Calling all Penetration Testers

Hi

I was hoping to get some advice from anyone in, or pursuing a career as a penetration tester.

How rewarding do you find the job?

Does the job keep you interested or can it become boring?

What skills make a good pen tester?

What study path would you recommend to someone starting out?

To be a good pen tester what level of scripting and Linux skills do you need? (I don't have either)

I come from a network and network security background which I think will serve me well as a pen tester. I have performed vulnerability assessments and remediation for a few years with Nessus but not performed any pen tests. It sounds like I may need to get some Linux skills and was thinking of doing the comptia Linux+ course. I'm not sure where to start with scripting though. I have also been looking at CEH, or a CREST course. I'm also reading Hacking Exposed at the moment.

If anyone can give any advice around this it would be much appreciated. I'm currently considering where to take my career next and pen testing could be an option.

Find more posts tagged with

Comments

Cyberscum

What about pen testing interests you? For most pen testers I know, it is not a job to them. They love to do this stuff in their free time etc...

MrAgent

You will definitely need a solid understanding of Linux. Having some scripting skills is also beneficial as it can really help when trying to modify exploits for your needs.

I would suggest learning python, and start working with Linux.

lsud00d

L+ and CEH will kind of help you with pen testing, but that's just more so book knowledge. OSCP is of more pertinent value towards this line of work. Linux is crucial though. Python is great for scripting (and tools like Scapy) and Metasploit is written in Ruby so both are great tools to have in your toolbox.

Since you have CCNP:S you obviously understand the TCP/IP stack, ports, tunneling, VLAN's, ACL's, firewall, etc side of things. That gives you a big leg up. In addition, the Cisco way of things gives you a jump on the *nix CLI.

Also, doing vuln assessments + remediation via Nessus is good because you should be familiar with the typical classes and types of vulnerabilities.

I recommend getting familiar with OWASP: https://www.owasp.org/index.php/Category:Attack

RTFM is a good field guide: Rtfm: Red Team Field Manual: Ben Clark: 9781494295509: Amazon.com: Books

Run through Metasploit unleashed : http://www.offensive-security.com/metasploit-unleashed/Main_Page

And Malware Forensics is great for analyzing code, namely in memory. It goes into varying detail of how to spot intrusions/attacks (typically post-mortem) and gives a lot of good ideas of what kinds of things to do in a pen test, depending on the extent and scope of the engagement. http://www.amazon.com/Malware-Forensics-Investigating-Analyzing-Malicious/dp/159749268X

Disclaimer: I'm not a pen tester and I don't work in security, however I do this for fun on the side and participate in various events/groups outside of work geared towards cyber security.

cjthedj45

Cyberscum wrote: »

What about pen testing interests you? For most pen testers I know, it is not a job to them. They love to do this stuff in their free time etc...

I have recently found myself doing a security management role this involves planning security strategy, developing policy and procedure, some people management, risk management, and delivering PCI compliance. I was fortunate enough to be offered the role as it was an old company I used to work for. However I really miss the hands on stuff. I used to do a lot of hands on security management such as firewall reviews, IPS management, System Hardening and vulnerability assessments and remediation. I Enjoyed all the vulnerability assessment work and got quite good at remediating vulnerability or applying mitigation or compensating controls. I like the idea of penetration testing because its hands on technical work and a new discipline for me to expand on.

cjthedj45

MrAgent wrote: »

You will definitely need a solid understanding of Linux. Having some scripting skills is also beneficial as it can really help when trying to modify exploits for your needs.

I would suggest learning python, and start working with Linux.

cool, thanks for the advise. Do you think Python would be a good starting point for someone with no programming experience? There seems like a lot of free training for Linux online so may utilise this initially.

cjthedj45

lsud00d wrote: »

L+ and CEH will kind of help you with pen testing, but that's just more so book knowledge. OSCP is of more pertinent value towards this line of work. Linux is crucial though. Python is great for scripting (and tools like Scapy) and Metasploit is written in Ruby so both are great tools to have in your toolbox.

Since you have CCNP:S you obviously understand the TCP/IP stack, ports, tunneling, VLAN's, ACL's, firewall, etc side of things. That gives you a big leg up. In addition, the Cisco way of things gives you a jump on the *nix CLI.

Also, doing vuln assessments + remediation via Nessus is good because you should be familiar with the typical classes and types of vulnerabilities.

I recommend getting familiar with OWASP: https://www.owasp.org/index.php/Category:Attack

RTFM is a good field guide: Rtfm: Red Team Field Manual: Ben Clark: 9781494295509: Amazon.com: Books

Run through Metasploit unleashed : http://www.offensive-security.com/metasploit-unleashed/Main_Page

And Malware Forensics is great for analyzing code, namely in memory. It goes into varying detail of how to spot intrusions/attacks (typically post-mortem) and gives a lot of good ideas of what kinds of things to do in a pen test, depending on the extent and scope of the engagement. Malware Forensics: Investigating and Analyzing Malicious Code: Cameron H. Malin, Eoghan Casey, James M. Aquilina: 9781597492683: Amazon.com: Books

Disclaimer: I'm not a pen tester and I don't work in security, however I do this for fun on the side and participate in various events/groups outside of work geared towards cyber security.

Great reply thanks. I have been doing some more research today and it would seem that the CEH is a bit fluffy! It may look good on the CV but does not really give you the in depth training. CREST look like they offer some decent certifications. I think this would be more comparable to OSCP. To pass the CREST exam you need to do a practical and written exam. They also offer and entry level exam CRT (Crest Registered Tester) and the next certification up is called the CCT (Crest Certified Tester) and you can either do the CCT in infrastructure or application. I would do infrastructure as this is where my strengths are. Thanks for all the links I will check them out.

--chris--

lsud00d wrote: »

RTFM is a good field guide: Rtfm: Red Team Field Manual: Ben Clark: 9781494295509: Amazon.com: Books

There is also a BTFM now: Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder.: Don Murdoch GSE: 9781500734756: Amazon.com: Books

Rev 2 of the book is supposed to be out before Christmas, fyi.

Good list in this thread so far...

cjthedj45

--chris-- wrote: »

There is also a BTFM now: Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder.: Don Murdoch GSE: 9781500734756: Amazon.com: Books

Rev 2 of the book is supposed to be out before Christmas, fyi.

Good list in this thread so far...

Thanks for the link. Looks like a good book and lots of good reviews on Amazon. Thank you.

MrAgent

Python is a great starting language.
I would also suggest taking a look at The Hacker Playbook
http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1494932636/ref=sr_1_1?ie=UTF8&qid=1414689563&sr=8-1&keywords=the+hacker+playbook

cjthedj45

MrAgent wrote: »

Python is a great starting language.
I would also suggest taking a look at The Hacker Playbook
http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1494932636/ref=sr_1_1?ie=UTF8&qid=1414689563&sr=8-1&keywords=the+hacker+playbook

Cool, thanks. Looks like another good book. Lots of reading to be getting on with then! This is the first review of the book on Amazon which sound encouraging.

"I have been a Pentester for over 10 years so when I read The Hacker Playbook I wasn't expecting much difference from the previous books I have read. After finishing the book I was pleasantly surprised to find this is a true playbook. This book covers a pentest from the beginning to the end covering go to techniques to some new ones. This book will be by my side during my next pentest to help me navigate any binds I get in or techniques I forget about."

Nersesian

I don't know if this will help or not, but I'm in something of the same boat. For the next 18 months, I'm going to be concentrating exclusively on security completing WGU's MS Information Security and Assurance program which outlines the ten CISSP domains. I expect to feel the same way about the CEH and CHFI, but its part of the curriculum and why not right? At the conclusion of the program, I'll sit for the CISSP and then start work on the OSCP. I'm going to focus on the management side of the house since it matches my background a little more closely, so YRMV.

cjthedj45

Nersesian wrote: »

I don't know if this will help or not, but I'm in something of the same boat. For the next 18 months, I'm going to be concentrating exclusively on security completing WGU's MS Information Security and Assurance program which outlines the ten CISSP domains. I expect to feel the same way about the CEH and CHFI, but its part of the curriculum and why not right? At the conclusion of the program, I'll sit for the CISSP and then start work on the OSCP. I'm going to focus on the management side of the house since it matches my background a little more closely, so YRMV.

Hi Nersesian my understanding is that the CEH and CHFI are good entry level qualifications, but do not make you a pen tester by any means. As a manager these certs should complement your role as they will give you a broad understanding, but wont go deep enough to make you a fully versed pen tester. Do you have managers experience? I made the jump from techie to security manager but I have not got on well with the role at all. It may also be to do with where I work at the moment as things are hectic and people are walking each week. My experience as a manager has been frustrating and very stressful. It has involved managing projects, managing people and trying to get them to do things they don't really even care about and a hell of a lot of chasing people. The manager type roles to seem to be more lucrative as you are accountable for more. I do feel there is less skill involved in being a manager though in my opinion. If you are a good project manager and have a fairly good IT background you could possibly do the job, but this would not be the same for a technical role. To become a techie takes time a lot of experience and learning and I sort of resent this manager type role I have found myself in as I'm not utilising all my techie skills. If your background is in management though its probably a good way to go for you. I have only been doing it for a year but have struggled.