Penetration Testing mailing list archives

Re: RE: VmWare and Pen-test Learning


From: krymson () gmail com
Date: 7 Aug 2006 16:17:37 -0000

I am very new to this too, but I thought I would throw some more comments in here, if I may.

At the risk of opening up a VA vs pen-test argument, I really think there are some fundamental skills to have for 
pen-testing, and one of those is scanning for vulnerabilities.

Use a blended approach so that you know the tools for scanning. Run nmap, MBSA (Windows), Nessus. If you read about any 
other tools, try them out. You will always, always, always, always use scanning tools...so learn them like the back of 
your hand.

Take the output of them, and you'll get lots of hits on unpatched systems, and read up on each problem. Then research 
how to attack it. Sites like securiteam.com are highly useful to find exploit code. They're not as good at explaining 
things in detail though, but the code is good. Then research how to fix it. Put that one single patch on the system, or 
fix, or workaround, and attempt the exploit again. What changed? Did it just close a port? Try to find as much 
technical detail as you can. In doing so, you'll find a number of sites you'll eventually bookmark and use regularly. I 
encourage you to get a logbook and write down your answers or type them into some doc. This will get you used to 
documenting for reports. In doing so, hypothesize how attackers might get in...weak firewall rules, worm from a laptop 
offsite...? Put up a firewall and IDS and try to stop yourself. Being able to demonstrate a vulnerability is one thing, 
but always be able to explain how to fix it.

Definitely use metasploit. This is the hottest and easiest tool out there right now, and can give you a good feel for 
the exploits. You can even read the code and play with it. If you like code or find yourself growing attuned to it, 
metasploit will give you the framework to write your own exploit code. This is a great way to go. I love metasploit 
because code newbies (me) can actually immediately see what is going on, making a great demonstration and introduction 
into coding one's own exploits. It also allows a pen-tester to quickly re-penetrate known holes, without having to 
rummage through one's own scripts or re-write anything on site. 

Better yet, get used to looking at network traffic by always running a sniffer between your system and your victim. 
Just review it for what is going on, and you'll just slowly gain an affinity for that stuff. Wireshark is, of course, 
unequalled in ease of use. This will help when sniffing for actual traffic, cleartext protocols, and eventually more 
complicated authentication mechanisms.

I like the analogy about pool and practicing the simple shots. In addition, pen-tests are not always a leisurely thing, 
you typically have a time limit. Being able to snap off the simple shots, do the scans, verify the easy 
vulnerabilities, and spit out the reports in little time is valuable. That way you can spend time on the real kickers. 
I've seen pen-testers have enough time to try new tools on site, or to really beat on a couple 
"known-but-not-quite-penetrated" holes.

Once you've gotten the OS part down, install something like IIS, PHP, and an older version of some vBulletin/PHPbb 
bulletin board, something with known holes. Run web scans and attempt whatever you need to do to those.


I've found that reading books and sites gives one a lot of knowledge, but really, nothing beats actually having your 
own lab and going through the motions. Eventually you'll see you're not a newbie anymore, and can actually move forward 
in understanding complex topics and pens. I can read about playing pool and get really good at seeing geometry and 
physics on the table, but until I start getting my body in tune with the actual motions, and experience to verify the 
head-knowledge, I'm not good at pool. :)


On a different note, if you have some buddies in your area with these interests, have a weekend LAN. Get some movies, 
beer, music, pizza, and just set up boxes and find creative ways to break into them. See who can grab admin rights on 
an unpatched Win 2000 RTM box fastest...and then defend it. Trade techniques, show each other new tools or sites to 
learn stuff, etc. Have fun! Even if some of your buds are just sysadmins or network types that aren't interested in 
security, per se, get them involved anyway. :)

Lastly, always be curious. Tinker, play, and have fun. I've been in a number of jobs you don't need to like in order to 
do well in, but pen-testing is one of those areas where everyone I've talked to truly enjoys the work and anyone that 
doesn't, doesn't do well.
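The post's lab loop (scan, apply one fix, scan again, write down what changed) is easy to turn into a repeatable check. The script below is an added example, not code from the post or from the list; it parses nmap's grepable (-oG) output for two scans of the same lab hosts and reports, per host, which open ports closed, which newly appeared, and which stayed the same. The two scan texts are constructed sample lines, not real output, and the host addresses and services in them are made up for illustration.

```python
import re

# Constructed sample scans in nmap "grepable" (-oG) format. The "before" scan is
# taken prior to applying a single fix on each lab host, the "after" scan once the
# fix is in place. These lines are made up for the example, not real scan output.
SCAN_BEFORE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (996)\n"
    "Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/open/tcp//mysql///\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)

SCAN_AFTER = (
    "Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
)

# One -oG host line: "Host: <addr> (<name>)<TAB>Ports: <list>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from -oG text.

    Each port entry in -oG output is "port/state/proto/owner/service/rpcinfo/version/".
    Comment lines and host lines without a Ports field are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        entries = {}
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry; ignore rather than crash on odd output
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            entries[(int(port), proto)] = (state, service)
        hosts[host] = entries
    return hosts


def diff_scans(before, after):
    """Per-host report of open ports that closed, newly opened, or stayed open."""
    report = {}
    for host in sorted(set(before) | set(after)):
        b = {k for k, v in before.get(host, {}).items() if v[0] == "open"}
        a = {k for k, v in after.get(host, {}).items() if v[0] == "open"}
        report[host] = {
            "closed": sorted(b - a),     # the fix took these away
            "opened": sorted(a - b),     # unexpected: something new is listening
            "unchanged": sorted(a & b),  # still exposed; the fix did not touch these
        }
    return report


def format_report(report):
    """Render the diff as plain text suitable for pasting into a lab logbook."""
    lines = []
    for host, changes in report.items():
        lines.append(f"{host}:")
        for label in ("closed", "opened", "unchanged"):
            ports = ", ".join(f"{p}/{proto}" for p, proto in changes[label]) or "-"
            lines.append(f"  {label:9s} {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    before = parse_grepable(SCAN_BEFORE)
    after = parse_grepable(SCAN_AFTER)
    print(format_report(diff_scans(before, after)))
```

Running it on the sample shows 3389/tcp gone on the first host (the fix closed what it was meant to) and, on the second host, 3306/tcp gone but 8080/tcp newly open, which is exactly the kind of side effect worth a logbook entry and a second look before calling the hole fixed.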


