Dhiraj Mishra is one of the 350+ Core pentesters worldwide who have contributed to over 6000 Cobalt pentests. We had a chance to sit down with him to learn more about his pentester journey and what he enjoys about being a part of Cobalt’s pentest community.
Dhiraj is a speaker and presenter of compelling security information. Public speaking is no simple task, but he is compelled to share information with the community his passion is rooted in.
We’d like to give everyone a chance to get to know you better. Everyone has an origin story - so I’d like to know who you are and what brought you to a career in pentesting?
DM: It all started back in 2014 when I was pursuing a bachelor’s in information technology. In a particular lecture I was introduced to the book "Cryptography & Network Security" by Atul Kahate. One of the chapters talks about 802.11ac, which is a wireless networking standard in 802.11. Meanwhile a friend of mine just whispered to me how exciting it would be if we could "hack" others' WiFi.
Later that night, I started browsing the internet to see if it was possible to "hack" someone's WiFi, and found a bunch of videos on YouTube introducing me to "Backtrack OS." By just replicating the same exact steps from YouTube on my home router, I was stoked when I began to see plaintext passwords the "aircrack-ng" tool caught. The next day, I started to fill everyone in. I was eventually challenged to get the password of our college WiFi. So, I sat down with all I had learned and replicated the same exact steps - but instead, I was introduced to a taste of failure. I think at that stage, I didn’t have sufficient knowledge to understand the complexity of that particular network. That made me more curious to know how these things work.
Fast forward to 2016 - I had a bit more information about how pentesting in general works, so I started hunting for bugs on platforms such as Google and Facebook. This led me to a full-time career in web-application security. Then, eventually, joining the Cobalt Core.
What about pentesting makes it the ideal job for you?
DM: For me, pentesting is an opportunity to explore technologies, techniques, and processes. All while getting hands-on experience in multiple domains. Almost every industry is tied to some form of technology, too.
You can secure anything from massive enterprise companies, to satellites in space. Only a pentester can work in completely different areas of industry, but bring it all together in the name of security.
What is the most rewarding part of working with the Cobalt Core Community?
DM: The most rewarding part of working in Core is our diversity. People here are from different global backgrounds and with unique skill sets. We are often sharing information and techniques to help elevate everyone's pentesting.
There is a wealth of information we share under the same roof. Our community is one of the best around!
You recently shared an extremely informative fuzzing workshop, co-hosted with fellow Core member Zubin Devnani. When did you first realize you wanted to start educating others this way? What was your first public speaking event?
DM: It was back in 2017 when I got in touch with Zubin for fuzzing, we had just got our first dedicated server. Together we began researching new techniques to fuzz binaries using multiple fuzzing frameworks, such as AFL.
In 2019, we finally decided to submit a workshop in PHDays, which is an annual conference that happens in Moscow, Russia. We got selected to present and it was the first public experience for me. It went better than we could have anticipated. This gave me the zeal to pursue speaking engagements further. In the time since, fuzzing has become one of the subjects I regularly spend time on.
When did you know you were ready to start speaking at larger events?
DM: I didn’t know, and as a matter of fact, I still don’t know if I am ready. However, I knew I had to do it someday. So, why not now?
It could also be the experience I gained in teaching freshers (newbies), or from conducting OWASP chapters and Null sessions. I am sure all these experiences gave me a hand, but I never knew I was ready until I did it. Still, there are many more stages to stand on and research I want to share.
Getting on stage and presenting to a crowd isn’t an easy feat, so what have you done to prepare yourself to engage crowds looking for technical content?
DM: Before going on stage to present my research, I’d do this at local security chapters on almost a weekly basis. I’d present technical sessions on topics like web and mobile security to colleagues. These experiences became my foundation for presenting my own research and findings on a larger stage - regarding topics like browser security and fuzzing.
At the end of every presentation, I usually leave my audience something to practice and learn. Listening to someone speak is meant to invoke curiosity on topics. When someone practices and captures a flag from a CTF, then a real sense of learning is fostered. Visually appealing slides, explaining research results, and an activity provides a heuristic approach for the listeners to engage with material themselves. You give the audience something to see, hear, and touch.
Volunteer-based education has always been at the heart of the hacking community. Being able to teach fellow colleagues helps foster growth all around, but how would you say being a trainer has impacted your life?
DM: Sharing knowledge has always been my motivation. I believe knowledge should be free and accessible by everyone. It is through sharing that the entire community has become what it is. I gained knowledge from researchers who chose to share their work, I am merely returning the favor to the community who naturalized my skills.
Learning by teaching is, for me, the best way to understand a topic. When you teach beginners, the questions they come up with are so broad. Quandaries that we might not have thought of before. Trying to find answers for questions gives a much deeper understanding on the subject. That’s the reason I won’t stop teaching and learning.
There are many great conventions and meet-ups out there. Which one are you excited to participate in each year?
DM: Although there are great hacking conventions out there and I’ve attended a few of them, I personally want to be at DEFCON and Sec-T.
Which area of pentesting do you enjoy discussing for hours on end?
DM: There used to be a time when I was crazy about web application security. All my seminars used to be web only - that's what got me into pentesting. In the past few years, I have found other interesting domains like reversing, fuzzing, and browser exploitation.
I have done multiple presentations and research on these topics; however, web security has a special place in my heart. If there’s a new vulnerability in web technology, I quickly spin up a test environment and dive in. I will even write Nmap scripts and Metasploit modules on it.
When you aren’t hacking, what are you doing with your spare time?
DM: I watch Netflix, dubbed movies, play table tennis, or squash, and hang out with friends. I do mimicry and watch stand-up comedy; I also enjoy trying new cuisines and discovering music on Spotify.
What advice do you have for someone getting into pentesting?
DM: For someone new and just getting their hands into pentesting, I would tell them to keep an open mind and have fun. Learn to be creative in your process, keep those “I wonder if” questions.
A pentester’s mind must be open to approaching targets in the craziest ways. When you try things others haven’t thought of, you are rewarded with bugs/vulnerabilities others will miss. If you have fun with your learning process, then finding bugs will become second nature and enjoyable. Of course, learning the technical aspect of technologies is equally important.
A newcomer should also join communities, actively posting and discussing security. Places where you can openly ask and get multiple answers for a single question. It shows the diversity in thought of people in the field, and even gives veterans new things to question.
Join a discussion, try helping others and you will also learn in the process.
What are some of your goals for 2022?
DM: A better version of what I am today. Enhance my training course “Deep Dive into Fuzzing” by adding different fuzzing/reversing modules. Giving back and learning from the community.
Apart from infosec, I would love to spend time with my parents.