All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)

From: Hagen, Eric (ehagen@DenverNewspaperAgency.com)
Date: Fri Jul 15 2005 - 17:08:04 EDT


Read and learn about network protocols. Be able to quickly recognize things
like.... a TCP session SYN, SYN ACK, ACK, - data - FIN, FIN ACK handshake.
Read about text-based network protocols, i.e. SMTP, POP3, TELNET, FTP, HTTP
etc., and be able to manage a session by hand without relying completely on a
script (referencing some commands on a 'cheat sheet' or manual is OK by me).

Learn to look at the output of NMAP and know within 10 seconds what the
purpose of each machine shown is. Learn which ports do what and what ports
don't do anything. What ports are common and what ports are not. What
ports are static and what ports are dynamic. Learn what ports are reserved
and which aren't and what ports are superuser only and which ports are open
season for any process.

Learn about firewalls and what brands are out there. Read about stateful
packet inspection and absorb its usefulness and danger. Read about NAT and
how it can impact security and accessibility. Learn how the shape of the
headers on a packet can determine many things ranging from the host OS to
the presence of a virus.

Learn about network topography and the difference between routing and
switching and broadcasting. Learn about IP subnetting and the difference
between public/private IP addresses. Learn about routers and how they
work.. and WHY they work. And WHERE they work.

Read about the programming of the IP stack and how TCP/UDP on IP works in
terms of windows and responses and learn how IP fits in with other network
protocols and where TCP differs from UDP.

Learn how to code in C. Know what a buffer is and how it might overflow.
Be able to read complex C code (try the Linux kernel; last I looked at it,
it was a spaghetti ball and ugly as hell, but beautiful at the same time).

Learn the difference between a virus and worm and the difference between a
rootkit and a Trojan. And the difference between a cracker, hacker and a
script-kiddie. FYI, good pen-testers are BY DEFINITION, good hackers. Bad
pen-testers are almost always uhhh "white hat script-kiddies".

Man, I could keep going... there's lots more.

But being a good pen-tester is basically akin to being a good cracker.
Being a good cracker is not like TV where someone clicks buttons for 45
seconds and WHAM, they broke into the IRS mainframe (if there is such a
thing). It's about patience, knowledge, intuition, knowledge, experience,
knowledge and most importantly, all of the above.

FYI, FOUR semesters of Graduate Level network infrastructure, network design
and "information warfare" classes didn't come close to covering all of this
material.

And I'm no pen-tester. I wouldn't even put my foot down to claim that I
could be. I have 4 years experience in network design, down to writing bare
C on raw Ethernet frames and up to designing a WAN topography and I wouldn't
feel comfortable selling myself as a "pen-tester". In my opinion, the
pen-tester has to be close to the elite of the crackers or their test does
nothing.

If all you do is run some tools and see that the tools can't do any damage,
you're a script-kiddie, not a pen-tester. If you can't say with some
certainty that a highly skilled black hat would have a hard time (never
impossible) cracking your defenses, then you can claim it.

I occasionally refer to myself as a "security professional" but even that
sometimes feels like a stretch.

Always improving...

Always accepting job offers too :-) I would love to be an assistant with
someone far more experienced than myself. I love learning. :-)

Eric
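
As an added illustration of the first point above (recognizing the SYN, SYN-ACK, ACK, data, FIN, FIN-ACK shape of a TCP session by eye), here is a small session-phase labeller over a constructed packet trace. It is example code written for this archive page, not Eric's or anyone else's code from the thread; the host:port values and the trace itself are made up, and a RST is treated as aborting the session so that out-of-sequence packets and resets stand out from a clean handshake and teardown.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Pkt:
    src: str          # "host:port" of the sender (constructed values)
    dst: str          # "host:port" of the receiver
    flags: int        # OR of the flag bits above
    payload: int = 0  # bytes of application data carried

def flag_names(flags):
    """Render a flags byte as e.g. 'SYN+ACK' for labels."""
    names = [n for n, b in (("FIN", FIN), ("SYN", SYN), ("RST", RST),
                            ("PSH", PSH), ("ACK", ACK)) if flags & b]
    return "+".join(names) or "NONE"

def track(packets):
    """Walk one client/server trace and label each packet with the session
    phase it belongs to: handshake, data, teardown, reset, or anomaly."""
    state, labels = "CLOSED", []
    for p in packets:
        f = p.flags
        if f & RST:                       # a reset aborts the session outright
            state, label = "CLOSED", f"reset: RST in {state}"
        elif state == "CLOSED" and f == SYN:
            state, label = "SYN_SENT", "handshake: SYN"
        elif state == "SYN_SENT" and f == SYN | ACK:
            state, label = "SYN_RECEIVED", "handshake: SYN-ACK"
        elif state == "SYN_RECEIVED" and f & ACK and not f & (SYN | FIN):
            state, label = "ESTABLISHED", "handshake: ACK (established)"
        elif state == "ESTABLISHED" and f & FIN:
            state, label = "FIN_WAIT", "teardown: FIN"
        elif state == "ESTABLISHED" and f & ACK and not f & SYN:
            label = f"data: {p.payload} bytes" if p.payload else "data: ACK only"
        elif state == "FIN_WAIT" and f & FIN and f & ACK:
            state, label = "LAST_ACK", "teardown: FIN-ACK"
        elif state == "LAST_ACK" and f & ACK and not f & (SYN | FIN):
            state, label = "CLOSED", "teardown: final ACK (closed)"
        else:                             # anything else is out of sequence
            label = f"anomaly: {flag_names(f)} in {state}"
        labels.append(label)
    return labels

# Constructed sample trace: a client reads a short banner and closes cleanly.
C, S = "10.0.0.5:51234", "10.0.0.9:25"
SAMPLE = [Pkt(C, S, SYN), Pkt(S, C, SYN | ACK), Pkt(C, S, ACK),
          Pkt(S, C, PSH | ACK, 37), Pkt(C, S, ACK),
          Pkt(C, S, FIN | ACK), Pkt(S, C, FIN | ACK), Pkt(C, S, ACK)]

if __name__ == "__main__":
    for p, label in zip(SAMPLE, track(SAMPLE)):
        print(f"{p.src:>16} -> {p.dst:<16} {flag_names(p.flags):8} {label}")
```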

-----Original Message-----
From: Stephane Auger [mailto:sauger@pre2post.com]
Sent: Friday, July 15, 2005 7:43 AM
To: Security Professional; pen-test@securityfocus.com
Subject: RE: Pen Test Basic Needs

No offence taken :) I know I'm still a beginner, which is why I'm doing
research. The "pen-test" I'm talking about is more a practice than
anything else. In this case, the "client" is a friend of mine.

So no, I'm not selling these services professionally, and don't intend
to for a while. Sorry if I was misleading, but I really am just looking
for a place to start.

I totally agree with what you're saying, which is why I'm trying to
figure out the basics so I don't do anything stupid when I really have
to do one...

Thanks to everyone who gave me their input, I appreciate it.

Stephane

-----Original Message-----
From: Security Professional [mailto:redteamer@gmail.com]
Sent: July 15, 2005 7:02 AM
To: Stephane Auger; pen-test@securityfocus.com
Subject: Re: Pen Test Basic Needs

Steph,

Judging by the types of questions you have asked, I would be willing
to bet that you haven't actually performed a penetration test
"professionally" before.

No worries, everyone has their first time ;)

Anyway, as I was saying, my guess is that you don't have a lot of
experience in this area. Just an honest assessment. The problem you
run into is, did you tell the company that is having you do this that
you have never done one before? One common mistake I have seen is
that people get this bug to start doing pen-tests and try to make
money the first few times they do one.

What should be happening is that you actually learn the things you are
asking first, then decide to do this professionally as a service once
you get some experience. Don't put the cart before the horse here.

Also, you state that you are well aware of the legal ramifications.
But honestly speaking... are you? Have you consulted a lawyer and had
them explain everything to you? If so, why didn't they draft a
contract up for you? A contract ultimately comes down to what you
want to do in your test and what you do / do not want to be liable
for.

You state in one of your questions that you would use Snort in a
pen-test. You ask about where one would "start". You ask about what
type of information you would begin with. All of these questions are
things that, as a "pen tester", you should already know. If you don't
know them, you shouldn't be doing assessments on networks where you
have to worry about legal ramifications.

Quite honestly, I hope that the company you are referring to is
reading this list and realizes they aren't getting what was probably
pitched to them. Please do us all a favor and actually learn how to
do these types of things before you decide to do one as a service to a
company.

P.S. - In no way is this e-mail intended to be hurtful or insinuate
that you don't know anything. I am just stating my opinion on what I
think is going on here and calling you on it. It is people like the ones
I have described above that give this profession a bad name.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:35 EDT