What is a pen tester?

A penetration tester's job is to demonstrate and document a flaw in security.

In a normal situation, a pen tester will perform reconnaissance to find some vulnerabilities, exploit those vulnerabilities to gain access, then possibly extract some small piece of data of value to prove that the system is not secure.

The piece of data is often a part of the sales pitch for the company looking to fix their problems. It's one thing to see a vulnerability and ask the boss for $10,000 to upgrade the firewalls. It's a different thing to say to the boss "look at these results, the tester was able to get at our credit card numbers, which is a million dollar liability lawsuit waiting to happen! Please give me $10,000 to upgrade the firewalls."

Note that this doesn't say which vulnerability the tester will exploit, and the tester might be free to try anything from a social engineering attack to a WiFi sniffer to a physical break-in.

However, pen testers generally must work within limits or boundaries. Often this is at the request of the clients: "Please demonstrate that you can or can't get inside our network, but we don't want you to send any phishing emails to our employees." And the security company may have a policy of never installing certain types of malware. (There's little reason for a pen-tester to install a botnet client or to hide his tracks behind a rootkit, for example, unless he's demonstrating the need to scan for botnets and rootkits.)

Some clients will place many limits on the tests, such as "just test the security of my application server." These clients may be under the impression that a hacker will be thwarted by the magical firewalls they bought that will protect the app server from every conceivable form of external attack. Or it could be that they have a different team focused on firewall defenses, and a third team working on social engineering awareness campaigns. The client may also ask that the pen tester not exfiltrate the valuable data - knowledge of the holes themselves is enough for them.

Either way, the pen tester must carefully stay within the limits given, even when the tester can identify a more effective avenue of exploitation. The pen tester is usually only reluctantly given a position of trust, because they're often viewed as "criminal hackers". By carefully documenting and exposing every flaw they exploited, they gain trust through professionalism. If a tester sees a flaw he is not authorized to explore, he should point it out, but not explore it unless he first obtains permission.

Also note the goal of the pen tester is not to "install malicious software". The goal is to demonstrate the adequacy of the security guarding information of value (credit cards, trade secrets, marketing plans, server administration, etc.). Malware is just one technique used by hackers.

For starters, I would recommend you read, practice, and learn what you can at home and online. Check out the Certified Ethical Hacker books and training available. Try to attend local, regional, or national security conferences and events. You may have local "white-hat" groups like OWASP that have meetings you can attend and people you can meet. You may also have a more "gray-hat" DEFCON chapter nearby; again, these would be people you could learn from. These are all people who might be able to help you get into the business, if they see an aptitude or skill in you.


As has been said, a pen tester is only somebody who tries to penetrate security defences of one sort or another. People specialise in all sorts of stuff, and it's the specialism that leads to your confusion.

It's worth noting that quite often, a client will impose limits on a pen-tester's scope of practice. They may hire someone to test their network, their physical security, or even just their reception staff's reaction to suspicious characters; so quite often the difference between two jobs is what the client wants doing.

It's such a potentially broad field that giving a more specific answer isn't really possible; people do pen testing on all different types of security system, from firewalls and networks to the physical security measures of military facilities.


It's a broad field. The name describes it exactly though - to test for the possibility of penetration where none should exist.

So, to take your first example, if someone is hired to run a "pen test" against a file server, he might indeed spend all his time checking to see if there are any unpatched SAMBA exploits that can be used.

To take your second example, a company may want an overview of vulnerable areas in staff awareness, internal security, and policies/procedures. So then the pen tester would try a range of common techniques - phishing or spear phishing emails, USB drives with malware left in parking lots, tailgating into buildings, calling the receptionist pretending to be IT staff...

So pen testing does involve both aspects that you asked about - the very technical side, and the human side, and everything in between.

I would suggest that to get started, you should try to get an entry-level position in IT security, and never stop learning.