/RPG/ Remote Pentester General

This thread is for the discussion and support of those anons who have accepted the Quest to become remote pentesters. I am OP, my email is OSCPanon at protonmail. You may contact me via email with any questions related to hacking professionally, or learning to do so.

Link to the last General thread:
Link to original thread that prompted creation of this general:
So what are you doing to further your Quest this weekend, anon? Here are some good resources and things you could start working on:

Free ebook downloads for several of the books I cover:
b-ok.org/

-Noob-friendly complete guide to OSCP content (with very helpful links):
abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html?m=1

-Another book recommendation and guide to the PWK training:
tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

-IppSec (HtB walkthroughs):
youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos

Learn Linux (free courses from Harvard, Dartmouth, Redhat):
edx.org/learn/linux

Learn Linux (Bandit - Over the Wire):
overthewire.org/wargames/bandit/

Learn Metasploit (free course from offensive security):
offensive-security.com/metasploit-unleashed/

Learn Python (free course & Codecademy; added YouTube source):
learnpython.org/
codecademy.com/learn/learn-python
m.youtube.com/channel/UCCezIgC97PvUuR4_gbFUs5g (Corey Schafer channel)

Start creating your virtual lab with VirtualBox (Free):
virtualbox.org/

Free Windows VMs from Microsoft:
developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Build your hacking OS (Kali & Parrot):
kali.org/downloads/
parrotsec.org/download.php

Vulnerable VMs to practice against:
vulnhub.com/

Vulnerable lab & CTF community:
hackthebox.eu/

Other Resources (podcasts, tech reading, misc):
darknetdiaries.com/episode/36/ (great podcast. Ep.36 is about a pentest)
more to come...

Link to Certification Info:
elearnsecurity.com/certification/ejpt/ (Junior Pentester Cert)
offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/ (OSCP - the ultimate goal of the aspiring pentester)

Thanks to everyone who replied to my email with the guide. My protonmail inbox is now a beacon of hope. I really appreciate your warm regards, and your positivity proves to me this is going to be a worthwhile venture.

I will also be updating the guide as we go, and I am currently working on writing a guide for monetization options for this skill. Since it is not complete yet, we can discuss a little in today's thread. For starters, you can check out:

Bug bounty site (hack large companies and websites for bounty rewards):
hackerone.com

Hackerone also runs this site, which is for learning:
hacker101.com/

I will post the guide from last week here. This is the last time I'll post it in the /RPG/ thread. After, I will direct you to the previous threads. As always any questions are welcome, and I will answer them as soon as I can throughout the day. If you want to discuss other remote work opportunities in tech, outside of hacking, that is fine too. And anyone who wants to chime in with advice on such a topic is welcome to join in.

You got this anons!

(Guide posted as five image attachments, path1.jpg through path5.jpg.)

Bump, OG anon. Thanks for the work. Going to practice with Burp Suite today.

Ah! I forgot to add the Burp Suite course to General!

Thanks for the reminder, anon. I'm adding it now so I don't forget next week. Thanks for the update on your progress, too! Burp Suite is a great tool. I use it for every web app test.

My fave (and free) Burp Suite course:
hackademy.aetherlab.net/p/burp-suite

The Burp Suite course is also available on youtube here:
youtube.com/watch?v=AVzC7ETqpDo

Hey OP. What would be your advice to someone who has 0 linux experience but wants to get used to it? Would you recommend just jumping into a hacker friendly distro like kali or starting with something else? And also checking your holy dubs.

Physical pentesting is also a potential career choice.

Compsci requirements are much lower but it usually requires either blue collar experience or an innate chadness.

Good question, anon. Kali is a fine way to learn, and forces you to get into the command line. But if you really want to learn quickly, then my suggestion is to change your daily driver OS to a linux distro, such as ubuntu or linux mint. I started on Linux Mint. It's an easy switch, as it has a very modern GUI.

Don't use kali as your daily driver, as it is not secure, and not meant to be.

You don't have to wipe your current OS, but you should at least spin up a VM of ubuntu or linux mint, and start doing your usual computer tasks and browsing in that machine. The best way to really learn linux is to force yourself to use it regularly. Also try to do as much from the command line as you can. If you don't know how to do something in linux, google how to do it from the command line, and do it that way.

Other than that, I think over-the-wire/bandit is your best bet:
overthewire.org/wargames/bandit/
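As an added illustration of the kind of command-line exercise Bandit sets, here is a small POSIX shell script written for this page (it is not part of the original post and not OverTheWire's material). It builds a throwaway directory of constructed files and then solves two typical exercise patterns: locating the single file that matches a set of properties with find, and printing the only line that occurs exactly once in a file with sort and uniq. Directory names, file names and contents are all constructed here.

```shell
#!/bin/sh
# Added example: two Bandit-style command-line tasks solved with find and the
# sort/uniq pipeline. All sample data is constructed below; nothing comes from
# the OverTheWire servers.

# Create a scratch directory. One file is exactly 1033 bytes of text and not
# executable (the target); the others are decoys with the wrong size or mode.
make_sample_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/inhere/maybehere01" "$dir/inhere/maybehere02"
    # target: 1033 printable bytes, default (non-executable) permissions
    head -c 1033 /dev/zero | tr '\0' 'A' > "$dir/inhere/maybehere02/.file2"
    # decoy: right size, but executable
    head -c 1033 /dev/zero | tr '\0' 'B' > "$dir/inhere/maybehere01/file1"
    chmod +x "$dir/inhere/maybehere01/file1"
    # decoy: wrong size, and a name with spaces to make careless quoting fail
    head -c 500 /dev/zero | tr '\0' 'C' > "$dir/inhere/maybehere01/spaces in this filename"
    # data for task 2: every line but one appears more than once
    printf '%s\n' dup dup unique dup2 dup2 > "$dir/data.txt"
    printf '%s' "$dir"
}

# Task 1: the one regular file under $1 that is exactly 1033 bytes and not
# executable. -size Nc (bytes) and -perm with an octal mode are both POSIX;
# "! -perm -100" means "owner execute bit not set".
find_by_properties() {
    find "$1" -type f -size 1033c ! -perm -100
}

# Task 2: the only line of $1 that occurs exactly once. uniq only compares
# adjacent lines, so the input has to be sorted first.
unique_line() {
    sort "$1" | uniq -u
}

# Run both tasks against the constructed data, then clean up.
main() {
    d=$(make_sample_dir)
    echo "file matching the properties: $(find_by_properties "$d/inhere")"
    echo "line occurring once: $(unique_line "$d/data.txt")"
    rm -rf "$d"
}

main
```

Always quote "$path" expansions: the decoy file name with spaces is there precisely because unquoted `$(find ...)` output is word-split and the exercise then silently misses the file.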

Bump

none of that shit has anything to do with hacking. it's all script kiddie shit. learn C/C++ and the win32 API and then you can call yourself a hacker. fag.

Indeed, physical security testing is very important. None of your technical controls mean anything if I can convince the doorman to let me into the server room. There is certainly a career opportunity there, but it does require someone who can lie easily, and convincingly, and is generally good with people. (or good with tricking people?)

Check out Defcon's Social Engineering village and annual contest for more interesting info on this. The contest is done over the phone, but the champions could do this stuff in person with ease:
youtube.com/watch?v=yhE372sqURU

Thanks, anon.

Well, first of all, this thread is about helping anons get into the field, and get work. The things I am suggesting will do just that. If someone already has the experience I have mentioned, and wants to become an exploit developer, then your suggestions would be a nice start. Honestly though, you have a very narrow view of what "hacking" is. It's not just developing windows app exploits. You should expand your horizons. And personally, I don't enjoy digging through and debugging C# to develop exploits.

Cope harder you fucking code monkey

Britbong RPT reporting in. You are doing Gods work OP. Anything that changes the convo around here from muh crypto to business / career stuff is top tier.

(That said, my LINK and BTC are appreciating nicely, so...)

>Defcon

it's good stuff.
Offhand, do you remember the name of the guy that did the bank somewhere in the Middle East?
He talks about spinning around in a chair waiting to get caught.
I can't remember the name and I really want to look up the video again.

Thanks, anon! I am certainly not against crypto. I am also very happy to see the LINK gains. I'm holding BTC, ETH, LINK, and VIDT right now. Crypto is great, but it's good to have a steady income stream. If you have to wage, then it's best to try to do something fun and interesting. And my work provides me a level of freedom that few other jobs do.

Mmm, I cannot remember, anon. If you do remember, please share! I would be very interested in that story. I'll likewise let you know if I find it first.

Most metasploit shit requires at least LAN access to pull off. There are a few remote exploits but that shit is getting harder to do now that most email providers are pretty good at scanning documents. You could just as easily learn C and write yourself a RAT, then send dumb normies the download link to it. It works the same as metasploit without having to use shitty metasploit.

Also, Windows 10 sends binary files that come from the internet to its servers that scan it before it's allowed to be run in Windows 10. It does this by default now, so the chances of your exploit lasting very long are slim unless you know how to hide it right.

Why are you not rich yet?

Deviant Ollam is a cool guy.
He does physical pentesting.

Also the guy I was thinking of was Jayson Street.
He does more social engineering/on-site hacking.
Don't know why that name was so hard to remember.

I could spam this whole thread with cool shit I've seen in DEFCON videos, but anons should go look themselves.

You've been putting in work. I don't remember last week's general having this in the OP.

Much appreciated

lol wut? You are sorely mistaken. You sound n00bish. Metasploit has plenty of remote code execution and other useful modules that do not require LAN access. Though I do not use metasploit a lot in my day to day work, it is a useful tool that does help on many engagements. What I hardly ever use is phishing, which is what you are describing with emailing documents. lol. You need to learn more. If you are willing, then I can help. Feel free to email me and describe your current knowledge / background, and I can send you some good resources to expand your knowledge. Or maybe you haven't "hacked" anything since Windows XP and the golden days of RATs? I dunno, but I'm more than willing to help.

I think I'm on my way. Depends on what you define as "rich." I have plenty of liquid assets, big house, and I spend money on things if I feel like it. I live well, but I wouldn't consider myself rich. Even if I do manage to "make it" as some would say here... I would probably just start a penetration testing firm and manage it myself. I truly enjoy hacking and everything related to it. If I had more money, I wouldn't stop, I would just be able to pick my own projects.

Good stuff, anon. Social Engineering / Physical Penetration testing is very cool. I may enter the defcon CTF next year. This year I already have too many onsite engagements and other cons scheduled. Feel free to share a few resources! But anons should do their own research, too.

I didn't get as much done as I had hoped. It was a very busy week for me. I will definitely update the guide and General posts more in the future, and I am putting together a guide on monetization, and audio-only resources as well. Stop by each saturday and I am sure you will find some new stuff each week!

I see that there is no discord/slack/IRC. Anons who are picking up Linux, or intermediates who are going for OSCP, give me some who's if there is mutual interest for a chat server so we can get together and decide what we would like to use.

This
Opt me in if it's a remote gig

Thanks big time for the reply. With that in mind I'll probably start with mint then, and I'll be definitely trying to get myself accustomed to using the command line as much as possible.
Another question that I thought of. As a pentester, do you choose your own working hours, or what? What kind of schedule do you keep?

Great idea. Another user asked about something like this in email, but I doubt I have time to run anything like that. I know a lot of people use discord, I used to use IRC (still like it. OSCP uses IRC) and professionally, I like slack, so those are all good options. If you guys do start a channel for this, I would certainly stop in when I can. Keep me updated!

So it depends on the gig. I did some work for a while that required me to be onsite in person from 8-4. But I knew I wanted to go remote, so I changed jobs once I had OSCP. If you are working a remote gig, you should be able to pretty much set your own hours. As of now, I have complete control over my hours. My schedule is however I want it set up. I generally work 9-5 or 10-6 just because it works for me, but I could work whenever I want. Basically, as long as my project is done by Friday night, it doesn't matter when I do the work.

Sometimes if I can't sleep or something, I get up and do some of my work for the next day, which then lets me either sleep or do whatever I want that day. If I want to hang out with a friend in the middle of the day on a Thursday, I just do my work at another time that week. It's full flexibility.

To add to this, let me also mention that many conventions and other events/orgs do remote CTFs nowadays. I recently did one for a conference without leaving the house. So we could also do some online CTFs, which would be great practice for intermediates, and good learning experiences for beginners. I'll put together a list of upcoming online CTFs, and try to put together a list for the whole upcoming calendar year. I'll also add discord, slack, or whatever you guys want to use, to the General OP post, and add info for upcoming CTF events.

I feel like since anyone who is willing to be serious about making this happen in their lives will be living in the terminal from now on, IRC seems like a very stylish and patrician outlet for our comms. But other anons please chime in on this. Discord and slack do have interesting capabilities and trade-offs; I just like the idea of IRC being itself a network with as bare of a UI as you like (I used to use telnet in command prompt to jump into IRC rooms to impress my friends).

Subscribed

"pentesters" will never even be close to the power level of an elite C++ programmer who knows the Win32 API in and out, you have no idea what they are capable of

I agree with this. Learning to properly use IRC would be a good learning experience for those working on improving their command line skills. Plus IRC just has a special place in my heart. Feel free to email me on this topic and we can work out the details. Or you can just set it up and let me know where to jump in. Either way. I just will not be available enough to own/properly manage such a channel, but I am willing to moderate and hop in the chat as often as I am able.

I do have some old user guides for anonymity while using IRC. I will dig up this old info and share it here / add it to the General OP post next time, along with the IRC info. You should definitely take extra precautions with IRC.

I would appreciate this since I don't have experience with securing myself on IRC, seems like the natural mindset to have going into this though

yeah that sort of stuff would be good.

also it's not a good idea to just go walking into random IRC channels.

Thank you, based anon, for everything you do.

>Full flexibility.
That's awesome. The idea of having a schedule like that for myself is good motivation for doing this. How long does it generally take for you to complete a project?
Agreed.

It was a huge part of my motivation as well.
>how long does it take to complete a project
Depends on the project. Most are scheduled for a 5 day / 40 hour block. Not many actually take that long. I've had some difficult engagements that I am still wrapping up on a Friday afternoon, but for the most part, I am actively testing for about 5-6 hours Monday - Thursday. The other time I am checking my schedule, responding to emails, talking to former clients, and lurking on /biz. Friday I am writing the report for the testing I did that week. I would guess most tests get 30 hours of active testing, minus the report writing and other random stuff I mentioned. It depends though. Some tests are wrapped up on day 2, and later in the week I'm either working on writing a new tool in python to share with the team, or offering to help with other engagements. It's pretty chill.

Thanks, anon.