New to pentesting and have a few questions...

[secz0ne]

First I'd like to say hello as this is my first post on this board. Just some background; I've been casually using linux on and off since around 2000. I've played with Fedora, Ubuntu and others. However, I am primarily a Mac OS X user. I have some experience working with C and ObjC as well as some shell scripting. I rarely use windows and have never been a fan. I've always had an interest in computer security but I am just beginning to explore it more seriously and it appears that BT is a great starting point. I have been tinkering with BT5 for about a week now and have managed to learn a few things.

Currently, with the help of a few tutorials, I've managed to figure out how to crack WEP, attempt to crack WPA 1/2 and conduct a couple different types of MiTM attacks. I've also played around a bit with Nessus and Metasploit as well. I've managed to conduct successful MiTM using sslstrip and arpspoof though I have run into a bit of trouble with that. The attacks have not been successful against an up to date ubuntu box using both FireFox and Chrome. It was entirely successful against IE under Win7 but only partially successful against chrome under Win7. For instance attacks against gmail and PayPal would NOT work against Chrome where with IE they did. I haven't researched it yet but I would guess that chrome will not allow gmail, paypal, etc. to be used via unsecured HTTP and though I haven't attempted an attack using WebMiTM with a forged certificate but I would assume that chrome likely has built in protection against that sort of attack. Also I can't seem to conduct a SSL/MiTM attack using ettercap...

If anybody has any input on the above or has experienced similar scenarios please let me know. Also if someone could suggest some good starting points for MiTM attacks it would be greatly appreciated. I'm interested in a straight forward method for forging legit looking certificates. Obviously they would be privately signed and thus untrusted but I'm curious to know if there is a database of commonly used legit certs(gmail, yahoo, etc.) that can be used for forging self-signed ones.

Nessus and MetaSploit are excellent tools, I managed to gain a root shell on a test router which was pretty cool. The problem is once I get there I'm not sure where to go next to maintain access, whether it be a linux system or a windows system. I'm trying to take this step by step but with the amount of available tools that are included with it can quickly become overwhelming. I'm not super familiar with backdoors and being fairly unfamiliar with windows(a quite common target system!) it makes maintaining access fairly difficult. I suppose in the above mentioned scenario of the router I could have compiled netcat for ARM and placed it on the target router to use as a future back door or could have installed sslstrip on the router itself. Just a thought.

Also if anybody is familiar with any useful scripts that would be great too. WiFite, for example is extremely useful and certainly speeds things up. Don't get me wrong, I'm not one to rely on scripts and if I do use them I generally like to understand exactly what they are doing as they don't always work properly, they aren't super dynamic and if I don't do that I don't really learn anything. I generally script complex tasks as its more convenient and much easier than memorizing complex syntax. I know this post is fairly broad but any help on any of the above would be much appreciated.

TIA,
secz0ne

[scottm99]

While I'm not a security pro (I wear the hat at work from time-to-time), here's my take...practice, study, and training. Definitely get comfortable with networking, and having a programming background would be good, too. If you have the $ and time, I'd check out Offensive Security (the training arm of BackTrack). I haven't taken any classes myself, but they are on my to-do list.

Here's another link which may help.