
Thread: Becoming a Successful Pentester

  1. #1
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    23

    Becoming a Successful Pentester

    Being a pentester is my dream job. I'm just asking for a few pointers to complete the journey. Right now I'm in my third year of college shooting for a BS in computer science. But the school only really has one quarter of "internet security". I need more than that.

    I know just for the heck of it I will shoot for a few certifications. I know some of you probably don't believe I need them and that's fine. But for those who do have some certs, what do you recommend?

    What kind of OSes for servers should I set up on a network? Obviously anything Windows, but I'm not quite sure what Linux OSes I should set up.

    What kind of programs should I run on the servers? Web servers, mail servers, FTP, SSH... you name it. Any books on the subject of setting up computer networks would be greatly appreciated.

    Right now I have a pretty extensive knowledge of network basics, particularly the OSI model, handshakes, the different types of packets and what's contained in the headers.

    I also have a great deal of understanding of Metasploit, sniffers, network scanners... My only real problem is a lack of knowledge of the things network administrators might screw up while setting up networks, like forgetting to change admin passwords. That's what I am hoping to change.

    Any responses are greatly appreciated.

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Re: Becoming a Successful Pentester

    1. Right now I'm in my third year of college shooting for a BS in computer science. But the school only really has one quarter of "internet security". I need more than that.

    A college degree is almost crucial these days in my opinion. Even if you don't learn anything, a degree says that you have the ability to complete 4 years of college, which is no small feat in my opinion. Unfortunately you are right, most schools don't teach anything cutting edge, but it's a great place to learn the fundamentals.

    2. I know just for the heck of it I will shoot for a few certifications. I know some of you probably don't believe I need them and that's fine. But for those who do have some certs, what do you recommend?

    No matter what anyone says, certs matter. Human Resources is trained to look for certs: Network+ and Security+ and all that type of stuff. I say get them if you can.

    3. What kind of OSes for servers should I set up on a network? Obviously anything Windows, but I'm not quite sure what Linux OSes I should set up.

    Most Linux servers in the real world are Red Hat. CentOS is the community fork of Red Hat, so learning on these would be the way to go. You could also study for the Red Hat cert, which is well respected.

    4. What kind of programs should I run on the servers? Web servers, mail servers, FTP, SSH... you name it. Any books on the subject of setting up computer networks would be greatly appreciated.

    Try them all and learn how to configure them. Once you learn why they fail, then you can learn how to break into them.

    5. Right now I have a pretty extensive knowledge of network basics, particularly the OSI model, handshakes, the different types of packets and what's contained in the headers.

    Good! Most people miss the basics because they want to jump right into the "cool" hacker stuff.

    6. I also have a great deal of understanding of Metasploit, sniffers, network scanners... My only real problem is a lack of knowledge of the things network administrators might screw up while setting up networks, like forgetting to change admin passwords. That's what I am hoping to change.

    I would highly recommend the following things:

    1. Set up a test LAN at home
    2. Sign up for the Offensive-Security classes
    3. Learn a scripting or programming language

    All the best hackers I know were network admins and programmers first. Those are the essential skills.

  3. #3
    Liuser (Junior Member)
    Join Date
    Apr 2010
    Posts
    58

    Re: Becoming a Successful Pentester

    This is just my experience and the road that led me to becoming a pentester:

    I did my Comp Sci undergrad at UC Santa Barbara (renowned for their security research) and took their security course. I thought they were going to teach me the magic to hack. It was an obscure skill at the time. Instead, they taught the high-level aspects of security (similar to the material in CISSP). However, these fundamentals are important to understand, especially the sensitive ethics surrounding it. There were certain things where we went into detail, such as creating your own buffer overflow exploit, which was a great benefit later on. If you take the class, pay attention and don't be discouraged - the high-level concepts they teach you are still very important. They're building your foundation so that you will have the necessary skills to go out there and do your own self-learning on the subject.

    You will be a sufficient coder when you finish your CS degree. That will benefit you greatly when you need to read code or create your own tools. Take a database course as well.

    It really should go without saying, but the more you know the better. When I first graduated from college I worked as a developer. We had a security team at our company, and they would take me out to shadow them during their pentests. I would help them with basic things like scanning, or doing whatever else they told me to do. It was humbling watching them; even though I had a CS degree and knew how to code, I felt like I knew absolutely nothing when I watched them work.

    Then I transitioned from a developer to an IT consultant. The IT consultant portion exposed me to a myriad of different technologies and environments. You pick up small things here and there on each gig (configuring AD, configuring syslog, using LDAP, pulling from databases, using various flavors of Linux and Unix, etc.).

    Soon, I started to sign up for online security courses and did tons of reading of any book I could get my hands on.

    In a nutshell, the above skills made learning security much easier for me. Foundation, foundation, foundation!!!!
    Last edited by Liuser; 06-01-2010 at 03:31 AM.

  4. #4
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    23

    Re: Becoming a Successful Pentester

    This summer when school's out I'm gonna bust out my Network+ textbook and actually try for the cert. I actually remember the exact moment I figured out how sniffers work, when my professor was explaining how routers ask for the MAC addresses of the computers attached to them.

    I also feel that I'm fluent enough in Linux to try and tackle Red Hat. I'm also slightly new to scripting and prefer bash over DOS, although I have yet to actually experiment with PowerShell. The only true experience I have in scripting is a simple script to help aid in capturing credit cards over open wifi.

    Through school I'm also fluent in Java and the Structured Query Language, and I'm currently studying C++. I understand SQL injections and buffer overflows, but I have yet to actually create the correct query or source for the exploits. Is Oracle very different from SQL?

    My current setup includes my MacBook with BackTrack 4 Final in Fusion, a netbook running Linux Mint 7, a Windows PC with BT4 Final on a VM, and an old but still running IBM ThinkPad laptop as my guinea pig victim. All of which is hooked up to my cheap Netgear router. A small network, but enough to experiment with.

    Also, do pentesters actually develop exploits specific to a computer network while testing it? Or is that job left to a different type of computer security person who only develops exploits?

  5. #5

    Re: Becoming a Successful Pentester

    - really enjoy infosec and be 100% committed (means you will never have the usual 8x5 job)
    - university is good, but far from teaching you the full picture of infosec - you need job practice, practice, practice
    - learn as many basics as possible; a good pentester has to understand all OSI layers + the human
    - research as much as possible and test your skills on a regular basis (certifications, hacking challenges, home lab)
    - don't focus only on pure technology; an advanced and great pentester also understands the necessary holistic view of infosec these days (get the CISSP, CISM, CISA certifications)
    - learn to be organized and to love documentation (many times not really a strength of many pentesters!)
    - create from the very beginning your local knowledge repository (organized documentation of the major infosec domains, ebooks, templates (highly recommended), past event presentations, cheat-sheets etc.)
    - read, read, read infosec news on a daily basis (don't get lost trying to understand every bit of what's going on, or you will be lost - focus is the key, and knowing where to get the right information when you need it!)


    INFOSEC is so exciting, even if many people ignore the fact that it is quite complicated and time consuming, and you will never get the 'banker bonuses' (I don't need them; I know at one point even bankers are online ;-)

    /brtw2003
    Last edited by brtw2003; 06-01-2010 at 07:02 AM.

  6. #6
    lupin (Super Moderator)
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Becoming a Successful Pentester

    Quote Originally Posted by stevo937:
    Is Oracle very different from SQL?
    SQL as in MS SQL Server or as in ANSI SQL? You will find that each major DBMS has its own flavour of Structured Query Language, so you need to write SQL statements with your target database in mind.

    Quote Originally Posted by stevo937:
    Also, do pentesters actually develop exploits specific to a computer network while testing it? Or is that job left to a different type of computer security person who only develops exploits?
    Some pentesters will do that. It depends on the skill of the tester, the requirements of the job and the time available to perform it.

    As to the general question of how to become a successful penetration tester, the others posting here have already made many good points. I will add that certifications are useful when actually getting past that first step of a hiring process. The certifications that I would consider to be good for a pentester are OSCP and some of the SANS certs such as GPEN, GWAPT and GAWN. CEH is well known but I don't think much of it (that's a fairly common point of view), and there are also a few from ISECOM that may be OK but which I'm not too familiar with (OPS-T/A/E).

    I'd also mention that you would be very fortunate indeed for your first job to be as a pentester. As already mentioned, most people do start as a developer or net/sysadmin before they start doing security work. I started as a systems admin, which I did for about 6 years before I moved to a security job.

    I will also reiterate what others have already said about foundational skills being important. At a bare minimum you need an excellent understanding of TCP/IP networking, and the ability to navigate the command line to perform systems admin style tasks in Windows and Linux, to be a successful pentester. You also need the ability to write and the ability to understand the higher-level aspects of security so you can properly determine and explain to the client the business impact and risk ratings for issues you discover during a test. And you need to know how to prevent the attacks that you have launched, so you can give actionable recommendations to the client, and you must be able to meticulously document your work and stick to a proper testing methodology.

    Hope that helps.
    Last edited by lupin; 06-03-2010 at 07:02 AM.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  7. #7
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    23

    Re: Becoming a Successful Pentester

    Computer security is incredibly exciting to me. I love it. Packetstormsecurity.org is my homepage. I'm constantly checking their page for updates on recent news. theregister.co.uk is another website I like to visit. And as long as it's pentesting, or anything of that nature, I'm willing to work any hours. I once read an article on happyhacker.org about a guy that was 22 years old working on the 22nd floor of a building with all kinds of tools. He was legally breaking into banks earning a six-figure salary, but would have easily done the job for free. That's exactly how I feel.

    But I understand I'll have to be patient. Being a sysadmin or developer wouldn't be a terrible thing to start out in, probably quite fun. As long as it'll aid me in the end I'm willing to do it.

    And I have a huge folder with all the notes I've taken over the past few years. It's not really organized, and I feel I should have a physical binder of some sort.

    Luckily my father is a network admin/engineer and I've worked for him before, and one of the biggest things he's taught me is to document everything. Not something I particularly enjoy, but I know it's important at least.

    All the suggestions have been awesome and appreciated! Thanks guys!
