Stefan Nicula is a threat researcher and pentester with over 5 years of experience. His areas of expertise are penetration testing, malware analysis, reverse engineering, and exploitation techniques, with a passion for Windows internals, vulnerability research, exploit development, and mitigation techniques. He has around five years of pentesting experience and is currently pursuing his PhD in Information Security.
Stefan joined the Cobalt Core, our highly experienced, geographically diverse community of pentesters, in 2018. He is one of the 250+ pentesters worldwide who have helped Cobalt secure over 2000 assets.
We had a chance to hear from him to learn more about his pentester origin story and what he enjoys about being a part of Cobalt’s pentest community.
Pentester Origin Story: How did you get into security?
SN: I started becoming curious about security in the final year of my Bachelor’s degree in programming. Working with different technologies and trying out various programming languages has always been something I enjoyed; however, I was struggling to pick just one standalone focus to pursue. I have a passion for understanding how things work on a deeper level and enjoy learning how everything fits together. And that’s how I found security. I would say security is an area with an unlimited number of IT technical fields that allows you to never stop learning.
I managed to land a pentesting job shortly after my Bachelor’s degree. Since then, I have dedicated all my time to a career that would also become my passion. This passion for security led me to get my Master’s in IT&C Security and further translated into learning about other offensive security areas outside pentesting. It has also inspired me in my current pursuit of a Ph.D. in Information Security with a focus on reverse engineering, exploit development, and fuzzing on Windows.
What motivates you when it comes to pentesting?
SN: My greatest motivation for pentesting comes from my curiosity, desire for knowledge, and passion for technology. I believe that most people in this field are motivated by the challenge that pentesting offers which is accompanied by a lot of learning. There is no greater feeling than overcoming a tireless obstacle. On occasion, there are those one-of-a-kind engagements like testing a custom hardware component, a complex never-before-seen application, highly classified stuff, or a huge internal domain that offers unique learning opportunities. Pentesting gives me the opportunity to interact with a variety of technologies and continue learning.
What does a good pentest engagement look like?
SN: The recipe for a good pentest engagement comes in many different shapes and flavors. Essentially, it comes down to the target you are testing. However, there are a few general principles that make up a good pentest, including continuous team communication and strong scope coverage, which generally helps lead to finding more, and more impactful, vulnerabilities.
One of the most overlooked aspects in a pentest is having the ability to share ideas, findings, and testing results with the team, including pentesters and the customer. As I’ve learned from Cobalt, a busy pentest comms channel is a happy channel, and strong coverage always pays dividends. A strong scope allows pentesters to focus their efforts and limited time on what truly matters to the customer. In addition, open and active communication helps ensure focus is distributed efficiently across the team, combining ideas and results in order to obtain testing depth.
What are the top 3 traits that a pentester should possess to be successful on Cobalt?
SN: A pentester should possess a combination of strong technical skills with professional social skills. One distinction about working for Cobalt is the customer<>pentester interaction, as well as synergy between the pentesters. In a traditional pentest approach, perhaps a lot of questions remain unanswered, or there are knowledge gaps that documentation cannot answer. It’s extremely useful to have the opportunity to ask the customer questions and receive valuable feedback from pentester peers. A pentester should try to utilize this benefit to its full potential which is why strong communication skills and professionalism are so important to possess.
Deep technical knowledge is also essential; a pentester should be able to explain the full potential of a vulnerability to a customer who is interested in understanding the impact. Advanced technical skill is important when testing in a more focused manner on specific components for leveraging deeper coverage. Application know-how is also crucial for creating targeted test cases, especially for complex platforms and APIs.
How do you organize yourself during a pentest? How do you manage your time and avoid burnout?
SN: I’m a huge fan of multiple monitors. I try to keep information as segregated as possible, assigning different monitors for specific tasks. This helps me keep things organized and is especially useful when testing starts taking you in different directions with lots of information to keep track of. Labeling as much as possible and taking quick notes is also beneficial but avoid documenting extra unnecessary information that can be time-consuming to sift through later on. Be detailed but also concise.
To avoid burnout, I try to maintain a healthy lifestyle and take some days off whenever I feel it is needed. I find that it helps to take week-long breaks between learning sessions. It’s important to not overwork yourself, to take breaks, and to reset. This will help you perform better in the long run.
What kind of targets excite you the most? Do you have a favorite vulnerability type?
SN: In terms of pentesting, I enjoy working on large complex solutions. These kinds of solutions offer a unique challenge when it comes to pentesting. Because of their size, one needs to think creatively and efficiently to set up good coverage. I enjoy the challenge of understanding complex architectures and creating unique test cases. With complex applications also comes the importance of leveraging business logic when creating opportunities for exploitation. In terms of reversing and native vulnerability research, I enjoy working on Windows-based applications the most, preferably drivers, DLLs, and browsers.
How do you learn about different security concepts?
SN: I tackle each new subject I learn by immersing myself in the topic. When approaching a new concept, I start with the fundamentals and link learnings with familiar concepts. I like to leverage resources that offer deep technical dives: anything from blog posts, research papers, conference talks, whitepapers, and book references. I’ll often use academic indexing search engines like Google Scholar to find high-quality articles. Finally, it’s important to put what you learn to use, which is where pentesting comes into play for me. I am all about learning the theory before going in and testing it out. Consolidating what I’ve learned allows me to be fluent and consistent.
How do you conduct research and recon for a pentest?
SN: I normally start by going through the documentation provided and try to get a full picture of the scope. I follow up with a light manual recon on targets and try to map the technology stack used, looking for particularities, common frameworks, or libraries. Exploration of the UI can only provide so much, so I go for manually and automatically analyzing different resources or artifacts that would help me in identifying potential inputs.
Other key aspects that I look for are functionalities that implement cross-data communication and processing. I find that input passing throughout an application can oftentimes lead to interesting bugs, especially where mechanisms are interconnected.
Do you leverage any tools? What are your go-to tools?
SN: For pentesting, my go-to tool would be Burp Suite, but I also leverage the old trusty DirBuster. Generally, I like to keep things plain and simple, manually looking through the inputs and the scope. Depending on the need, I go for different situation-specific tools and plugins: Nmap, Metasploit, and other general tools included in Kali Linux for network-related activities. Also, I like to use Flare VM for malware analysis sessions. And for exploit development I mainly use native debuggers like WinDbg and disassemblers such as IDA and Ghidra.
What do you enjoy the most about being a part of the Cobalt Core?
SN: I enjoy working with like-minded offensive security professionals. It is amazing that Cobalt allows me to collaborate on interesting projects, meet people from around the world, and work on unique and challenging architectures. Cobalt encourages this collaborative environment and helps foster a community centered around learning. When you are a part of the Cobalt Core it feels like you’re part of a bigger team.
What advice would you offer to someone who is interested in getting into pentesting?
SN: Find your passion within pentesting, but I would recommend starting with web applications. The learning curve is pretty consistent, they are the most fun, and they can provide real results relatively quickly. I would also recommend starting with the fundamentals (I cannot emphasize this enough): some of the most interesting bugs begin by leveraging the basics combined with a deep understanding of the environment. Lastly, when testing real targets, it’s best to go for something different rather than trying the same popular payloads or attack paths. It is likely that someone before you, with more experience, has already covered that, so get creative!
What do you wish every company/customer knew before starting a pentest?
SN: Customers should be aware that the pentesting process offers a way to collaborate and improve their products. The more open and collaborative the customer is, the better the pentest results will be. Good documentation and explanation of the scope are invaluable to pentesters, especially for complex solutions. An extensive dive into API consumption or a quick run-through of the application will go a long way in understanding the scope.
What do you like to do outside of hacking?
SN: It may sound a bit cliché, but for me hacking is a way of life in many ways. It is not just a career and a hobby but a passion. Once you get a taste of it, it can grab you. It is a major part of my life, but I balance my life by spending time with others, gaming, driving, and disconnecting.
What are your short-term and long-term personal or career goals?
SN: My future career goals are to continue to improve myself in pentesting and keep up with the latest trends. In the long run, I plan on going further into exploit development, reversing, fuzzing, and vulnerability research topics. For my personal goals, I would like to see more of the world and try to have as many unique experiences as possible.