What goes into a Penetration tester

[machv]

I'm sure that title can generate a lot of jokes anywho movin' on...

I want to become a Penetration Tester. And the more I research the subject the more confusing it seems to become. I also want to be able to write my own tools etc... So I have started learning Python2.7, MIT's 6.00 Computer Science course youtube lectures, and downloaded a bunch of PDF's on Computer Science, Ethical Hacking, etc...

I have also looked into various courses on the subject and found a mountain of information that will take me well on into my 70's to finish reading. So I have come here to ask you guys where and what I need to learn in order to become a certified Pentesting nerd (and I say nerd lovingly). I live in Canada so any course/certification needs to hold weight in my country. I am also poor as hell and cannot afford to waste money on courses that will not help me achieve my goal. Thanks for your time and have a great day

[sickness]

Here are the best of the best. Truly worth it, take my word on this.

http://www.offensive-security.com/

[scottm99]

Let me first give the disclaimer that I don't do pen-testing for a living (yet), but computer/network security is part of my job I can recommend Gray Hat Hacking: The Ethical Hacker's Handbook (still gleaning good nuggets of info from that). Also will recommend any of the Hacking Exposed books (specifically Hacking Exposed 6, Hacking Exposed: Windows, Hacking Exposed: Web Applications, Hacking Exposed: Wireless). Perhaps attending some local hacking conferences would help.

Do you currently have the I/T background to do security? What I mean is stuff like: networking skills, programming experience, hardware experience, etc. If not, I'd definitely get comfortable with the pre-requisites before plunging into security.

[Dudeman02379]

Here are the best of the best. Truly worth it, take my word on this.

http://www.offensive-security.com/

Agreed. I have both my OSCP and OSCE. The courses are inexpensive and will give you a great starting point for Pentesting.

[Reamer]

How much programming knowledge is required to feel comfortable? I basically don't have any but I am working on a degree in computer networking and will have my CCNA after this Fall semester. In the Spring I am taking a course that touches on script coding but doesn't go much in depth. Depending on how it goes I will take the second one as well but there is only these 2 classes at my college that even touch programming in Python, Ruby, or the other popular one (getting late, memory failing). After I graduate and have the time is when I will be taking the OSWP AND OSCP courses and I just want to be prepared the best I can in a reasonable manner.

[ewiget]

Just fyi, you can take all the courses in the world for pentesting and you can read all the documentation on the internet about pentesting, and I am sure you will at least have the basics methodology down. However, I have stated numerous times that pentesting and any other IS field is more a frame of mind than anything, i.e. thinking outside the box. Its more than just book smarts and trying to cover everything is asking for disaster. Pick a subject that interests you and MASTER IT. I am saying this after having been in the field since late 90's and also having taught numerous college courses in the subjects. Some people have the necessary book smarts but don't have the desire to apply it outside of the classroom.

[NoxSec]

I am kind of in the same boat as you. From the advice I have been getting a 4 year degree really helps, even if it isn't a infosec degree. As far as classes I have been told that you get a lot more out of boot camps than traditional college classes. I have not yet been to one, mainly because they are so damn expensive, but will eventually. As for just learning things on your own, there's tons of resources online. However, I would look into books as well, it seems people tend to forget about them and they are usually ten times better than the stuff you find online. I would also say don't be afraid to practice in the real world, because you are going to have to learn anything. Just do not do any thing too stupid. At least that's what I am trying to do.

Oh, and pick up a programming langue even if you don't want to.

[scottm99]

Good points, ewiget I, too, am a relative graybeard in computing. Most of my professional life has been in programming, so that's my main strength. However, having a good networking background, and hardware experience has helped my coding skills, and vice versa.

[hitmen]

A little off topic here but where can I hack to get income of probably 500-600 a month.
I am a student and short of cash. Do something legal and within my interest will be good.
Anyone know of a good place to start?

[scottm99]

You might be able to hire on, part-time, with a local computer repair shop. In many places like this, the staff is light on security experience. But these places always getting in boxes that have been blitzed with some sort of malware, or customers asking "How can I protect myself?". This comes second-hand, and you definitely won't get rich doing this kind of work, but it'll mean some money in your pocket.