Ask Slashdot - Breaking Into Penetration Testing At 30

An anonymous reader writes I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies area are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and skill/knowledge of any kind of programming language is extremely lacking as I have slacked off in that department. However, I've been working with Powershell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?

Get certified

[xxxJonBoyxxx]

Get certified.

>> my boss approached me about offering security evaluation and penetration testing to customers in our area

Because it might at least mitigate the damage after your company get sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)

Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn along them...while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)

Legal as well as Technical

[Fire_Wraith]

One thing you need to keep in mind is that Penetration Testing isn't just about the technical aspects. You need to be up to speed on all the legal aspects, not just in terms of know what laws govern the particular industry/company you happen to be conducting a test for, but in terms of liability. You really don't want to wind up finding yourself accused of breaking the law, whether state or federal, in the course of your job - and without a degree of caution, that's certainly not an impossible thing.

Remember, most of what gets done in any penetration test worth a damn would otherwise be illegal on any number of levels if you were doing it without the express authorization of the owner of those systems. Make sure you know what you're doing, and that the lawyers sign off on it first so that your company is covering your butt if anything goes bad.

Re:Depends

[cbhacking]

Pedantic, but... Writing a vuln is dead easy. Here's one (compile this into a world-executable program with setuid:root):
#include <stdio>
void vulnerable () {
    char buf[8];
    gets(buf);
}
int main () {
    vulnerable();
}

Writing a functional exploit, on the other hand, is a lot trickier, especially with all the exploit mitigation stuff found in modern operating systems (and libraries; some of them won't let you call gets() anymore by default). Fortunately, in my professional experience (4+ years of pentesting, both as part of a company's internal security team and as a security consultant), this is rarely requested. The client may want a PoC on occasion, if they think their stuff can't possibly be vulnerable, but even then it needn't do anything special or be robust across system configurations or anything.

Getting back to the core question: if you're going to be pentesting native code, especially whitebox testing where you are expected to review source code as well, you need to know C/C++, maybe Objective-C, maybe pre-.NET Visual Basic or even things like FORTRAN or COBOL if your client's codebase is old enough. For web apps, you need to know your HTML and JS, but it's also important to know HTTP - yes, the protocol - and browser security features like same-origin policy. For the server side of web stuff, there's a hundred different languages and probably ten times as many frameworks that you might need to know, but for the most part knowing PHP, Java, Ruby, at least one .NET language, and maybe Python is good enough for the vast majority of sites (add perl if you want to go old-school).

Scripting languages like Powershell and Python are actually really useful to a pentester, because you can knock together little utilities to try things out that way. Want to send a carefully crafted sequence of UDP packets, or decrypt all that stuff the client has "protected" with a hardcoded AES key and find their secrets? A few minutes of work will get you a tool that will save you lots of time in the future.