From: Omar A. Herrera (omar.herrera@oissg.org)
Date: Sat Jul 22 2006 - 12:05:46 EDT
Hi Zach,
> -----Original Message-----
> From: wymerzp@sbu.edu
> Sent: Friday, July 21, 2006 6:59 PM
>
> Hello, I am a student of computer science trying to learn more about the
> art of pen-testing. I have several tools at my disposal: nmap, enum,
> Metsploit Framework, Cain and Abel, ect. I obviously cannot test these
> against commercial networks (I could but I certainly don't want to go to
> jail) I have used nmap though due to it's unobtrusive nature. I therefore
> downloaded the evaluation version of VMware. I set up virtual machines
> with a host only connection; furthermore, I see the virtual machines
> network connections in network connections. I am running windows XP. I
> cannot figure out, probably due to my inexperience at networking, how to
> connect to the machnies once I have them up and running so I can run nmap
> scans against them (among other things). Any help would be appreciated,
> including links or whatever knowledge you guys could pass on.
Setting up your isolated environment for training is fine. Practice there
with tools and using the information that you find on the Internet and in
books and it will give you some technical experience. Remember that
technical knowledge becomes obsolete very quickly, so if you don't keep up
reading and trying yourself things your proficiency as a pentester declines
with time.
This is the reason many of us don't believe that saying that you have N
years of experience in the field is a good measure our current technical
proficiency (a record of technical training and active participation in
pentest communities, projects and forums is better for this, in my opinion).
What you don't get from your isolated environment and that is something that
people with N years are more likely to possess (although still very
difficult to measure) is the set of non-technical skills and complementing
knowledge that you need to be a good pentest professional, such as:
communication and presentation skills, report writing skills, legal
knowledge (you can always have a lawyer on your side to deal with legal
issues, but at least you need to know when it is appropriate to call
him/her), characteristics that are specific to some sectors where you might
work (e.g. financial, telecommunications, retail,...), skills to understand
the business process of any company, and the most difficult of them all,
dealing with other (potentially non-friendly) human beings ;-).
The last one is quite hard because you are going to be in a position where
even being technically capable, it might not be in the best interest of
someone that your report says certain things, so you need to be firm (being
absolutely sure of the things you say, documented proofs and activities is
the best way to start dealing with these issues). But not only that, you
also need to be careful about the wording in your reports and what you say,
not only for legal reasons but simply because the way we say things can make
our work easier or harder.
So, honestly, I wouldn't worry too much on the technical part. With enough
time, effort and the right background knowledge (yes, you need some
background, e.g. if you are testing networks it is expected that you know
how these networks work) anybody can achieve a decent technical proficiency.
My only advices from the technical side:
* Avoid trying to be good at everything (you won't have enough time in your
life to learn and still claim that you are an expert at testing everything),
reduce your scope and select some applications, platforms and technologies
for a start (if you know the fundamentals you will be able to change to
others if needed, in fact, be prepared for it because technology will
change).
* Avoid trying to be just a hacker. You need to act professionally, which is
much more difficult than simply emulating a hacker's behavior (and that just
doesn't mean getting a bunch of academic titles and certifications, it
doesn't mean those aren't useful either).
I would put also some serious effort in developing some non-technical
skills. This is where I believe that the industry in general lacks an offer
in training. There are many courses that include hands on labs to assess and
improve your technical skills but there is almost no effort to assess and
help improve non-technical skills.
A suggestion to get the feel of what it is like: try to involve other people
(include an experienced pentester if possible) and arrange some mock tests
(including the whole cycle: planning, proposals, execution and reports) and
then let the others act as a very critical client that tries to blow your
work to pieces, in the worst conceivably scenario you can think of (if it
helps, think of this exercise as something similar to presenting and
defending a thesis).
For human interactions this is the best I can think off: Try to get to talk
to a sales person; many of these persons depend on what they are able to
sell to keep their jobs, so they need to be aggressive but also very careful
with what they say if they intend to sell anything. Then try to talk to
people in companies that are in charge of buying products or hiring services
and look at their point of view, what really matters to them and what they
like and dislike from vendors. Finally, read all about morale and ethics
that you can (talk to a philosopher if you wish) and try to sort out how you
can combine the aggressiveness/effectiveness of the vendor (to sell your
work), with solving the needs of the client and the ethical behaviour that
will be expected from you. That is more or less what you will need :-).
Nobody said this is an easy job and you can't achieve perfection, but you
can be successful in these 3 areas of human interaction to some extent.
Last: keep reading this and other forums and participate. We sometimes have
heated discussions or philosophical discussions (where everybody knows that
nothing is to come out of them, which doesn't make them less interesting)
but we also try to care for each other and share our limited experience and
knowledge so that we all can keep learning. You can't get better training
than discussing relevant things with other professionals, many of which will
know something you don't. By interacting with others you put to test your
knowledge and ideas, and this is also a way in which we all improve.
I hope this helps to answer your question,
Cheers,
Omar Herrera
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:22 EDT