The most important thing in penetration testing is the process, the technology continues to evolve, but the process is the same - Interview with Kevin Cardwell


Hi Folks,

Today we would like to introduce you to Kevin Cardwell, the author of "Building Virtual Pentesting Labs for Advanced Penetration Testing". We talked with him about his experience and how it influenced the process of writing the book.

The book „Building Virtual Pentesting Labs for Advanced Penetration Testing” will teach you how to build your own labs and give you a proven process to test these labs; a process that is currently used in industry by global pentesting teams. You will also learn a systematic approach to professional security testing, building routers, firewalls, and web servers to hone your pentesting skills.

Take a read, it’s worth it! 


[Hakin9 Magazine]: Hello Kevin! Could you introduce yourself to our readers, just in case they are not familiar with your work?

[Kevin Cardwell]: Ok, I have been working in the IT field for almost 30 years now. I had my first programming class in 1987, and went on to obtain a Bachelor's in Computer Science and a Master's in Software Engineering. I was a member of the US Navy while obtaining these, and even though my job in the Navy was SONAR (the original ping ☺), once it was discovered that I knew computers, that is normally what I did. I was stationed in Hawaii in 1995, and at that time the Navy was looking for someone (a sailor) to work with the team that had the challenge of bringing Internet access to ships at sea. Based on the fact that at that time I had a degree in Computer Science, I was nominated to work on that project. For the sake of time I will not elaborate on this further. From there I was sent to the United Kingdom, and once there I was told about another project. Since I had my Master's degree, they asked me to lead the project, and it was running a Network Operations Security Center (NOSC). We built it, and then I was in charge of the operations for six years. During that time, I led red team engagements and tested sites around the world. The requirements for the NOSC were to provide Internet access to ships in the North Atlantic Ocean and the Norwegian Sea. We basically provided them their service from Internet all the way to email. Early on during this tour of duty, I formed my own consulting company and started to train and provide services around Europe. I did this all in my own time, and the Navy was happy they were not paying to keep my skills up, and they had me as a pseudo-free consultant. I retired from the Navy in 2005 and have been a freelance consultant working for my own company ever since. One of the challenges I had with the NOSC was that in Europe, an unaccompanied sailor has a tour of just 2 years, so I had a guaranteed high turnover rate.
This required me to develop effective training, and I came up with a Strategy and Training Development Plan that focused on the skills required for the job within the NOSC. This allowed us to build teams, and we ran this program for the six years until I retired, and for two years after my retirement until the NOSC was shut down. I took this concept and used it to help the Oman Computer Emergency Readiness Team develop their first team, and also for the first commercial Security Operations Center (SOC) there. Finally, I just finished a project that created the custom security baselines for the existing and the two new airports in Oman. I will stop there, and tell the readers like I do everyone else: do a search on the Internet and about half of what you find will be true!

[H9]: What challenges did you face while writing the book? Any bad instances of writer’s block?

[KC]: I really did not face any writer's block. At the start of the book, when the target size was 400 pages, I was concerned whether I could write a book of that size, but halfway through the process we were approaching 500 pages! This showed me I had to write more succinctly and precisely. The one other challenge was trying to decide how to engage the reader. One of the concerns is that if you ask someone "what is Advanced Penetration Testing?" you will get a lot of different answers. I tried to focus more on the process and not on any specific tool. I do this with my training, that is, teach the process. Once the student can do that, they can practice and gain experience, and then they can make a more informed choice about which tools they want to have.

[H9]: Where did the idea for the book come from? What inspired you?

[KC]: I cannot take credit for this. I had written a mini book for Packt about Beginning Wireless Network Security, and one day I received an email inquiring if I would be interested in writing another book. I believe some of this has come from the fact that I developed a Capture the Flag (CTF), first at DEFCON, then at Hacker Halted and finally at Showmecon in St Louis, and it is my understanding that many of the people who participated in the ranges tweeted, posted blog entries, etc. about it, and that was the foundation for the book. That is, how do we teach people to build their own range, so they can practice a CTF any time they desire?

[H9]: Do you think that such a textbook was needed? That pentesters need guidance?

[KC]: Absolutely. Once I observed contestants at the CTF events, I realized many of them did not know how to work against, first, the network layers, and then, second, when defenses were present. This was the intent of the book: as a professional tester you should be able to analyze the network and determine what the network is telling you. This is key; you have to observe things at the packet level. Tools are helpful, but you need to really understand what the tool is seeing, or be able to analyze it yourself. The tool is written software, and like any software it will make mistakes. I also wanted to show people how they can take a laptop, build a range, and then any time a new vulnerability or exploit comes out, they can test it, and as I mention in the book, they can first attack it flat and then, if successful, move on to attacking it with defenses in place. The thing is, if you cannot get access with it on a flat network, do not waste your time with filters in place.

[H9]: What is the key to building an effective penetration testing lab?

[KC]: Establishing the network architecture. To this day, I see people struggle with the networking aspects. You have to understand this, and at the packet level. I teach all the time that the key is to develop the core skills you have to have for penetration testing, or for learning really any security, and they are:

  1. TCP/IP
     You have to know this as well as the alphabet; everything is going to be coming in packets, so we have to know these.

  2. UNIX/Linux
     The majority of the tools and attacks will have some form of UNIX/Linux flavor when first released; therefore, it is critical you acquire these skills.

  3. Virtualization
     Whatever platform you select, you have to understand the switches and the configuration of the machines. This is the quintessential element when it comes to building a range.

[H9]: There is a section in the first chapter of your book entitled “Myths and misconceptions of pen testing.” Could you share the one you find the most frustrating?

[KC]: Well, there are actually two that are kind of tied, but since you asked for one, it has to be that so many do not understand what penetration testing is. This is because they hear the term and do not realize it is one component of professional security testing. That is validation of vulnerabilities, and that is exploitation. That is it: one component of this detailed process is actually penetration testing. Most get it confused with vulnerability assessment.

[H9]: What should every self-respecting pentester know?

[KC]: The most important thing in penetration testing is the process. The technology continues to evolve, but the process is the same; focus on understanding the process and applying it to the different targets, and that is the most important thing in testing. The experience and skills will come in time, just to perfect the process.

[H9]: Did your international experience influence you while writing? Did your military experience help you?

[KC]: Absolutely, both have played a role in my writing. I have been part of so many different engagements, and you cannot go in and say "here are all your vulnerabilities, so turn off all of this and then you are OK". All clients have either a business need or a mission need, and that has priority over every other thing when it comes to the test. Our job as testers is to assist our clients in finding that comfort level with respect to risk and their ability to do either the business or the mission. Early on I would just say "fix it", and then when everything broke I was the one that took the blame. It is true security is a concern for everybody, but whether it be international or military, we as testers have to understand our clients' needs.

[H9]: How do you think penetration testing will evolve in the near future? What should we expect?

[KC]: I think it is already happening, that is, the Operating Systems are getting more challenging to break into, so the majority of the access is through the "click here" vector. That is, we need client-side interaction to get the access that we have taken for granted for a very long time. As this evolves, the clients will have to include social engineering in the scope, so they can practice against this vector. We know the deterrent against this is training and user awareness, but we have never been able to stop everyone from clicking, so that vector is and will be there for some time. As of this interview, we still are not patching the human brain … I think ☺.

[H9]: If you could give one piece of advice to every aspiring penetration tester, what would it be?

[KC]: Learn the foundation; as I stated earlier, master those 3 things, and that will assist you as you become a tester. Build your lab and play, practice the process, record the packets, replay them. It is all part of mastering the "lower" layers. The exploitation is nice, but the key to getting engagements and follow-on work is to take what you discover and report it to the client, so they have the opportunity to improve their security process and reduce their attack surface. Finally, take a minimum of one hour a day and do something related to security. This will be sufficient to maintain your proficiency; the lower the layer you can compromise, the rest of the layers are owned. Also, do not blindly run binary executables on client sites. Thoroughly test and examine them at the packet level; moreover, build and compile them from source. If you run a binary exploit on a client site without following this, make sure your errors and omissions (E&O)/liability insurance is paid and up to date. That is more than one thing, but that is definitely advice I would give them.


2015-11-06

I hope that you enjoyed the interview, because we prepared a very special gift for you!

Until 20th November we give a 50% discount on all ebooks! Just visit Packt Publishing and use this code: Hakin9

January 26, 2016


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.