Ask Slashdot - Breaking Into Penetration Testing At 30
An anonymous reader writes: I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and skill/knowledge of any kind of programming language is extremely lacking as I have slacked off in that department. However, I've been working with PowerShell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?
NMAP (Score:3, Insightful)
Have you run Nmap.exe ever? If yes, you are a fully qualified security expert.
Seriously, nmap should let you find an unpatched internet facing system. Then you have a vulnerability to point at. Instant cred.
Enough for you to learn while being paid.
Re:NMAP (Score:4, Insightful)
Most actual h4x0rs are too much of prima donnas to ever get employed and (somewhat rightfully) despise certs as corporate snake oil. Still, having a sysadmin certed to have at least a vague idea about keeping boxes patched/default passwords of appliances changed/not exposed open is a good thing.
Re:NMAP (Score:5, Informative)
And this is why there are a ton of shitty 'pentesters' out there who seem to mistake running nessus or nmap scripts as a penetration test. No, it's not 'secret' knowledge and can easily be learned if you want to spend the time, but running metasploit doesn't make you a pentester.
Like defenders, pentesters generally need to find all the vulnerabilities (sadly many customers accept the first one, which ends up being a scoping issue) and understand how to mitigate anything that was discovered/exploited. That requires an understanding of protocols, networking, applications, web frameworks, etc. I have found that the best tend to have the capacity to think maliciously. IMO, that is a critical skill. I have seen far too many people that just don't understand why anyone would want to abuse a protocol, which makes them substandard pentesters.
As for the original question, there are plenty of tools out there that can help you learn. Metasploitable, WebGoat, Kali, SamuraiWTF (disclosure, I am good friends with the lead for that), ZAP, Burp Suite (pro is great and super reasonable). If you have corporate funding, there are some decent trainings out there. Offensive Security has their classes (and certs, I have heard mixed results). There is also SANS, which I have been increasingly disappointed with, but if you want a bunch of knowledge shoved in your head (at a pretty high dollar cost), they tend to do it. Also, some drift more towards network pentesting or application; personally, I think people should be versed in both (leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS).
For cheaper options there are a bunch of books that can teach you a ton of 'tips and tricks' around pentesting (Web Hackers Handbook 2nd Edition is particularly good). Having a solid background as a sysadmin makes it much easier IMO (my background is similar), since you are most likely familiar with troubleshooting, networking, multiple OS's and whatnot.
Re:NMAP (Score:5, Insightful)
> leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS
Time for a car analogy.... because otherwise you are like a carjacker who can't drive stick.
Re: (Score:2)
Once we had a security audit. Though I know I shouldn't have, I ran a man in the middle on them and watched their packets. As I'd see them going places, if I thought it was insecure I'd either bring the service offline or make it report garbage on their scans; to my knowledge they were never aware. They ended up dinging us on something stupid that wasn't even a vuln: we had an out of date resource that was intranet facing, and you'd have had to have physical network access to exploit it.
Re: (Score:2, Informative)
> if I thought it was insecure I'd either bring the service offline or make it report garbage on their scans
That is like hiding broken parts from your mechanic.
Re: (Score:2)
Sometimes companies have to have an audit done (e.g. PCI or HIPAA), so they'll just disable vulnerable services while the audit is being done and re-enable them. I've seen it happen.
Re: NMAP (Score:2)
To get PCI having vulnerable apps behind a WAF is apparently sufficient. Because rule based detection is always effective.
Re: (Score:2)
this scales much better:
$IPTABLES -I INPUT -m set --match-set ipbl src -j DROP
$IPTABLES -I FORWARD -m set --match-set ipbl src -j DROP
$IPTABLES -I FORWARD -m set --match-set ipbl dst -j DROP
$IPTABLES -I OUTPUT -m set --match-set ipbl dst -j DROP
add an ip to ipbl set:
ipset add ipbl ${IP}
don't forget to block all ipv6 traffic if you don't need ipv6:
${IP6TABLES} -I FORWARD -i eth0 -j DROP
${IP6TABLES} -I INPUT -i eth0 -j DROP
${IP6TABLES} -I FORWARD -o eth0 -j DROP
${IP6TABLES} -I OUTPUT -o eth0 -j DROP
Re: NMAP (Score:5, Insightful)
I think these days the big security risk is layer 7. SQLi is still very common...especially 2nd order injection and injection into GET parameters. Admins know they need to sanitize POST/UPDATE/INSERT but they miss GET/SELECT.
WordPress is generally run without htaccess rewrites on WP-plugins. An attacker enumerates your plugins and finds an exploit.
I've seen GET parameters with filenames. Oh yes, thanks for letting me change that to web.config or ../../etc
Client side filtering is another, equally hilarious issue. As Joe McCray says, "you're putting the filtering in the hacker's browser which he controls...does that pass the common sense test?"
The list goes on and on...it's easy to patch everything else. Web apps on the other hand...are often written by the people in charge of the site.
Nikto, BURP as you said, and ZED are far more useful than metasploit now. Novices just don't know what to do with the info.
And let's not forget sqlmap ;)
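The two injection cases named in the post above (a GET parameter spliced straight into a SELECT, and a second-order injection where a value that was inserted "safely" is later concatenated into an UPDATE) are easier to reason about side by side with their parameterised fixes. The following is an added example written for this thread, not code from any commenter; it uses an in-memory SQLite database with constructed rows, and the function names are my own.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an admin."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "display_name TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (username, display_name, is_admin) VALUES (?, ?, ?)",
        [("alice", "Alice", 1), ("bob", "Bob", 0)],
    )
    return con


# --- first-order: a GET parameter concatenated into a SELECT -----------------
def lookup_vulnerable(con, username):
    # The value of ?user=... lands inside the quotes with no escaping.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, username):
    # A bound parameter is data, never SQL text, so quotes in it are harmless.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (username,))]


# --- second-order: the INSERT is parameterised, the later UPDATE is not --------
def register(con, username):
    # Looks safe: the username is bound, so it is stored exactly as given.
    cur = con.execute(
        "INSERT INTO users (username, display_name, is_admin) VALUES (?, ?, 0)",
        (username, username),
    )
    return cur.lastrowid


def rename_vulnerable(con, user_id, new_display_name):
    # The stored username is read back and trusted because "it was sanitized
    # on the way in", then concatenated into a WHERE clause.
    stored = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "UPDATE users SET display_name = ? WHERE username = '" + stored + "'"
    con.execute(sql, (new_display_name,))


def rename_safe(con, user_id, new_display_name):
    # Every value is bound, including the one that came out of the database.
    con.execute(
        "UPDATE users SET display_name = ? WHERE id = ?",
        (new_display_name, user_id),
    )


def display_name(con, username):
    return con.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    probe = "' OR '1'='1"  # constructed GET parameter value
    print("vulnerable lookup:", lookup_vulnerable(con, probe))  # every user
    print("safe lookup:     ", lookup_safe(con, probe))        # nothing
    uid = register(con, "alice'--")  # stored verbatim by the bound INSERT
    rename_vulnerable(con, uid, "renamed by someone else")
    print("alice is now:", display_name(con, "alice"))
```

The second-order case is the one worth staring at: the `--` in the stored username turns the rest of the WHERE clause into a comment, so the UPDATE meant for the new account lands on Alice's row. Validating input at the edge does nothing for a query built by concatenation later on; the fix is binding every value at every query, not "sanitizing" once.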
Re: (Score:2)
You need a WAF these days. I use mod_security. It can save your arse from zero days sometimes.
Re: (Score:2)
I've actually gotten to the point where I think WAFs are absolutely useless. As far as WAFs go though, I would recommend against mod_security, as fingerprinting it via its helpful errors is a cakewalk.
The upside to WAFs is that they prevent automated attacks...buuut snort's dynamic preprocessors seem to do this FAR better.
Either way an IDS/IPS/WAF just isn't enough. In a non-automated attack bypassing them is trivial. Half the time I can simply use URL encoding for an attack string. Some poor WAFs don't eve
Re: (Score:2)
> I think these days the big security risk is layer 7.
Nope, that would be layer 8.
Re: (Score:2)
Spend some time viewing Defcon videos. If you don't understand everything, you may need training. If you don't know about attacking network printers or VOIP phone systems to get inside access from outside, study up.
Just get Kali Linux, it is set up for Pen Testing (Score:3)
But seriously, this is one of the BEST ways to start learning pen testing, all the tools you need in one place.
Install it and start testing on your own home network first to lea
BS! (Score:2)
Go ahead and run NMAP against a company. Even worse, go ahead and attempt to exploit what you find. After you get out of jail we can discuss why you were wrong in your advice and actions. Simply running nmap against someone is enough to result in at least one felony charge.
If you ever bothered to read the preface to the CEH course, CISSP course, or any other certification for hacking you would see this exact thing spelled out very clearly. White Hat hacking is mostly paperwork to cover your ass, not just ha
Re: (Score:2)
Against your own employer after being asked to? Coming from an internal IP address? RTFS
I would get the order in writing.
Hello Pot? (Score:3)
From TFA: "Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies area are having to meet"
Does not appear to be internal testing from internal IPs that is the question now does it?
Re: (Score:2)
You would be hired by them. Why are you being so dense?
I have a hard time believing we would be able to reach an employment agreement in either direction...
Not sure if serious... (Score:3)
Well, speaking as a professional "information security consultant" (who, on occasion, uses nmap and even more-destructive tools against clients), I guarantee you that mutually acceptable employment terms which permit and even expect the use of such tools is what has been paying my very comfortable standard of living for the past few years. From tiny companies that have a mobile app to supplement their primary business, to "stealth mode" silicon valley startups, to healthcare-related companies that are paran
Re: (Score:3)
I happen to have well over 15 years experience in the same field. My argument was not that you can't have agreements, but that you must have the agreements to even perform something as simple as a port scan. The CEH and CISSP course books first several chapters are dedicated to covering the legal issues (heavy US law, big ticket items with International Law). NMAP documentation [nmap.org] also points out that just port scanning may result in a felony charge at a maximum, but at a minimum you could be sued for damag
Re: (Score:2)
More BS (Score:2)
From the source in question [nmap.org], yes it may land you in jail. It all depends on the target and what they choose to do with you port scanning them.
Re: NMAP (Score:2)
For the most part nmap and metasploit will not suffice to pentest corporate networks.
Slightly less obvious things like WGETting wp-config.php, web.config, WebDAV methods enabled on the wrong dirs, using csrf+social engineering, fuzzing proprietary apps for stack overflows, etc.
That part is a little hard...exploit development is the REAL hard part though.
"Did this code get written into the EIP register?" is hard to answer remotely.
--- security SME at a consulting firm
Re: (Score:3)
We still run nmap scans with the -sN and -sV flags up, but it's more of a formality for the assessment report. The most useful portion of nmap these days is the NSE scripts.
We also generally run metasploit (particularly for web crawling) and nessus, but they will only find (very) low hanging fruit. We also use metasploit to generate shellcode for payloads, because that's a huge pain in the ass.
By necessity everything is indeed automated, but the tools you are using is the most important part. We have our own
Re: (Score:3)
Their post was clearly this new thing called "sarcasm". Now, "sarcasm" was just invented last week so that's why you've probably not heard of it before.
Re: (Score:2)
Seriously? (Score:5, Insightful)
At 30?
You're young.
Do whatever you want.
Re:Seriously? (Score:5, Funny)
Re: (Score:3)
They made a movie about a 40 year old. He still has hope yet!
Re: (Score:2)
What about 40? :P
Tricky question (Score:3)
Re: (Score:2)
Re: Tricky question (Score:3)
Sadly this is too true. A lot of the shops out there don't understand mitigating controls or 'we tweaked a configuration so we aren't vulnerable, despite what the banner says, and here's output from us actually using the exploit....see, not vulnerable'. That's one of the major issues I have with PCI; it's far too common for the auditors to not understand the context of the controls, let alone how the network is configured. I remember having to argue with an auditor about how umask worked and sudo.
When we evalu
Re: (Score:2)
Start doing penetration tests (Score:5, Informative)
Re: (Score:3)
If you don't know where to start, try something like Kali.
Yes, exactly. Kali Linux has a huge load of tools. You might have to find information about how to use some of them elsewhere, but the tools are good.
Re:Start doing penetration tests (Score:5, Informative)
Re:Start doing penetration tests (Score:5, Informative)
Written authorization is extremely important. And save it.
I did some work for a law firm once who kept getting their email servers blacklisted. One or more of the workstations were infected with some spamming trojan. Anyways, to make a long story shorter, I set up a system between the router and switch and logged every packet for a day or so after I ran Wireshark and found the offending workstations. I created an email account on their server with the CTO's verbal permission and had the logs sent to it. This was primarily to avoid flooding my account and so I didn't need access to the admin account. I was looking for unsolicited incoming connections but found the trojans went to an IRC channel and downloaded a list of commands to specify the spam, and if it couldn't complete that task, they blasted copies of itself to contacts and the last lists of addresses it did download.
I cleaned the computers and updated them. I did a run with Nmap with the results going to that same email address. I ran a few other scans with the same email address and then the existing IT and I updated all the workstations and servers, turned off unnecessary services and ran the MS hardening tool on the one server new enough to support it.
Fast forward two years and I have a sheriff knocking on my door claiming to have a warrant to take my computers and arrest me. Turns out a new IT took over that law firm, someone got bored and started snooping through people's email accounts and stumbled on all the logs. In that account were a few emails I sent from my real address saying "is this working". And of course my sig with my name and phone number. No one remembered what we did and they were trying to charge me with a felony.
I spent 4 hours at the sheriff's office while they tracked down the old IT guy who vouched for me. That wasn't enough, and the CTO from that time got cancer or something and wasn't around to say anything. I had to get a coworker to find the billing for the time and bring it in. The prosecutor told the sheriff to release me, but it was another 3 days before I was notified all charges were dropped and got the papers to pick my computers up.
If something would have happened to the old IT guy or if he decided he didn't remember, I likely would still be screwing with it. I made sure I had written authorization ever since.
Re: (Score:3)
As a web guy, I learned long ago, never work for lawyers, law firms, or relatives of lawyers.
One way or another, they are all stupid scum.
Get certified (Score:5, Interesting)
Get certified.
>> my boss approached me about offering security evaluation and penetration testing to customers in our area
Because it might at least mitigate the damage after your company gets sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)
Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn alongside them...while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)
Re:Get certified (Score:4, Informative)
> Get certified.
> >> my boss approached me about offering security evaluation and penetration testing to customers in our area
> Because it might at least mitigate the damage after your company gets sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)
> Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn alongside them...while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)
That's a bit overgeneralized. Trustwave is under fire because the breach in question was of a (supposedly) PCI-DSS compliant system, which Trustwave was partly responsible for setting up and validating, a basically impossible task when the system has that much surface area. So, the lesson learned is don't work on PCI-DSS unless the system is so small that you can personally verify each component yourself. I really doubt this anonymous company is going to be winning a contract with a major national retailer to install/validate a PCI-DSS network, considering many larger companies are already in that market with, you know, actual credentials.
The takeaway should also be, before selling your service, get a lawyer (or a bunch of them) to draft a very detailed customer agreement to protect you. Also, get insurance just in case.
Re: (Score:3)
He has a point... chances are businesses asking for those services are looking at certification in a specific standard due to a contractual obligation. If you are not certified, then you shouldn't be offering that service.
THIS! (Score:2)
I really don't see age as a qualifier for the question. If you want to be a MD at 60 go for it, let alone a Pen tester at 30. The biggest thing is to get certified. Personally I recommend CEH (Certified Ethical Hacking). Why? Because it will beat into your head how many laws you potentially break every time you do something, provides a rigid set of guidelines to follow to stay out of jail, and additionally demonstrates to potential customers that you have a clue.
CISSP is usually better for Auditors, no
Who certifies the certifiers? (Score:2)
Do you ask a deer how to hunt deer? No, you ask a hunter.
Re: (Score:3)
All GIAC certifications are solid. They are expensive, but they are very worth it. And if you can get a GSE you have a gold star something like only 50 people period have.
Re: (Score:2)
Past a certain level, certs are a pure waste of time. Relatively few people at my current employer (a large multinational InfoSec consulting firm; most of my work is pentesting) have any security-type certification except for the compliance blokes, and nobody could have gotten the job on the basis of certifications alone. They're probably worth it if you're coming from *no* security background, and they aren't worthless (though they may well be a relative waste of time) at the higher levels of the field, bu
Re: (Score:2)
It may not enable you to command respect from everyone, but GSE is an insanely difficult certification to get.
You have to have 5 provable years in IT security just to take the exam, the exam is extremely difficult, and the 48 hour lab is ridiculously hard. If you can't read packet dumps, you won't pass; if you can't write exploits yourself, you won't pass.
You get nmap, nessus, wireshark, metasploit, the SNORT source, and some low-level command-line tools. The boxes are pretty hardened so nessus and metasplo
Re: (Score:2)
The last thing the world needs is for you to learn on the job. That privilege is reserved for every other line of work (bar none), but not, I repeat, not and never ever IT security.
It is kind of a dick move to walk into a project with a negative deliverable (from the customer's perspective they are desiring proof that there are no security holes) and have no real idea what you are doing. Why do you think fortune tellers have such a bad rap? "oh yes, i can see it now, everything is fantastic! there are no issues anywhere! oh, and avoid Pisces" Sure, you can't be wrong (unless they are literally getting exploited while you audit), but then again you are almost certainly not right ei
Legal as well as Technical (Score:5, Interesting)
Remember, most of what gets done in any penetration test worth a damn would otherwise be illegal on any number of levels if you were doing it without the express authorization of the owner of those systems. Make sure you know what you're doing, and that the lawyers sign off on it first so that your company is covering your butt if anything goes bad.
learn to program (Score:3)
Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?
Learn to program, learn to hack. There are resources [amazon.com] available [amazon.com] for both. It will take years and it's hard work, but without that, you'll just be another consultant following a script.
If you're not willing to take time and work hard, then yes, you are beyond hope for reaching this goal. Your best option in that case is to continue your current career path and just enjoy what you can of life.
cybrary.it/course/advanced-penetration-testing/ (Score:3, Informative)
http://www.cybrary.it/course/advanced-penetration-testing/
Liability (Score:3, Insightful)
Your employer is going to be held liable/accountable if you miss a glaring hole in their information security infrastructure. I'm not saying you can't train to do this but I don't necessarily know that it's the kind of thing you can pick-up on the side or over a few weekends. I've dabbled in security over the years, am very familiar with *nix, worked in infrastructure as a sysadmin, am a fulltime well paid programmer and I am familiar with the variety of tools out there and I wouldn't consider myself for a role like this one. Too much risk.
One question (Score:2)
OSCP Cert (Score:4, Informative)
I would say look at a cert like Offensive Security Certified Professional (Penetration Testing with BackTrack). It's been a while since I did the curriculum; I think it was worth it and learned a lot.
Re: (Score:2)
Do you have funding? (Score:3)
If you do, take SANS 560. It's a good start, helps provide a framework, and fills in gaps in your knowledge.
If you don't have funding, why bother (for your company - since you'll be making them more money).
However, I'd recommend doing it on your own - learning is always good. But if your company won't fund your education, you shouldn't put in all that work to do it for them. If they will let you learn on company time, then, that's a different discussion (but that means part of your 40 hours will be dedicated to learning and breaking shit). And it will take months to get up to speed, since you won't have a mentor to help point things out to you.
Ethical Hacker and all those other cheap certs are worthless. Books can be useful, but again, sometimes you need someone to point out the pitfalls, etc.
Its Never Too Late (Score:5, Informative)
Hi, I work in the general cyber security industry. I would advise against heading this type of project given your current lack of experience. Penetration testing largely involves running scripts and tools that are mostly automated, and then interpreting the results to determine how to proceed (running the scripts and tools again but against a more well defined target) and repeating until you are in. That is one part of it. A second part is analyzing a company's complete security posture; this involves more than the technical systems, it involves the people that run/maintain/protect the technical systems and analyzing how well they do (or don't) do that (how easily they fall victim to social engineering, who has a level of access that is unwarranted, where the weak points are in terms of people/policy/implementation, etc.).
I would not go into this with little previous experience. I would definitely hire someone with experience to be a part of this before proceeding.
Now, on to learning. If you want to be competent in cyber security, you should know the following (this is my opinion, don't take this as gospel, compare my suggestions to others):
Networking. Be intimately familiar with layers 1-4 of the stack. Know all aspects of TCP/IP (v4; v6 is still not widespread and will not be too hard to learn if you master v4). All aspects, not the basics; this is a necessity. You will not be able to identify that one odd TCP packet with weird flags set or the malformed DNS request if you don't know what a normal TCP packet looks like.
As a test, answer this question with an essay: "What happens when I open up a browser and type google.com and hit enter." (Assume all caches are flushed on all devices, your own equipment and the network equipment you are traversing.) If your answer is not very long, then you most likely are missing some of the interactions that took place.
Tools. You need to know tools for analyzing network traffic, and diving deep into network traffic. Wireshark is one of the most popular programs for inspecting pcaps; get very familiar with this tool. Learn how to do the same sort of searching and poking about you do in Wireshark with command line tools. Learn what BPFs are. Most useful security tools are *nix based. You absolutely need to become at least comfortable with operating out of the *nix command line (no GUI) and know basic *nix tools. There is no way around this.
Knowledge of Python and shell scripting has been very helpful to me. You do not necessarily need to know how to program in Python or in the shell script of your choice (though it helps bunches), but you do need at a minimum to be able to read and figure out what code is doing, and to make minor modifications to get programs to do what you need.
Hacking. You need to know how hacking takes place. Not at the script-kiddie level of "run this and the system is hacked" but closer to the hardware level. Know how different hack attacks work, know what features or lack of features of the hardware/OS (things like DEP, ASLR, protected memory pages/ring 0-3, userspace vs kernelspace) make the hacks even possible (buffer overflow, stack smashing, heap sprays, unsanitized inputs, etc). This requires some understanding of computer architectures.
Become familiar with internet RFCs. Know what the popular options are for intrusion detection. Learn how to read Snort signatures since there are many of them (when I say learn to read the Snort sig, that means you can take a Snort signature, understand what it is trying to detect, and then be able to write a rule or signature based off of that in whatever IDS system you are using, if you have something different/in addition to Snort).
Read a lot. Do whatever work in the field you can. Learn. Don't stop learning, because the adversaries are not, and your intimate knowledge of computer security circa 2014 is not going to protect you or your organization from the new hacks happening now. (Lots of hacks are recycled and reused long after they have been patched/mitigated (due to poor patch management/security procedures), so knowing what was happening in previous years does help a lot, but still never stop learning.)
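Two of the skills the post above asks for, recognising "that one odd TCP packet with weird flags set" in raw bytes and being able to read a Snort signature well enough to say what it detects, can be exercised together. The following is an added example written for this thread, not code from the commenter or from the Snort project: it builds a few IPv4/TCP frames from constructed values, decodes the headers with struct, and evaluates a deliberately tiny subset of Snort rule syntax (header fields, exact-match flags: and a single content: substring) against them. The rule texts, addresses, ports and sids are all constructed for the example.

```python
import socket
import struct

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def flags_value(letters):
    """Turn Snort-style flag letters such as 'SF' into the TCP flags byte."""
    value = 0
    for ch in letters:
        value |= TCP_FLAG_BITS[ch]
    return value


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP frame (checksums left zero) for offline testing."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode just enough of IPv4/TCP to reason about ports, flags and payload."""
    ihl = (raw[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = PROTO_NAMES.get(raw[9], str(raw[9]))
    pkt = {"proto": proto, "src": socket.inet_ntoa(raw[12:16]),
           "dst": socket.inet_ntoa(raw[16:20]), "sport": None, "dport": None,
           "flags": None, "payload": raw[ihl:]}
    if proto == "tcp":
        sport, dport, _seq, _ack, offset_byte, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
        doff = (offset_byte >> 4) * 4      # TCP data offset in bytes
        pkt.update(sport=sport, dport=dport, flags=flags, payload=raw[ihl + doff:])
    return pkt


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (key:value; ...)' into parts."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def rule_matches(rule, pkt):
    """Header fields use 'any' as wildcard; flags: is an exact match, content: a substring."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] != "any" and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["sport"] != "any" and int(rule["sport"]) != pkt["sport"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    opts = rule["options"]
    if "flags" in opts and pkt["flags"] != flags_value(opts["flags"]):
        return False
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


def run_rules(rules, packets):
    """Return (sid, msg) for every rule that fires on every packet, in packet order."""
    alerts = []
    for raw in packets:
        pkt = parse_packet(raw)
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((int(rule["options"]["sid"]), rule["options"]["msg"]))
    return alerts


# Constructed rules: one for a flag combination no legitimate handshake produces,
# one for the traversal pattern mentioned elsewhere in this thread.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any any (msg:"SYN and FIN set together"; flags:SF; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"directory traversal pattern in HTTP request"; content:"../"; sid:1000002;)',
]]

# Constructed traffic: a normal SYN, an odd SYN+FIN probe, a traversal attempt on
# port 80, and the same pattern on 8080 where the second rule does not apply.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, flags_value("S")),
    build_packet("10.0.0.5", "10.0.0.80", 40001, 80, flags_value("SF")),
    build_packet("10.0.0.5", "10.0.0.80", 40002, 80, flags_value("PA"),
                 b"GET /download?file=../../etc HTTP/1.1\r\n"),
    build_packet("10.0.0.5", "10.0.0.80", 40003, 8080, flags_value("PA"),
                 b"GET /x/../y HTTP/1.1\r\n"),
]


def detect():
    return run_rules(RULES, SAMPLE_PACKETS)


if __name__ == "__main__":
    for sid, msg in detect():
        print(sid, msg)
```

Reading a real Snort rule means knowing which of its options narrow the match (here only flags and content are honoured; modifiers such as depth, offset, nocase, pcre and the flow keyword are not implemented), and the exact-match semantics of flags:SF are what make the ordinary SYN in the first packet stay silent. Porting the rule to another IDS is then a question of expressing the same header constraints and the same byte test in that system's syntax.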
Re: (Score:3)
A good coverage of the technical stuff, I'll add some of my personal thoughts on "how to get there".
1) There is a community out there, find your place in it. Go to conferences, look for local meetup groups.
2) Become comfortable with PEOPLE. Many technical people are not, but you will be a LOT better at your job if you are. People build systems, people break them. A computer never wakes up in the morning and decides to hack something. If you understand people, you can guess what shortcuts they'll take a
You came to the right place! (Score:2)
Ignore the people saying your lack of programming "freshness" is a barrier. You could be the best/most productive programmer around here and still have no clue where to start digging for useful, relevant exploits you could abuse in any particular system you seem to be an expert in.
With that said, what you want to do is get yourself involved in the latest articles about zero day exploits, trojan horses, patch fixes, heartbleed, so on a so forth. You can get started right here on slashdot: any single search
Training resources (Score:3)
SANS training is pretty good, if you have the money (or can get work to pay for it). They start at the very basics and go up to advanced pen testing, reversing, etc.
Offensive Security has some good free tutorials and paid training, including lab work, for their OSCP/OSCE series of certifications.
Skip the CEH. I don't know anyone who takes that seriously, even if they have one. It's basically just an expensive way to prove you know netcat.
Re: (Score:2)
CEH is only a couple hundred bucks. Sure, having it doesn't mean you are an expert, but lots of paying "customers" like to see that kind of thing. And you can pass it in an afternoon if you have the skills.
Coursera course (Score:3)
You have limitations (Score:2)
You have limitations. Bad. You're aware of them. Good. Better than good, top quartile.
When you put the scare quotes round "new department" is that meant to imply that you're expected to do it all yourself? Hoping that's not the case, then the question comes down to what kind of person to recruit. If you're a Rolls, find a Royce. You'll get some management experience if nothing else.
Age is inconsequential, rock and roll! (Score:2)
I'm not going to entirely out my age, but I began my pen-testing career at age 42 - you must think I'm a wrinkled old grandpa; but I'm not....
Tell your boss you'll do it, but only if he sends you to several SANS training events, or at least coughs up for some SANS Ondemand training, then do the trainings, get the CERTS and rock and roll baby! SANS will get you up to speed on what yo
Mindset (Score:4, Insightful)
Probably the most important thing is to have the mindset for penetration testing.
You are no longer trying to keep things up and running, and making systems usable; you are looking for all of the ways to make things break in new and interesting ways. You have to think creatively - you have to think about what the system/network admin missed and/or how "best practices" fail in a given situation/on a specific system.
That's why a deep technical understanding in a lot of areas is very helpful - you learn how things interact, and how failures can occur in different areas. For example, does a software package add a user? Does it open a network port? How does it handle permissions? How is authentication done? How do systems rely on the network? How does the network rely on various systems (like a DNS server)? The more you know about all of the interactions between the system(s) and the network, the more attack vectors you can come up with.
30!?!? (Score:2)
I'm a 29 year old non-OS programmer who is learning Linux device drivers. My boss didn't ask me to learn it -- I told him I had to in order to continue doing my job. Get some textbooks, create a test/development environment you can use where you won't break anything, and go buckwild.
OWASP and PCI DSS (Score:2)
The Open Web Application Security Project [owasp.org] website is a great place to start browsing from, to investigate both pen testing and secure development.
I would also recommend getting some familiarity with the PCI DSS standard [pcisecuritystandards.org]. It is aimed at companies involved in online payments (and a bitch if you have to prove compliance.) However, when used as a descriptive framework rather than a prescriptive one, it's a great foundation for planning a company's IT security aspect.
I'm sure there's a bunch of other security stand
Re: (Score:2)
> I would also recommend getting some familiarity with the PCI DSS standard.
PCI DSS is full of bad advice: codifying specific technical measures, going off the deep end with dual control and unrealistic password management begging for the proliferation of sticky notes, and even promulgating dangerous advice on application of one way algorithms with inherently low entropy data.
It reads like a book of common wisdom written by someone who read security for dummies and now thinks they know everything.
Security standards for specific purposes tend to be so soaked in political calculations the
Go eat your applesauce, Grandpa (Score:5, Funny)
The software industry just isn't a place for changing direction or starting new things. I mean, come on - learning a new skill is disloyal to the older skills. If everyone just learned things willy-nilly, who would sort the punch cards anymore?
Just keep your head down - you probably only have 2 or 3 more good typing years left before you're too old to sit up or retain bowel control.
It's useless to learn pen testing... (Score:4, Insightful)
It's useless to learn pen testing... unless you also learn "pen fixing".
It's totally useless to know that there are problems there, but not how to fix them.
It's like going to a doctor, they tell you they have bad news and good news. The bad news is that you have cancer. The good news is that they scored 5 under par during their last round of golf. The second piece of information doesn't help resolve the first one. Unless you treat any disease you find, you haven't helped them, you've only made them feel like crap about something they can't do anything about on their own.
Typically, you want a "defense in depth" strategy, which means firewalls, DMZs, the whole nine yards. But learning how to use script kiddy tools to get in is not going to teach you the skills you are going to need if you want to keep someone else using those same script kiddy tools out.
It takes an almost entirely different mindset, and it does, in fact, take real skills -- almost the same skills you'd need to write those tools yourself, in order to write the code necessary to fix the problem so it can no longer happen. In other words, you not only have to know how the tool is getting in, to keep the tool from getting in. This can require substantial knowledge in systems and network architecture, and, if the way the tool happens to get in is via SQL injection, cross-site scripting, etc., etc., you will likely have to *minimally* know enough about the technology that's being exploited that you can fix it.
This is not the job for a single individual; it's a job for a team of at least several people (if they are incredibly good), or potentially a *lot* of people, if they are individually specialized to the point of being narrowly focussed in being able to go deep in only one or two areas.
The best advice I could give you is advice you are no longer able to take: learn this stuff while you are a minor, and unlikely to be put away for a felony, or learn this stuff prior to the electronic trespass laws going into effect in the mid to late 1980's. Both of these mean you've missed your window on getting a broad base of experience on a lot of disparate systems, of the type you'd be asked to pen test (or subsequently "pen fix").
Unless you are really wealthy - or your company is - and you are able to set up a lot of systems which, when you hack them, there's no risk that you'll end up in jail.
Other than that - there's some training available, but if you want to fix the problems you find, you have to think about systems as a gestalt, and you'll have to learn about networking and at least some types of programming, probably in considerable depth, to make up for your inability to legally acquire breadth, and then hire people to get breadth on your team.
Alternately, realize what I did the first day of kindergarten: I didn't want to go back after the first day "because they would not give me reading, writing, and arithmetic". In other words, this is not knowledge that someone can gift you with, it's knowledge that you'll have to fight to acquire, and it's not going to be easy for you.
Easy as 3.14159 (Score:2)
First off, start playing. Grab a free VM tool like VirtualBox, load up some raw Linux and Windows VMs in it, launch Kali, and start poking around. Break things, but in a manageable, recoverable, legal way. Never, ever, ever poke at something where you don't have written permission from the owner. If you want something a little less random, Lamp Security had some guided CTF exercises out there a few years ago that took you through the pen test process.
Look into formal training. In my experience, SANS has som
Do what everybody else does... (Score:2)
Just do what everybody else does.
Run Nessus on their stuff, put your name in the report, re-arrange a few things, and charge them $2500 for the "penetration test scan"
For extra bonus points, let it get caught in an infinite loop and submit the contact-us form 543,200 times before noticing it.
hope (Score:3)
Am I beyond hope?
Yes.
But not because you lack technical skills, those can be learnt. You're seriously working for a boss who thinks that he can turn a sysadmin into the head of a pentesting department by telling him to make it happen?
There's a lot that goes into a good pentest, and a reason that there are entire companies staffed with people who do essentially just that. It's not something you learn with a book on a few weekends. If your boss doesn't understand that, the result will be a disaster. And we already have too many people out there selling the printout of a Nessus scan as a penetration test.
What other comments said is spot on. Your boss needs to hire an experienced pentester, period. If he doesn't want to do that, there's no chance you'll be heading a pentesting department anytime soon.
PCI Compliance instead? (Score:2)
Get a book (Score:2)
Would be still doable if you were 60 (Score:2)
If you are passionate about the subject, it shouldn't take more than half a year to come up to speed. You will not be doing original research, just using existing tools. Your scripting background should come in handy here. Furthermore, satisfying legal regulations may be more about ensuring patches are installed and best practices are followed. Again, not too far from system administration. Relax and go for it.
Don't use the company as a playground (Score:2)
Your company needs to have proper penetration testing done. Hire/contract someone to do it.
This is one of those areas of computing where it is not a good idea to learn as you go and build up the skills and experience in-house, because any mistakes you make are going to leave the company liable and possibly cost them some serious money.
If you want to learn about it on your own time and play with the corporate systems to do it, and they have no problem with you doing that, then by all means go ahead and
If you're still breathing, you're not beyond hope (Score:2)
Penetration testing vs. vulnerability scanning (Score:2)
Penetration testing and vulnerability scanning are not the same thing.
It's not difficult to make vulnerability scanning a "value add", and then consult on how to fix the issues found. It's also a way to get your foot in the door to do more work, if you can create a good relationship with the client. Vulnerability scanning is reasonably easy (there are online services that you can resell). It's a good place to start, while you ramp up your skills.
Penetration testing is considerably more technical, and it
Re:Buy her a drink? (Score:4, Funny)
Re: (Score:2)
I think that would be a black hat approach.
Re: (Score:3)
I think penetration testing requires pretty good programming skills, particularly low level type stuff.
Not really. Running Metasploit doesn't require any programming skills. Writing your own tools, on the other hand, would.
Re: (Score:3)
Not really. Running Metasploit doesn't require any programming skills. Writing your own tools, on the other hand, would.
Yeah, pen testing, per se, can be scripted. It's what you do about it next that's usually part of the service.
The other day I found a security problem due to the way the linux and BSD kernels handle ARP in different circumstances, and the interaction there created an attack surface. If the guy doesn't know much about networks, he's going to have a hard time of getting into the nitty-grit
Re: (Score:2)
Hasn't ARP always been an attack surface (arp cache poisoning) ?
Re: (Score:2)
Running metasploit is "pentesting" only in the sense that microwaving a TV dinner is "cooking". If that's all you can do, you don't know jack.
Now, metasploit is a useful tool, in the same way that a microwave can be a useful tool even in a professional kitchen, but knowing when and how to use it to good effect is very different from just relying on it because you don't know how to do anything else. Finding the right target is a pretty important skill, for one thing. For another, there's a ton of stuff that
Re:Depends (Score:5, Insightful)
I think penetration testing requires pretty good programming skills, particularly low level type stuff.
The fact that you have not maintained any programming skills suggests that it is not something which interests you sufficiently to pursue it in your free time. I am skeptical that a person without an intense curiosity to understand how systems work at a low (i.e., code and assembly) level would find the motivation to develop the necessary programming skills and reverse engineering know-how to discover holes in systems.
But perhaps I am wrong and these skills are not required to be a successful penetration tester.
Why would it? Pen testers' jobs are not to write vulnerabilities. True, someone who knows how to write vulns will make a pretty good pen tester, but you don't need to know how to refine petroleum to be good at pumping gas. A basic pen tester needs these skills (in this order): 1) knowledge of current vulns across a wide variety of platforms, and a channel to keep up to date on the latest new vulns that come out, 2) knowledge of how to find if a vuln is present across a variety of platforms, using methods that don't involve "just give me root so I can check your versions" and 3) knowledge of how to actually run some/all of the exploits when the customer looks at your report of 13 high risk issues in disbelief.
To be a great pen tester you need one of two skills: programming knowledge to put together unique exploits on the fly, or diverse systems knowledge to know how to multiply existing vulns (exploit, pivot, repeat) in order to move from system to system.
Re:Depends (Score:4, Interesting)
Pedantic, but... Writing a vuln is dead easy. Here's one (compile this into a world-executable program with setuid:root):
#include <stdio.h>
/* gets() has no length bound: any input longer than 7 bytes overruns buf */
void vulnerable () {
    char buf[8];
    gets(buf);
}
int main () {
    vulnerable();
    return 0;
}
Writing a functional exploit, on the other hand, is a lot trickier, especially with all the exploit mitigation stuff found in modern operating systems (and libraries; some of them won't let you call gets() anymore by default). Fortunately, in my professional experience (4+ years of pentesting, both as part of a company's internal security team and as a security consultant), this is rarely requested. The client may want a PoC on occasion, if they think their stuff can't possibly be vulnerable, but even then it needn't do anything special or be robust across system configurations or anything.
Getting back to the core question: if you're going to be pentesting native code, especially whitebox testing where you are expected to review source code as well, you need to know C/C++, maybe Objective-C, maybe pre-.NET Visual Basic or even things like FORTRAN or COBOL if your client's codebase is old enough. For web apps, you need to know your HTML and JS, but it's also important to know HTTP - yes, the protocol - and browser security features like same-origin policy. For the server side of web stuff, there's a hundred different languages and probably ten times as many frameworks that you might need to know, but for the most part knowing PHP, Java, Ruby, at least one .NET language, and maybe Python is good enough for the vast majority of sites (add perl if you want to go old-school).
Scripting languages like Powershell and Python are actually really useful to a pentester, because you can knock together little utilities to try things out that way. Want to send a carefully crafted sequence of UDP packets, or decrypt all that stuff the client has "protected" with a hardcoded AES key and find their secrets? A few minutes of work will get you a tool that will save you lots of time in the future.
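As an added example (not code from the post above), here is the hardened counterpart of that gets() snippet: the stack buffer stays 8 bytes, but the read is bounded with fgets(), over-long lines are reported as truncated, and the leftover input is drained so the next read starts on a line boundary. It reads from a constructed in-memory stream via fmemopen (POSIX) so it runs without stdin; the sample input and the helper names are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

enum { BUF_LEN = 8 };   /* same size as buf[8] in the vulnerable snippet */

/* Bounded line read. Returns 0 when the whole line fit, 1 when it was
 * truncated to len-1 bytes (rest of the line is drained), -1 on EOF/error
 * before any data. buf is always NUL-terminated when len > 0. */
int read_line_bounded(FILE *in, char *buf, size_t len) {
    if (len == 0 || fgets(buf, (int)len, in) == NULL) {
        if (len) buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';            /* strip newline: whole line fit */
        return 0;
    }
    /* No newline: either EOF ended the line or it exceeded len-1 bytes.
     * Drain the remainder so it cannot be mistaken for the next line. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated;
}

/* Hardened version of vulnerable(): identical 8-byte stack buffer, but the
 * write can never run past it. Copies the result out with an explicit bound. */
int hardened(FILE *in, char *out, size_t out_len) {
    char buf[BUF_LEN];
    int rc = read_line_bounded(in, buf, sizeof buf);
    if (out_len) snprintf(out, out_len, "%s", rc < 0 ? "" : buf);
    return rc;
}

int main(void) {
    /* constructed input: a 20-byte line (would overflow buf[8] under gets),
     * then a short one */
    static const char sample[] = "AAAAAAAAAAAAAAAAAAAA\nshort\n";
    FILE *in = fmemopen((void *)sample, sizeof sample - 1, "r");
    char line[BUF_LEN];
    int rc = hardened(in, line, sizeof line);
    printf("rc=%d line=\"%s\"\n", rc, line);   /* rc=1 line="AAAAAAA" */
    rc = hardened(in, line, sizeof line);
    printf("rc=%d line=\"%s\"\n", rc, line);   /* rc=0 line="short" */
    fclose(in);
    return 0;
}
```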
Re: (Score:2)
You're confusing a penetration tester with a security researcher. Pentesters use existing tools and libraries of known exploits and test targets to see if they are vulnerable to those known exploits. There's lots of companies paying good money for that service.
Re: (Score:3)
That's right. Pen testers *could* have all those skills, and perhaps you want to hire that level of professional if you need solid gold security, but those people are usually researching new threats, not taking their time setting up testing for a stream of customers.
Most pen testers are there to fulfill pen test requirements in standards like PCI where something like Metasploit would be a sufficient "best effort", and actually pretty decent if you have someone who really knows how to use it. Companies are
Re: (Score:2)
Most pen testers are there to fulfill pen test requirements in standards like PCI where something like Metasploit would be a sufficient "best effort", and actually pretty decent if you have someone who really knows how to use it.
Pentester: "Authentication bypass and remote code execution were found in your Joomla installation, and SQL injection in just..every..field."
Admin: "So...what you're trying to say is put a WAF up?"
Pentester: "No..god no. Fix the issues, just run a couple patches and convert to prep
Re: (Score:2)
CISSP teaches you NOTHING about pen testing. If you want to really learn, go here: https://www.offensive-security... [offensive-security.com] It's good and cheap.
Re: (Score:2)
Re: (Score:2)
Too many people are focused solely on the "and pen testing" while ignoring the "security evaluation" part. Unless you can help mitigate the problems (which will often be in custom code) you'll embarrass yourself and your company on the first job. Which, since turds roll downhill, means you'll be out of a job, since your boss won't take any of the blame.
Your boss is clueless. Here's what you need to do
1. Agree with whatever he says
2. Use the time to find a new job
3. Result - Saved your Ass (which is a
Re: (Score:2)
Nah.. just be honest with the boss and tell him you aren't sure how to do it but are willing to learn. Then tell him from what you can tell so far, it will not be quick or cheap.
Write up a combination of the suggestions you get with an estimated time and costs so even if he decides to hire a pentester, he will have an idea of what to look for and salary as well as what to charge. If he decides to train you, you will have an idea of what to expect.
Re: (Score:2)
Except he's asking how to be a pen tester. What you suggest is not what he is looking for.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
You have no idea what you're talking about. And yes, I could say that more nicely, but that doesn't make your statement any less uninformed.
Yes, programming skills CAN be a bonus. A bonus. Not a requirement. Some of the best security people I know have a rather superficial knowledge of programming. Mostly, what you need is a way to automatize tasks. Python is the tool of choice today. And you hardly need any programming skills to use that.
Forget stuff like x86 assembler. Seriously. Forget it. Most of the st
Re: (Score:2)
You needn't be a crack driver to be a world class mechanic. You needn't be a master bricklayer to design a house. And you needn't be a coding wizard to be a good pentester.
Of course it helps. But it's not asked for. And, and this is the important part, it's not going to be paid for. That exploit you want to write, you won't. Nobody pays for this. What your customer wants is a report where you report that there is such a thing, preferably with a link to someone who already wrote one. Because that's the key t