The Hacker's Cache

#44 How to Hack What No One Teaches ft. Noah Pack

Kyser Clark - Cybersecurity Episode 45

In this episode of The Hacker’s Cache, I sit down with Noah Pack, an aerospace pentester with a ridiculous cert stack and an unconventional mindset. We talk about hacking obscure systems with no public tools or documentation, transitioning from SOC analyst to pentester, and why reading the manual might be your secret weapon. If you’ve ever wondered how to approach targets that no one teaches you how to test, this episode is a must-listen. Noah also shares insight on the value of multiple certifications, his experience with the SANS degree program, and tips for breaking into offensive security, especially when the path isn’t clearly marked.

Connect with Noah Pack on LinkedIn: https://www.linkedin.com/in/noahpack/


Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

[Noah Pack]

Read the manual. It's right there for you. A lot of these things where there's no information like how to pen test it, there's plenty of information on like how to do QA testing on it.

 

You can find really valuable things as a pen tester in those materials. What happens when you send in too much data and overflow the buffer? What happens when you send in too many requests?

 

Those are things that QA probably looked at in their QA testing. Read the manual for it and you'll have a huge leg up.

 

[Kyser Clark]

Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

 

For certifications, it's a very long list, so get ready for it. He has... These are all GIAC certs, I'll just throw that out there.

 

He has the GIAC Cloud Pen Tester, the Web App Pen Tester, the Pen Tester, the Certified Intrusion Analyst, the Python Coder, Certified Incident Handler, Security Essentials, Information Security Fundamentals. And so those are all the GIAC certs. And for non-GIAC, he has the CompTIA PenTest+, the CySA+, Project+, and Security+.

 

He also has AWS Certified Cloud Practitioner and the ISC2 CC Certified in Cybersecurity. So Noah, thank you so much for stopping in and hanging out with me and providing your insights and wisdom to the show. Go ahead and introduce yourself to the audience and walk through your background.

 

[Noah Pack]

Hey, I'm Noah. I'm thrilled to be here. Thanks for having me on your show.

 

A little bit more about me. I spoke at a couple of conferences last year about 3D printing, pen test tools, like hacking stuff. Particularly kind of interested in space and satellite things lately.

 

So I've been playing with the HackRF. I've been playing with the Starlink that I got. I think there's a huge area of cyber kind of related to those things that's not really looked at as often as like traditional red teaming of Active Directory.

 

Yeah, that's a little bit about me and my interests. And I'm impressed that you were able to list all my certifications there. I don't think I would have done that.

 

[Kyser Clark]

I try to throw out all the certs that everyone does because I have a lot of certifications and every single one of them takes a lot of work. So I try not to leave people's certs out when they have a large stack. I just like, you know what, they worked hard for this.

 

So we're just going to sit here and listen to the large stack. I appreciate it.

 

[Noah Pack]

I appreciate it. Yeah, it was hard to get a lot of them.

 

[Kyser Clark]

Yeah, I always tell people like there's no easy certs, even the beginner level ones. And even, you know, when you have 10 certifications, you might fail your 11th one. Matter of fact, I had 16 certifications.

 

I failed my 17th certification. It took me two tries to get the SAL1 from TryHackMe. So even with 16 certs, like I still come across failures, you know, because none of them's easy.

 

[Noah Pack]

Yeah, I failed the GCIA the first time and the GPYC. So those are kind of my more recent ones. And my first attempt on both of them, I was not even that close.

 

[Kyser Clark]

Yeah, so let's talk about why you have so many certifications. So you are doing the SANS degree. And that is something that I kind of wish I did, to be honest with you, I wish I would have went through that and not did the degree I did.

 

But because you got a lot of certifications out of it, so it seems like there's a lot of value there. You know, you get all those certifications along the way. So what would you say, because you also went to another school before you graduated from SANS.

 

So what would you say is like the big difference? Obviously, there's a lot of certs involved, but what else like is a big differentiator between like a traditional degree and or a traditional school and going to SANS Institute?

 

[Noah Pack]

So I'd say there's a lot of differences between like where I started my degree at a brick and mortar university and the SANS degree programs. And a brick and mortar university might be better for some people than SANS or SANS might be better. For me, SANS was the clear choice.

 

What made me choose SANS was that you're getting a GIAC certification with every class you take. And it's not like you're just getting it, you still have to earn it, obviously. But the classes are aligned with these certifications and they treat the exam as the final exam of the course.

 

And all of those courses are taught by somebody who's currently working in information security. So I think with cyber kind of being such a new field, there's kind of a shortage of universities that have professors who have worked in information security. And so I had some professors that their most recent kind of industry experience was they're a database admin in like the early 2000s.

 

And so when they're trying to speak on pen testing or something else, they kind of fell a little bit short for me. And it's no fault of their own. They were probably just told by the Dean that they've got to teach this class.

 

But at SANS, those instructors are vetted, they create the course and they're currently working. So a lot of them have their own consulting firms or they have a full-time job at like a big company.

 

[Kyser Clark]

Yeah, I actually forgot about that fact. Yeah, I do remember hearing or seeing somewhere that the instructors are currently working in the field, which is huge. Because like you said, most schools, they have instructors who are former IT database admins or like maybe they worked in cyber security a while back, but a lot of them, they're kind of retired and they're kind of just doing like the professor on as a side thing.

 

I mean, they're just doing their free time in retirement. That happens a lot. And I feel like I'm not associated by school, but I feel like some of my professors were in that category.

 

Matter of fact, when I introduced myself to one of my classes, started to introduce myself and the professor literally said like, oh, we have a lot to learn from you. I'm like, oh, and I said, we learn from you. Exactly.

 

[Noah Pack]

I'm paying to learn from you, man. And in most cases, it's a lot of money. So yeah.

 

[Kyser Clark]

Speaking of money, that's actually what I'm curious about. So with the SANS Institute, because like GIAC certs are like $10,000 a pop, right? And you got nine certifications.

 

So, I mean, you do the math on that. That's like $90,000. Like you didn't spend $90,000 in a degree, right?

 

So what's the cost of that degree path?

 

[Noah Pack]

So I'm not sure what it is right now. I graduated in, I think July last year, and they've raised the prices a little bit since then. I think they adjust the prices every year, every couple of years.

 

But it's still, I think, very reasonable to do the degree program, especially because a lot of employers will give you education credit, but they'll only let you spend that money on a degree program. So you can't use that benefit to pay for certifications or to pay for GIAC. But if you're doing this program, you can.

 

And there's a huge population of people attending SANS who are former military. And so they're using things like the GI Bill to help pay for that school. And out of it, they're getting like nine GIAC certifications.

 

[Kyser Clark]

Yeah, I was actually, I'm glad you mentioned that because I was about to say that as a military vet myself, I always make sure I tell the military vets to use your GI Bill. And that's one thing you can use it on. I don't know where I saw it from, but there was some podcast, I saw some military vet.

 

He said, yeah, I got all these certifications for using my GI Bill. And I'm like, I kind of wish I would have done that. But you know, I got all my certs and my degree separately, which was like, I feel like double the work, but you know, it was worth it in the end though.

 

Okay, before we dive into the rest of our main discussion, let's go ahead and dive into a rapid fire question. So Noah, are you ready for the rapid fire round? Okay, let's do it.

 

I'm ready. All right. So for those who are new to the show, Noah will have 30 seconds to answer five questions.

 

If he answers all five questions in 30 seconds, he'll get a bonus sixth question unrelated to cybersecurity. His time will start as soon as I stop asking the first question. Here we go.

 

Noah, what is your favorite tool not many people know about? Kismet.

 

Multiple certifications or a degree? Which is more valuable to a cybersecurity career today? Multiple certifications.

 

Do you think biometrics are secure? Depends. Favorite security conference?

 

[Noah Pack]

St. Conn without a doubt.

 

[Kyser Clark]

Best way to learn about new exploits? By testing them out and reading about them. Nice.

 

That was 26 seconds. That was a very good time. Congratulations on your win.

 

Thank you. So the bonus question, you can provide as much or as little explanation as you want to. You can even dodge a question and just skip it if you want to.

 

If you don't feel like it's a conversation you want to have, that's okay too. This one's a little out of this world, literally. If aliens visited Earth and asked for our leader, who should we send?

 

[Noah Pack]

My coworker. His name is James. I think he'd be a great ambassador.

 

[Kyser Clark]

Do you want to provide any context there? Why James?

 

[Noah Pack]

I have no idea, honestly. Just the other day we had a conversation where he gave me his spiel about what he would say if he were to meet an alien. I thought it was great.

 

That's all I'll give you.

 

[Kyser Clark]

That's a good enough reason right there. You thought it was great. That's a good reason right there.

 

For me, the first thing that came to mind was Neil deGrasse Tyson. I think he would be a but I think it would just be kind of funny if we sent the history aliens guy. I'm holding on my hands like the meme.

 

I feel like he's more qualified than anybody. If we're going to send anybody, I feel like that he got to be it. People have been making fun of him for years.

 

[Noah Pack]

He deserves a little validation if he's right.

 

[Kyser Clark]

Yeah, but it's funny. He's been a meme for a while now. That's why it's funny.

 

He'd be like, dude, this was never a meme. This was for real. There's probably some viewers that don't like, man, he's talking about aliens.

 

What the heck? It's all for fun. If you don't believe in aliens, then that's okay.

 

I don't really know if I believe in aliens either. That's another discussion for another time. Okay, so your most interesting response, I would say, let's just talk about multiple certifications or a degree.

 

Obviously, both of us have multiple certifications and a degree. I think we can provide a lot of information, a lot of value here for the viewers and listeners. Which is more valuable to a cybersecurity career today?

 

You said multiple certifications. Why did you say multiple certifications over the degree?

 

[Noah Pack]

A little caveat, I do think both are great paths. They're good for different kinds of things. The reason I said multiple certifications is because in my head, I'm thinking OSCP, CISSP, and AWS something.

 

I think that would be a great trifecta of certifications to have. It could really qualify you to get past a lot of HR filters and get some interviews. The other thing is that an OSCP and some of the SANS certifications, they're hands-on.

 

You've really got to touch the keyboard and make it do the things that you want it to do if you're going to walk out with that certification. I think those certifications really carry quite a bit of weight.

 

[Kyser Clark]

Yeah, I agree with you 100% there. That would be the answer I would give as well. I would say multiple certifications.

 

I think just like you, I think that both of them are great to have. My last guest said you want to tick all the boxes in the last episode. The more boxes you check off, the better off you are in landing a job or getting a new role.

 

That's what a degree is. That's what certifications are. They're check boxes.

 

There are more than that, obviously, because like you said, get an OSCP. You just don't get an OSCP by accident. I actually commented on LinkedIn.

 

There was a post that talked about the OSCP. Then someone was like, what about real-world experience? What about the skills?

 

I just commented. I'm like, you don't get the OSCP without having skills. It's not possible.

 

You do not accidentally pass OSCP. You do need to have real-world skills. That certification proves you have real-world skills, which is why they ask for those certifications on pentesting and offensive security jobs.

 

Like I said, if I had to pick one or the other, it's one or the other. Can I have multiple certs or I have a degree? I think multiple certs are going to get you further.

 

It's what's taught me way more. I've learned way more from the certifications than I did for my degree. If I had to choose one or the other, especially you can get multiple certifications for a fraction of the cost too.

 

That's another reason why I get multiple certifications.

 

[Noah Pack]

Then a fraction of the same amount of time. Unless you're going to WGU or SANS or somewhere where it's self-paced, that degree is going to take you four years.

 

[Kyser Clark]

Yeah. By the time this episode airs, I should already have my YouTube video about college degrees. I just finished my master's degree.

 

I have a lot to say because I know a lot of people are like, is your degree worth it? I'm going to talk about that in an episode. Like I said, if you're listening or watching, that YouTube video is probably already posted.

 

Moving on. You are currently a pen tester at an aerospace company. You told me you work on some obscure stuff.

 

Yes. Because there's no TTPs. That's tools, tactics, and procedures for those who don't know.

 

You said you can't really go in depth. I can understand you can't go in depth, but what mentality do you have when you're on a day-to-day job? More specifically, let's say a viewer or listener, they broke into their first pen testing position and they get into something that's obscure like you.

 

What advice could you give them when there's just not a lot of documentation on the type of pen testing you do? Yeah.

 

[Noah Pack]

I guess a little bit additional background. Yeah. I work for an aerospace company.

 

They make computers that go into airplanes, drones, satellites. Yeah, maybe. I don't know.

 

I haven't pen tested a UFO yet, but it's not off the table. They don't communicate the same way as like a Windows computer plugged into a network. They have their own protocols.

 

Some of those would be ARINC protocols like ARINC 429. There's also like some other protocols. One of them is called like MIL-STD.

 

But if you were to look up like pen testing ARINC, you'd probably find like four or five kind of semi-valuable articles about it and no tools. So some of those things you have to go into it and just really flex the hacker mindset. You have to understand like, I guess going back a little bit, all these different pen testing classes I've done.

 

So we mentioned earlier, I have like PenTest+ and GPEN and some stuff. At the beginning of every one of those classes, they talk about like the hacking methodology. And it's like scoping something out and then testing things, furthering your access, trying to exploit stuff, like maintaining access.

 

You've got to take that and just run with it. Really try to apply it to whatever you're looking at. Because that's the core of pen testing right there.

 

That's why they have it at the beginning of all these classes is because it's the most important part. The tools will change, tactics will change, exploits, new exploits will come out. Some of them hopefully will become obsolete.

 

But those steps kind of pen test methodology, that's probably always going to stay the same.

 

[Kyser Clark]

Yeah, it's good you mentioned that. And yeah, this protocol you said I've never even heard of. Yeah, I don't blame you.

 

[Noah Pack]

You don't want to know.

 

[Kyser Clark]

That's really good and really cool. Because yeah, if there's not a lot of documentation on it, then going back to the fundamentals, it makes sense to go back there and you got to lean heavily on that. So when you're doing these like obscure protocols, do you feel like during your pen tests, do you feel slower?

 

Like, you don't make progress very fast. Is that frustrating to you, not making as much progress as like someone pen testing in a traditional IT asset?

 

[Noah Pack]

I would say it's not frustrating. And I also I don't know if it would be slower, you know, because the scope is way different. If you're pen testing, like, before we started recording the show, you talked about a device that only had Bluetooth.

 

So that's a pretty limited attack surface and limited scope. So a lot of these devices are like that. There's one port on it, or there's two ports on it.

 

And one of them is only data out. And it's got like, one way diodes on all the connections, stuff like there's no way to load data in through that port. So that really limits you.

 

And because of that, the pen tests kind of go a little bit at just a different pace. Yeah.

 

[Kyser Clark]

Yeah, that's I really like how you made that analogy how you brought up how I tested a Bluetooth device a couple weeks ago, a few weeks ago. And yeah, that I've never tested Bluetooth ever. I've never did any training on it.

 

I was all on my own. Luckily, there was some documentation out there, still not that much, probably way more than what you deal with. But it was like hitting a brick wall every day of that week because it was a one week pen test.

 

And I was frustrated I ain't gonna lie like because in a traditional IT pen test, like I have my methodology, I have my tools. And this is why you don't this is why they don't rely on your tools, because tools change. And then you know, I get on a pen test with tools change.

 

I'm like, well, my normal things that I normally do aren't working here. And I have to think outside the box for an entire week. And, you know, there's times where it's frustrating, but at the same time, that's where it gets fun too.

 

So yeah, there's a pro and a con to both. And if you're just someone who just constantly loves to think outside the box, and you love solving problems, then that's not gonna be an issue with you. But for me, I'm kind of a routine type of person.

 

So when something's kind of like out of the routine of what I normally do, I get a little frustrated. And that's when I got to take a step back and take a breather. And then I'm like, Alright, we just got to approach this differently.

 

So that's definitely good information for people who's trying to break in to their first pen test position who hasn't really sat in that seat before.

 

[Noah Pack]

And a lot of these things where there's no information like how to pen test it, there's plenty of information on like, how to do QA testing on it, or how it works. So RTFM, read the manual, read the white pages, white papers, white page. But you can find really valuable things as a pen tester in those materials.

 

Like what happens when you send in too much data and overflow the buffer? What happens when you send in too many requests? Those are things that QA probably looked at in their QA testing.

 

And then in the documentation, it'll say things like, how does the communication protocol actually work? Is there a handshake? What data is exchanged?

 

What's the timing between data transmissions? Like, things like that would be really valuable as a pen tester when you're looking at stuff that, you know, isn't mainstreamly hacked.

 

[Kyser Clark]

Yeah, that's, that's really good. Because, you know, the white pages, the white papers, they, they're not the most exciting thing to read all the time. I'm not gonna lie, like dive into like, you got to be in a mood, I feel like for me anyways.

 

All right, moving on. So you moved from SOC analyst and blue team work to pen testing. What were some of the challenges you faced going from SOC analyst to pen tester?

 

And what advice could you give to someone who is there in the SOC? This is what I imagined. Because like, I know the SOC is rough work.

 

I know it. I've never been a SOC analyst. I just know it.

 

But you're like staring at logs all the time. You're probably working a night shift. You have like bloodshot eyes.

 

And there's bags under your eyes. And you're just like, man, I want to be a pen tester. What do you say to those people?

 

[Noah Pack]

You can do it. Honestly, like, getting into it is not the easiest thing ever. And if you can get into it, and then you get into cyber, and then you get into a SOC, you're one step removed from your goal.

 

You're almost there. You're almost a pen tester. And although like, SOC analyst work isn't really the most perfect transitionary kind of thing into pen testing, it's still super valuable.

 

And I think SOC analysts or former SOC analysts make some of the best red teamers. So really understanding like the logs and your SIEM tool and EDR and detection rules, things like that will help you avoid them as a pen tester.

 

[Kyser Clark]

Yeah, that makes sense. As a former SOC analyst being great red teamers, because red teamers, you know, they're evading detection, whereas a pen tester, like I'm not trying to evade detection every day. Which I would say, you know, former sysadmin has definitely helped me out a ton transitioning into pen testing.

 

But I would say going into red teaming, because my goal is to transition from a pen tester to a red teamer, I'm going to have some trouble bypassing those EDRs because I don't really know them in and out, like a SOC analyst would, right? I'm not writing those rules. Now, I did do the TryHackMe SAL1 certification, that's like an entry level blue teaming role, but that's still not enough for me to be like, a really good SOC analyst, right?

 

A really good SOC analyst that knows what they're doing, that writes their own rules, and they're just, you know, MVP out in the field. They would probably make a really good red teamer, like you said. And, you know, I was kind of shining a light on SOC analyst work as like, not so exciting, but it's super essential.

 

Sorry, I mean, SOC analysts are...

 

[Noah Pack]

Parts of it can be exciting. But usually something's going wrong, if it's really exciting. And there's definitely roles within the blue team that do translate better to pentesting.

 

So like threat hunting, or like one of my responsibilities when I worked in a SOC was triaging all the bug bounty submissions for our company. So part of that was I would read up how this bug bounty hunter allegedly got into one of our assets, like our website or web app or something. And then I would recreate it.

 

And that's hands on, that's real pentesting. So that's, I'd say that's pretty valuable experience. And then being able to take that and fully understand how each step of it worked.

 

Like there's nothing better to prepare you to be actually doing it.

 

[Kyser Clark]

Yeah, that makes a lot of sense. So if someone was a SOC analyst, they want to be a pentester, what should be their number one priority? Is it certifications?

 

Is it TryHackMe, Hack The Box? Like what are your like top three things like you would recommend to someone that wants to make that shift that's already a good blue teamer?

 

[Noah Pack]

I'd say networking is probably your best or the number one thing you should be doing. You should probably go to your local infosec conferences. My first pentesting job came from a connection, somebody that I had met, and he owned a company, and he gave me the job that I wanted.

 

And it was awesome. But I wouldn't have gotten that if I didn't reach out if I didn't talk to him. So I'd say networking is really valuable.

 

And if you're already working as a SOC analyst, um, you can probably get an interview for like junior pentester somewhere.

 

[Kyser Clark]

So good to know. And for those who are not even in the field, what would you tell them? Like, so they're trying to get their first SOC analyst position or you're starting from nothing?

 

Like, what would you say is the number one thing to start with?

 

[Noah Pack]

Um, get some skills. Get good. Get good scrub.

 

No, I would say, um, yeah, TryHackMe is really cool. Um, there's a ton of stuff to learn on there and most of it is free. So, uh, can't beat that value, but I would go through TryHackMe.

 

Um, maybe see if you can get like a Security+ or PenTest+ or something like that that isn't expensive. I know, uh, TCM Security, they have some very cheap hands-on pen testing certifications too, that aren't, you know, super well recognized yet, but, um, they have the potential to be. So, um, that's another option.

 

[Kyser Clark]

I think, I think they're going to start showing up on job postings. Yeah.

 

[Noah Pack]

I think so too.

 

[Kyser Clark]

Gotta give us some time, but yeah, they're really good. Solid training. I have one of their certs and I'm working on like two others right now simultaneously.

 

Why am I saying for two certs simultaneously? I don't know. Um, well hopefully I can get them.

 

[Noah Pack]

I'm sure you can. I mean, you got quite the, uh, display behind you there.

 

[Kyser Clark]

Yeah. I got a collection for sure. Uh, they told me, they told me not to collect certifications like Pokemon cards.

 

And I took that advice and threw it right out the window. And, uh, it's been paying off for me collecting certs. Um, I will say it is nice to have a lot of certs.

 

You don't want to forget the information. Like you actually want to retain the information. That's the key, key thing.

 

Like, you know, if you're just getting certs to stack certs, that's not good. If you, but if you get the certification and you retain that information, or at least the majority of the information, then that's, that's the key to success for me. And that's been the number one thing that's helped me out of certification.

 

[Noah Pack]

I agree. And I think every certification has at least a little bit value, even if the value is just to you. So for me, I have some certifications that, you know, they're not getting me a job at this point.

 

Um, but it alleviated a little bit of imposter syndrome, gave me a little dopamine boost when I passed. And so to me, yeah, it was, it was worth it.

 

[Kyser Clark]

Yeah. That's another reason why I like certs. It helps with that imposter syndrome for sure.

 

For the final question here, do you have any additional tips for your hot takes or hidden wisdom you'd like to share?

 

[Noah Pack]

Hot takes or hidden wisdom? I'd say hidden wisdom is to read the manual. It's right there for you.

 

If you're going to pen test a firewall, read up on that firewall. If you're pen testing a piece of hardware, figure out how it works, read the manual for it, and you'll have a huge leg up.

 

[Kyser Clark]

That is some wisdom that I've never heard before, but it makes so much sense. I'm so glad you mentioned that. And, uh, yeah, because sometimes the manual can be boring and a lot of people do skip the manual, but yeah, if you dive into the manual, then you got that leg up, like you said.

 

So thank you for providing that insight and that wisdom. That was a gold nugget right there. Thank you.

 

All right, Noah. Well, thank you so much for your time and attention to the show. You definitely provided a lot of value to not only the audience, but me as well.

 

So thanks for being here. Where can the audience get a hold of you if they want to connect with you?

 

[Noah Pack]

Thanks for having me. I'm on LinkedIn, Noah Pack on LinkedIn, or you can find my 3D prints on Printables under the account, Noah Pack, and I can provide links and stuff for the notes below.

 

[Kyser Clark]

And audience, the best place to reach me is KyserClark.com and LinkedIn as well. Audience, thank you so much for watching. Thanks for listening.

 

Thanks for having me. You are welcome. And thanks for being here in audience.

 

Hopefully I catch you in the next episode. Until then, this is Kyser signing off.
