Penetration Testing mailing list archives
Re: Just getting started in pen-testing
From: "Yiming Li" <nicneo925 () gmail com>
Date: Mon, 10 Nov 2008 13:12:05 -0800
Hi J,

I'm a master's student in computer science. I subscribed to this mailing list because I'm now taking a network security class. To be honest, I'm really new to pen testing and often I have no idea what is going on in the mails :) However, I understand this mail, and I do appreciate your deep insight and sincere advice. I think I know where I should start. Thank you so much!

Yiming

On Mon, Nov 10, 2008 at 11:58 AM, J. Oquendo <sil () infiltrated net> wrote:
On Mon, 10 Nov 2008, Matt - MRS Security wrote:

Hey J. I think that a direction towards courses as a recommendation would be suitable for people so they could launch themselves towards getting certain qualifications. I think getting a few people to commit to helping out would be the way forward. That's if Erin wants a FAQ. Thanks, Matt.

Interesting, but I believe the certificate approach is a dual-edged sword. I started getting certs recently with an already established background in infosec. I don't and have never needed them, not to mention, to be honest about it, the only thing they've gotten me so far is more email and more paperwork... With this said, there is also the flipside of things: I have learned to broaden my horizons with them, but this was post-cert. Pentesting to me, as I said before, is similar to an art. There are far and few courses worth looking into as far as certifications go. For example, my most "coveted", for lack of a better term, cert is the OSCP because I actually re-learned things and saw them from a different angle. This does not mean it should be viewed as the "de facto" cert to get; however, I'd personally respect interviewing or meeting another OSCP over a CISSP, C|EH, etc., and this is not to take anything away from those cert holders, so I don't need CISSPs to come complaining about apples and oranges. My problem with the cert route is that unless you're going to re-cert with that body, it will be useless as the industry changes at such a rapid pace. There would be too much to learn for one sitting, period, especially in a year's time frame. Right now I'm doing CISM studies, which I could care little for (managerial); however, I enjoy learning the business processes involved with security governance. There is more to it all than just tools ;) Does this mean I want to revamp and push papers (not taking anything away from security managers)... The answer is no. I study and learn constantly to understand it all as in-depth as I can.

I usually tell others who ask me to understand networks and systems heavily before even focusing on tools. I believe in doing so they'll be able to understand the inner workings of it all and quite possibly create their own tools, methods, etc., so am I wrong in thinking along these lines? Now let's go to the working-class "Joe the Plumber", the real "Joe the Plumber" who doesn't make 200k per year. You expect him to fork over X amount of money on "recommended" courses? Recommended by whom and why? Do you believe that everyone can recommend courses without introducing polit(r)ic(k)s into the mix? I sincerely doubt this. Also, because pentesting is extremely broad, what course, if you can actually find any, would you promote to, say, pentest a VoIP infrastructure? It's pretty much non-existent. You either understand the topology, technology, etc. from the top down, or you'll be lost in the sauce. And no, "Hacking VoIP" (hello Dave/Mark) can only help you so much. However, if you understood the underlying framework of packets and protocols, you'd be able to determine what to look for on which layers of the OSI model, period, no matter what you're pentesting. I believe certs can definitely help, but they are of limited use in the learning phase. So you waste (or spend, depending on your view) time learning about, say, web application security. You spend/waste time reading and re-reading Shellcoder's Handbook, learning C or some other language. You spend or waste time learning about fuzzers and all that you're trying is failing. You never took the time to learn about the networking side of things, so you're not running tcpdump, snoop or any other sniffer on the wire to see that you're not trunked in the right VLAN. Then what? I believe a top-down approach to it all, via books and trial-and-error labs, is the way to go WAY before one invests money in any cert. It's what I believe separates the pros from the joes.

You could tell me you possess all the certs in the world, and unless you really know your stuff, I can point you to plenty of "well certified" individuals whom I could mop the floor with in a CTF on any given day with one hand, no coffee, on a 486 running RH Hurricane. And I mean this not arrogantly, but as a matter of fact; truth is the truth. Not bringing any person down, any cert down... I have a friend (hello RR) who to this day I believe is possibly the best pentester I've met. Uses no one's tools. Prefers doing things the old-school way. Maybe it's how he feels comfortable doing it, maybe it's what he learned in Indiana (;)), who knows. I respect him for his ability and his very intimate knowledge. He has zero certs that I'm aware of. In fact, most of the pentesters I know and respect most... don't have titles to their names ;) Does this mean they're cert-illiterate, "unschooled", "unreliable" pentesters? Sorry, I don't believe the cert route is necessarily the best route. Just my two cents; alas, I've rambled on enough, but if I had to recommend what you asked for, then I would be telling people to take the following route:

Networking/Design:
  CCNA
  CCDA
  CCNP
  CCDP

Systems:
  SCSA
  Linux+
  MCSA

Security:
  Security+
  C|EH - to become exposed to tools
  OSCP
  OPSA
  CPTE

Web-applications:
  What do you suggest here ;)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him or her: but once they are in hand, he or she alone must decide how to play the cards in order to win the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
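Added example, not part of the thread or of any post in it: the quoted message argues for understanding packets and protocols before reaching for tools, and gives the concrete case of putting tcpdump or snoop on the wire to confirm which VLAN you are actually trunked into. The Python below is my own byte-level illustration of that check. It parses the 802.1Q tag (and stacked 802.1ad/QinQ tags) of raw Ethernet frames, as a raw socket or `tcpdump -xx` would hand them to you, and reports the VLAN IDs seen. The frames are constructed inline for the example, not captured traffic, and the helper names (parse_vlan_tags, build_frame, on_expected_vlan) are mine, not a tool the thread mentions.

```python
"""Added example (not from the mailing-list thread): parse 802.1Q VLAN tags
from raw Ethernet frames, the byte-level version of "put a sniffer on the
wire and check which VLAN you are actually in".

Frame layout handled:
  dst MAC (6) | src MAC (6) | [TPID (2) | TCI (2)]* | EtherType (2) | payload
where TPID is 0x8100 (802.1Q) or 0x88A8 (802.1ad outer tag, QinQ) and
TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service (outer) tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_vlan_tags(frame: bytes):
    """Return (dst_mac, src_mac, vlan_ids_outer_to_inner, payload_ethertype).

    Raises ValueError if the frame is too short to hold the headers it claims.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    vlan_ids = []
    # Walk every stacked tag: each one is a 2-byte TCI followed by the next
    # EtherType, which may itself be another tag (QinQ).
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, vlan_ids, ethertype


def build_frame(dst: str, src: str, vlan_ids, ethertype: int,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a test frame (hypothetical helper; used only for the samples).

    With more than one tag the outermost gets the 802.1ad TPID, as a QinQ
    provider edge would write it; single tags use plain 802.1Q.
    """
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vlan_ids) > 1) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def on_expected_vlan(frame: bytes, expected_vid: int) -> bool:
    """True if the innermost tag on the wire is the VLAN you were told you are
    trunked into. An untagged frame never matches: on a trunk port that is
    native-VLAN traffic, which is exactly the surprise the sniffer is for."""
    vlan_ids = parse_vlan_tags(frame)[2]
    return bool(vlan_ids) and vlan_ids[-1] == expected_vid


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = {
    "untagged_arp": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], ETHERTYPE_ARP),
    "vlan100_ip": build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [100], ETHERTYPE_IPV4),
    "qinq_200_300": build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [200, 300], ETHERTYPE_IPV4),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        dst, src, vlans, etype = parse_vlan_tags(frame)
        print(f"{name:13} {src} -> {dst} vlans={vlans or 'none'} ethertype=0x{etype:04x}")
```

The same walk is what `tcpdump -e -nn vlan` does for you before printing `vlan 100, p 0`; doing it by hand once makes it obvious why an untagged frame on a supposed trunk means you are looking at the native VLAN rather than the one in the scoping document.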
Current thread:
- Just getting started in pen-testing m0rebel (Nov 09)
- Re: Just getting started in pen-testing Adriel T. Desautels (Nov 09)
- Re: Just getting started in pen-testing J. Oquendo (Nov 09)
- Re: Just getting started in pen-testing Matt - MRS Security (Nov 10)
- Re: Just getting started in pen-testing J. Oquendo (Nov 10)
- Re: Just getting started in pen-testing Yiming Li (Nov 10)
- Re: Just getting started in pen-testing m0rebel (Nov 11)
- Re: Just getting started in pen-testing Matt - MRS Security (Nov 11)
- Re: Just getting started in pen-testing Adriel T. Desautels (Nov 11)
- Re: Just getting started in pen-testing Matt - MRS Security (Nov 10)