Penetration Testing mailing list archives
RE: VMware and pen-testing
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Sat, 22 Jul 2006 17:05:46 +0100
Hi Zach,
-----Original Message-----
From: wymerzp () sbu edu
Sent: Friday, July 21, 2006 6:59 PM

Hello, I am a student of computer science trying to learn more about the art of pen-testing. I have several tools at my disposal: nmap, enum, Metasploit Framework, Cain and Abel, etc. I obviously cannot test these against commercial networks (I could, but I certainly don't want to go to jail). I have used nmap, though, due to its unobtrusive nature. I therefore downloaded the evaluation version of VMware. I set up virtual machines with a host-only connection; furthermore, I see the virtual machines' network connections in Network Connections. I am running Windows XP. I cannot figure out, probably due to my inexperience at networking, how to connect to the machines once I have them up and running so I can run nmap scans against them (among other things). Any help would be appreciated, including links or whatever knowledge you guys could pass on.
Setting up your isolated environment for training is fine. Practice there with tools and using the information that you find on the Internet and in books, and it will give you some technical experience. Remember that technical knowledge becomes obsolete very quickly, so if you don't keep up reading and trying things yourself, your proficiency as a pentester declines with time. This is the reason many of us don't believe that saying that you have N years of experience in the field is a good measure of our current technical proficiency (a record of technical training and active participation in pentest communities, projects and forums is better for this, in my opinion).

What you don't get from your isolated environment, and something that people with N years are more likely to possess (although still very difficult to measure), is the set of non-technical skills and complementing knowledge that you need to be a good pentest professional, such as: communication and presentation skills, report writing skills, legal knowledge (you can always have a lawyer on your side to deal with legal issues, but at least you need to know when it is appropriate to call him/her), characteristics that are specific to some sectors where you might work (e.g. financial, telecommunications, retail, ...), skills to understand the business process of any company, and the most difficult of them all, dealing with other (potentially non-friendly) human beings ;-). The last one is quite hard because you are going to be in a position where, even being technically capable, it might not be in the best interest of someone that your report says certain things, so you need to be firm (being absolutely sure of the things you say, documented proofs and activities are the best way to start dealing with these issues).
But not only that, you also need to be careful about the wording in your reports and what you say, not only for legal reasons but simply because the way we say things can make our work easier or harder. So, honestly, I wouldn't worry too much about the technical part. With enough time, effort and the right background knowledge (yes, you need some background, e.g. if you are testing networks it is expected that you know how these networks work) anybody can achieve a decent technical proficiency. My only advice from the technical side:

* Avoid trying to be good at everything (you won't have enough time in your life to learn and still claim that you are an expert at testing everything); reduce your scope and select some applications, platforms and technologies for a start (if you know the fundamentals you will be able to change to others if needed; in fact, be prepared for it because technology will change).

* Avoid trying to be just a hacker. You need to act professionally, which is much more difficult than simply emulating a hacker's behavior (and that doesn't just mean getting a bunch of academic titles and certifications, though it doesn't mean those aren't useful either).

I would also put some serious effort into developing some non-technical skills. This is where I believe that the industry in general lacks an offer in training. There are many courses that include hands-on labs to assess and improve your technical skills, but there is almost no effort to assess and help improve non-technical skills. A suggestion to get the feel of what it is like: try to involve other people (include an experienced pentester if possible) and arrange some mock tests (including the whole cycle: planning, proposals, execution and reports), and then let the others act as a very critical client that tries to blow your work to pieces, in the worst conceivable scenario you can think of (if it helps, think of this exercise as something similar to presenting and defending a thesis).
For human interactions this is the best I can think of: try to get to talk to a salesperson; many of these people depend on what they are able to sell to keep their jobs, so they need to be aggressive but also very careful with what they say if they intend to sell anything. Then try to talk to people in companies that are in charge of buying products or hiring services and look at their point of view: what really matters to them and what they like and dislike about vendors. Finally, read all about morals and ethics that you can (talk to a philosopher if you wish) and try to sort out how you can combine the aggressiveness/effectiveness of the vendor (to sell your work) with solving the needs of the client and the ethical behaviour that will be expected from you. That is more or less what you will need :-). Nobody said this is an easy job and you can't achieve perfection, but you can be successful in these 3 areas of human interaction to some extent.

Last: keep reading this and other forums and participate. We sometimes have heated discussions or philosophical discussions (where everybody knows that nothing is to come out of them, which doesn't make them less interesting), but we also try to care for each other and share our limited experience and knowledge so that we all can keep learning. You can't get better training than discussing relevant things with other professionals, many of whom will know something you don't. By interacting with others you put your knowledge and ideas to the test, and this is also a way in which we all improve.

I hope this helps to answer your question,

Cheers,

Omar Herrera
Current thread:
- VMware and pen-testing wymerzp (Jul 21)
- Re: VMware and pen-testing Christine Kronberg (Jul 22)
- Re: VMware and pen-testing M Bealby (Jul 22)
- Re: VMware and pen-testing Curt Purdy (Jul 24)
- Re: VMware and pen-testing Shreyas Zare (Jul 22)
- Re: VMware and pen-testing Rory Savage (Jul 24)
- RE: VMware and pen-testing Omar A. Herrera (Jul 22)
- <Possible follow-ups>
- Re: Re: VMware and pen-testing wymerzp (Jul 24)