Common mistakes every newbie pentester makes

docricedocrice Member Posts: 1,706 ■■■■■■■■■■
in Other Security Certifications
We get a lot of new-comers who want to get into pentesting, so this might be of interest:

https://rawhex.com/2014/12/the-common-mistakes-every-newbie-pentester-makes/
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
· Share on FacebookShare on Twitter

Comments

  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    Thanks docrice, great article.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
    · Share on FacebookShare on Twitter
  • cgrimaldocgrimaldo Member Posts: 439 ■■■■□□□□□□
    Great article!
    · Share on FacebookShare on Twitter
  • philz1982philz1982 Member Posts: 978
    Thanks for the share but seriously? These are the common mistakes? Holy crap batman! I thought the issues were going to be things like accidentally dos'ing networks or wiping out databases with a bad insert statement.

    -Phil
    Read my blog @ www.buildingautomationmonthly.com
    Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
    · Share on FacebookShare on Twitter
  • JDMurrayJDMurray Admin Posts: 13,091 Admin
    The "Not Storing Evidence" section should be renamed to "Document and Save as You Go."

    I would also add sections on "Not Able to Reproduce Results" for not having a resettable testing environment (usually provided by working from VMs) and "Not Knowing Time Saving Tricks." There are a lot of tircks not specific to pentesting, but useful to pentesting, that save a lot of time, such as how to easily convert between data formats (e.g., CSV to SQL), write useful SQL and LDAP queries, carving (log) file data using Excel, and Google hacking for information. Few things are more time-wasting than having to stop pentesting so you can teach yourself how to do something new that you need to get the job done. Those are expensive lessons learned on a fixed-rate job.
    Forum Admin at www.techexams.net
    --
    Credly
    LinkedIn
    Twitter
    · Share on FacebookShare on Twitter
  • impelseimpelse Member Posts: 1,237 ■■■■□□□□□□
    Good article. When I took one pentest training the instructor always repeat the saying: if I am going to cut a tree and will take three hours then I will spent more of my time sharping my tools

    I cannot imaging updating your tools onsite and your vm cashed, lok
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

    · Share on FacebookShare on Twitter
  • john13619john13619 Member Posts: 10 ■□□□□□□□□□
    Thanks for this article
    · Share on FacebookShare on Twitter
  • octobersveryownoctobersveryown Member Posts: 7 ■□□□□□□□□□
    as a wannabee pentester, this is great for me. Thank you!

    p.s. I have create a thread at http://www.techexams.net/forums/security-certifications/107789-am-i-going-down-right-path.html. Any guidance would be appreciated!
    · Share on FacebookShare on Twitter
  • yzTyzT Member Posts: 365 ■■■□□□□□□□
    I completely disagree with the using of the output of tools in a report. In fact, I consider this is a must-have, just you have to put it at the right place. At one place, you provide intelligence on the findings, at the other (usually, an annex) you **** the output of the tools.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.