Penetration Tester

I think the idea of penetration testing is exciting. Eventually, I wouldn't mind working my way into something along those lines.
What should be my next certification? I just finished MCP (290) and Security+ today. (I kind of posed this question in the middle of another thread, but I wanted to get it out there to this forum).
Thanks in advance!
Comments
I'd focus on developing a solid understanding of *nix and/or Windows, networking, a programming language or two (Python would be a good place to start), and pentesting tools. You're not going to be able to adequately hack or secure something you don't fully understand, which is why it's imperative that you master the fundamentals first.
As far as pentesting certs go, I'd go CEH > OSCP > GPEN. It would probably be advantageous to add something broader like the SSCP in there as well.
I really want to be able to get myself a resume that will get me interviews for jobs within the penetration testing realm. I am the biggest people person ever. I'm overly confident
That makes sense. I can't wait to start the computer science degree. I am sure that will help tons for the programming. I really should mess with our unix servers more. I don't really have to do much on them that would get used outside the military life. We have ... other .. purposes for them.
I always hear that C|EH is extremely outdated. Is that so? At least it is becoming more well known.
I think it's a good introductory cert to get. However, it's not going to make you an ethical hacker/pentester or land you a job on its own.
You should also start playing around with Backtrack and getting acquainted with those tools.
I suggest you master the technologies you're working with, and get certified on it. Then you can move to Pen testing or to a security related position.
Say if you are a Windows admin, get MCSE: Security, and then you can do security related tasks. It will be easier to move from that to Pen testing.
As far as getting a job, getting a degree and having some security coursework will help you a lot. Experience is the most important thing though. I've interviewed for a couple of security positions and it always came down to experience (which kept me from getting the jobs). Final thing is to try to get an idea of what security area you'd like to focus on. Network (get Cisco or Juniper certs), Operating Systems (Linux and Windows Certs), looking over code (knowing a language helps), Physical Security (military experience helps), Risk Assessment, Disaster Recovery (those two usually go hand in hand).
Your military background, clearance, and IT job have you set up perfectly. Get a degree and certs, then you will be beating employers off with a stick. You are heading in the right direction and I believe you will be very successful. Good luck! (now let the security people on here give you the wisdom you seek!)
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
Is it still worth getting MCSE? My most recent plan is to stop working in August 2010 and be a full time computer science student at the University of Washington. Will MCSE still hold merit by then? If so, would it hold more merit than say working on C|EH and SSCP, and maybe a SANS cert (I can get a voucher for it)?
My interests definitely lie very strongly in networking and operating systems.
I appreciate the kind words. Sometimes just a few words can lead to a lot of motivation.
I recommend you become part time Computer Science student and never stop working, if you can.
Your plan is better. Yes, a CEH and SSCP will help you much more to land a pen testing job; 4 years' experience is enough to understand the technologies you worked on.
So good luck.
Personally I recommend:
CEH, OSCP, GPEN, CISSP.
CISSP will get you the money
1. The Navy won't pay for C|EH, but will give me a voucher all the way to MCSE.
2. I feel somewhat comfortable with the objectives of 291.
3. If I choose Vista as the OS (I have 0 experience with Vista), I'll get two certs at once.
profile: linkedin.com/in/astorrs
Another course, which is significantly less expensive, is the Offensive Security class by Offensive-Security.com - Professional Security Training and Services. These are the guys that actually put together the BackTrack CD. My coworker is doing both the GPEN and the Offensive Security stuff and it's outstanding also.
All of that being said, the only way to get any good at pen testing is to actually do it. The material is all good but without the application it's nothing. Get used to the process of network scanning (sweeping, port scanning, vuln scanning), exploiting, then documenting. Set yourself up a pen testing lab. I am currently running Win2k SP2, Win2k SP4, WinXP SP2, and Server 2k3 Enterprise in VMware. I also have Damn Vulnerable Linux with some vulnerable services running as well. Having a wide array of target machines to hit will improve your skills greatly.
Learn Nmap, Nessus, and Metasploit. These three tools will at least get you down the right track to scanning, identifying vulns, then breaking the boxes.
CCNA Security | GSEC |GCFW | GCIH | GCIA
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
UNIXGuy: Money? What's that? Just kidding. I'm up for my first promotion since obtaining my CISSP in December. So, we will see how valuable it is to my company. If nothing else, I need the promotion so I can look at jobs that are above the next job code to really make the money.
In regards to a pen testing career, do yourself a favor and check out the DIY Ethical Hacking career over at The Ethical Hacker, The Ethical Hacker Network - DIY Career in Ethical Hacking. You can also check out the Pen Testing Summit (The Ethical Hacker Network - Interview: SANS Pen Test Summit Part 1 - Ed Skoudis) with some of the most notable pen testers in the industry like Ed Skoudis (Counter Hack), HD Moore (Metasploit), and Johnny (I Hack Stuff) Long.
“We build our computer (systems) the way we build our cities: over time, without a plan, on top of ruins” - Ellen Ullman
I wish that the Navy would pay for the GPEN. It pays for GSEC though.