An Interview with a Penetration Tester: Yehia Mamdouh [Career Advice]

Henry Dalziel | General Hacking Posts | July 24, 2016


What is this post about?
We often get asked by students, ‘How do I get started in cyber security?’ or ‘How do I become a penetration tester or ethical hacker?’ We have in fact blogged on the subject before, but then it occurred to us: who better to ask than someone who is already an established and experienced pentester?

How will this post help you?
This post will help you by sharing the experience and expertise of a professional who is already active in the cyber security profession. In this post we ask Yehia Mamdouh questions about how someone new to this industry can get started as a “Penetration Tester”. Yehia has extensive experience; amongst his numerous responsibilities with his current employer, including being responsible for conducting external and internal vulnerability assessment activities, he has also found the time to create a Cross Site Scripting scanner, which you can find on GitHub. We are really delighted to be able to share such knowledge with you and hope that you can benefit from his experience.


Henry, Concise
You’re a really well established Penetration Tester. What key skills would you encourage a young person interested in securing their first job as a Pentester? Aside from TCP/ IP knowledge and understanding hacking tools, what character-type would you be looking for if you were hiring a young enthusiastic ‘hacker’?

Yehia, Penetration Tester
First of all I would shine a light on a very important point: a lot of people have the same title, which is penetration tester, but every one of them is a pentester with a different path he followed. There is no one specific path you follow to become a penetration tester; you may find some of them didn’t take any courses, you may find others took courses with good experiences, and others are hired by companies as pentesters because of the projects he/she created and the good reputation they got.

Of course, there are skills a penetration tester should have. He should understand TCP/IP at the packet level, understand how web applications work, have good knowledge of networks and computer systems, especially UNIX/Linux at a lower level than most people, and have good knowledge of network devices. The most important thing is that every penetration tester should know at least one low-level programming language and one scripting language like Perl, Python or Ruby, which allows any pentester not to depend only on existing tools, because every pentester deals with dynamic and different environments which sometimes require writing a special script for a special task. And last, he/she should be updated with the latest vulnerabilities and zero-days that have been discovered.

I would like to hire people who have the curiosity to know and learn new technology, and have the ability to be creative, as most of the time creativity is required to deal with different environments and different security implementations.

Henry, Concise
How did you get your break in Cyber Security? Was it an accident or was it by design?

Yehia, Penetration Tester
I got my first computer in the 90’s; at that time I was obsessed with programming. My start was learning Visual Basic, and I started creating some basic programs. Then I was hit by Melissa; at that time I was amazed how a few KB could cause that damage. After that I started doing a lot of research on worms, backdoors etc. I learned how to write them, and then I continued learning about hacking and security, so yes, I can say by accident!

Henry, Concise
We note that you’re a pro with Metasploit! What other hacking tools are a ‘must’ for today’s cyber professional?

Yehia, Penetration Tester
Metasploit is one of the important tools the pentester should know. There are other important ones like Burp Suite and OWASP ZAP for web traffic interception and fuzzing, John the Ripper and Hydra for password cracking, aircrack-ng for WiFi security testing, Maltego for information gathering, sqlmap for SQL injection, Nmap for network fingerprinting and port scanning, Wireshark for connection analysis, Nessus and OpenVAS for vulnerability scanning, and the Social-Engineer Toolkit (SET) for client-side attacks and social engineering assessment.

There are many other tools used today for cyber security, and in my opinion every pentester should have the ability to find vulnerabilities without any tools; imagine yourself in the 1990’s, what would you have done?!

Henry, Concise
And lastly, where do you see the greatest demand for cyber professionals? Perhaps in SCADA, healthcare – or in compliance?

Yehia, Penetration Tester
I see great demand on different technologies like mobile applications, which are arising every day and becoming very important for every user. SCADA has a big spotlight, especially nowadays when hackers are focused on attacking countries’ infrastructure, as we know from what happened to Estonia in 2007 and Stuxnet, and I see also that great demand will come in IoT. More and more ‘uses’ for this type of technology are being developed. We see smart buildings being created already.


Again, we’d like to thank Yehia for his time and effort in answering our questions and wish him all the best for the future.
