Penetration Tester

Location: Washington, DC
Date Posted: 04-17-2018
About Seneca Resources:
Seneca Resources is a client-driven provider of strategic Information Technology consulting services and Workforce Solutions to government and industry. Seneca Resources is a leading IT services provider with offices in Reston and Richmond, Virginia and Birmingham, Alabama, serving clients throughout the United States. The key to our success lies within our strong corporate culture, which drives our business. We challenge our staff through engaging work, and we reward our staff through competitive compensation, extensive professional training, and excellent opportunities for career advancement. In turn, we look for only the best and brightest to join our team. We are an Equal Opportunity Employer and value the benefits of diversity in our workplace.

Position Title:  Penetration Tester
Type: Long Term
Compensation: Very Competitive
Location: Washington, DC

The ideal candidate will have several years of penetration testing/red teaming experience in large-scale corporate environments. The candidate will be proficient with vulnerability discovery and performing actual exploitation of both Windows and Linux systems. Familiarity with APT-style tactics such as performing post-exploitation reconnaissance and covert data exfiltration is also desirable.
  • Support federal client’s enterprise penetration testing program to test all facets of client’s IT infrastructure for exploitable weaknesses on a continuous basis.
  • Conduct system-specific penetration tests in support of A&A cycles.
  • Conduct regular spear phishing campaigns using weaponized payloads (Cobalt Strike Beacons) to measure and improve SOC’s incident response effectiveness and test users’ security awareness.
  • Conduct Purple Team adversary simulation exercises to train SOC staff on recognizing and responding to APT-style TTPs, such as encrypted C2 communication, anti-virus evasion, and covert channel data exfiltration.
  • Compete as part of a team in various regional CTF competitions (BSides, ShmooCon, etc.)
  • Operate enterprise-grade and open-source penetration testing software, including:
    • Cobalt Strike
    • BloodHound
    • PowerShell Empire
    • Kali Linux tool suite
      • Nmap
      • Burp Suite
      • AirCrack-ng
      • Metasploit Framework
      • Veil Framework
      • SQLmap
      • Etc…
    • Windows Credential Editor/Mimikatz
    • Other tools as applicable
  • Develop custom proof of concept exploit code/scripts to illustrate exploitable vulnerabilities.
  • Effectively interface with federal management and system owners to facilitate the successful planning and execution of regular penetration tests on the client’s 50+ major applications.
  • Cross-train other specialist security engineers to enable them to assist with penetration testing activities.
  • Learn from other specialist security engineers to be able to assist with advanced incident response activities.
Required (Minimum) Qualifications
  • 2+ years of hardcore hands-on-keyboard penetration testing experience (running nmap and Nessus scans doesn’t count; must have experience actually exploiting target assets/popping shells)
  • 4+ years of Information Security-related experience
  • Must have OSCP certification or demonstrated experience in penetration testing
Knowledge, Skills and Abilities
  • Proficiency with common open-source penetration testing tools such as the Kali Linux tool suite, e.g. Metasploit Framework, SQLmap, PowerShell Empire.
  • In-depth knowledge of and proficiency with common exploitation techniques such as SQL injection, XSS, pass-the-hash, etc.
  • Ability to craft custom exploits to provide proof of concept vulnerability validation.
  • Proficient scripting skills in Python, PowerShell, and/or Bash.
  • In-depth knowledge of common enterprise networking protocols: TCP/IP, SMB, DNS, RDP, SSH, FTP/SFTP/SCP, RPC/WinRM, NetBIOS, HTTP/S, SMTP, etc.
  • In-depth knowledge of common enterprise operating systems: Windows, Linux/Unix
  • Essential that the candidate is a team-player.
  • Exceptional critical thinking and analytical skills – candidate must have the ability to fully learn and understand security measures and devise creative mechanisms to defeat them.
  • Ability to calculate and assess risk based on threats, vulnerabilities, and mitigating factors.
  • Self-starter with the ability to work with little supervision.
  • Binary exploitation skills
    • Ability to craft buffer overflow attacks against custom executables
    • Reverse engineering and debugging skills for both PE and ELF binaries, on both x86 and x86_64 architectures
    • Experience bypassing ASLR and DEP
  • Familiarity with non-Windows operating systems, e.g. Cisco IOS, Mac OSX, Android, Apple iOS, IBM Z/OS
  • Familiarity with NIST SP 800-53 controls
  • Bachelor’s degree or higher in Information Technology-related field