unicityd wrote: Most of that guide is about building IT skills generally rather than pentesting skills specifically.
Curious to know what you perceive as being an overall good pentester? My definition of a thorough, good, and reliable pentester is someone who is versatile, can adapt, and is experienced in a wide array of technologies. Because SECURITY is nowadays a broad term, I have noticed that far too many pentesters are nothing more than tool-testers: tool testers who know little about the layers associated with what they are doing. This is why many fail, and this is why the current market is saturated with individuals running Metasploit, Nessus, GFI and other tools passing themselves off as pentesters.
Books like Counter Hack Reloaded, Hacking Exposed and Professional Penetration Testing offer you examples on "staged" systems, systems that are loaded for you to be able to compromise. While they have their place, they are minimal in real-world exploitation, and often the exploits used in those books are worthless. Many are written from the LAN perspective, as nmap'ing a CIDR nowadays gets you nowhere.
When I wrote Penetration Testing 101, it was meant to introduce people to systems administration, networking and then security. Many, in fact I want to say 75%, of the so-called penetration testers I have met, spoken with and picked the brains of are little more than tool jockeys. Without their tools, they're lost. They know little about what to do in the event they become tool-less, so what is their real value?
Let me put you in a "cyberwarfare" scenario right now. You're deployed to a foreign country, your platoon is under fire and the enemy is jamming your signals. You manage to get hold of an enemy's laptop. It's a Tadpole running Solaris... What do you do? Call it a day because 1) you don't know Solaris, 2) you don't know the common tools on Solaris, 3) you don't know or understand what IKE is, or aggressive versus main mode? What do you do?
Let me give you another real-world example: you're thrown into ANY environment that is contained at, say, a C2-style level of security. You cannot install ANYTHING, and the IPS is logging via syslog remotely. How do you get in and out undetected without using your favorite tool of choice?
The reality is, most SYSTEMS contain all the tools you would need; you just have to know what tools are doing what and have a thorough understanding of the different layers of the OSI model: how things interconnect, what is responsible for what. This is the reality of pentesting, not a quick nmap scan followed by Metasploiting. This is the real world, and in the real world the system you are analyzing/testing/compromising will have security mechanisms to detect you, and there may be a live individual halting or slowing down your progress. Not some "fire and forget" voodoo you see in a book.
It takes more than labs to make a good pentester. Labs are like shooting fish in a barrel. Trying to "replicate" your target is worthless, since you will NEVER have the same configuration files, accounts, network layout and so forth. So while you can get your feet wet with content in books like Counter Hack Reloaded, that's all they're really good for.
When I took my RWSP exam (for those who've done the OSCP, think of it as the OSCP with an enemy on the fly countering you), it was a seriously hard exam. While I took it, no one could figure out what I was doing or where I was coming from, because I followed NOTHING from a book. Everything was improvisation. I still accomplished my objectives during that exam, and that to me makes a good pentester: someone you can plop into a drop zone with zero who can accomplish their objective. Not someone who's proficient at Metasploit, or Scapy, or Nessus. On the counter, I would see those tools a mile away and you'd be stopped dead in your tracks.
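As an added illustration of the "the system already contains the tools you need" point in the post above (this is example code written for this page, not part of the original post or the poster's material): a TCP connect probe and banner grab done with nothing but bash's /dev/tcp pseudo-device and coreutils `timeout`, so no nmap, netcat or Metasploit has to be installed on the box. It assumes bash with /dev/tcp support compiled in; the loopback target and port list are constructed sample inputs.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: "tool-less" TCP recon using only
# bash builtins (/dev/tcp) and coreutils `timeout`. Assumes bash, not plain sh,
# with /dev/tcp enabled. Host and ports used below are constructed sample inputs.

# tcp_probe HOST PORT -> prints "open" if a TCP handshake completes, else "closed".
# The connect runs in a child bash under `timeout` so a filtered (DROP) port
# cannot hang the scan; ECONNREFUSED returns immediately as "closed".
tcp_probe() {
    local host="$1" port="$2"
    if timeout 2 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
        printf 'open\n'
    else
        printf 'closed\n'
    fi
}

# scan_ports HOST PORT... -> one "PORT STATE" line per port, in the order given.
scan_ports() {
    local host="$1"; shift
    local p
    for p in "$@"; do
        printf '%s %s\n' "$p" "$(tcp_probe "$host" "$p")"
    done
}

# count_open HOST PORT... -> number of ports tcp_probe reported as open.
count_open() {
    scan_ports "$@" | grep -c ' open$' || true
}

# grab_banner HOST PORT -> first line the service volunteers within 3 s (empty if none).
# Runs in a subshell so fd 3 and the stderr redirect do not leak into the caller.
grab_banner() {
    local host="$1" port="$2"
    (
        exec 3<>"/dev/tcp/${host}/${port}" || exit 1
        IFS= read -r -t 3 line <&3 || true
        printf '%s\n' "$line"
    ) 2>/dev/null
}

# Direct invocation (constructed target): scan a few common ports on loopback.
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    scan_ports 127.0.0.1 22 80 443
fi
```

Pipe `scan_ports` output into `grab_banner` on whatever reports open to fingerprint services the same way, and note that a connect scan like this still completes full handshakes, so it is exactly what an IPS logging to remote syslog will record; the point is understanding what the tool does at the transport layer, not the tool itself.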