PenTest Career. How to Begin
Content
PENETRATION TESTING
Pentester Career: How to Begin
Someone starts with talking about degree, another says that nothing except fundamentals matters. You can get some significant part of whole knowledge before college even or do not anything useful after degree even.
hat is not a talk about how your degree affects your skills, it does not affect, because the practical skills might have something with 'fundamentals' if they are on the same way and lead you to the same goal. Not every country has such educational institutes (maybe Germany has). You are allowed to argue against both sides or choose your own where there is a place to solve different problems instead of misplacing them. This case is often extended by certifications; it matters, no doubt, especially when you know that someone who hires you looks for it. However, you may find another way to tell them you can manage with such projects that depend on your additional skills such as programming. I mean you can develop your own tools/exploit by yourself, participate in opensource groups that aims it too, you can improve some tool/exploitation mechanism or automatize it, mix several tools, redevelop it even. It helps to understand how OS components link and work together as well as break into system. In course of debates which languages must be learnt, there are two kinds that depend on OS (under Windows OS – C/C++, Assembler, under Linux/RedHat/CentOS – Python, Ruby). However, it does not mean you should limit yourself to these languages, as a software develops with many other languages, software may have popular add-ons written by someStartKit 01/2013(01)
T
one who prefers .Net or have to use it. Besides, do not forget you should not only develop something but pentest too. It does not mean you should stop to improve your skills; there are many out-of-box tools or solutions you have to learn and use, like BackTrack. It must be a need to improve or custom them in order to network, system or other specifications. Being a part of team, like Hacker for Charity (http://www.hackersforcharity.org/), helps to collect all skills among system security, network security, application security, etc. On the another hand, getting forensics skills may help too. Therefore, learning and practicing with home networks, corporate sandboxes, bypassing NAC, VLANs and finding loopholes in isolated segments that helps understanding stacks, buffer and memory and their vulnerabilities. In addition, you can learn specific technology such AVR: this kind of programming involves a C/C++ knowledge as well. Anyway, first steps on this field might involve reading books, but almost all of books (except Syngress Publishing house) are rewritten, redesigned of each other that brings old techniques, and old tools. So, it is better to find books such as shellcoders and grayhat-coders books and Pentest guidelines (e.g. http://www.pentest-standard.org, http://www.vulnapps.com/) and standards (NIST
http://pentestmag.com
Page 6
SP 800-42). As said earlier, you can not focus on certain language, software or technology not to end with pure knowledge. No one loves Delphi but enough tools to research applications implement Delphi libraries (and written too). You should collect information about every technology, system, software from any possible sources: • Infosecurity blogs, news (like http://www.vulnapps.com/ or http://exploit-exercises.com/ ) • Books and ebooks (like The Art of Software Security Assessment, or The Art of Exploitation) • Vulnerabilities domains (like http://www.exploitdb.com/ ) • security conferences/events (each possible, not only top known such DefCon) • templates and charts (http://pentestmonkey. net/category/cheat-sheet) • special guidelines and frameworks (like OffSec guidelines) It is quite important to have all of these (and not only them) skills, because the key difference between such tester and someone else is an ability to answer and explain vector attacks, potential ways to attacks, and discreet information you have per each who you interact. It means don’t overload CEO with full-detailed technical reports generated by Nessus or another tool. As final thoughts, you should have different broad skills on • Networks solutions (software, protocols, and hardware); • Techniques of attacking and defensing of IDS, Firewalls, AV, embedded and third party security software; • Top known tools and software to gathering data; • Forensics and intelligence techniques to get evidence; • Human security techniques (social engineering and physical security); • Participating at the CTFs and conferences; • Simply be involved to gain and share knowledge with smart guys; Good luck,
YURy CHEMERKIN
StartKit 01/2013(01)
Pentester Career: How to Begin
Someone starts with talking about degree, another says that nothing except fundamentals matters. You can get some significant part of whole knowledge before college even or do not anything useful after degree even.
hat is not a talk about how your degree affects your skills, it does not affect, because the practical skills might have something with 'fundamentals' if they are on the same way and lead you to the same goal. Not every country has such educational institutes (maybe Germany has). You are allowed to argue against both sides or choose your own where there is a place to solve different problems instead of misplacing them. This case is often extended by certifications; it matters, no doubt, especially when you know that someone who hires you looks for it. However, you may find another way to tell them you can manage with such projects that depend on your additional skills such as programming. I mean you can develop your own tools/exploit by yourself, participate in opensource groups that aims it too, you can improve some tool/exploitation mechanism or automatize it, mix several tools, redevelop it even. It helps to understand how OS components link and work together as well as break into system. In course of debates which languages must be learnt, there are two kinds that depend on OS (under Windows OS – C/C++, Assembler, under Linux/RedHat/CentOS – Python, Ruby). However, it does not mean you should limit yourself to these languages, as a software develops with many other languages, software may have popular add-ons written by someStartKit 01/2013(01)
T
one who prefers .Net or have to use it. Besides, do not forget you should not only develop something but pentest too. It does not mean you should stop to improve your skills; there are many out-of-box tools or solutions you have to learn and use, like BackTrack. It must be a need to improve or custom them in order to network, system or other specifications. Being a part of team, like Hacker for Charity (http://www.hackersforcharity.org/), helps to collect all skills among system security, network security, application security, etc. On the another hand, getting forensics skills may help too. Therefore, learning and practicing with home networks, corporate sandboxes, bypassing NAC, VLANs and finding loopholes in isolated segments that helps understanding stacks, buffer and memory and their vulnerabilities. In addition, you can learn specific technology such AVR: this kind of programming involves a C/C++ knowledge as well. Anyway, first steps on this field might involve reading books, but almost all of books (except Syngress Publishing house) are rewritten, redesigned of each other that brings old techniques, and old tools. So, it is better to find books such as shellcoders and grayhat-coders books and Pentest guidelines (e.g. http://www.pentest-standard.org, http://www.vulnapps.com/) and standards (NIST
http://pentestmag.com
Page 6
SP 800-42). As said earlier, you can not focus on certain language, software or technology not to end with pure knowledge. No one loves Delphi but enough tools to research applications implement Delphi libraries (and written too). You should collect information about every technology, system, software from any possible sources: • Infosecurity blogs, news (like http://www.vulnapps.com/ or http://exploit-exercises.com/ ) • Books and ebooks (like The Art of Software Security Assessment, or The Art of Exploitation) • Vulnerabilities domains (like http://www.exploitdb.com/ ) • security conferences/events (each possible, not only top known such DefCon) • templates and charts (http://pentestmonkey. net/category/cheat-sheet) • special guidelines and frameworks (like OffSec guidelines) It is quite important to have all of these (and not only them) skills, because the key difference between such tester and someone else is an ability to answer and explain vector attacks, potential ways to attacks, and discreet information you have per each who you interact. It means don’t overload CEO with full-detailed technical reports generated by Nessus or another tool. As final thoughts, you should have different broad skills on • Networks solutions (software, protocols, and hardware); • Techniques of attacking and defensing of IDS, Firewalls, AV, embedded and third party security software; • Top known tools and software to gathering data; • Forensics and intelligence techniques to get evidence; • Human security techniques (social engineering and physical security); • Participating at the CTFs and conferences; • Simply be involved to gain and share knowledge with smart guys; Good luck,
YURy CHEMERKIN
StartKit 01/2013(01)
