Getting into Pentesting, using this strategy?

    • #7455
      pharmerjoe
      Participant

      I read this and was intrigued. I have decided to learn from the ground up again, and I’m on the networking books currently. Just wondering what you guys think of the pathway this guy set out to become a competent pentester, as it’s the first time I’ve seen someone actually take the time to set out a complete pathway with specific examples and references. While there is no right answer to the question, it sure does help to have someone experienced who has laid it out like this.
      http://www.infiltrated.net/pentesting101.html

    • #46544
      unicityd
      Participant

      Most of that guide is about building IT skills generally rather than pentesting skills specifically.

      There is a big jump in difficulty from Step One (learn the OSI layer) to Step 2 (read five non-introductory Cisco books).  I’d recommend getting the CCNA study guides from Cisco (two volumes) and also Practical Packet Analysis (once you get further in).  Once your Cisco and TCP/IP skills are solid, pick up the Cisco security titles the guide author mentions.

      I don’t know what Linux books are considered good right now, but get Absolute BSD if you want to learn FreeBSD.  For programming, check out http://programming-motherfucker.com/become.html .  Learn Python or Perl to start.  Along the way, plan to learn C and SQL to a basic degree.  You need to understand how to read code, craft SQL statements, and automate basic tasks.  If you want to be a good programmer and develop complex tools, put aside everything else and just program for a couple of years.

      The guide author suggests building a lab and learning to hack them from Bugtraq posts, but I think you should start with a book so that you have a little more structure.  I’ve read several Hacking Exposed volumes and enjoyed them.  Others have recommended Counter Hack, and Professional Penetration Testing Vol. I by Thomas Wilhelm.  Professional Pen Testing is probably your best bet to start: it actually focuses on setting up a lab and learning with it.  After you’ve read one book, read another and spend more time reading the mailing lists.  Read lots of articles, Google, play.

    • #46545
      Dark_Knight
      Participant

      hmmmm why not direct your questions to the author himself………Sil where u at  ;D ;D ;D ;D

    • #46546
      sil
      Participant

      @unicityd wrote:

      Most of that guide is about building IT skills generally rather than pentesting skills specifically.

      Curious to know what you perceive as being an overall good pentester? My definition of a thorough, good, and reliable pentester is someone who is versatile, can adapt and is experienced in a wide array of technologies. Because SECURITY is nowadays a broad term, I noticed that far too many pentesters are nothing more than tool-testers. Tool testers who know little about the layers associated with what they are doing. This is why many fail and this is why the current market is saturated with individuals running metasploit, Nessus, GFI and other tools passing themselves off as pentesters.

      Books like Counter Hack Reloaded, Hacking Exposed and Professional Penetration Testing offer you examples on “staged” systems. Systems that are loaded for you to be able to compromise. While they have their place, they are minimal in real world exploitation and often the exploits used in those books are worthless. Many are written from the LAN perspective, as nmap’ing a CIDR nowadays gets you nowhere.

      When I wrote penetration testing 101, it was meant to introduce people to systems administration, networking and then security. Many in fact, I want to say 75% of the so called penetration testers I have met, spoken with, picked their brains are little more than tool jockeys. Without their tools, they’re lost. They know little about what to do in the event they become tool-less so what is their real value?

      Let me put you in a “cyberwarfare” scenario right now. You’re deployed to a foreign country, your platoon is under fire and the enemy is jamming your signals. You managed to get hold of an enemy’s laptop. It’s a Tadpole running Solaris… What do you do? Call it a day because 1) you don’t know Solaris 2) you don’t know the common tools on Solaris 3) call it a day because you don’t know or understand what IKE is, or what aggressive versus main mode is? What do you do?

      Let me give you another real world example, you’re thrown into ANY environment that is contained on say a C2 style level of security. You cannot install ANYTHING, IPS is logging via syslog remotely. How do you get in and out undetected without using your favorite tool of choice?

      The reality is, most SYSTEMS contain all the tools you would need, you just have to know what tools are doing what and have a thorough understanding about different layers of the OSI. How things interconnect, what is responsible for what. This is the reality of pentesting. Not a quick nmap scan followed by metasploiting. This is real world when in the real world, the system you are analyzing/testing/compromising will have security mechanisms to detect you, there may be a live individual halting or slowing down your progress. Not some “fire and forget” voodoo you see in a book.

      It takes more than labs to make a good pentester. Labs are like shooting fish in a barrel. Trying to “replicate” your target is worthless since you will NEVER have the same configuration files, accounts, network layout and so forth. So while you can wet your feet with content in books like CounterHack reloaded, that’s all they’re really good for.

      When I took my RWSP exam, for those who’ve done the OSCP, think of it as the OSCP with an enemy on the fly countering you. It was a seriously hard exam. While I took it, no one could figure out what I was doing and where I was coming from because I followed NOTHING from a book. Everything was improvisation. I still accomplished my objectives during that exam and that to me makes a good pentester. Someone who you can plop into a drop zone with zero that can accomplish their objective. Not someone who’s proficient at metasploit, or scapy, or Nessus. On the counter, I would see those tools a mile away and you’d be stopped dead in your tracks.

    • #46547
      Triban
      Participant

      I want to spend a day with Sil  ;D  A lot of folks believe they can just jump into pen testing, but it is not an entry level environment.  You need a good base to build on and that base comes from working the trenches and building up a good chunk of knowledge.  OSI is a great example, it is reviewed in every entry level cert and even in some higher level certs.  It is everything we work with.

      One thing I would like to say about tools like nmap and such is it makes the job easy for those who know how to do it the hard way.  Time savers I suppose.  Way back when I would teach teachers how to build web pages.  First thing I would do is give them a primer on coding HTML.  I explained it that if you know the code, then it is much easier to tweak your pages.  Learn the code and use the tools like Dreamweaver to save you time.  Then go in and tweak.

      The advanced attackers are not always using pre-made tools.  They are writing custom code and in some cases doing it on-the-fly.  This is why the defenders are having a tough time catching some of these targeted attacks.  Tools will not always help.  Knowledge will.  Oh, why is that packet attempting to go out on TCP 53???  etc…

    • #46548
      dynamik
      Participant

      @3xban wrote:

      I want to spend a day with Sil  ;D

      Maybe the next monthly giveaway should be a dinner date 😉

    • #46549
      sil
      Participant

      @ajohnson wrote:

      @3xban wrote:

      I want to spend a day with Sil  ;D

      Maybe the next monthly giveaway should be a dinner date 😉

      I’m actually working and have been working on getting some stuff together a-la Moodle and GoToMeeting to train people but it’s not based on any cert. More like a “hacking without borders” type of class using Rosetta Stone-like methods of penetration testing, forensics and counterforensics all rolled in one. Zero fluff and no re-hashed information, but not sure of the appeal it would have since there would be no cert to achieve in taking the course.

      Been throwing the idea around for some time, actually made the Moodle site, some modules, and so forth, just been swamped with other training priorities.

    • #46550
      unicityd
      Participant

      Most of that guide is about building IT skills generally rather than pentesting skills specifically.

      Curious to know what you perceive as being an overall good pentester? My definition of a thorough, good, and reliable pentester is someone who is versatile, can adapt and is experienced in a wide array of technologies.

      I didn’t mean to imply that general IT skills weren’t necessary. I was only commenting that your tutorial assumes that someone is starting from the beginning rather than from a strong networking/sysadmin skill base.

      So while you can wet your feet with content in books like CounterHack reloaded, that’s all they’re really good for.

      No argument there.  I think the road you laid out would be a little hard-going for a beginner and many people would be better served by reading a book or two first to give them a bit of a foundation.  I wouldn’t expect anybody to become a professional anything just by reading a book.

    • #46551
      sil
      Participant

      @unicityd wrote:

      I was only commenting that your tutorial assumes that someone is starting from the beginning rather than from a strong networking/sysadmin skill base.

      I did label it “Pentesting 101” and I did start off by stating: “so you want to break into…” (which, now that I think about it, is ironic)… There was no assuming when I wrote it; it was to give people a primer on which route to go.

      Even if I had NOT done so (started with the “newb” commentary), weeks 19 and up covered a lot more than most networkers and sysadmins know about, and I based that on experience.

      I’ve been meaning to actually update and or modify that entire thing, but my ADD/ADHD and cluster***k schedule won’t allow for it.

    • #46552
      Triban
      Participant

      @sil wrote:

      I’m actually working and have been working on getting some stuff together a-la Moodle and GoToMeeting to train people but it’s not based on any cert. More like a “hacking without borders” type of class using Rosetta Stone-like methods of penetration testing, forensics and counterforensics all rolled in one. Zero fluff and no re-hashed information, but not sure of the appeal it would have since there would be no cert to achieve in taking the course.

      Been throwing the idea around for some time, actually made the Moodle site, some modules, and so forth, just been swamped with other training priorities.

      That actually sounds pretty cool.  Certs are just a bonus to some of those decent technical courses, honestly the main reason I am currently taking eCPPT is just for the knowledge.  In my market it is not that well known of a cert.  But the content is decent and a great way to get a better understanding of the material.

      As for what you are trying to do, I think that would be a great way to learn.  Then afterwards the students can take that knowledge back to their current jobs and make their pen tests worth that much more, or for the beginners to go and maybe pursue some entry level certs.  I look forward to hearing more about this when you find time in the busy schedule.

    • #46553
      lynoharvey
      Participant

      Hi,
      As someone trying to break into security I have found this thread really insightful.
      I have an MSc in forensics but it is not enough on its own. I look at all the certificates there are and all the areas of knowledge and it is hard to decide which to do or look at first.
      After reading this thread I realised that I am often overwhelmed because there is so so much to learn. However that is the nature of the beast and probably any of the certificates help.
      I appreciate Sil’s comments on the importance of knowing the technologies and think that is a very important point.
      all the best

    • #46554
      RichFalcon
      Participant

      Hi lynoharvey,
      I agree with you. There is so much to learn. I am at a crossroads right now. I’m trying to get my foot in the door but do not know what direction to go in or where to start. App Security and Forensics are the most interesting to me. So I may continue on the EC-Council route and get the CHFI or get a Masters. Where did you go for your Masters?
      The advice Sil offers at his site is great. Thanks Sil.

    • #46555
      dynamik
      Participant

      You guys need to focus on getting into the professional market place ASAP and stop trying to land your dream job right out of the gate. It will probably be extremely humbling to go for an entry-level position when you have an advanced degree, but the sooner you can start gaining any experience, the better (i.e. even saying you spend 20% of your time configuring access controls or managing firewalls is going to look better than someone that only has certs or college coursework). A certification or degree isn’t just going to magically open doors for you, and honestly, you’re going to be selling yourself short if you move right into a very focused security position without first establishing a well-rounded background.

      Edit: If you’re feeling overwhelmed, you’re more concerned with reaching a destination (i.e. knowing everything about everything) than simply enjoying the journey. You’re never going to achieve the former, so quit wasting your time worrying about unrealistic goals and focus on enjoying whatever you can learn by the end of the day. It’s about attitude and perspective. If you’re making yourself miserable, you’re doing something very wrong.

    • #46556
      hayabusa
      Participant

      ^ ++1  🙂

    • #46557
      sil
      Participant

      @ajohnson wrote:

      Edit: If you’re feeling overwhelmed, you’re more concerned with reaching a destination (i.e. knowing everything about everything) than simply enjoying the journey.  … If you’re making yourself miserable, you’re doing something very wrong.

      Just reminded me about a post I recently read on another forum. Individual wants/intends on spending 7 days a week on CCIE labs (avg of 3-5 hours per with weekends at 8-11 hrs per day). I felt sad for the person because he will likely fail from burnout. I’m still (yes still after a decade) on CCIE Security studies and jump in and out of CCDE studies but I am not even planning on taking either cert (evar!). I went that approach about 6 years ago (20+ hours studying) and it got tiring very fast and there was so much lost from jumping too quickly into things.

      But I agree, starting off small if you have zero experience is the best approach. I still feel the methodology I wrote was a great approach in the sense that whoever would follow it has a lot more options than falling flat on their behinds… They learn systems, networking and so forth. Even at work I still play the role of Network Admin/Network Engineer/Network Architect, Systems Admin/Engineer/Arch, VoIP Architect/Admin/Engineer/Analyst, Forensic IR/Analyst/Investigator… But I work at an MSSP so it’s different for me.

    • #46558
      Triban
      Participant

      @hayabusa wrote:

      ^ ++1  🙂

      and another ++1, great point ajohnson!  Security is not an entry level job.  Those that can swing past the HR screens and senior management to tag a manager spot will need to tread lightly around the technical team.  Nothing loses respect more than an ISO/CISO trying to tell the technical team with years of experience how to do their job when the manager clearly has no idea what they are doing.

    • #46559
      RichFalcon
      Participant

      Thank you all for the great advice. I’ve been looking for entry level positions but they are hard to come by in a small city. In the interim I will take this advice to heart and start off small. Thanks again.

    • #46560
      T_Bone
      Participant

      @3xban wrote:

      @sil wrote:

      I’m actually working and have been working on getting some stuff together a-la Moodle and GoToMeeting to train people but it’s not based on any cert. More like a “hacking without borders” type of class using Rosetta Stone-like methods of penetration testing, forensics and counterforensics all rolled in one. Zero fluff and no re-hashed information, but not sure of the appeal it would have since there would be no cert to achieve in taking the course.

      Been throwing the idea around for some time, actually made the Moodle site, some modules, and so forth, just been swamped with other training priorities.

      That actually sounds pretty cool.  Certs are just a bonus to some of those decent technical courses, honestly the main reason I am currently taking eCPPT is just for the knowledge.  In my market it is not that well known of a cert.  But the content is decent and a great way to get a better understanding of the material.

      As for what you are trying to do, I think that would be a great way to learn.  Then afterwards the students can take that knowledge back to their current jobs and make their pen tests worth that much more, or for the beginners to go and maybe pursue some entry level certs.  I look forward to hearing more about this when you find time in the busy schedule.

      This sounds excellent Sil, I really couldn’t care less about getting a certificate of any kind, all I care about is gaining the knowledge from yourself. Keep us updated 🙂

    • #46561
      lynoharvey
      Participant

      Hi
      Falcon, I wish you luck in your efforts at getting a job. I would be interested to hear how you get on as time passes.
      I am currently doing volunteer IT work with a charity. I really enjoy it and I am learning lots at the same time.
      In the UK people are not taking their jobs for granted at the moment and many people in all types of careers are having problems finding work. I am not sure what the situation is like in the USA.
      Many people on the Masters were taking the course to boost their chances in the employment market. I did the course at De Montfort and I also did a year’s placement in the IT department of a large organisation.  The Master’s was challenging and expensive and it definitely takes a lot of effort.
      I think it was worth doing and I am proud of the achievement but there are other ways of learning. I like the look of the Sans courses and am saving up to take one or even challenge one of them.
      One thing I do enjoy is doing some of the challenges that are posted on the Internet. On this forum someone has posted about the Honeynet Challenge; I am also taking part in the US Cyber Security Challenge and also the UK version, and also the Forensic Challenge. They are all free and open to everyone whether you have been years in the profession or not.
      I enjoyed Sil’s web guide because it gave an experienced view of what is helpful in the path towards a security role.

    • #46562
      RichFalcon
      Participant

      Thank you lynoharvey,
      I think it’s great that you volunteer your time and services.
      Today I applied for two entry level Security Analyst positions. The company is asking that CISSP cert is obtained within six months of hire.
      Even though this is a small city the job market isn’t bad here.  I will probably put off an MSc. Hopefully I can get on with a company that will pay part of that.

    • #46563
      lynoharvey
      Participant

      Hi Falcon,
      I wish you good luck with your applications.
      I am currently going through the graduate recruitment process for a large networking organisation. If I get the post I will be over the moon.  I enjoy anything to do with networks and think security is a part of any job in this area. If I don’t get it I will just keep applying for jobs.
      take care

    • #46564
      Anonymous
      Participant

      I agree with a lot of the comments here; just to give you an idea of my situation. I left uni and all I wanted to do was work in pentesting. I was lucky enough to get a break with a company only to find there was a big gap in my learning. The company sadly had to let me go as they felt I was not ready to be put out as a consultant so they could not make money from me. I am now trying to work on the areas I identified where I need some improvement.

      Getting a job in security is no easy task and I would say you’re better off getting a job as helpdesk or sysadmin and trying to work your way into security than leaving uni and getting a job in security straight away, unless you’re lucky and get in with a big company that can afford to spend money on training you.

Copyright ©2020 Caendra, Inc.