Penetration Testing mailing list archives
All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs)
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 15 Jul 2005 15:08:04 -0600
Read and learn about network protocols. Be able to quickly recognize things like... a TCP session SYN, SYN ACK, ACK, - data - FIN, FIN ACK handshake. Read about text-based network protocols, i.e. SMTP, POP3, TELNET, FTP, HTTP etc. and be able to manage a session by hand without relying completely on a script (referencing some commands on a 'cheat sheet' or manual is OK by me). Learn to look at the output of NMAP and know within 10 seconds what the purpose of each machine shown is. Learn which ports do what and what ports don't do anything. What ports are common and what ports are not. What ports are static and what ports are dynamic. Learn what ports are reserved and which aren't, and what ports are superuser only and which ports are open season for any process.

Learn about firewalls and what brands are out there. Read about stateful packet inspection and absorb its usefulness and danger. Read about NAT and how it can impact security and accessibility. Learn how the shape of the headers on a packet can determine many things ranging from the host OS to the presence of a virus. Learn about network topography and the difference between routing and switching and broadcasting. Learn about IP subnetting and the difference between public/private IP addresses. Learn about routers and how they work... and WHY they work. And WHERE they work. Read about the programming of the IP stack and how TCP/UDP on IP works in terms of windows and responses, and learn how IP fits in with other network protocols and where TCP differs from UDP.

Learn how to code in C. Know what a buffer is and how it might overflow. Be able to read complex C code (try the Linux kernel; last I looked at it, it was a spaghetti ball and ugly as hell, but beautiful at the same time). Learn the difference between a virus and a worm and the difference between a rootkit and a Trojan. And the difference between a cracker, hacker and a script-kiddie. FYI, good pen-testers are BY DEFINITION good hackers. Bad pen-testers are almost always uhhh "white hat script-kiddies".

Man, I could keep going... there's lots more. But being a good pen-tester is basically akin to being a good cracker. Being a good cracker is not like TV where someone clicks buttons for 45 seconds and WHAM, they broke into the IRS mainframe (if there is such a thing). It's about patience, knowledge, intuition, knowledge, experience, knowledge and most importantly, all of the above.

FYI, FOUR semesters of Graduate Level network infrastructure, network design and "information warfare" classes didn't come close to covering all of this material. And I'm no pen-tester. I wouldn't even put my foot down to claim that I could be. I have 4 years experience in network design, down to writing bare C on raw Ethernet frames and up to designing a WAN topography, and I wouldn't feel comfortable selling myself as a "pen-tester". In my opinion, the pen-tester has to be close to the elite of the crackers or their test does nothing. If all you do is run some tools and see that the tools can't do any damage, you're a script-kiddie, not a pen-tester. If you can't say with some certainty that a highly skilled black hat would have a hard time (never impossible) to crack your defenses, then you can claim it.

I occasionally refer to myself as a "security professional" but even that sometimes feels like a stretch. Always improving... Always accepting job offers too :-) I would love to be an assistant with someone far more experienced than myself. I love learning. :-)

Eric

-----Original Message-----
From: Stephane Auger [mailto:sauger () pre2post com]
Sent: Friday, July 15, 2005 7:43 AM
To: Security Professional; pen-test () securityfocus com
Subject: RE: Pen Test Basic Needs

No offence taken :) I know I'm still a beginner, which is why I'm doing research. The "pen-test" I'm talking about is more a practice than anything else. In this case, the "client" is a friend of mine. So no, I'm not selling these services professionally, and don't intend to for a while. Sorry if I was misleading, but I really am just looking for a place to start. I totally agree with what you're saying, which is why I'm trying to figure out the basics so I don't do anything stupid when I really have to do one...

Thanks to everyone who gave me their input, I appreciate it.

Stephane

-----Original Message-----
From: Security Professional [mailto:redteamer () gmail com]
Sent: July 15, 2005 7:02 AM
To: Stephane Auger; pen-test () securityfocus com
Subject: Re: Pen Test Basic Needs

Steph,

Judging by the types of questions you have asked, I would be willing to bet that you haven't actually performed a penetration test "professionally" before. No worries, everyone has their first time ;) Anyway, as I was saying, my guess is that you don't have a lot of experience in this area. Just an honest assessment. The problem you run into is, did you tell the company that is having you do this that you have never done one before? One common mistake I have seen is that people get this bug to start doing pen-tests and try to make money the first few times they do one. What should be happening is that you actually learn the things you are asking first, then decide to do this professionally as a service once you get some experience. Don't put the cart before the horse here.

Also, you state that you are well aware of the legal ramifications. But honestly speaking... Are you? Have you consulted a lawyer and had them explain everything to you? If so, why didn't they draft a contract up for you? A contract ultimately comes down to what you want to do in your test and what you do / do not want to be liable for.

You state in one of your questions that you would use Snort in a pen-test. You ask about where one would "start". You ask about what type of information you would begin with. All of these questions are things that, as a "pen tester", you should already know. If you don't know them, you shouldn't be doing assessments on networks where you have to worry about legal ramifications. Quite honestly, I hope that the company you are referring to is reading this list and realizes they aren't getting what was probably pitched to them. Please do us all a favor and actually learn how to do these types of things before you decide to do one as a service to a company.

P.S. - In no way is this e-mail intended to be hurtful or insinuate that you don't know anything. I am just stating my opinion on what I think is going on here and calling you on it. It is people like what I have described above that give this profession a bad name.
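The two things Eric says to recognise on sight at the top of the thread, the SYN / SYN-ACK / ACK ... FIN / FIN-ACK sequence of a TCP session and which port ranges are well-known, registered or dynamic, as an added worked example that is not part of any message in the thread. The segment lists are constructed sample data (direction, flags, payload bytes), not captured traffic; the tracker is a deliberately small state machine that also flags the shapes a pen-tester sees most often: a half-open SYN scan torn down by the client's RST, a closed port answering SYN with RST, and data arriving with no handshake at all.

```python
"""Added example, not from the thread: a tiny TCP session tracker and IANA port
classifier. Segment lists at the bottom are constructed, not captured traffic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Segment = Tuple[str, Set[str], int]   # (direction "c>s"/"s>c", flags, payload bytes)


def classify_port(port: int) -> str:
    """IANA ranges (RFC 6335). Below 1024 is the 'superuser only' range: on Unix,
    binding there needs root or CAP_NET_BIND_SERVICE."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known/privileged"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"


@dataclass
class Session:
    state: str = "CLOSED"
    fin_from: Optional[str] = None     # side that sent the first FIN
    reset_by: Optional[str] = None     # side that sent RST, if any
    reset_in: Optional[str] = None     # state we were in when the RST arrived
    payload: Dict[str, int] = field(default_factory=lambda: {"c>s": 0, "s>c": 0})
    anomalies: List[str] = field(default_factory=list)

    def feed(self, direction: str, flags: Set[str], payload: int = 0) -> str:
        """Advance the state machine by one segment and return the new state."""
        flags = {f.upper() for f in flags}
        s = self.state
        if "RST" in flags:                                   # abort from either side
            self.reset_by, self.reset_in, self.state = direction, s, "RESET"
        elif s == "CLOSED" and direction == "c>s" and flags == {"SYN"}:
            self.state = "SYN_SENT"                          # 1st leg of handshake
        elif s == "SYN_SENT" and direction == "s>c" and flags == {"SYN", "ACK"}:
            self.state = "SYN_RECEIVED"                      # 2nd leg
        elif s == "SYN_RECEIVED" and direction == "c>s" and flags == {"ACK"}:
            self.state = "ESTABLISHED"                       # 3rd leg, session is up
        elif s == "ESTABLISHED" and "FIN" in flags:
            self.fin_from, self.state = direction, "FIN_WAIT"   # active close begins
        elif s == "ESTABLISHED" and "ACK" in flags:
            self.payload[direction] += payload               # ordinary data transfer
        elif s == "FIN_WAIT" and direction != self.fin_from and "FIN" in flags:
            self.state = "LAST_ACK"                          # passive side closes too
        elif s == "FIN_WAIT" and direction != self.fin_from and "ACK" in flags:
            self.payload[direction] += payload               # half-closed: other side may still send
        elif s == "LAST_ACK" and direction == self.fin_from and flags == {"ACK"}:
            self.state = "CLOSED"                            # final ACK, session done
        else:
            self.anomalies.append(f"{direction} {'+'.join(sorted(flags))} in {s}")
        return self.state


def replay(segments: List[Segment]) -> Session:
    """Run a whole segment list through a fresh Session and return it."""
    sess = Session()
    for direction, flags, payload in segments:
        sess.feed(direction, flags, payload)
    return sess


# Constructed sample sessions (hypothetical, not captured traffic).
NORMAL_SESSION: List[Segment] = [
    ("c>s", {"SYN"}, 0), ("s>c", {"SYN", "ACK"}, 0), ("c>s", {"ACK"}, 0),
    ("c>s", {"PSH", "ACK"}, 16),          # e.g. "GET / HTTP/1.0\r\n"
    ("s>c", {"PSH", "ACK"}, 120),         # response
    ("c>s", {"FIN", "ACK"}, 0), ("s>c", {"ACK"}, 0),
    ("s>c", {"FIN", "ACK"}, 0), ("c>s", {"ACK"}, 0),
]
SYN_SCAN_OPEN: List[Segment] = [          # nmap -sS against an open port
    ("c>s", {"SYN"}, 0), ("s>c", {"SYN", "ACK"}, 0), ("c>s", {"RST"}, 0),
]
SYN_SCAN_CLOSED: List[Segment] = [        # same scan, closed port
    ("c>s", {"SYN"}, 0), ("s>c", {"RST", "ACK"}, 0),
]
DATA_WITHOUT_HANDSHAKE: List[Segment] = [("c>s", {"PSH", "ACK"}, 10)]

if __name__ == "__main__":
    for name, segs in [("normal", NORMAL_SESSION), ("syn scan, open", SYN_SCAN_OPEN),
                       ("syn scan, closed", SYN_SCAN_CLOSED),
                       ("data, no handshake", DATA_WITHOUT_HANDSHAKE)]:
        s = replay(segs)
        print(f"{name:20} state={s.state:12} bytes={s.payload} "
              f"reset_by={s.reset_by} in={s.reset_in} anomalies={s.anomalies}")
    for p in (22, 8080, 51000):
        print(p, classify_port(p))
```

Who sent the RST, and in which state, is the detail worth reading off a capture: a client RST right after SYN_RECEIVED with no payload is the signature of a half-open scan, while a server RST in SYN_SENT is just a closed port. Real traffic also carries sequence numbers, retransmissions and simultaneous closes that this toy tracker ignores.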