Metasploit mailing list archives

Pen-Testing and Metasploit Question


From: mtgarden at gmail.com (Matt Gardenghi)
Date: Thu, 23 Apr 2009 16:09:39 -0400

You asked the wrong question....  Now you will get everyone answering 
what "they personally" consider to be the most important skill sets.  
Companies often don't know what they want.  They are simply required to 
have a pen test (or it sounds cool).  So, a good pen tester finds out 
what the company wants and meets that need in a manner that is efficient 
and reasonably thorough.

For starters, a pen tester should be able to use the standard tools and 
understand the output.  These tools would be vulnerability scanners 
(network and web), exploitation frameworks, general port scanners, and 
the ability to use the CLI on a variety of OSes.  Anyone can run a tool 
or exploit, but being able to interpret the output, determine false 
positives and false negatives, and further prod the systems is critical.

Secondly, a pen tester should have a good understanding of methodologies 
so holes aren't overlooked.

Thirdly, a pen tester should be able to write a good report.  The report 
is the most important piece.  A customer should be able to take that 
report and make pertinent changes to tighten up their infrastructure.  
If there aren't reasonable actionable elements, they didn't get their 
money's worth. 

At the end of the day, the report is the most important part.  What 
exact skills you need depends on what you are testing.  Some people 
specialize, some do a general checkup on the network, but all bill 
themselves as a pen tester.  Just don't claim to be a pen tester if all 
you do is run a vulnerability scanner and db_autopwn and then spit out 
the results.  Write, write, write.  Consolidate the information.  Give 
them the raw data if they want it, but also summarize and make 
reasonable recommendations.

That should be a start to answering your question.

Matt Gardenghi


pandini pandini wrote:
 I'm in the same boat as professor, trying to get into the pentest
industry but I don't know "where to start". I agree with what max
said; imho methodology is the center of the thing: knowing how and why
is really better than knowing "where to click" or what command to run.

 My questions are, "What does the industry expect from a pentester" (auditing
databases, software source code, networks, servers, etc.), "What is
generally done in a basic pentest", and what certifications are "good"
to prove some basic knowledge. Just saying to a company "I'm able to
do a pentest, can you give me a chance?" won't work.

 I think that I need some formal proof of knowledge; as I haven't any
professional experience in pentest, this is the only way that I
see.



 Thanks in advance,
 Pandini.

