Common mistakes every newbie pentester makes

docrice Member Posts: 1,706
We get a lot of newcomers who want to get into pentesting, so this might be of interest:

https://rawhex.com/2014/12/the-common-mistakes-every-newbie-pentester-makes/
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • JoJoCal19 California Kid Mod Posts: 2,821 Mod
    Thanks docrice, great article.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • cgrimaldo Member Posts: 439
    Great article!
  • philz1982 Member Posts: 978
    Thanks for the share but seriously? These are the common mistakes? Holy crap batman! I thought the issues were going to be things like accidentally dos'ing networks or wiping out databases with a bad insert statement.

    -Phil
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,667 Admin
    The "Not Storing Evidence" section should be renamed to "Document and Save as You Go."

    I would also add sections on "Not Able to Reproduce Results" for not having a resettable testing environment (usually provided by working from VMs) and "Not Knowing Time Saving Tricks." There are a lot of tricks not specific to pentesting, but useful to pentesting, that save a lot of time, such as how to easily convert between data formats (e.g., CSV to SQL), write useful SQL and LDAP queries, carving (log) file data using Excel, and Google hacking for information. Few things are more time-wasting than having to stop pentesting so you can teach yourself how to do something new that you need to get the job done. Those are expensive lessons learned on a fixed-rate job.
  • impelse Member Posts: 1,236
    Good article. When I took one pentest training the instructor always repeated the saying: if I am going to cut a tree and it will take three hours, then I will spend more of my time sharpening my tools.

    I cannot imagine updating your tools onsite and your VM crashed, lol
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • john13619 Member Posts: 10
    Thanks for this article
  • octobersveryown Member Posts: 7
    As a wannabe pentester, this is great for me. Thank you!

    P.S. I have created a thread at http://www.techexams.net/forums/security-certifications/107789-am-i-going-down-right-path.html. Any guidance would be appreciated!
  • yzT Member Posts: 365
    I completely disagree with the using of the output of tools in a report. In fact, I consider this a must-have; you just have to put it in the right place. In one place, you provide intelligence on the findings; in the other (usually, an annex) you **** the output of the tools.