[Constantinos Kaplanis]

My advice to anyone trying to break into the field is, as they say, your network is your net worth. Keep networking, attending conferences, keep applying and doing interviews until you are eventually hired.

[Kyser Clark]

Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

Thank you so much for tuning in. Today I have Konstantinos Kaplanis, who has over three years of experience in cybersecurity and currently works as a senior penetration tester. For education, he has a bachelor of science in computer engineering.

For certifications, he has the BSCP, that's the Burp Suite Certified Practitioner, the CRTO, the OSCP, the PMPT, he's also completed the Zephyr and Dante Hypnotomox ProLabs, and he has the 1,000 day streak badge on TryHackMe, not a certification, but an impressive accomplishment nonetheless. So, go ahead and unpack your experience and introduce yourself to the audience.

[Constantinos Kaplanis]

Hello everyone, thank you very much for the invitation. So, who am I? My name is Konstantinos Kaplanis, a senior penetration tester from Cyprus with over three years of experience in the field.

I'm an early adopter of the PMPT certification from DHS Security, the OSCP from OSEC, the CRTO from Zero Point Security, and the BSCP from Port Suite.

[Kyser Clark]

Nice, so yeah, thanks for hopping on the show and doing this episode with me. So, one thing that really sticks out about your career is that you didn't have an IT background, you didn't have a job in IT, you wasn't a system administrator, you wasn't a help desk, you wasn't a network engineer, and you went straight into cybersecurity. Yes.

How did you do that?

[Constantinos Kaplanis]

To be honest, that was very hard. So, as someone who has done more than 500 applications worldwide, in order to enter the field, I would like to share what you will encounter in different formats of interviews for people trying to break into the field. So, I have done, let's say, 500 applications, and then I had only 10 interviews, only 10 invitations for the first stage.

And I only got one offer, and that was mainly due to my networking, because I was attending events and growing my network. And I had, as a last resort, I had to utilize my network so I did. So, I would like to categorize interviews in three different types.

The most common one, those asking any experience if you have, if you don't have any, you speak about your hack the box, tryhack.me, or any certificate you might have. You might be asked technical questions, or you will be asked on the second interview. The second one is a straight technical assessment without asking anything.

And the third one is technical questions, interview, practical assessment. For example, tell me the ports of FTP, SSH, DNS. Is DNS TCP or UDP?

What's the difference between encode encryption hashing? Explain and analyze the CIA triad. Five phases of penetration testing, or what's potent vulnerabilities?

Explain scenario where you are connected internally in a network. How you perform a penetration test, you know, this type of things. Yes.

So, my advice to anyone trying to break into the field is, as they say, your network is your net worth. Keep networking, attending conferences, keep applying and doing interviews until you are eventually hired.

[Kyser Clark]

So, you say there's multiple different types of interviews. Do you feel that one type is easier than others, or one that's harder than others? Or do you think they're all about the same difficulty?

Or what do you think is the most challenging type of interview?

[Constantinos Kaplanis]

I would say it will be better to ask the candidate questions to assess the assess the technique, I would say, knowledge first, and then give them the task to the challenge to prove himself.

[Kyser Clark]

And so you said you applied 500 times, and rejection is awful. What is the mentality that you took after getting those rejections? And what made you keep going and not giving up?

[Constantinos Kaplanis]

The try harder mentality.

[Kyser Clark]

Nice, nice. Yeah, that was me too. Like, I was like, well, if I quit, then I'm never going to get it.

I didn't put in 500 applications. I think when I was trying to get out of the military, I think I might have put in like 100 or so. So, 500 and that was a rough experience.

So, you did that 5x. So, that's a lot. That's 5x the pain right there.

That's good on you for overcoming those challenges. I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member only polls, loyalty badges for the YouTube channel chat, and priority reply to the YouTube comments.

Of course, if you can't or don't want to become a member, that is totally fine. I will always release the same free content you come to expect. And your support just by watching is more than enough to keep the channel going.

But for those who do join, your contribution helps invest into new tools, technologies, and people to help the channel go further. The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships.

And as always, thank you so much for your support. Okay, let's go ahead and jump into the rapid fire questions here. So, for those who don't know, Konstantinos will have 30 seconds to answer five questions.

And if he answers all five questions in 30 seconds, he will get a bonus six question unrelated to cybersecurity. So, are you ready for the rapid fire round?

[Constantinos Kaplanis]

Yes.

[Kyser Clark]

And for these, don't explain your answer. Just give me the first thing that pops in your mind. You'll get the chance to explain your most interesting answer when we're done.

Your time will start when I finish asking the first question. So, Konstantinos, what is, in your opinion, the most useful certification?

[Constantinos Kaplanis]

BSCP.

[Kyser Clark]

What is the worst advice you've ever received in cybersecurity?

[Constantinos Kaplanis]

I've never asked.

[Kyser Clark]

Favorite programming language? I would say C++. Most exciting part of your job?

[Constantinos Kaplanis]

New things pop up each time.

[Kyser Clark]

What was your first computer?

[Constantinos Kaplanis]

Eight years old, I think.

[Kyser Clark]

We just missed it. You had 32 seconds. So, not the worst time, but you're just over it.

So, unfortunately, we won't have the bonus question, but I appreciate you taking time to unpack some of those questions. So, you said your favorite programming language is C++. Why is it C++?

And yeah, what do you like about it?

[Constantinos Kaplanis]

Because now I'm studying for a certificate that has the derivation and stuff like that. The OSEP? The CRTL.

[Kyser Clark]

Oh, okay.

[Constantinos Kaplanis]

From zero point security.

[Kyser Clark]

Okay. So, it's your favorite programming language because it's what you're focused on right now. I guess, what languages did you learn before that?

[Constantinos Kaplanis]

I wouldn't say that. I have that much exposure. Python, the scripting languages, Bash.

[Kyser Clark]

Okay.

[Constantinos Kaplanis]

All right.

[Kyser Clark]

Let's move on to another topic that you're passionate about, which is what, in your opinion, is the most underrated attack vectors? What are you using that is in your day-to-day work that's underrated?

[Constantinos Kaplanis]

As you know, printers are a treasure trove of information. So, I have, let's say, obtained administrator-level privileges from just a printer. People, let's say, don't pay that much attention on the printers, and you can access them with unrestricted access, for example, or default credentials.

You can find their users. I even had a time where I could, multiple times, sorry, where I could perform a passback attack. So, what happens is you spawn an SMB server, for example, and you change the target host to your IP and obtain clear text credentials.

Then, you can use them to perform lateral movement. Yes. One time, I had a straight domain admin like this, and also, I've seen local admins with null passwords.

Meaning, I could, yes, I was playing with null passwords, and I see machines pop the spawn, you know, when you do the CrackMapExec with dash dash local auth.

[Kyser Clark]

Yes. Nice. Yeah, that's an attack that I've recently become familiar with through the printers.

But, yeah, like you said, you go into the printer, you might get, like, what are they, default credentials, and you log into the printer, and then, you'll see credentials store on the printer, and then, you just change the IP import to your attack host, and you can, like you said, send the clear text credentials to yourself, and then, you can use those, you know, throughout the network, like you said, CrackMapExec.

[Constantinos Kaplanis]

Sometimes, yeah, sometimes, it's not even, you don't even have to log in with default credentials. It's right there, the information, or the possibility to, the attack vector to perform the password attack. So, you don't even have to log in sometimes.

So, if you can't perform password attack, you can obtain usernames, generate the username list, and then, spray password spray. So, what's password spray is, is you have a list of users, and then, you use one specific password on each one of these, on the list, in order to prevent blocking out users.

[Kyser Clark]

Nice. Yeah, that's good to know. So, that's one attack vector that you've, you really like.

What are some other, some of your other favorite pentest stories that you can share?

[Constantinos Kaplanis]

I don't have any other that comes to my mind. I've seen a lot. I also, I suspect you also seen a lot.

Like, for example, extremely old Windows, but that's low-hanging fruit, you know?

[Kyser Clark]

Yeah, right. So, you have the 1000-day streak badge on TriHackMe, and I personally think that is a monster achievement, because I, I have the 365-day streak badge, and I think I got my streak to, like, I don't know, 390-something, maybe 400-something, and I quit. I just snapped the streak because it was getting rough.

So, you did that times, like, three. So, you did what I did times about three, maybe even a little more than that, and you got a 1000-day streak badge. So, what, how did you do it?

Because it's not easy to log in on TriHackMe and answer a question every single day. What kept you motivated? Why did you do it?

Just, yeah, tell me all about that 1000-day streak badge journey.

[Constantinos Kaplanis]

Yes, when I, when I was unemployed and trying to enter the field, I start, start in TriHackMe platform, and I get to a level where I land a job. I keep, I keep doing practice, I keep practicing on the TriHackMe platform, where I reached the level where I was, like, 800 days, but I was, back then, I was studying for the CRTO, and I didn't want to, to lose. So, I kept logging in and answering just one answer a day, in order to maintain that.

I think what happened, there was a day that I forgot to, to answer, to log in and answer the question, and I lose the, I lose the streak, because I, I have already used the freeze, that they give you freeze days, one freeze day, let's say, but people don't know that. If you, if you have a lot of days, you can inform the team of TriHackMe, and they will give you back your days streak, if you, let's say, forgot one, one, once in every couple of hundreds.

[Kyser Clark]

Yeah, that's, uh, advice that not a lot of people know. Like you said, you can email TriHackMe, and say, hey, my streak's snapped, can you bring it back? Yeah, so, for the 1,000 day streak badge, for me, I had to send an alarm every day.

I had an alarm at 10 o'clock every day, because the streak would snap at midnight, every day, and I had to do a question before midnight, and like I said, I'd have an alarm at 10, to give me two hours to go solve a question. Sometimes, I would get the question figured out before that, but the alarm would just remind me, because there was, um, I think I had like 80-something days in a row, and I snapped it on accident, because I was so caught up with, with life, right? I just wasn't thinking about TriHackMe at all, and I, I was, yeah, I was on vacation with my girlfriend at the time, and no, I wasn't on vacation.

We were just doing, we were just doing some outdoor activities, and I'm like, we're like hiking up this mountain, and I'm like, midnight hits. I'm like, I'm like, oh no, I just snapped my streak, and then I, it was gut-wrenching to have my streak at like 80, and having it reset, and I started from the beginning, and started over, and I was like, you know what? We're gonna, we're gonna get this 365-day streak badge, and I'm going to set an alarm, and I'm gonna do this, and uh, at the time, there was only the 365-day streak badge.

It was the only one on TriHackMe, and I was like, that's the goal to get, and then once they came out the 5,000-day, they had like, now they have the 500-day badge, the 1,000-day badge, they got like a 5,000-day badge. I don't even know how many badges they got. It's crazy.

[Constantinos Kaplanis]

When I reached 365, they didn't have 500. That's crazy. I said, I said, I will try 500, and they, before I was 500, they had a badge like 500, and when I reached them, I would say 1,000 definitely, and then they added the 1,000 badge.

[Kyser Clark]

Nice. Yeah, that's, that's really cool, man. So I applaud your, your commitment to being disciplined and your consistency, because like I said, the 365-day streak badge was very difficult for me, and you did it like, you know, times three, and that's a lot, and when you snapped it, did you choose a snapped streak, or is it, or is it still active?

It's still active.

[Constantinos Kaplanis]

I'm 1360 something.

[Kyser Clark]

It's still active, dude. That's crazy. I didn't even know that.

That's wild. So what's your, so what do you do? Do you, do you have, like, did you have an alarm like I do to remind you to do it, or you just, you just, first thing you wake up, like, how do you do it?

[Constantinos Kaplanis]

Yes, first thing I wake up, just to maintain the, or if I have time, I'll see, I'll see a room. Yes, I'm aiming the 1,500.

[Kyser Clark]

That's very impressive. Yeah, I tip my cat out to you, and hopefully we see a new badge, a higher one. What's the next one?

Is it 2,500? Is that the next badge that you get, um, or is it 5,000?

[Constantinos Kaplanis]

I'm not sure if they have 12, 1250, or they have, I'm not sure.

[Kyser Clark]

Yeah, I think, yeah, you're right. It might be 1250, but yeah, when you get the badge, let me know. I've, uh, I'll definitely celebrate your accomplishment with you.

So moving on to one of your favorite certs, which is the Burbs Fleet Certified Practitioner. Why, why do you like that certification so much?

[Constantinos Kaplanis]

I would say it's the most difficult of all that I have, because mainly due to time restrictions. It's not that expensive though, but it's pretty tough.

[Kyser Clark]

So what does that certification contain? Like, what's, what's the format? Like, what do you have to do to pass certification?

How much time do you have?

[Constantinos Kaplanis]

You have four hours to complete two web applications. Each web application has, has three stages. The first stage is to log in as a user.

The second one is to escalate to an admin, and the third one is to obtain a remote code execution and read the flags on the web server. Um, yes.

[Kyser Clark]

And that one doesn't require a report, right?

[Constantinos Kaplanis]

No.

[Kyser Clark]

Which is, do you think the lack of report hurts it at all, or do you think that just made it more, um, or more of a reason why you like it? Because you don't have to type a report at the end, because once you do enough reports, you just kind of get sick of them, in my opinion.

[Constantinos Kaplanis]

I wouldn't mind if they had a report, but, uh, after the four hours, you don't, uh, you can't concentrate to write the report. So if they had, they will have it like, uh, the OCP has 24 hours after to do the report, something like that.

[Kyser Clark]

And for that one, do you get your results immediately? Like once you get done with the exam, they'd say, Hey, you passed the field right then.

[Constantinos Kaplanis]

You know, you know, because you submit the flags, but the batch takes, uh, I think they, they send them up there to work in days or something.

[Kyser Clark]

Okay. So it takes a couple of days to get the actual certification.

[Constantinos Kaplanis]

I'm not sure if it's in the platform. I haven't checked the platform, but I received the email.

[Kyser Clark]

Yeah. And yeah, like you said, you know, you passed cause you got the flags. That's kind of how like an offset cert goes because you get the flags for an offset cert and you know, you pass, you just got to write a good report and their report requirements honestly, aren't that bad.

And so if you feel, because if you have all the flags for offset cert, but you feel because you had a bad report, then you really had a bad report because their reporting requirements aren't that strict in my opinion. But, uh, yeah, that's, uh, I mean, there's, there's part of you says, Oh, maybe I left something on the report. You know, you don't know for sure.

Do you get that? But that's, uh, that's nice to know that about the professional certification and then they have one cert, right. They don't have more than that.

Right.

[Constantinos Kaplanis]

They probably only have one.

[Kyser Clark]

Okay. Well, let's go ahead and move into our final question. Do you have any additional cybersecurity hot takes or hidden wisdom that you would like to share?

[Constantinos Kaplanis]

I have a message for gatekeepers, whether hiring managers of HR. So I have met people into cybersecurity field, uh, not specifically pen testers who are not willing to put in the effort. They just finish their work and that's it.

Uh, it's a pity because on the other, um, uh, I have met people trying to switch careers or a complete juniors without even a degree who are super talented, highly dedicated that can not let them job. I don't know, uh, how this happens, but, uh, please fix it as soon as possible.

[Kyser Clark]

Yeah. Uh, it is hard to break in the field when people are, they don't have any IT background. And that's why I asked you that really early.

It's like, how did you break in the field? Uh, what was you doing before you be, was in cybersecurity?

[Constantinos Kaplanis]

Me personally, I just, uh, um, graduated from the university and for six months I was studying, um, for, uh, for the PMPT. I was one of the earlier, uh, one of the earlier as I mentioned earlier. Um, so that was my, my goal to obtain the certificate and to have something to, to show.

But back in these days, they didn't have that much recognition that the OSCP has, for example, back in the day. Now they are, I, uh, I've seen that a lot of job postings that have the, the PMPT included, but back then only the, you know, people in the industry that are heavily involved knew that.

[Kyser Clark]

Well, Constantinos, thank you so much for being here and providing your insights to the audience. Where can the audience get ahold of you if they want to connect with you?

[Constantinos Kaplanis]

So LinkedIn profile.

[Kyser Clark]

In audience, LinkedIn is also a great way to get ahold of me. Also my website, Kyserclark.com. I will provide a link for Constantinos' LinkedIn profile in the show notes of this episode.

Audience, if you haven't reviewed the show, if you're on Apple or Spotify, please leave a five-star review on the show. If you're on YouTube, hit the like button, hit the subscribe button, and hopefully I see you in the next episode. Until then, this is Kyser signing off.