EH-Net

Ethical Hacking Discussions and Related Certifications => Other => Topic started by: T_Bone on July 01, 2010, 04:10:26 AM



Title: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on July 01, 2010, 04:10:26 AM
What do you guys think you need to know or be to be a Pen Test Ninja?


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: ajohnson on July 01, 2010, 08:28:26 AM
Everything :lol:

Programming, Windows and *nix systems, networking, web apps, databases, etc.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on July 01, 2010, 09:05:56 AM
Quote from: ajohnson
Everything :lol:

Programming, Windows and *nix systems, networking, web apps, databases, etc.

<ramble>
Jesus... I've been going through AT&T syntax Assembly now for a few months interspersed with JNCIS-SEC (fast track leisure study) and a hodge-podge of other things... Definitely time consuming.
</ramble>

I'd have to say the following in order:

Operating Systems
Networking
Creativity
Programming
Applications
Databases

Operating Systems
Operating systems - You'd want to obviously know your way around most common operating systems. Any and all you can learn is beneficial. I had to puke RACF stuff for a while as it wasn't commonly used. I suggest for *nix based systems, familiarizing yourself with Rosetta Stone (http://bhami.com/rosetta.html). For Windows - whatever you can get your hands on. I'm definitely not as strong as I should be for Windows based systems from the administrative side; however, from the compromise side I have no problems.

The difference in this (strength/weakness) is, on a *nix box, I'm versatile and stealthy. Penetration comes easier, believe it or not, by way of system administration. I'm familiar with the system itself. I know what perms, groups, filetypes, etc., to target. On a Windows machine there are many variables many don't take into account (DLLs, OCX, misconfigured groups, etc.).

Networking
If you don't know HOW it's connected, HOW would you know how to escalate throughout the network? Understanding networking topology, traffic patterns, packets, etc., can save you an enormous amount of time and resources not only from a penetration testing perspective, but also from a troubleshooting perspective. Imagine performing a pentest WITHOUT the usual network enumeration tools (nmap, hping, etc.). Can you garner information about another machine? How? TTL, Window Size, DF and TOS are your friends. Each OS has its own parameters, e.g.:

OS             TTL  Window Size      DF  TOS
Linux 2.2.x    64   32120            n   0
Windows 9x/NT  32   5000 thru 9000   Y   0

This is information that could be gathered using tcpdump, Wireshark... *Sniffer of choice* without having to run nmap. So think about this for a moment... Do you ALWAYS need to use NMAP? Not really. Versatility!

Creativity
Life is too short, yet too long to be doing the same old same old. Use your brain and have fun with what you do. Don't be afraid to break from the herd and try out your own thing from time to time.

Programming
Must... Any language, any time, all the time. Pick your poison. Don't let zealots stop you from learning a particular language. Each has its own pros and cons and I don't believe any specific one is better than another. There are preferences. I use a combination of perl, python, expect, shell and ruby for "scripting" and automation. Depending on what I need done, I pick one suitable for the moment. From a pentest perspective, you may need to be this versatile. For example, suppose on a pentest you escalate to a machine where you don't have a specific language - say perl or python... Then what? Can you accomplish your task with normal system commands, awk, sed, etc.?

From a "security research" point of view... Assembly (at least understanding it) helps immensely if you're into bug hunting, creating oh day, etc.

Applications
You don't necessarily need to be a grandwizard in applications; however, I suggest learning about the OSI layers instead and understanding at which intersections programs play with each other. Session Layer, Presentation Layer, Application Layer. Each has a distinct role at the end of the day and each WILL have a weakness.

DB/SQL
Personally, I feel this falls into programming. SQL syntax is pretty common across the board. Setting out to study, say, Oracle would be a full time job. Not to mention, for that you might as well become an Oracle DBA (they make a killing!). I say, understand the general syntax.

Last but not least... Again, have FUN with what you learn. If you're doing it solely for the money, you'll fail. Sure there is money to be made as a pentester, security professional, ethical hacker, NAME_YOUR_ROLE; however, when you're passionate about what you do and you enjoy it, you're likely going to retain more of what you learn and it will become easier to accomplish what you set out to do.
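The TTL / Window Size / DF / TOS idea from the Networking section above, worked through as an added example (this is not code from the post or from its author): a small passive fingerprinter that pulls those four fields out of a raw IPv4/TCP SYN and matches them against the two signature rows quoted in the post, rounding the observed TTL up to the nearest common initial value so that hops along the path don't break the match. The packets it parses are constructed inline, and the signature table is only the two rows from the post; a real sensor (or a defender baselining what talks to their network) would carry a far larger table.

```python
import struct

# Signature table transcribed from the two rows in the post above.
# Window size is an inclusive (low, high) range; a single value is (v, v).
SIGNATURES = [
    {"os": "Linux 2.2.x",   "ttl": 64, "win": (32120, 32120), "df": False, "tos": 0},
    {"os": "Windows 9x/NT", "ttl": 32, "win": (5000, 9000),   "df": True,  "tos": 0},
]

# Initial TTLs commonly chosen by operating systems. The TTL seen on the
# wire has already been decremented once per hop, so round it up.
INITIAL_TTLS = (32, 64, 128, 255)


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Extract the fingerprinting fields from a raw IPv4 + TCP packet."""
    ver_ihl, tos, _total_len, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", frame[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    df = bool(flags_frag & 0x4000)        # Don't Fragment bit
    tcp = frame[ihl:]
    # TCP header: sport, dport, seq, ack, data-offset/flags, window
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    syn_only = (off_flags & 0x003F) == 0x0002   # SYN set, nothing else
    return {"ttl": ttl, "tos": tos, "df": df, "window": window, "syn": syn_only}


def guess_initial_ttl(observed: int) -> int:
    """Round an on-the-wire TTL up to the nearest common initial TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(frame: bytes) -> str:
    """Return the OS label whose signature matches the SYN, or 'unknown'."""
    f = parse_ipv4_tcp(frame)
    if not f["syn"]:
        return "unknown (not an initial SYN)"
    init_ttl = guess_initial_ttl(f["ttl"])
    for sig in SIGNATURES:
        lo, hi = sig["win"]
        if (sig["ttl"] == init_ttl and lo <= f["window"] <= hi
                and sig["df"] == f["df"] and sig["tos"] == f["tos"]):
            return sig["os"]
    return "unknown"


def build_syn(ttl: int, window: int, df: bool, tos: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN for testing (constructed sample data,
    checksums left at zero; addresses are placeholders)."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # A Linux 2.2.x SYN seen two hops away, and a Windows 9x/NT SYN.
    print(fingerprint(build_syn(62, 32120, False, 0)))
    print(fingerprint(build_syn(30, 8192, True, 0)))
```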



Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on September 05, 2010, 04:07:17 AM
Thanks again for the information above Sil, you are on the same lines as Keatron. For those interested, check out what he thinks at the link below.

http://resources.infosecinstitute.com/ideal-skill-set-for-the-penetration-testing/


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: jason on September 05, 2010, 08:05:48 PM
As a bit of completely shameless self promotion, you could always check out the book that Tom and I wrote  ;D

http://www.amazon.com/Ninja-Hacking-Unconventional-Penetration-Techniques/dp/1597495883/ref=sr_1_1?ie=UTF8&s=books&qid=1283734970&sr=8-1

It'll be out toward the end of this month.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on September 06, 2010, 03:51:27 AM
mmm.... interesting...

Maybe we could get one of the guys on EH to review it?


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: chrisj on September 06, 2010, 01:18:39 PM
Quote from: jason
As a bit of completely shameless self promotion, you could always check out the book that Tom and I wrote  ;D

http://www.amazon.com/Ninja-Hacking-Unconventional-Penetration-Techniques/dp/1597495883/ref=sr_1_1?ie=UTF8&s=books&qid=1283734970&sr=8-1

It'll be out toward the end of this month.

I know I'm looking forward to getting it. It's just going to be a while before I get to read it. Still trying to find time to read Tom's build a lab book.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: impelse on September 06, 2010, 11:18:00 PM
I read this post but I did not pay attention to this book.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on September 07, 2010, 02:07:24 AM
@impelse

It does look good though, doesn't it? :)


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: impelse on September 07, 2010, 08:00:46 AM
Yes, it looks like a nice book to read.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 07, 2010, 03:41:16 PM
Quote
Operating Systems
Networking
Creativity
Programming
Applications
Databases

@Sil: A few months ago, I would have been shocked to see "creativity" in third place. But now, I almost feel it should be in second place... (I miss a lot of that...)

For Operating Systems, what would you say is better: Know about 20% of 10 different OS or knowing very, very well Windows and Linux/Unix? (Although Windows XP and Windows 2008 Server are quite different!)

I ask this question because I know Windows and Linux "enough", maybe 50% of each. I am about to get my hands dirty with FreeBSD and then focus more on the network side (online Cisco courses!!).

While this is certainly not a waste of time, could I use my time on more important things? (it depends of course, but still...)


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: ajohnson on September 07, 2010, 04:28:43 PM
You should put a proportionate amount of emphasis into whatever OS based on how much you work with it (or anticipate you'll work with it). The majority of our customers make heavy use of Windows-based OSes and hardly any use Solaris. Guess which one I know pretty well and which one I ask stupid questions (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6029.msg32113/#msg32113) about on online forums.

That's not to say you shouldn't learn new things and broaden your horizons just for the sake of increasing your knowledge, but it would be foolish to gloss over things that are immediately beneficial or necessary for the sake of doing so. As you said, "it depends."


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on September 07, 2010, 08:21:21 PM
"For Operating Systems, what would you say is better: Know about 20% of 10 different OS or knowing very, very well Windows and Linux/Unix?"

Seriously a tough call here so I will explain my take on this. For what it's worth and where it counts more, I say *nix based systems with my reasoning for this answer following.

Browse over to Netcraft and have a look at what most Fortune 100's are running. Take a pick at a specific industry and have a serious look at what's powering them. If you answered Windows + MSSQL, you're way off base.

Oracle + Linux or Solaris move data around for some of the biggest companies on the planet. Citigroup - Solaris; Major League Baseball, which pushes some serious databases, Solaris + Oracle.

Chase - Solaris
http://searchdns.netcraft.com/?host=chase.com&x=0&y=0

Citibank - Solaris
http://searchdns.netcraft.com/?restriction=site+contains&host=citi.com&lookup=wait..&position=limited

Bank of America - Solaris
http://searchdns.netcraft.com/?restriction=site+contains&host=bofa.com&lookup=wait..&position=limited

Chevron - Linux
http://searchdns.netcraft.com/?restriction=site+contains&host=chevron.com&lookup=wait..&position=limited

AT&T - Linux
http://toolbar.netcraft.com/site_report?url=http://www.att.com

And the list goes on. This is not to say that Windows isn't used, but it's not truly used where the cash is flowing. This is where you'd want your client-base, where they won't balk at your fees as a pentester. Government work? Solaris + Other nix variants all the way.

With that said, this is the server side, where the most precious data is housed/stored/transmitted. In the office environment, Windows rules, but the harsh reality is, somewhere along the lines you WILL need to know *nix based systems. So ask yourself, do you want to pentest a webserver or some local desktops for a "fistful of dollars", or would you rather go with where you'll not only earn some serious money, but get around to playing with "big boy toys"?


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on September 08, 2010, 03:20:12 AM
I know this response is not within the scope of this thread but just have to say.. SIL is like a god... everywhere I see a post from SIL on EH I just have to read it even if I am not specifically interested in the topic  :)... what does SIL stand for SECURITY I LIVE?


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 08, 2010, 08:28:47 AM
Quote
Oracle + Linux or Solaris move data around for some of the biggest companies on the planet. Citigroup - Solaris, Major League Baseball which pushes some serious databases, Solaris + Oracle,

That's exactly what I thought. In the government, I have seen many internal servers using Windows/MSSQL Server while their internet facing boxes have Solaris, Linux or AIX, all backed by Oracle.

But what about FreeBSD, OpenBSD and NetBSD? Have you seen them at least a little bit around? I haven't...


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on September 08, 2010, 08:57:58 AM
Quote from: H1t M0nk3y
But what about FreeBSD, OpenBSD and NetBSD? Have you seen them at least a little bit around? I haven't...

At one point in time, Yahoo was FreeBSD down as was Hotmail. BSD usage is there, it just doesn't have as big a footprint (http://uptime.netcraft.com/perf/reports/Hosters?orderby=os_name) and you have to understand the business market to understand why... People want support and with Linux, there is a better chance to find a distribution with pay for play support (Redhat, SuSE, etc.) whereas the BSDs are mainly "you're on your own." During the late 90's I worked exclusively on clusters of FreeBSD and Solaris spread out over 200+ servers. Linux wasn't even a thought to any of us at the time. My personal server for my website is running FreeBSD (http://uptime.netcraft.com/up/graph?site=infiltrated.net). I moved away from Solaris because my machine was too big and bulky. When I threw up Infiltrated I started with a Netra X1, moved it onto a Netra 240, then took it off of the machine entirely because of the power consumption and rackspace abuse (was too big).

Usage of BSD is not as big as Linux or Windows but it is a rock solid operating system once you can get past the distro zealotry (my BSD is better than yours!). Each has specific uses - even though they all can do the same thing - with Open obviously focused towards security, FreeBSD being the "everything" of them all, Net being able to run on everything from a server to a toaster (http://www.embeddedarm.com/software/arm-netbsd-toaster.php). Many people are intimidated by BSDs and often get comfortable with an INSERT_SOME_buntu Linux distribution. To me there are slight differences in the syntaxes for applications. Other than that, if you've used one, you've used them all. That is with the exception of DragonFly BSD, which is aimed at keeping things *Linuxlike*.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 08, 2010, 09:15:45 AM
Thanks Sil!


I think I will install OpenBSD on my internet proxy with my firewall and Snort. This way, I will learn "a little bit" how it works and get to know my way around without spending hours understanding all its details.

So as a conclusion and to come back to the thread topic, you don't necessarily need *BSD to be a Pen Test Ninja, but it doesn't hurt!


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on September 08, 2010, 10:35:56 AM
Quote from: H1t M0nk3y
So as a conclusion and to come back to the thread topic, you don't necessarily need *BSD to be a Pen Test Ninja, but it doesn't hurt!

As I said before ;) It all depends... It will depend on what your core targets are in the MAJORITY. For example, if you wanna be like somebodydynamik we know and travel all over the country from company to company, chances are you will WANT to know it. You're never going to be in the same environment, so it is good to know as it will save you a lot of time and frustration. Now, if you have a core set of clients or work specifically on, say, a red/blue team for a corporation, you can slack off a bit. The answer is it seriously depends.

When I tinkered/tampered with QNX (Neutrino is strange), I did so because a client of mine had servers and desktops running it. QNX is expensive and has a unique learning curve, but not too far from BSD+BeOS, so it was easy for me to get a grasp on it rather quickly. Did I want to learn it? Not really, but I was better off in the end because of it.

Tinkering with as many operating systems as you can from an ADMINISTRATOR'S perspective should give you enough to accomplish the most fundamental tasks to validate a pentest... Pop a box, escalate, leave a token, copy the password file, etc.; you should know enough at least to run rudimentary commands (even a Jr. Admin level suffices to some degree).


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: mallaigh on September 08, 2010, 11:42:03 AM
Quote
So as a conclusion and to come back to the thread topic, you don't necessarily need *BSD to be a Pen Test Ninja, but it doesn't hurt!

As I said before ;) It all depends... It will depend on what your core targets are in the MAJORITY.

I just wanted to help support what Sil is saying here about *BSD. The company I work for (we have a couple of high traffic sites) runs on a FreeBSD cluster and Oracle+Solaris. FreeBSD is super stable and is excellent under load (beat the popular Linux flavors in our performance tests), which is why we run it. Basically, you could run into a *BSD depending on the company's goals/needs. I agree it isn't a bad idea to know your way around *BSDs.

Note: *BSD != Linux.  Although they share similarities, you will learn that many "linuxisms" are frowned upon in *BSD. 


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 08, 2010, 03:50:27 PM
There are so many things to learn! But one of the BSD family is on my list of TODOs.

Again, my plan is to start using it for some tasks, like a web proxy or a victim machine in my lab running apache, or a database server, etc... I am in no rush, so I will use it to learn/do something else. Within a year or two, I should be able to know my way around.

Which one should I start with? FreeBSD, OpenBSD or NetBSD? (I know it depends ;), but as a target machine for example?)


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on September 08, 2010, 04:04:20 PM
FreeBSD is the easiest to get up and running. Personally, I would suggest NetBSD followed by Open followed by FreeBSD. I say this because FreeBSD over the years started adding one too many programs and package management tools similar to the point and click apt-get/yum install/yast, which is handy, but for one to seriously learn, I personally think one should sit through the pains of compiling everything.

1) You can get more granular
2) Oh those errors... Installing from tarballs is a pain but you gain a lot of experience having to edit includes, makefiles, etc.
3) apt-get update kernel? WTH? Do it manually

I had some interviews where I asked the candidates how would they update a Linux kernel WITHOUT any package management tools... Their responses:

"You can do that?"
"Go to kernel.org and download a precompiled kernel"
"I don't know"
"What do you mean"

There are times when, say, you might need to load and unload a module; sometimes it pays to understand how things are done. E.g., suppose you made a specific module that targeted something... How would you load it on a BSD based system? How would you unload it? What's in /proc on both systems (BSD/Linux)?

Sometimes it pays to get the punishment out of the way


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 09, 2010, 11:03:45 AM
Quote
I would suggest NetBSD followed by Open followed by FreeBSD.

I understand why I should go after NetBSD and OpenBSD before FreeBSD, but why NetBSD first over OpenBSD?

Thanks a lot Sil...


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: mallaigh on September 09, 2010, 12:04:57 PM
Quote
I would suggest NetBSD followed by Open followed by FreeBSD.

I understand why I should go after NetBSD and OpenBSD before FreeBSD, but why NetBSD first over OpenBSD?

Thanks a lot Sil...

I think Sil is recommending NetBSD because OpenBSD is designed to be secure by default.  Basically, the developers of OpenBSD assume the user/system admin know nothing about security and try and make the system as secure as possible out of the box.  When a system is secured for you, you aren't learning how to edit the configuration files to lock down the system.  Basically, a lot of the configuration tasks are already done for you in OpenBSD.

Fun fact: OpenBSD is a spin-off of NetBSD.


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: sil on September 09, 2010, 02:35:34 PM
Quote from: mallaigh
I think Sil is recommending NetBSD because OpenBSD is designed to be secure by default.  Basically, the developers of OpenBSD assume the user/system admin know nothing about security and try and make the system as secure as possible out of the box.  When a system is secured for you, you aren't learning how to edit the configuration files to lock down the system.  Basically, a lot of the configuration tasks are already done for you in OpenBSD.

Fun fact: OpenBSD is a spin-off of NetBSD.

Open is rock solid for security. Even though its main author can be difficult and misunderstood, OpenBSD is my first choice at running secure ANYTHING just because, right out of the box, one would have a hard time doing much against it. With that said (difficulty), why waste time unless you're into BDSM + Hacking - you're looking at a mental beating attacking OpenBSD as an operating system. This does not exclude human error (misconfigurations).

FreeBSD + NetBSD have more flexibility installing applications and accomplishing things, whereas with Open, you have to literally fight with it at times to compile things. It will spit out warnings against insecure software, won't allow certain calls to be made if done improperly. It's seriously audited, which makes it a horrible move to learn anything from. IF ANYTHING, you learn that a proper framework and mental state leads to good security - which is what Open achieves above everyone else.

NetBSD before the both because if you're on a budget... Jesus, NetBSD will run on just about anything on this planet.

FreeBSD last because FreeBSD can be bloated and overwhelming with "WTH" kind of quirks that, if one is not used to them, would keep that person frustrated.

Bear in mind here, when I think of pentest on this forum and most of my posts, it's not on a "fire and forget" method. I would hope some would take heed to things like defense as well. Offense isn't everything; in fact, by understanding defense, you learn how to build a better offense ;) Make sense?



Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: H1t M0nk3y on September 10, 2010, 08:42:18 AM
Great explanation Sil, thanks!

So be it, NetBSD then OpenBSD then FreeBSD. I will start this weekend.

So much to learn :P but so fun at the same time!!  ;)


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: MindOverMatter on November 10, 2010, 07:05:17 PM
A LOT of time and dedication, an open mind, tight lips and confidence, mixed with a tad of paranoia ;)


Title: Re: What do you think it takes to be a Pen Test Ninja?
Post by: T_Bone on November 17, 2010, 09:44:10 AM
@ MindOverMatter

Thanks for replying to the original thread as it has appeared to take a detour down the *BSD road  :)