Re: All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)

From: AdamT (adwulf@gmail.com)
Date: Thu Aug 04 2005 - 22:29:58 EDT


On 8/3/05, Daniel Miessler <daniel@dmiessler.com> wrote:
>
> So yeah, the differences are very important, as is knowing where you
> truly stand. The vast majority of "pentesters" are just security
> professionals running security tools; there's no creativity, no
> innovation, no spark.

Whilst creativity, innovation and 'spark' (enthusiasm?) are certainly
requirements, there does have to be a certain amount of 'predictable'
work done too.
I could turn around and say 'I spent 72 hours attacking your
network... invoice and findings are attached' but most clueful clients
will want more than this.
They'll want to know that you've used every conceivable script-kiddy
tool *as well* as crafting your own stuff by hand. You could discover
a huuuge vulnerability in their network (and perhaps gain kudos for
discovering a huuuge vulnerability in whatever software/hardware
they're using), and you could do this using previously unheard of
methods, the likes of which would put you on the front page of
slashdot - but if your client turns around and asks "you did run
KiddieScript 4.3 against it, right?" and you have to say "no" - you're
not going to inspire much confidence in your testing.

Much as we all love to despise the 14-year-old, mostly talentless
copycat 'hackers' (as the media would label them), it is still
important to play the role of script kiddy during testing.
You may not get the same 'rush' from discovering a vulnerable version
of BIND during an ISS session as you would from hand-crafting some C
to overflow their custom-made httpd and launch some terrible fate upon
their entire infrastructure and eventually free mankind from a bizarre
machine-ruled world known as 'The Matrix', but it's still important
nonetheless.

-- 
AdamT
"Maidenhead is *not* in Kent"
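[Added example, not part of the original post or of the thread.] The "vulnerable version of BIND" that a scanner session turns up is, in the simplest case, just the answer to a CHAOS-class TXT query for version.bind. The code below is a hand-rolled version of that predictable check: it builds the query, parses the reply and returns the banner (or None when the server refuses, as most hardened resolvers do). The response bytes and the "9.2.1" version string are constructed here for the offline demonstration; the query_server() function, hostname and port are assumptions for live use, not anything the post describes.

```python
"""Grab a BIND version banner with a CHAOS-class version.bind TXT query.

Added example. The sample responses below are constructed so the parser can
be exercised offline; query_server() does the same thing against a live
nameserver (assumed host/port, not something from the original post).
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3
TXID = 0x1234  # arbitrary transaction id used by the demo


def build_version_bind_query(txid: int = TXID) -> bytes:
    """12-byte DNS header + question 'version.bind. CH TXT'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0: no RD
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_version_bind_response(resp: bytes, expected_txid: int = TXID):
    """Return the TXT banner from a version.bind reply, or None if hidden/refused."""
    if len(resp) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:  # RCODE != NOERROR (e.g. 5 = REFUSED): version hidden
        return None
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            # TXT rdata is a sequence of <len><chars> character-strings
            parts, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return "".join(parts)
    return None


def query_server(host: str, port: int = 53, timeout: float = 3.0):
    """Send the query over UDP to a live server (assumed target; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (host, port))
        data, _ = s.recvfrom(512)
    return parse_version_bind_response(data)


# Constructed sample replies (not captured from any real server).
QUESTION = b"\x07version\x04bind\x00\x00\x10\x00\x03"
SAMPLE_RESPONSE = (
    b"\x12\x34" b"\x84\x00"                      # txid, flags QR|AA, rcode 0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"          # qd=1 an=1 ns=0 ar=0
    + QUESTION
    + b"\xc0\x0c" b"\x00\x10\x00\x03"            # name ptr -> offset 12, TXT, CH
    b"\x00\x00\x00\x00" b"\x00\x06"              # TTL 0, rdlength 6
    b"\x05" b"9.2.1"                             # one character-string
)
REFUSED_RESPONSE = (
    b"\x12\x34" b"\x84\x05"                      # rcode 5 = REFUSED
    b"\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION
)

if __name__ == "__main__":
    print("banner:", parse_version_bind_response(SAMPLE_RESPONSE))   # 9.2.1
    print("refused:", parse_version_bind_response(REFUSED_RESPONSE))  # None
```

A banner is only a lead, not a finding: operators can set `version "none";` or a decoy string, and the returned text still has to be matched against the vendor's advisories before anyone calls it vulnerable. That is exactly the sort of boring, repeatable check the post argues a client expects to see alongside the clever hand-crafted work.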


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:42 EDT