TL;DR
I have joined Hacklabs as an Associate Security Consultant!
Looking forward to learning more things from my colleagues/seniors
Environment
The HackLabs office is currently based in Manly, although they’ll be moving soon. It’s great for random 10 minute walks along the Corso or beach
Since Manly is a tourist destination, there’s tons of food options nearby; there definitely won’t be as much variety around the new office
The office uses a “Hotdesking” concept which is pretty cool. Everyone gets a laptop and you can simply go to any desk and plug in your peripherals to work. Mouse, keyboard, headphones, external monitor included
The staffroom has free fruit, tea/coffee and biscuits which are restocked every week, it’s really great if I’m bored/sleepy/hungry…
People/Culture
So far I’ve met people from a variety of different backgrounds/culture — It’s pretty great as I don’t feel like I don’t belong in a sense. Furthermore, most of the sec people are memelords
There’s no need to wear full formal in office, decent clothing is enough!
Also — every login is done with SSO and accompanied with 2Factor Auth.
Workload
I just completed an external test recently and submitted a report with the help of @Tophat. I also helped/shadowed other consultants in their tests and did security research in general (i.e. playing PentesterLab)
Commute
Right now my commute consists of train + ferry, which realllllly sucks:
- It’s 1.5hr so I have to wake up super early
- It’s fairly expensive (I meet the weekly/daily caps!)
- But sometimes you get nice views on the way back home
What’d I learn/use so far?
- Nessus vulnerability scanner is awesome, although it may generate false positives/negatives sometimes
- Word Report Template, fancy Word functions like split-window editing, Document/Outline view, and Macros
- Burp Suite Pro license:
  - Saved projects
  - Active scanner
  - Pro plugins
  - I now have unthrottled Intruder!!
- Learning how2MACOS, took a while to get used to the COMMAND+Thing style, but iTerm2 is neat
- Network discovery tools such as:
  - nmap (I actually had to read a book about it!)
  - hping
- AWS boxes for phishing campaigns, grepping through password dumps, running Nessus scans from the office, which is whitelisted for IPs and stuff
- Using a SOCKS Proxy to continue working if a WAF IP-bans you
- Real world stuff that CTFs don’t test your knowledge on:
  - Insufficient mail spoofing protection: SPF, DKIM, DMARC
  - Microsoft Exchange Server Internal IP Disclosure
  - Insecure TLS Configurations
  - and many others…
- Be aware of bad password policies and also Account Lockout policies
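The “insufficient mail spoofing protection” finding above usually comes down to reading two TXT records. Below is an added Python example (my own illustration, not code from the original post or from Hacklabs) that grades constructed SPF and DMARC records the way the finding would be written up; the `.test` domains and records are made up, and DKIM is left out because checking it needs the selector name.

```python
# Constructed sample TXT records keyed by DNS name (made-up .test domains, not real data).
SAMPLE_DNS = {
    "soft.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.soft.test": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.test"],
    "strict.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; pct=100"],
    "none.test": [],  # neither record published
}

def spf_findings(records):
    """Return weaknesses in a domain's SPF TXT records (empty list means it looks sound)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell spoofed mail from legitimate mail"]
    if len(spf) > 1:
        return ["multiple SPF records: RFC 7208 treats this as a permanent error"]
    terms = spf[0].split()[1:]
    # The qualifier on the 'all' mechanism decides the fate of every unlisted sender.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {
        "+": ["'+all' authorises every host on the internet to send as this domain"],
        "?": ["'?all' is neutral: spoofed mail is not marked as failing"],
        "~": ["'~all' is softfail: most receivers still deliver the mail"],
        "-": [],
    }[qualifier]

def dmarc_findings(records):
    """Return weaknesses in the _dmarc TXT records (empty list means enforcement is on)."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced for the From: domain"]
    # Tags are 'key=value' pairs separated by ';'; keys are case-insensitive.
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)}
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["p=none: monitoring only, spoofed mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return [f"missing or unknown policy tag p={policy!r}"]
    return []

def assess(domain, dns=SAMPLE_DNS):
    """Combine both checks for one domain; swap SAMPLE_DNS for real TXT lookups in use."""
    return {"spf": spf_findings(dns.get(domain, [])),
            "dmarc": dmarc_findings(dns.get(f"_dmarc.{domain}", []))}
```

Only `strict.test` comes back clean; the other two constructed domains reproduce the softfail/p=none and missing-record variants of the finding.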