Looking for a Pen Testing Mentor

tombowyer2007 Registered Users Posts: 1 ■□□□□□□□□□
I am new to the IT cert process, been working in IT for about 6 years now without a degree or a single cert. I will be enrolling into WGU here in August for the B.S. IT program with an emphasis on security. I am looking for a sort of road map into the Pen Testing field, as this is my dream job. Here is a little background information on me: Veteran, did 5 years in the Air Force. Worked as an IT Specialist for the DHS. Working in the gaming IT market now, which I hate. I have been playing with BackTrack 5 a lot but really can't do the things I want to try as they are illegal without permission. I also have been working on my programming skills. My first cert I want is Net+ then Sec+ and CCNA after that. I have two 2500s and a 2950 at my disposal (b-day present from the wifey). I guess what I'm trying to get at here is that I am looking for a sort of mentor to teach me the do's and don'ts of pentesting.

Thanks

Comments

  • YuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    I would suggest getting your CCNA, Sec+, and possibly some Linux certification before you start pushing for a Pentest mentor. Those certifications will put you in a good position to start pentesting, as well as asking the right questions to a mentor.

    I was in your position a while ago, wanting to do pentesting but there's so much you need to know to become just a "decent" pentester. I would get a firm foundation in networking, Windows, Linux, and possibly BASH/Python...then you'll be in a good place to start pentesting.
  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m Pasadena, CA Mod Posts: 4,133 Mod
    I agree with YuckTheFankees. After you have some decent skills, I would recommend downloading BackTrack and learning the basics from the forums at backtrack-linux.org. If you get the basics down, you could always go for formal training at Offensive Security Training and Professional Services. I also saw a booth for thehackeracademy.com before but I've heard lukewarm reviews on them and they're not pentest specific. Hopefully that gets you on the right track.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Daniel333 Member Posts: 2,077 ■■■■■■□□□□
    I'd say go ahead and finish your CCNA: Security and MCSE: Security while getting active in your user community. Check back in with us after you have that cert under your belt. These core skills will certainly help.
    -Daniel
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • the_hutch Banned Posts: 827
    If you are wanting to start PenTesting, I highly recommend these two books. One covers wireless hacking with BackTrack 5. The other covers PenTesting with BackTrack 4 (the 5 edition for this has not been released yet). If you get the ebooks, they are really cheap. I paid approx $40 for both. Each book will go through step by step instructions on how to set up your lab so that you can practice different types of attacks. The labs do assume the reader has at least a basic understanding of bash shell commands and TCP/IP fundamentals.

    Amazon.com: BackTrack 5 Wireless Penetration Testing Beginner's Guide (9781849515580): Vivek Ramachandran: Books

    Amazon.com: BackTrack 4: Assuring Security by Penetration Testing (9781849513944): Shakeel Ali, Tedi Heriyanto: Books
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    There's a lot of interest in becoming a pentester these days, but I think a lot of people who are thinking of pursuing it don't realize that the technical aspect is a small part of it. You really need to document and research well. Perhaps in many cases, you have to be able to really explain your findings and back up your claims because clients may not always agree, in which case you better be prepared to detail and defend your methodology.

    Exploitation is probably the smallest part of the exercise.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • the_hutch Banned Posts: 827
    The EH network has a decent community. But the website is run by retards...
  • YuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    What do you mean?
  • the_hutch Banned Posts: 827
    I tried to apply for an account. They then sent my password back to me in plain text. I then pointed out to them that for a security website, they aren't really following best practices. Then I'm pretty sure they deleted my account because I was never able to log on. When I emailed them and told them, they said they couldn't find an account for me. At that point...I just gave up.
  • the_hutch Banned Posts: 827
    "Have you seen my baseball?"
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    docrice wrote: »
    There's a lot of interest in becoming a pentester these days, but I think a lot of people who are thinking of pursuing it don't realize that the technical aspect is a small part of it. You really need to document and research well. Perhaps in many cases, you have to be able to really explain your findings and back up your claims because clients may not always agree, in which case you better be prepared to detail and defend your methodology.

    Exploitation is probably the smallest part of the exercise.

    Excellent point
  • zenhound Member Posts: 93 ■■□□□□□□□□
    Doing the documentation portion sounds fun to me, too. I've always wondered if having communication/writing skills could be useful in IT.
  • joshmadakor Member Posts: 495 ■■■■□□□□□□
    the_hutch wrote: »
    The EH network has a decent community. But the website is run by retards...
    I laughed at this. I always wonder why organizations store passwords in plain text. I feel like websites that do this will take advantage of the fact that many people use the same password for everything and get into your ****.

    "Oops, we have your email address that you registered with as well as your password you use for everything, thanks for that!"
    WGU B.S. Information Technology (Completed January 2013)
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    I forgot to add to look for "Metasploitable". It's a VM image of a vulnerable machine. You can use BackTrack to break into the machine. I also suggest reading Metasploit: The Penetration Tester's Guide.

    Metasploitable - Metasploit Unleashed
  • the_hutch Banned Posts: 827
    jamesleecoleman wrote: »
    I forgot to add to look for "Metasploitable". It's a VM image of a vulnerable machine. You can use BackTrack to break into the machine. I also suggest reading Metasploit: The Penetration Tester's Guide.

    Metasploitable - Metasploit Unleashed

    +1 ....awesome recommendation
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Thanks!

    It's really fun trying to break into this machine. There are some guides to do it online but it's even better trying to break in without the guides.
  • noobsrevenge Member Posts: 29 ■□□□□□□□□□
    Listen close and you'll be able to practice hacking away till your heart's content.

    Install VMware
    Install GNS3
    Set up something like the following

    The clouds only represent virtual network adapters connecting my GNS topology to actual VMware images. Thus you can connect as many OS's as your computer can handle to GNS. Throw a Metasploitable webserver in there, a Windows server, either throw BackTrack on the same LAN or across a WAN and practice different scenarios etc.