Metasploit mailing list archives
Pen-Testing and Metasploit Question
From: mtgarden at gmail.com (Matt Gardenghi)
Date: Thu, 23 Apr 2009 16:09:39 -0400
You asked the wrong question.... Now you will get everyone answering what "they personally" consider to be the most important skill sets.

Companies often don't know what they want. They are simply required to have a pen test (or it sounds cool). So, a good pen tester finds out what the company wants and meets that need in a manner that is efficient and reasonably thorough.

For starters, a pen tester should be able to use the standard tools and understand the output. These tools would be vulnerability scanners (network and web), exploitation frameworks, general port scanners, and the ability to use the CLI on a variety of OSes. Anyone can run a tool or exploit, but being able to interpret the output, determine false positives and false negatives, and further prod the systems is critical.

Secondly, a pen tester should have a good understanding of methodologies so holes aren't overlooked.

Thirdly, a pen tester should be able to write a good report. The report is the most important piece. A customer should be able to take that report and make pertinent changes to tighten up their infrastructure. If there aren't reasonable actionable elements, they didn't get their money's worth. At the end of the day, the report is the most important part.

What exact skills you need depends on what you are testing. Some people specialize, some do a general checkup on the network, but all bill themselves as a pen tester. Just don't claim to be a pen tester if all you do is run a vulnerability scanner and db_autopwn and then spit out the results.

Write, write, write. Consolidate the information. Give them the raw data if they want it, but also summarize and make reasonable recommendations.

That should be a start to answering your question.

Matt Gardenghi

pandini pandini wrote:
> I'm in the same boat as that professor, trying to get into the pentest industry but I don't know "where to start". I agree with what max said; imho methodology is the center of the thing. Knowing how and why is really better than knowing "where to click" or what command to run.
>
> My questions are: "What does the industry expect from a pentester?" (audit database, software source code, networks, servers, etc.), "What is generally done in a basic pentest?", and what certifications are "good" to prove some basic knowledge. Just saying to a company "I'm able to do a pentest, can you give me a chance?" won't work. I think that I need some formal proof of knowledge, as I haven't any professional experience in pentest; this is the only way that I see.
>
> Thanks in advance,
> Pandini.
Current thread:
- Pen-Testing and Metasploit Question, (continued)
- Pen-Testing and Metasploit Question MaXe (Apr 22)
- Pen-Testing and Metasploit Question Simon Taplin (Apr 22)
- Pen-Testing and Metasploit Question pandini pandini (Apr 23)
- Pen-Testing and Metasploit Question Kevin Beaver (Apr 23)
- Pen-Testing and Metasploit Question Ben Nell (Apr 23)
- Pen-Testing and Metasploit Question pandini pandini (Apr 29)
- Pen-Testing and Metasploit Question Matt Gardenghi (Apr 30)
- Pen-Testing and Metasploit Question chuks Jonia (May 02)
- Pen-Testing and Metasploit Question Matt Gardenghi (May 04)
- Pen-Testing and Metasploit Question Kevin Beaver (May 04)
- Pen-Testing and Metasploit Question pandini pandini (Apr 23)
- Pen-Testing and Metasploit Question Matt Gardenghi (Apr 23)
- Pen-Testing and Metasploit Question Edward Bjarte Fjellskål (Apr 22)
- Pen-Testing and Metasploit Question MaXe (Apr 22)