Re: RE: VmWare and Pen-test Learning

From: krymson@gmail.com
Date: Mon Aug 07 2006 - 12:17:37 EDT


I am very new to this too, but I thought I would throw some more comments in here, if I may.

At the risk of opening up a VA vs pen-test argument, I really think there are some fundamental skills to have for pen-testing, and one of those is scanning for vulnerabilities.

Use a blended approach so that you know the tools for scanning. Run nmap, MBSA (Windows), Nessus. If you read about any other tools, try them out. You will always, always, always, always use scanning tools...so learn them like the back of your hand.

Take the output of them, and you'll get lots of hits on unpatched systems, and read up on each problem. Then research how to attack it. Sites like securiteam.com are highly useful to find exploit code. They're not as good at explaining things in detail though, but the code is good. Then research how to fix it. Put that one single patch on the system, or fix, or workaround, and attempt the exploit again. What changed? Did it just close a port? Try to find as much technical detail as you can. In doing so, you'll find a number of sites you'll eventually bookmark and use regularly. I encourage you to get a logbook and write down your answers or type them into some doc. This will get you used to documenting for reports. In doing so, hypothesize how attackers might get in...weak firewall rules, worm from a laptop offsite...? Put up a firewall and IDS and try to stop yourself. Being able to demonstrate a vulnerability is one thing, but always be able to explain how to fix it.

Definitely use metasploit. This is the hottest and easiest tool out there right now, and can give you a good feel for the exploits. You can even read the code and play with it. If you like code or find yourself growing attuned to it, metasploit will give you the framework to write your own exploit code. This is a great way to go. I love metasploit because code newbies (me) can actually immediately see what is going on, making a great demonstration and introduction into coding one's own exploits. It also allows a pen-tester to quickly re-penetrate known holes, without having to rummage through one's own scripts or re-write anything on site.

Better yet, get used to looking at network traffic by always running a sniffer between your system and your victim. Just review it for what is going on, and you'll just slowly gain an affinity for that stuff. Wireshark is, of course, unequalled in ease of use. This will help when sniffing for actual traffic, cleartext protocols, and eventually more complicated authentication mechanisms.

I like the analogy about pool and practicing the simple shots. In addition, pen-tests are not always a leisurely thing; you typically have a time limit. Being able to snap off the simple shots, do the scans, verify the easy vulnerabilities, and spit out the reports in little time is valuable. That way you can spend time on the real kickers. I've seen pen-testers have enough time to try new tools on site, or to really beat on a couple of "known-but-not-quite-penetrated" holes.

Once you've gotten the OS part down, install something like IIS, PHP, and an older version of some vBulletin/PHPbb bulletin board, something with known holes. Run web scans and attempt whatever you need to do to those.

I've found that reading books and sites gives one a lot of knowledge, but really, nothing beats actually having your own lab and going through the motions. Eventually you'll see you're not a newbie anymore, and can actually move forward in understanding complex topics and pens. I can read about playing pool and get really good at seeing geometry and physics on the table, but until I start getting my body in tune with the actual motions, and experience to verify the head-knowledge, I'm not good at pool. :)

On a different note, if you have some buddies in your area with these interests, have a weekend LAN. Get some movies, beer, music, pizza, and just set up boxes and find creative ways to break into them. See who can grab admin rights on an unpatched Win 2000 RTM box fastest...and then defend it. Trade techniques, show each other new tools or sites to learn stuff, etc. Have fun! Even if some of your buds are just sysadmins or network types that aren't interested in security, per se, get them involved anyway. :)

Lastly, always be curious. Tinker, play, and have fun. I've been in a number of jobs you don't need to like in order to do well in, but pen-testing is one of those areas where everyone I've talked to truly enjoys the work and anyone that doesn't, doesn't do well.
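The "scan, fix one thing, scan again, write down what changed" loop above is the part of the lab routine that benefits most from a little tooling. The script below is an added example for this archive page, not code from the poster: it parses two nmap grepable-output (`-oG`) scans of the same lab host, diffs the port states, and produces logbook lines that distinguish a port that merely got blocked by a firewall rule (state `filtered`, service still running) from one that actually went away after a patch. The two scan outputs are constructed samples, the host `192.0.2.10` is a documentation address, and the parser assumes the standard `port/state/proto/owner/service/...` field layout of `-oG` lines.

```python
"""Diff two nmap -oG scans of a lab host and write logbook findings.

Added example, not from the original post.  BEFORE and AFTER are
constructed sample outputs, not real scan results.
"""
import re
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]    # (protocol, port number)
PortInfo = Tuple[str, str]   # (state, service name)

# Constructed sample: unpatched lab host before any fix was applied.
BEFORE = """\
# Nmap scan initiated as: nmap -sV -oG before.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (1676)
"""

# Constructed sample: same host after a host-firewall rule blocked 135/139/445.
# Nothing was patched, so the services are still listening behind the rule.
AFTER = """\
# Nmap scan initiated as: nmap -sV -oG after.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (1676)
"""


def parse_gnmap(text: str) -> Dict[str, Dict[PortKey, PortInfo]]:
    """Return {host_ip: {(proto, port): (state, service)}} from -oG output.

    Only the first five '/'-separated fields of each port entry are used;
    ports in the 'Ignored State' are not listed by nmap and so are absent.
    """
    hosts: Dict[str, Dict[PortKey, PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, {})
        match = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not match:
            continue
        for entry in match.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            hosts[ip][(proto, int(port))] = (state, service)
    return hosts


def diff_scans(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two scans of the same host(s) and bucket every open port by
    what happened to it: closed, filtered, opened, or unchanged."""
    b, a = parse_gnmap(before), parse_gnmap(after)
    findings: Dict[str, List[str]] = {
        "closed": [], "filtered": [], "opened": [], "unchanged": []}
    for ip in sorted(set(b) | set(a)):
        bp, ap = b.get(ip, {}), a.get(ip, {})
        for (proto, port), (state, service) in sorted(bp.items()):
            # A port missing from the second scan fell into nmap's ignored
            # state, which in these samples is 'closed'.
            new_state, _ = ap.get((proto, port), ("closed", service))
            label = f"{ip} {port}/{proto} ({service or 'unknown'})"
            if state != "open":
                continue
            if new_state == "open":
                findings["unchanged"].append(label)
            elif new_state == "filtered":
                findings["filtered"].append(label)
            else:
                findings["closed"].append(label)
        for (proto, port), (new_state, service) in sorted(ap.items()):
            old_state = bp.get((proto, port), ("closed", ""))[0]
            if new_state == "open" and old_state != "open":
                findings["opened"].append(
                    f"{ip} {port}/{proto} ({service or 'unknown'})")
    return findings


def logbook_entry(findings: Dict[str, List[str]]) -> str:
    """Render findings as one line per port with the conclusion to record."""
    notes = {
        "closed": "no longer listening: patch or service removal confirmed",
        "filtered": "blocked by a firewall rule only; service still running, re-test from inside the rule",
        "opened": "new exposure introduced by the change",
        "unchanged": "still open; vulnerability not addressed",
    }
    lines = []
    for category in ("closed", "filtered", "opened", "unchanged"):
        for item in findings[category]:
            lines.append(f"{category:9} {item}: {notes[category]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(logbook_entry(diff_scans(BEFORE, AFTER)))
```

Running it on the two samples reports 135, 139 and 445 as `filtered` and 3389 as `unchanged`, which is the answer to "did it just close a port?": the firewall rule hid the services from the outside but fixed nothing, so the logbook entry tells you to re-test from a vantage point the rule does not cover and to apply the actual patch. Swap in real `-oG` files from your own lab to use it for every fix-and-rescan cycle.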




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:36 EDT