Slashdot Mirror


Ask Slashdot - Breaking Into Penetration Testing At 30

An anonymous reader writes: I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and my skill/knowledge of any kind of programming language is extremely lacking, as I have slacked off in that department. However, I've been working with PowerShell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?

9 of 205 comments

  1. Start doing penetration tests by Muros · · Score: 5, Informative

    If you don't know where to start, try something like Kali. Have a play around with Metasploit as well.

    1. Re:Start doing penetration tests by Fire_Wraith · · Score: 4, Informative

      More specifically, don't use it against anything other than a system (or better yet, a virtual machine) you yourself personally own. Do NOT run any of it on your company's network without written authorization.

    2. Re:Start doing penetration tests by sumdumass · · Score: 4, Informative

      Written authorization is extremely important. And save it.

      I did some work for a law firm once who kept getting their email servers blacklisted. One or more of the workstations were infected with some spamming trojan. Anyways, to make a long story shorter, I set up a system between the router and switch and logged every packet for a day or so after I ran Wireshark and found the offending workstations. I created an email account on their server with the CTO's verbal permission and had the logs sent to it. This was primarily to avoid flooding my account and so I didn't need access to the admin account. I was looking for unsolicited incoming connections but found the trojans went to an IRC channel and downloaded a list of commands to specify the spam, and if it couldn't complete that task, they blasted copies of itself to contacts and the last lists of addresses it did download.

      I cleaned the computers and updated them. I did a run with Nmap with the results going to that same email address. I ran a few other scans with the same email address, and then the existing IT and I updated all the workstations and servers, turned off unnecessary services and ran the MS hardening tool on the one server new enough to support it.

      Fast forward two years and I have a sheriff knocking on my door claiming to have a warrant to take my computers and arrest me. Turns out a new IT took over that law firm, someone got bored and started snooping through people's email accounts and stumbled on all the logs. In that account were a few emails I sent from my real address saying "is this working". And of course my sig with my name and phone number. No one remembered what we did and they were trying to charge me with a felony.

      I spent 4 hours at the sheriff's office while they tracked down the old IT guy, who vouched for me. That wasn't enough, and the CTO from that time got cancer or something and wasn't around to say anything. I had to get a coworker to find the billing for the time and bring it in. The prosecutor told the sheriff to release me, but it was another 3 days before I was notified all charges were dropped and got the papers to pick my computers up.

      If something had happened to the old IT guy, or if he had decided he didn't remember, I likely would still be screwing with it. I have made sure I had written authorization ever since.

  2. cybrary.it/course/advanced-penetration-testing/ by Anonymous Coward · · Score: 3, Informative

    http://www.cybrary.it/course/advanced-penetration-testing/

  3. OSCP Cert by Anonymous Coward · · Score: 4, Informative

    I would say look at a cert like Offensive Security Certified Professional (Penetration Testing with BackTrack). It's been a while since I did the curriculum; I think it was worth it and learned a lot.

  4. Its Never Too Late by Anonymous Coward · · Score: 5, Informative

    Hi, I work in the general cyber security industry. I would advise against heading this type of project given your current lack of experience. Penetration testing largely involves running scripts and tools that are mostly automated, and then interpreting the results to determine how to proceed (running the scripts and tools again but against a more well-defined target) and repeating until you are in. That is one part of it. A second part is analyzing a company's complete security posture; this involves more than the technical systems, it involves the people that run/maintain/protect the technical systems and analyzing how well they do (or don't do) that (how easily they fall victim to social engineering, who has a level of access that is unwarranted, where the weak points are in terms of people/policy/implementation, etc.).

    I would not go into this with little previous experience. I would definitely hire someone with experience to be a part of this before proceeding.

    Now, on to learning. If you want to be competent in cyber security, you should know the following (this is my opinion, don't take this is gospel, compare my suggestions to others):

    Networking. Be intimately familiar with layers 1-4 of the stack. Know all aspects of TCP/IP (v4; v6 is still not widespread and will not be too hard to learn if you master v4). All aspects, not the basics; this is a necessity. You will not be able to identify that one odd TCP packet with weird flags set or the malformed DNS request if you don't know what a normal TCP packet looks like.
    As a test, answer this question with an essay: "What happens when I open up a browser and type google.com and hit enter?" (Assume all caches are flushed on all devices, your own equipment and the network equipment you are traversing.) If your answer is not very long, then you most likely are missing some of the interactions that took place.

    Tools. You need to know tools for analyzing network traffic, and diving deep into network traffic. Wireshark is one of the most popular programs for inspecting pcaps; get very familiar with this tool. Learn how to do the same sort of searching and poking about you do in Wireshark with command line tools. Learn what BPFs are. Most useful security tools are *nix based. You absolutely need to become at least comfortable with operating out of the *nix command line (no GUI) and know basic *nix tools. There is no way around this.

    Knowledge of python and shell scripting has been very helpful to me. You do not necessarily need to know how to program in python or in the shell script of your choice (though it helps bunches) but you do need at a minimum to be able to read and figure out what code is doing, and to make minor modifications to get programs to do what you need.

    Hacking. You need to know how hacking takes place. Not at the script-kiddie level of "run this and the system is hacked" but closer to the hardware level. Know how different hack attacks work, know what features or lack of features of the hardware/OS (things like DEP, ASLR, protected memory pages/ring 0-3, userspace vs kernelspace) make the hacks even possible (buffer overflow, stack smashing, heap sprays, unsanitized inputs, etc.). This requires some understanding of computer architectures.

    Become familiar with internet RFCs. Know what the popular options are for intrusion detection. Learn how to read Snort signatures, since there are many of them (when I say learn to read the Snort sig, that means you can take a Snort signature, understand what it is trying to detect, and then be able to write a rule or signature based off of that in whatever IDS system you are using, if you have something different/in addition to Snort).

    Read a lot. Do whatever work in the field you can. Learn. Don't stop learning, because the adversaries are not, and your intimate knowledge of computer security circa 2014 is not going to protect you or your organization from the new hacks happening now. (Lots of hacks are recycled and reused long after they have been patched/mitigated (due to poor patch management/security procedures), so knowing what was happening in previous years does help a lot, but still never stop learning.)
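The advice in the comment above is to know what a normal TCP packet looks like before trying to spot the odd one with strange flags. The following is an added example, not part of the original post or any comment: a small Python header walker that parses raw IPv4/TCP packets straight from bytes (the same fields you would read off a Wireshark pane) and names the flag combinations a legitimate connection never produces, which are the patterns port scanners send. The addresses, ports and packets are constructed inline for the demonstration; the parser checks header lengths and the protocol field but does not verify checksums or reassemble anything.

```python
"""Walk raw IPv4/TCP headers and flag TCP flag combinations no normal session produces."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# The six classic TCP flag bits (low byte of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes

    def flag_string(self) -> str:
        return "|".join(name for bit, name in FLAG_NAMES if self.flags & bit) or "(none)"


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpPacket]:
    """Parse one raw IPv4 packet carrying TCP.

    Returns None for anything that is not a well-formed IPv4+TCP packet: wrong
    IP version, short or truncated headers, or a non-TCP protocol number.
    Checksums are not verified; this is a header walker, not a network stack.
    """
    if len(frame) < 20:
        return None
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < ihl:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    if total_len < ihl + 20 or len(frame) < total_len:
        return None  # IP length field promises less than a full TCP header, or bytes are missing
    if frame[9] != 6:  # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4  # TCP header length in bytes, options included
    if data_off < 20 or len(tcp) < data_off:
        return None
    flags = off_flags & 0x3F  # keep URG/ACK/PSH/RST/SYN/FIN; CWR/ECE/NS are ignored here
    return TcpPacket(src, dst, sport, dport, flags, tcp[data_off:])


def classify_flags(flags: int) -> str:
    """Name flag combinations that never occur in a legitimate TCP conversation."""
    if flags == 0:
        return "NULL scan: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN+FIN: illegal combination"
    if flags == FIN | PSH | URG:
        return "Xmas scan: FIN+PSH+URG without ACK"
    if flags & SYN and flags & RST:
        return "SYN+RST: illegal combination"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "FIN/PSH/URG without ACK: neither a handshake nor an established segment"
    return "normal"  # SYN, SYN|ACK, ACK, PSH|ACK, FIN|ACK, RST and RST|ACK all land here


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int,
                payload: bytes = b"", proto: int = 6) -> bytes:
    """Constructed test input (not a capture): a minimal IPv4+TCP packet, checksums zeroed."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def audit(frames: List[bytes]) -> List[str]:
    """Return one finding per packet whose flags are abnormal; non-TCP frames are skipped."""
    findings = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is None:
            continue
        verdict = classify_flags(pkt.flags)
        if verdict != "normal":
            findings.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flag_string()}] {verdict}")
    return findings


# Constructed sample traffic: one ordinary HTTPS exchange plus four scanner probes (hypothetical hosts).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 51234, 443, SYN),
    build_frame("10.0.0.20", "10.0.0.5", 443, 51234, SYN | ACK),
    build_frame("10.0.0.5", "10.0.0.20", 51234, 443, PSH | ACK, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 51234, 443, FIN | ACK),
    build_frame("10.0.0.99", "10.0.0.20", 40000, 22, 0),                # NULL scan
    build_frame("10.0.0.99", "10.0.0.20", 40001, 22, SYN | FIN),
    build_frame("10.0.0.99", "10.0.0.20", 40002, 22, FIN | PSH | URG),  # Xmas scan
    build_frame("10.0.0.99", "10.0.0.20", 40003, 22, FIN),              # FIN scan
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

The point of writing the parser by hand is the one the comment makes: once you have walked the version/IHL byte, the total-length field, the protocol number and the data-offset nibble yourself, the "weird flags" and malformed-length cases stop being mysterious, and the same five checks map directly onto what an IDS rule has to express.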

  5. Re:Get certified by jeffmeden · · Score: 3, Informative

    Get certified.

    >> my boss approached me about offering security evaluation and penetration testing to customers in our area

    Because it might at least mitigate the damage after your company gets sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)

    Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn alongside them... while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)

    That's a bit overgeneralized. Trustwave is under fire because the breach in question was of a (supposedly) PCI-DSS compliant system, which Trustwave was partly responsible for setting up and validating, a basically impossible task when the system has that much surface area. So, the lesson learned is don't work on PCI-DSS unless the system is so small that you can personally verify each component yourself. I really doubt this anonymous company is going to be winning a contract with a major national retailer to install/validate a PCI-DSS network, considering many larger companies are already in that market with, you know, actual credentials.

    The takeaway should also be, before selling your service, get a lawyer (or a bunch of them) to draft a very detailed customer agreement to protect you. Also, get insurance just in case.

  6. Re:NMAP by valdezjuan · · Score: 5, Informative

    And this is why there are a ton of shitty 'pentesters' out there who seem to mistake running Nessus or Nmap scripts for a penetration test. No, it's not 'secret' knowledge and can easily be learned if you want to spend the time, but running Metasploit doesn't make you a pentester.

    Like defenders, pentesters generally need to find all the vulnerabilities (sadly many customers accept the first one which ends up being a scoping issue) and understand how to mitigate anything that was discovered/exploited. That requires an understanding of protocols, networking, applications, web frameworks, etc.. I have found that the best tend to have the capacity to think maliciously. IMO, that is a critical skill. I have seen far too many people that just don't understand why anyone would want to abuse a protocol, which makes them substandard pentesters.

    As for the original question, there are plenty of tools out there that can help you learn. Metasploitable, WebGoat, Kali, SamuraiWTF (disclosure, I am good friends with the lead for that), ZAP, Burp Suite (Pro is great and super reasonable). If you have corporate funding, there are some decent trainings out there: Offensive Security has their classes (and certs; I have heard mixed results). There is also SANS, which I have been increasingly disappointed with, but if you want a bunch of knowledge shoved in your head (at a pretty high dollar cost), they tend to do it. Also, some drift more towards network pentesting or application; personally, I think people should be versed in both (leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS).

    For cheaper options there are bunch of books that can teach you a ton of 'tips and tricks' around pentesting (web Hackers Handbook 2nd Edition is particularly good). Having a solid background as a sysadmin makes it much easier IMO (my background is similar), since you are most likely familiar with troubleshooting, networking, multiple OS's and what not.

  7. Re:NMAP by Anonymous Coward · · Score: 2, Informative

    if I thought it was insecure I'd either bring the service offline or make it report garbage on their scans

    That is like hiding broken parts from your mechanic.