Just A *few* Question

[Qsl1pKNOTP]

I'm not sure if this is in the right forum, but it seemed to be the best place to ask. I'm a Sophomore at a local university here and I'm majoring in "Computer Forensics," But basically I want to do pentesting as my job. So I just a few questions to ask. There's quiet a few though. Thanks for any responses

1) Is it worth knowing how to code Exploits from scratch? And assuming so, is there a specific platform that it's better to learn to code for/learn how to use intimately? Also seeing as most make a good use of Assembly in them, Does it come up very often where you actually *need* to code an exploit from scratch for a pentest?

2) Are there any Certifications that "stand out" from the others? I have considered taking a few of the ones offered here (Such as PWB/CTP), but are there any others that may not be "required" but look good/ are actually good to take? Also are there any certain types of "internships" I should look into doing instead of others?

3) I also realize I probably won't start off with the pentesting, so what other "jobs" would I be doing until the company allowed me to?

4) Kinda with Question 1, is there a baseline that companies use more than others? (For example, do more companies seem to choose Nessus over Metasploit?)

5) Do companies generally help with "research" in things? Like when the OSX Kernel expoitation paper was published on Phrack, would a company see it and request an exploit for it, or would one generally make something like that on their own time and use it at work?

Thanks for any answers . And I tried searching for these things, but some of the pages were sketchy to say the least. That and you guys are smarter!

[sickness]

Where do you guys get these questions from. They are not related to Backtrack and there are like 4 different topics with the same questions.

1. Everything you want to learn is worth learning, depends on your time. And the question about the pentes, depends on who you are pentesting.

2. The offensive security certs are very cool, you can also do CEH if you want and I'm pretty sure that if you used google you might have come up with the answeres.

3. Man that really depends on the company, I mean if you're working in a Pentesting Company you can't be a salesman.

4. Nessus is a vulnerability scanner and Metasploit is an exploitation framework ... they work great together.

5. I'm not sure if I understand this question very well but ... Depends on every exploit and if they are good the will just make their own exploits.

[lupin]

1) Is it worth knowing how to code Exploits from scratch? And assuming so, is there a specific platform that it's better to learn to code for/learn how to use intimately? Also seeing as most make a good use of Assembly in them, Does it come up very often where you actually *need* to code an exploit from scratch for a pentest?

Its a nice thing to know, but it may not be needed for the majority of pentests, especially web app pentests. If it doesnt interest you, and you want to pick up skills required for basic pentesting, it wouldn't be the first thing Id suggest you learn.

2) Are there any Certifications that "stand out" from the others? I have considered taking a few of the ones offered here (Such as PWB/CTP), but are there any others that may not be "required" but look good/ are actually good to take? Also are there any certain types of "internships" I should look into doing instead of others?

Depends who you ask and what job market you are thinking of applying in. I like the OSCP, GPEN and GWAPT as pentesting credentials, but thats just my opinion. Id recommend checking the job ads in the location in which you want to apply for these sort of jobs and check what they ask for. I think you'll find its probably more likely that they will focus on skills and experience rather than certs.

3) I also realize I probably won't start off with the pentesting, so what other "jobs" would I be doing until the company allowed me to?

Development, systems/network administration, computer security grunt work, helpdesk, etc. Any of those would be reasonable jobs to start in if you're thinking of eventually getting into pentesting.

4) Kinda with Question 1, is there a baseline that companies use more than others? (For example, do more companies seem to choose Nessus over Metasploit?)

Not really, although some products in certain niches are more popular than others. Some of the main product niches in the space are exploitation frameworks, vulnerability scanners, web application scanners, host/port scanners, service and OS detection scanners, and interception proxies. There are also a bunch of other niche tools that are important to know about in the areas of information gathering and exploitation.

If you're asking because you want to know which tools you should learn, Id say definitely learn Metasploit and nmap, because its very likely that you will have a use for both in a future penetration testing career. For the other tools in the other categories there are valid reasons for chosing one of a number of different options.

5) Do companies generally help with "research" in things? Like when the OSX Kernel expoitation paper was published on Phrack, would a company see it and request an exploit for it, or would one generally make something like that on their own time and use it at work?

What type of companies are you talking about? A big company (multiple 1000's of employees) with a dedicated in house security team might do this. A company that specialised in providing IT Security services might as well. The majority of companies probably wouldn't.

[Qsl1pKNOTP]

Where do you guys get these questions from. They are not related to Backtrack and there are like 4 different topics with the same questions.

1. Everything you want to learn is worth learning, depends on your time. And the question about the pentes, depends on who you are pentesting.

2. The offensive security certs are very cool, you can also do CEH if you want and I'm pretty sure that if you used google you might have come up with the answeres.

3. Man that really depends on the company, I mean if you're working in a Pentesting Company you can't be a salesman.

4. Nessus is a vulnerability scanner and Metasploit is an exploitation framework ... they work great together.

5. I'm not sure if I understand this question very well but ... Depends on every exploit and if they are good the will just make their own exploits.

Well Honestly I asked because it seemed like the best place to ask with people I KNOW have real experience. Or at least fake it incredibly well enough to put together BT/host a forums/have multiple tuts etc.

Also by baseline I meant something that a company would derive most of its exploits from.

But thanks to you both for answering

[sickness]

Well I don't think they will make an exploit on their own if that exploit exists already ... they could search on the exploit-db ^^

[thorin]

I'm not sure if this is in the right forum, but it seemed to be the best place to ask. I'm a Sophomore at a local university here and I'm majoring in "Computer Forensics," But basically I want to do pentesting as my job. So I just a few questions to ask. There's quiet a few though. Thanks for any responses

1) Is it worth knowing how to code Exploits from scratch? And assuming so, is there a specific platform that it's better to learn to code for/learn how to use intimately? Also seeing as most make a good use of Assembly in them, Does it come up very often where you actually *need* to code an exploit from scratch for a pentest?

Being able to code is always a good thing. Whether you just need to be able to read some javascript during a web application assessment, tweak an existing exploit so that it'll work against a particular target, or writing shell scripts to make your life easier you'll never be upset that you took time to do a few coding classes. An important thing to remember is almost all languages are the same, there is no right or wrong language to learn (a loop, is a loop, is a loop....each language may use slightly different syntax but the concept is always the same).

2) Are there any Certifications that "stand out" from the others? I have considered taking a few of the ones offered here (Such as PWB/CTP), but are there any others that may not be "required" but look good/ are actually good to take? Also are there any certain types of "internships" I should look into doing instead of others?

This can depend where you live and what you plan to do. CISSP is widely recognized as an industry standard, unfortunately it requires some experience ahead of time. The ISECOM/OSSTMM certs are a very good basis for methodical approach to testing and are popular in Europe and Mexico and gaining in North America. CEH is also a industry standard that is often asked for on Gov't contracts and RFPs (personally I think CEH is kinda weak but that's just my opinion...anyone can memorize tool switches if needed).

3) I also realize I probably won't start off with the pentesting, so what other "jobs" would I be doing until the company allowed me to?

Really anything in IT is good, especially positions that build your trouble shooting skills.

4) Kinda with Question 1, is there a baseline that companies use more than others? (For example, do more companies seem to choose Nessus over Metasploit?)

Nessus and Metasploit are apples and oranges (not apples and apples).

5) Do companies generally help with "research" in things? Like when the OSX Kernel expoitation paper was published on Phrack, would a company see it and request an exploit for it, or would one generally make something like that on their own time and use it at work?

Google seems to have some people that do this type of "research", MS probably does too, not many other companies really do (i.e.: researching kernel or other vulnerabilities/exploits).
Development of exploits is usually not something general companies do. Some companies may have IT folk that will throw something together that later gets contributed to metasploit and as a nessus plugin etc but I'd say this is the exception rather than the rule.
It's hard to make time for "research" or "exploit development" when you're trying to make money.

[lupin]

Also by baseline I meant something that a company would derive most of its exploits from.

OK, the products that Im aware of that provide exploits are Core Impact, Canvas, Saint Exploit and Metasploit (there are commercial services that offer access to exploits too, as well as exploit packs for Canvas and maybe the other apps as well, but Im not listing those). Nessus doesn't include any exploits, its a vulnerability scanner. If a company had copies of any of those tools that is the most likely place they would look first for their exploits, depending on what they were trying to achieve. Using exploits from those tools means you don't have to check it first see if its doing something bad (although you should still test it before using operationally), AND it means you can integrate the exploit with the other capabilities of the tool you are using (sometimes you don't want this however).