Slashdot Mirror
Ask Slashdot - Breaking Into Penetration Testing At 30
An anonymous reader writes I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies area are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and skill/knowledge of any kind of programming language is extremely lacking as I have slacked off in that department. However, I've been working with Powershell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?
At 30?
You're young.
Do whatever you want.
If you don't know where to start, try something like Kali. Have a play around with Metasploit as well.
I think penetration testing requires pretty good programming skills, particularly low level type stuff.
The fact that you have not maintained any programming skills suggests that it is not something which interests you sufficiently to pursue it in your free time. I am skeptical that a person without an intense curiosity to understand how systems work at a low (i.e., code and assembly level) would find the motivation to develop the necessary programming skills and reverse engineering know-how to discover holes in systems.
But perhaps I am wrong and these skills are not required to be a successful penetration tester.
Why would it? Pen testers jobs are not to write vulnerabilities. True, someone who knows how to write vulns will make a pretty good pen tester, but you don't need to know how to refine petroleum to be good at pumping gas. A basic pen tester needs these skills (in this order): 1) knowledge of current vulns across a wide variety of platforms, and a channel to keep up to date on the latest new vulns that come out, 2) knowledge of how to find if a vuln is present across a variety of platforms, using methods that don't involve "just give me root so i can check your versions" and 3) knowledge of how to actually run some/all of the exploits when the customer looks at your report of 13 high risk issues in disbelief.
To be a great pen tester you need one of two skills: programming knowledge to put together unique exploits on the fly, or diverse systems knowledge to know how to multiply existing vulns (exploit, pivot, repeat) in order to move from system to system.
Hi, I work in the general cyber security industry. I would advise against heading this type of project given your current lack of experience. Penetration testing largely involves running scripts and tools that are mostly automated, and then interpreting the results to determine how to proceed (running the scripts and tools again but against a more well defined target) and repeating until you are in. That is one part of it. A second part is analyzing a company's complete security posture, this involves more than the technical systems, it involves the people that run/maintain/protect the technical systems and analyzing how well they do (or dont) do that (how easy they fall victim to social engineering, who has a level of access that is unwarranted, where the weak points are in terms of people/policy/implementation, etc.
I would not go into this with little previous experience. I would definitely hire someone with experience to be a part of this before proceeding.
Now, on to learning. If you want to be competent in cyber security, you should know the following (this is my opinion, don't take this is gospel, compare my suggestions to others):
Networking. Be intimately familiary with layers 1-4 of the stack. Know all aspects of TCP/IP (V4, V6 is still not widespread and will not be too hard to learn if you master V4). All aspects, not the basics, this is a necessity. You will not be able to identify that one odd TCP packet with a weird flags set or the malformed DNS request if you don't know what a normal TCP packet looks like.
As a test, answer this question with an essay: "What happens when I open up a browser and type google.com and hit enter." (assume all caches are flushed on all devices, your own equipment and the network equipment you are traversing). If your answer is not very long, then you most likely are missing some of the interactions that took place)
Tools. You need to know tools for analyzing network traffric, and diving deep into network traffic. Wireshark is one of the most popular programs for inspecting pcaps, get very familiar with this tool. Learn how to do the same sort of searching and poking about you do in wireshark with command line tools. Learn what BPF's are. Most useful security tools are *nix based. You absolutely need to become at least comfortable with operating out of the *nix command line (no gui) and know basic *nix tools. There is no way around this.
Knowledge of python and shell scripting has been very helpful to me. You do not necessarily need to know how to program in python or in the shell script of your choice (though it helps bunches) but you do need at a minimum to be able to read and figure out what code is doing, and to make minor modifications to get programs to do what you need.
Hacking. You need to know how hacking takes place. Not at the script-kiddie level of "run this and the system is hacked" but closer to the hardware level. Know how different hack attacks work, know what features or lack of features of the hardware/OS (things like DEP, ASLR, protectected memory pages/ring 0-3, userspace vs kernelspace) make the hacks even possible (buffer overflow, stack smashing, heap sprays, unsanitized inputs, etc). This requires some understanding of computer architectures.
Become familiar with internet RFCs. Know what the popular options are for intrusion detection. Learn how to read snort signatures since there are many of them (when I say learn to read the snort sig, that means you can take a snort signature,understand what it is trying to detect, and then be able to write a rule or signature based off of that in whatever IDS system you are using, if you have something different/in addition to snort).
Read alot. Do whatever work in the field you can. Learn. Don't stop learning, because the adversaries are not, and your intimate knowledge of computer security Circa 2014 is not going to protect you or your organization from the new hacks happening now. (lots of hacks are recycled and reused long after they have been patched/mitigated (due to poor patch managment/security procedudes), so knowing what was happening in previous years does help alot, but still never stop learning)
And this is why there are a ton of shitty 'pentesters' out there who seem to mistake running nessus or nmap scripts as a penetration test. No, it's not 'secret' knowledge and can easily be learned if want to spend the time but running metasploit doesn't make you a pentester.
Like defenders, pentesters generally need to find all the vulnerabilities (sadly many customers accept the first one which ends up being a scoping issue) and understand how to mitigate anything that was discovered/exploited. That requires an understanding of protocols, networking, applications, web frameworks, etc.. I have found that the best tend to have the capacity to think maliciously. IMO, that is a critical skill. I have seen far too many people that just don't understand why anyone would want to abuse a protocol, which makes them substandard pentesters.
As for the original question, there are plenty of tools out there that can help you learn. Metasploitable, WebGoat, Kali, SamuraiWTF (disclosure, I am good friends with the lead for that), ZAP, Burp Suite (pro is great and super reasonable). If you have corporate funding, there are some decent trainings out there Offensive Security has their classes (and certs, I have heard mixed results). There is also SANS, which I have been increasing disappointed with but if you want a bunch of knowledge shoved in your head (at a pretty high dollar cost), they tend to do it. Also, some drift more towards network pentesting or application, personally, I think people should be versed in both (leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS).
For cheaper options there are bunch of books that can teach you a ton of 'tips and tricks' around pentesting (web Hackers Handbook 2nd Edition is particularly good). Having a solid background as a sysadmin makes it much easier IMO (my background is similar), since you are most likely familiar with troubleshooting, networking, multiple OS's and what not.
The software industry just isn't a place for changing direction or starting new things. I mean, come on - learning a new skill is disloyal to the older skills. If everyone just learned things willy-nilly, who would sort the punch cards anymore?
Just keep your head down - you probably only have 2 or 3 more good typing years left before you're too old to sit up or retain bowel control.