of lenses, but pentests of new technologies that I know nothing about and that require me to do my own research are the ones I like the most. As for vulnerabilities, I like to go for high-severity findings like Remote Code Execution or SQL injection; they are also the most fun to find and exploit, or to find a specific bypass for the defenses in place.
Where do you go to learn about different security concepts? Are there specific pages/handles you follow?
I usually find the latest and most interesting topics on Twitter; some of my favorite profiles are @hacker_, @jhaddix, @MrTuxracer, @fransrosen, or @mrd0x. Also, some good references for learning new types of attacks or reading different approaches to already known vulnerabilities are HackerOne's hacktivity page and the research done by the PortSwigger team, which is a goldmine. I love Intigriti's Bug Bytes and @securibee's newsletter to stay up to date.
How do you conduct research and recon for a pentest?
I usually first try to fingerprint the application technologies while running some web fuzzing, crawling, and/or manual navigation through a proxy to get the full picture of the whole application at a general level. Depending on the above results, I go for the parts of the application that may have more functionality or user input.
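The fingerprinting step of that workflow, as an added bash example (not the interviewee's own script, nor part of reconFTW): it reads a saved HTTP response such as `curl -si https://target/` would produce, pulls the cheap signals out of it (Server and X-Powered-By headers, session cookie names, the HTML generator meta tag), and turns the result into an extension list for the web-fuzzing step that follows. The response below is constructed for the demo; the cookie-to-platform mapping and the extension choices are this example's assumptions, not a complete fingerprint database.

```bash
#!/usr/bin/env bash
# Added example: passive technology fingerprinting from a saved HTTP response,
# followed by a hint for the content-discovery (fuzzing) step. Not the
# interviewee's script; the response and the mappings below are assumptions.

# Constructed sample response (what `curl -si` against a PHP/WordPress site
# might return). Replace with: SAMPLE_RESPONSE="$(curl -si "$URL")"
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; Path=/
Content-Type: text/html; charset=UTF-8

<html><head><meta name="generator" content="WordPress 5.8" /></head><body></body></html>'

# fingerprint_response RESPONSE
# Prints one "label:evidence" line per signal found, sorted and deduplicated.
# Only headers and markup that are present in the response are reported; a
# missing header simply yields no line, so the caller never has to special-case it.
fingerprint_response() {
  printf '%s\n' "$1" | awk '
    {
      line = $0
      low  = tolower(line)
      if (low ~ /^server:/) {
        sub(/^[^:]*:[ \t]*/, "", line); sub(/\r$/, "", line)
        print "server:" line
      } else if (low ~ /^x-powered-by:/) {
        sub(/^[^:]*:[ \t]*/, "", line); sub(/\r$/, "", line)
        print "powered-by:" line
      } else if (low ~ /^set-cookie:/) {
        # Session cookie names are a reliable hint of the backend platform.
        sub(/^[^:]*:[ \t]*/, "", line)
        name = line; sub(/=.*/, "", name)
        if (name == "PHPSESSID")              print "php:cookie " name
        else if (name == "JSESSIONID")        print "java:cookie " name
        else if (name == "ASP.NET_SessionId") print "aspnet:cookie " name
        else if (name ~ /^(wordpress_|wp-)/)  print "wordpress:cookie " name
      } else if (match(low, /name="generator" content="[^"]*"/)) {
        # tolower() keeps string length, so RSTART/RLENGTH apply to the original line.
        gen = substr(line, RSTART, RLENGTH)
        sub(/.*content="/, "", gen); sub(/"$/, "", gen)
        print "generator:" gen
      }
    }' | sort -u
}

# suggest_ffuf_extensions FINGERPRINT
# Builds the value for ffuf's -e flag from the fingerprint, so the fuzzing run
# only asks for extensions the stack can actually serve (assumed mapping).
suggest_ffuf_extensions() {
  local fp="$1" exts=".bak,.txt"
  case "$fp" in *php:*|*powered-by:PHP*) exts="$exts,.php" ;; esac
  case "$fp" in *java:*)                  exts="$exts,.jsp,.do" ;; esac
  case "$fp" in *aspnet:*)                exts="$exts,.aspx,.ashx" ;; esac
  printf '%s\n' "$exts"
}

# Demo run on the constructed response.
FP="$(fingerprint_response "$SAMPLE_RESPONSE")"
printf '%s\n' "$FP"
echo "ffuf -u https://target.example/FUZZ -w wordlist.txt -e $(suggest_ffuf_extensions "$FP")"
```

The awk program is plain POSIX awk (no gawk-only features), so the function behaves the same on Linux and macOS; `sort -u` collapses duplicate signals such as several `Set-Cookie` lines for the same platform.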
What are the go-to tools you leverage?
I love OWASP's Amass tool for large targets; on small targets or web applications, I tend to rely on ffuf for multiple tasks, not just web fuzzing per se. Like most people in the industry, I use Burp Suite as the default web proxy, and I love to develop my own bash scripts for ad-hoc testing, depending on needs.
What advice would you offer to someone interested in getting into pentesting? What do you wish you had known before you started?
I would strongly advise learning at least the basics of networking, programming, Linux, and web servers; it's not mandatory for jumping into the field, but it will go a long way in helping you understand what's going on under the hood and be more resolute when faced with any challenge.
When I started out, I wish I had known how important it is to do your own research to understand how everything works; it's good to read to learn, but get your hands dirty as soon as possible.
What do you wish every company/customer knew before starting a pentest?
The more information they provide to the pentesters, the more valuable the assessment time will be for both parties. In addition, having a contact person with complete technical knowledge of the application helps to resolve specific doubts.
What do you like to do outside of hacking?
When I'm not in front of the computer, what I like the most is to do any mountain sport, especially climbing and hiking. The feeling when you get to the top of the mountain is almost as pleasant as when you see that you have managed to get root on a remote target :P
What are your short-term and long-term goals?
For now, I want to keep researching, learning, and improving the things that interest me the most, like reconnaissance, asset discovery, and automation. I am also quite interested in Azure pentesting and red teaming, so I keep up to date in this field. Long term, I don't have anything planned, just to stay in this field and see what the future holds.