Penetration Testing mailing list archives
Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs)
From: Bernhard Mueller <research () sec-consult com>
Date: Thu, 04 Aug 2005 10:27:52 +0200
Daniel Miessler wrote:
Being a good cracker is about patience, knowledge, intuition, knowledge, experience, knowledge and most importantly, all of the above.Amen, brother.FYI, FOUR semesters of Graduate Level network infrastructure, network design and "information warfare" classes didn't come close to covering all of this material.
I would not put too much emphasis on "knowledge". I mean, there's so much stuff around that you can't just be an expert in everything. practically, we face new and different hard- and software combinations with every test. IMHO what makes a good pentester is creativity and the skill to look at things in the right way, i.e. the "cracker" way. for example, even a non-guru-java-programmer can be able to spot any vulnerability in a java application when doing a code review, if he has a good understanding of programming languages and knows what to look for. Personally, I don't give much on any "hacking classes" or "hacker certificates". My approach to "becoming a cracker" is the following: 1) find a task i want to solve (pentest, idea for a new tool/ vulnerability research, etc..) 2) gather all information needed in books, google and newsgroups 3) solve the task Certainly, as a pentester you need a profound basic knowledge of networking protocols, OSes, programming etc. But the learning process will never stop, and you can never ever know every detail of everything. When conducting a pentest, i think creativity and intuition is most important. it's just not enough to rely on reports from automatic security scanners. i'm relatively new to this business, yet my experience has shown that 90% of all networks can be compromised even if nessus reports no critical vulnerabilites. specific things may be not be a flaw in one context but can be important in another one. IMHO, a pentester must have the ability to recognize any vulnerability if he sees one, and to creatively conduct custom attacks tailored to the system he is working with. the only way to learn this skill of "seeing things from an attacker perspective" is to practice cracking systems, where "systems" includes any OS/application/protocol/bla available. Regards, -- _____________________________________________________ ~ DI (FH) Bernhard Mueller ~ IT Security Consultant ~ SEC-Consult Unternehmensberatung GmbH ~ www.sec-consult.com ~ A-1080 Wien Blindengasse 3 ~ Tel: +43/676/840301718 ~ Fax: +43/(0)1/4090307-590 ______________________________________________________ ------------------------------------------------------------------------------ FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at: http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -------------------------------------------------------------------------------
Current thread:
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Daniel Miessler (Aug 03)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Bernhard Mueller (Aug 04)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) AdamT (Aug 04)
- RE: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) AEHeald (Aug 04)
- <Possible follow-ups>
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Omar Herrera (Aug 05)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) s0u1d13r s0u1d13r (Aug 06)
- Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs) Matt Reid (Aug 06)
- What are some good sources to keep me up top :) ? Pigeon (Aug 06)
- Re: What are some good sources to keep me up top :) ? Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Aug 07)
- Re: What are some good sources to keep me up top :) ? AdamT (Aug 07)