.

Help me understand

<<

Preestar

Newbie
Newbie

Posts: 14

Joined: Sat Sep 24, 2011 3:59 pm

Post Sat Sep 24, 2011 4:09 pm

Help me understand

First off, hello all I have some questions about what skills network pen testers have to have and which you need to be able to do you job effectively.

Should I be learning programming? Can a network pen tester find exploits in a network, fix them and know how to avoid more attacks in the future or would that require the pen tester to know a programming language, write some code and apply the fix?

A prime example are a group such an anonymous or lulzsec who hack into networks and websites, gain access to databases and all sorts.

When I think of programming I think of making applications but with so many applications out there already, why would you need to make your own?

I think 90% of hackers exploit websites in order to get into servers and databases? So maybe a strong understanding of a web based language would be good to learn so I can search for exploits, patch them and avoid more attack in the future?
<<

Preestar

Newbie
Newbie

Posts: 14

Joined: Sat Sep 24, 2011 3:59 pm

Post Mon Sep 26, 2011 7:25 am

Re: Help me understand

Anybody?
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Sep 26, 2011 10:29 am

Re: Help me understand

This is a very common question on the forums. Do some searching and pay particular attention to Sil's post. He's spent time compiling a long list of what you need.
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Sep 26, 2011 11:04 am

Re: Help me understand

Good short answer, in my opinion, a good pen tester should have experience in many disciplines since it is never known what you will be asked to do.  As for remediation, absolutely, if you discover vulnerabilities that are exploitable then your report should include steps to fix or prevent exploitation of the vulnerabilities.  Some are not simply fixed by patching but configuration.  As for knowing how to program, well knowone expects you to code Operating systems, but if you have that knowledge on top of networking and web app testing, well you may have a pretty good arsenal to throw at the environment.  I think now-a-days most IT security folk come from one background or another, there are few that come right out of gates as security pros.  Though if we were all doing our first jobs correctly, many of us could say we've been practicing security for how ever many years.  But now we get to concentrate on it and our opinions tend to mean more to management when they come from someone with a Security title.

So learn some code, learn about networking and learn your systems.  Learn how to use some tools to help you figure out the best path of exploitation.  Learn how to hack people.  If you are lucky enough to be part of a pen testing team, well then you can concentrate more on an aspect of the job.

And yes, anything posted by Sil is always worth the read.  He has a great writeup on getting into ethical hacking.
Certs: GCWN
(@)Dewser
<<

WCNA

User avatar

Full Member
Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon Sep 26, 2011 12:19 pm

Re: Help me understand

Your question is similar to "what skills does an administrator need"?

And the answer is- It depends. There are a lot of specialties already and it is becoming more specialized every day. Networking? Wireless? Database?

Web applications? Learn programming...but what programming? ASP, Cold Fusion, SQL, AJAX?

As pointed out, pentesters usually have a wide range of experience with specializations in certain areas.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

YuckTheFankees

User avatar

Sr. Member
Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Mon Oct 10, 2011 7:28 pm

Re: Help me understand

Ever since I started my pentesting/ Info Assurance journey, I feel like the list of stuff you need to know is endless. I thought "hey, Ill learn to hack in a year, get some certs, then bam! job here I come". Wow, was I sadly mistaken. There is so much to learn and the learning never stops.

Once I started learning about exploits, I needed to learn programming and assembly language (which doesnt happen over night). And to go along with WCNA, there are so many different types of languages..you need to figure out exactly what you want to do, then someone can tell you whats the best language to learn.
OSCP in progress
<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Tue Oct 11, 2011 3:26 pm

Re: Help me understand

YuckTheFankees wrote:There is so much to learn and the learning never stops.


This statement is true.  Very, very true.  I usually tell people they need to know a little bit about everything.
Poking at security since 1986.  +++ATH
<<

impelse

Hero Member
Hero Member

Posts: 619

Joined: Mon Feb 16, 2009 3:40 pm

Post Tue Oct 11, 2011 5:30 pm

Re: Help me understand

I begin three years ago:

Go deep in windows servers
Security and Cisco certifications
I read somebooks about pentest (I never did one outside of my lab yet).
Now Linux
Later some programing and script
After some scripting/programming OSCP
Everytime I said, I need to learn more of this......
CCNA, Security+, 70-290, 70-291
CCNA Security
CEH
Online Pentest lab: http://www.thehost1.com/
Blog: http://blog.thehost1.com/
<<

millwalll

Post Thu Oct 13, 2011 5:17 am

Re: Help me understand

I agree this has been answered so many times and there are lots good resources about.

However
having some programing languages skills would be good
Understanding TCP/IP
OSI 7 layer model
over a good understanding of kit like CISCO stuff windows,Linux etc
Understanding and being able to use tools like nmap, wireshark etc 

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software