Ethical Hacker Community Forums
December 02, 2008, 08:55:19 PM
Show Posts
17
|
Resources / Career Central / Re: So, pentester, what do you do?
|
on: January 16, 2007, 04:33:14 AM
|
|
Cheers Shawn,
I'm glad to see there's a sizable portion of testing new things in there. Too many jobs have "keeping up to date with new technology" in the job description then give you no time to do it in work (I'd be doing it anyway, but it's nice to see it recognised).
Thanks, plik
|
|
|
|
|
18
|
Resources / Career Central / So, pentester, what do you do?
|
on: January 09, 2007, 05:23:43 AM
|
Since I'm looking at this as a career path I wanted to ask "what's an average day at work for a pentester?" I know the answer will vary from job to job (and skill set), but I'd like to know the range of tasks out there. Do you just run standard tools against an IP? Poke holes in web apps by hand? Social your way into a building and install hardware keyloggers? Spend 80% of your time writing up reports? Is your life more "Office Space" than "WarGames"? Obviously I'm after generals rather than NDA-breaking specifics.
Thanks, plik
|
|
|
|
|
19
|
Columns / RichM / Re: [Article]-RichM on BCP and Free Apps Like Spiceworks
|
on: January 09, 2007, 05:11:53 AM
|
|
What's the accuracy like? I've used two similar things: the first was a very cheap bit of software that I can't remember the name of, which missed about 1/3 of installed apps. The other, M$ SMS, would report multiple copies of Office etc., making any reports practically useless.
|
|
|
|
|
20
|
Ethical Hacking Discussions and Related Certifications / Hardware / Re: Securing Your Network from Scratch
|
on: December 23, 2006, 07:59:24 AM
|
I'll have a pop at this. Most of this is based on what I know and am comfortable with now; in real life there'd be a lot more training and research into new tech etc.
$20,000 (~£40,000), 5 - 20 users
Servers: fairly middle-of-the-road servers: HP DL380 or similar, Win 2k3 R2. Couple of DCs, one file and print, maybe one SQL if needed, one Exchange box, one backup/AV/patch box, one web running Apache 2 on Red Hat and one for Asterisk VoIP. What's that about so far, £15k inc. licences?
Workstations/Desktop: Bog standard, off the shelf, running XP SP2 (I'm not touching Vista with a barge pole for the next year or so), locked down to the point of being almost unusable through AD. Except mine, which would be the top of the line with as much memory as I could cram into it, dual booting XP & Slackware, maybe Ubuntu. That takes the total up to about £25k.
Infrastructure: 2Mb ADSL moving up to 4 or 8 as needed. Cisco 1700 series router feeding into PIX 515e (probably overkill, but DMZ is so easy with it and it will scale nicely when I need hot failover on a fatter pipe later), 48 port 3560 series for PoE to VoIP phones, one gig switch for server (may be a Cisco Express as I'm running out of cash now...). All switch ports hard coded to accept one MAC. AC in server room.
That's about me spent up; if there's anything left I might treat my workers to a desk or two, maybe even a chair. Most of the money spent at this level would be actual kit to get the company running, the security coming mostly from policy and configuration.
$100,000
More of the same, scaling up with the users, maybe letting them have laptops if needed, but if wireless, certificates and RADIUS, EAP. If VPN is required by now, RSA-type tokens. IDS sat somewhere, one in the DMZ first, maybe a second on the internal network.
$1,000,000
Now we're talking! Put half of it to one side, we'll come to that in a second.
Probably move a few of the servers to blades, for heat and space reduction, hot swappable/failover everything, two net pipes from different providers. Move some of the services off Windows and on to *nix. Probably buy some nice Macs for the arty types in the design dept. Couple of machines in the networks as honeypots. IPS installed (Cisco self-healing network? with the client on the workstations that stops your machine from getting on the network if you're not patched up to the eyeballs - I forget the app's name). OpenView running to keep an eye on things.
The half I put to one side would be given to HR and the legal dept to handle the occasions when we're sued/have to rehire because I've sacked people on the spot for leaving passwords on Post-its, propped open security doors with old power supplies, left hard copies of confidential info in bins without shredding and generally done all the stupid things that you can't control with technology.
|
|
|
|
|
21
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Pick a cert, any cert
|
on: December 22, 2006, 05:30:38 AM
|
|
Well I got them to agree to paying for the Sec+ and CPTS exams (no training tho' boo!) and giving me some time to study which is a win! The trade off was doing ITIL and Project Management training too, which don't grab me but will keep them happy and look good on the CV. (there was also a rather ominous sounding "and any other training we think you'll need"....)
Thanks again guys for the input.
plik
|
|
|
|
|
22
|
Features / Book Reviews / Hackers Challenge [1-3]
|
on: December 21, 2006, 05:59:12 PM
|
I'm halfway through the latest of this series: http://www.amazon.com/Hackers-Challenge-Incident-Response-Scenarios/dp/0072193840/sr=1-1/qid=1166744321/ref=pd_bbs_sr_1/105-7574492-3466844?ie=UTF8&s=books and I thought they could do with a mention here.
Each book has 20 scenarios and the story that goes with it, presented with all the info you need to work out how the intrusion happened (the excerpts from logs, clues dropped into the dialogue, etc.). At the start of each chapter you get a breakdown of attack/prevention/mitigation difficulty and at the end you get a few questions on things like how it happened and which machines were compromised. The second half of the book supplies you with the answers in the same story style.
Each scenario differs from the others, ranging from insecure Wi-Fi connections to SQL injection to someone getting socialed. It's also interesting that as the series has gone on they've changed the problems to fit with the bigger security issues of the day (book 3 has quite a few phishing-related chapters whereas book one, that's been out for about 5 years, has none).
The problems aren't going to tax the more advanced security expert but they're a nice change from doing a crossword or sudoku and might introduce the novice reader to one or two things they'd not considered before. It's also good for the beginner as you just get a small amount of the logs rather than page after page, so it's quite easy to spot the relevant entries even if you don't know what it means or why it happened.
They do have a big "from the people who brought you Hacking Exposed" on the front cover, but I think that really refers to the publisher (I'll check the authors when I get home).
|
|
|
|
|
24
|
Features / Opinions / Re: Linux vs Windows
|
on: December 21, 2006, 06:48:14 AM
|
|
From a general admin point of view (and I do hate to say this because I love my open source), I prefer Windows. Although that may be down to the lack of enterprise Linux experience.
But from a more hacker point of view, use the right tools for the job: Windows, Linux, OS X, whatever. At home I use all of them but tend to use OS X more than others. Why? It does *nearly* everything I could do on a Linux machine, but I don't have to worry about whether I'll have to reinstall a bunch of stuff next time there's a gcc update (I had a bad experience with Gentoo) AND my wife thinks it's pretty enough to get her email on (and I don't have to worry about the state of it when she's done with it). That might not be the best business case for moving to Mac if you're due a technology refresh soon though.
|
|
|
|
|
25
|
Features / Opinions / Re: Favorite Anti-Virus, IPS and IDS
|
on: December 20, 2006, 05:32:38 AM
|
|
I'd give my vote to Sophos: very simple to set up and the enterprise manager is very intuitive. I'd back RichM with the different product on your gateway; belt and braces might not be stylish but stops your pants from falling down. There are even single products that use multiple scanning engines out there.
There are several routes when it comes to web filtering: black/white lists, content scanning, clever AI that combines a bit of everything. If you're looking at playing at home and not having to shell out five or six figure sums then have a look at DansGuardian and/or squidGuard. We've just implemented Netsweeper here for a huge amount of users and it seems to be a lot more robust than Symantec IGear (now deprecated) that it replaced. Damn sight quicker too.
Again, if you're just labbing stuff up at home, then you can't go wrong with Snort: binaries available for most OSs (if you're using OS X it's called HenWen) and huge amounts of tutorials online and books out there.
|
|
|
|
|
27
|
Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Wiki Spam
|
on: December 19, 2006, 05:27:37 PM
|
|
It is possible to get Googlebot to do these kinds of things; they're all GET requests that you've posted there. Now I've no idea how you'd get it to carry session info, unless it's all done within the arguments of the URL.
But a page of nefarious URLs in a web page submitted to Google to crawl and voila, Googlebot's the bad guy. I've seen it done with SQL injection.
|
|
|
|
|
29
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Pick a cert, any cert
|
on: December 19, 2006, 04:48:44 PM
|
What part of security do you want to get into is the main question? Depending upon that reply the certs to go for may change.
That's the thing, I'm not totally sure. Closest things to security I've done have just been bits of roles in the past, it's been server and data, currently it's more internet/network security, but I've always had a thing for finding holes in things so pen test would be a logical step. I do spend time with IDS and honeypots/nets at home, I also like following the latest ways the underground find to keep under the radar (but I never find out until it's on the radar!) but I've not got any expert knowledge in any one field so doubt I could get into research. Forensics might be another path; it seems a bit sadistic but give me a dir of logs or packet captures and an incident to piece together and I'm a happy bunny.