Penetration Testing mailing list archives
RE: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs)
From: "AEHeald" <arianheald () bellsouth net>
Date: Thu, 4 Aug 2005 21:30:51 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gentlefolk; Daniel's paean to "pure" pentesting (for lack of any other name) gave me a great deal of thought. I'm solidly in the "white-hat script kiddie" working my way into basic attack skills. I've been an engineer for 12 years and in infosec for the last five. What I have noted the most is the absolute lack of consistent training for this artform known as penetration testing. In fact, I'm not sure it _can_ be taught. It requires an insatiable curiosity and loads of patience, followed by some healthy adolescent glee. If that's what can be defined as a "spark," I'm in for the long haul. I love this stuff. I'm fundamentally self-taught, doing work for an office where no one else knows how to do pentesting, other than filling out an audit checklist **shudder.** My successes are solitary, and while consistent, I know I am plucking the low hanging fruit. Someone has to do it, and it's good training for me as I go. If every engagement means that I learn something, I am content. I am not in the rarified top ten by any means, but I don't know anyone who is! I, too, would like to work with someone who knows their stuff, but the people I meet know as much as me, rarely more. It's why I'm on this list. So bear with us lowly white hat scripters, we're at least on the learning curve. Regards Eigen Arian Eigen Heald, M.Div., MSIA, CNE, MCP, CISA, CISSP "A little knowledge is a dangerous thing...." - -----Original Message----- From: Daniel Miessler [mailto:daniel () dmiessler com] Sent: Wednesday, August 03, 2005 12:37 AM To: Hagen, Eric Cc: Stephane Auger; Security Professional; pen-test () securityfocus com Subject: Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) On Jul 15, 2005, at 5:08 PM, Hagen, Eric wrote:
Learn the difference between a cracker, hacker and a script-kiddie. FYI, good pen-testers are BY DEFINITION, good hackers. Bad pen-testers are almost always uhhh "white hat script-kiddies".
Dude, this is perhaps the best description of pentesting skillsets that I've ever seen. I am quite unhappy with where I personally fall on that scale, but I'm working to improve my position. :) Well said, man...well said.
but being a good pen-tester is basically akin to being a good cracker.
Exactly, and I'd add to this that true cracking starts only when you've run every packaged tool and found NO MAJOR OPENINGS. If you can get in after finding out that there aren't any massive vulnerabilities, *then* you can call yourself a pentester. Until then you're mostly just running tools and pressing buttons. I've cracked a decent number of networks in my time as a professional and I always get praise for it. Although I may have done something pretty cool stuff to get control of a network (in the few cases where there was at least *some* challenge), the openings I had were always too large to earn myself any self-respect. It's not cracking if your first foothold was a vulnerability that lets you use an attack already in Metasploit. That's just too easy, and if it's easy -- it's not true cracking. The absolute worst, though, is being called a hacker. It's despicable. I feel like screaming, "You shouldn't even be allowed to use that word, let alone give the title to someone else." The Princess Bride always comes to mind: Presenter: "This is Daniel, he's a hacker." Me: "I do not think that word means what you think it means." So yeah, the differences are very important, as is knowing where you truly stand. The vast majority of "pentesters" are just security professionals running security tools; there's no creativity, no innovation, no spark. Most are actually just kiddies, the next lot falls above kiddies and below true crackers, then there's the real elites -- those with 1) the cracker mentality, and 2) the cracker skillsets. I'm in the upper part of level two I'd say, constantly heading toward where I need to be. :) It's interesting that you, Eric, don't call yourself a pentester either. I do becasue it's my job, but I can't help but feel like the eternal student with no rights to call myself anything. I use this feeling to continue growing.
Being a good cracker is about patience, knowledge, intuition, knowledge, experience, knowledge and most importantly, all of the above.
Amen, brother.
FYI, FOUR semesters of Graduate Level network infrastructure, network design and "information warfare" classes didn't come close to covering all of this material.
Yes. This is what I'm talking about. It's like the most qualified people have the lowest opinions of their skills. In short, we know best how little we really do know.
And I'm no pen-tester. I wouldn't even put my foot down to claim that I could be. I have 4 years experience in network design, down to writing bare C on raw Ethernet frames and up to designing a WAN topography and I wouldn't feel comfortable selling myself as a "pen-tester". In my opinion, the pen-tester has to be close to the elite of the crackers or their test does nothing.
Completely agreed. There's only one problem with your definition -- it only leaves a few hundred people worldwide. I'd submit that you *can* have people below this uber-elite level offer something tangible to clients. If you can perform a "pentest" for a client and uncover deficiencies in their security which they then go on to fix, you've performed a service that's worth paying for. Would it be better if it were done by one of the true elites? Sure -- but that's not to say that the former isn't valuable to some degree. The problem is there are very few who are even capable of doing *that* among those that call themselves pentesters. As discussed, most people with the title are simply running tools. They're the CORE IMPACT class. Point and click, point and click.
If all you do is run some tools and see that the tools can't do any damage, you're a script-kiddie, not a pen-tester.
Yup.
I occasionally refer to myself as a "security professional" but even that sometimes feels like a stretch.
Seriously...me too. I feel like being a student of the discipline and a "professional" are almost mutually exclusive, and I'm *definitely* the former. The thing you have to consider, though, is how you compare to the other "professionals". :) Think of the benefit to the client moreso than your own personal ranking. If I went by my own personal standards, I wouldn't be in the field at all. I'd be huddled up over my personal computer lab "getting ready" for the next 15 years.
I would love to be an assistant with someone far more experienced than myself. I love learning. :-)
Same here, and thanks for the most excellent post. Regards, - -- Daniel R. Miessler M: daniel () dmiessler com W: http://dmiessler.com G: 0x316BC712 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBQvLBSwGhZ4M3hyK+EQKXWACgz0EGyIzYrqPwwboj9UFM+qQvCLQAni6z 0sLoQ0TnJjZjvyXnzi92G6Kp =V902 -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at: http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -------------------------------------------------------------------------------
Current thread:
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Daniel Miessler (Aug 03)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Bernhard Mueller (Aug 04)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) AdamT (Aug 04)
- RE: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) AEHeald (Aug 04)
- <Possible follow-ups>
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Omar Herrera (Aug 05)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) s0u1d13r s0u1d13r (Aug 06)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Matt Reid (Aug 06)
- What are some good sources to keep me up top :) ? Pigeon (Aug 06)
- Re: What are some good sources to keep me up top :) ? Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Aug 07)
- Re: What are some good sources to keep me up top :) ? AdamT (Aug 07)
- Re: What are some good sources to keep me up top :) ? Pigeon (Aug 07)