Skills needed for Pen test
Best of Luck.
What is the point should be remember to become a good pen tester.
1. Mastery of an operating system.
I can’t stress how important it is. So many people want to become hackers or systems security experts, without actually knowing the systems they’re supposed to be hacking or securing. It’s common knowledge that once you’re on a target/victim, you need to somewhat put on the hat of a sysadmin. After all, having root means nothing if you don’t know what to do with root. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?
2. Good knowledge of networking and network protocols.
Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP in and out. Not just that it stands for Transmission Control Protocol, but actually know that structure of the packet, know what’s in it, know how it works in detail. A good place to start is TCP/IP Illustrated by W. Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing, be able to in detail describe how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used, why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic?
3. If you don’t understand the things in item 2, then you can’t possibly understand how an ARP Spoof or a MiTM attack actually works. In short how can you violate or manipulate a process, if you don’t even know how the process works, or worse, you don’t even know the process exists! Which brings me to the next point. In general you should be curious as to how things work.
4. Learn some basic scripting. Start with something simple like vbs or Bash.
5. Get yourself a basic firewall, and learn how to configure it to block/allow only what you want.
Then practice defeating it. You can find cheap used routers and firewalls on ebay, or maybe ask your company for old ones. Start with simple ACL’s on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s not better way to understand these concepts than to apply them. Once you’re mastered this, you can move to a PIX, or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really the point is to learn to do them.
6. Know some forensics!
This will only make you better at covering your tracks. The implications should be obvious.
7. Eventually learn a programming language, then learn a few more. Don’t go and by a “How to program in C” book or anything like that. Figure out something you want to automate, or think of something simple you’d like to create. For example, a small port scanner. Grab a few other port scanners (like nmap), look at the source code, see if you can figure any of it out.
8. Have a desire and drive to learn new stuff.
This is a must; It’s probably more important than everything else listed here. You need to be willing to put in some of your own time (time you’re not getting paid for), to really get a handle on things and stay up to date.
9. Learn a little about databases, and how they work. Go download mysql, read some of the tutorials on how to create simple sample databases. I’m not saying you need to be a DB expert, but knowing the basic constructs help.
10. Always be willing to interact and share your knowledge with like minded professionals and other smart people.
Download Backtrack4, or another Linux distro of your choice. First read some tutorials on using Backtrack to do some basic stuff. Since you said you have no technical skills, start with the basics. For example learn how to get an ip address in Linux/Backtrack4. Learn how to set a static ip address (one you assign).
Next get yourself VMware or some virtualization solution. Install Windows 2003, 2008, and XP and 7. Just installing these will teach you some things and you’ll start to get more comfortable just from doing it. As a matter of fact, install them all two or three times.
Learn how to do basic things in each. Like create user accounts, give permissions to users, lock user accounts, change ip address and network settings.
Next learn how to network your Windows machines to each other. Create some shares, store data there, move data from one to the other. Then move on to networking your Linux stuff with your Windows stuff. After you’ve got this all working, start reading up on how and why it works. After you’ve got some good theoretical knowledge on how it works, download wireshark, and tcpdump, for both Windows and Linux. Start studying the traffic between all the machines. First, study traffic of you transferring files and other activities. Then study the traffic that is generated even when the machines are not actually transferring data.
Once you’ve done all the above things, and understand most of what you’ve done, you should be feeling comfortable with networking in general/basics and have a working knowledge of the operating systems from at the very least a power user/desktop admin standpoint.
After this you’re ready to start delving into security a little bit. Go back to where you started with Backtrack4. By now you should be a lot more comfortable with it. Start learning how to use things like Nmap and other scanners. For example, if you set up a web server, scan it and prove it’s a web server. From Linux type the command man nmap. Read the ENTIRE man page. After reading, make yourself some notes of the things that really interest you. Now run nmap using EVERY option listed in the man page. Study it’s output, revisit man again to remind yourself of what a particular scan type is doing and what certain options are.
Next, start reading about vulnerabilities. Some of it won’t make sense yet, but that’s OK. After spending no less than 20 hours total reading about vulnerabilities (doesn’t matter how you stretch the 20 hours out), go back to Backtrack and learn how to exploit one of your unpatched Windows machines. Get a shell. Pat yourself on the back. Then ask yourself, “Now that I have a shell, what can I do with it?” Stop where you are and spend about 20 more hours learning how to do everything you’ve learned about Windows from the command line. Once you’ve done that, come back and exploit that target again. You should now be able to do some pretty decent stuff with that shell you’ve gained.
Your next move is find a rootkit and a trojan. Just one of each that you can spend some time mastering. Once you know how to use them, start planting them (via your exploited command shell only) on the compromised targets you’re practicing with.
At this point start playing with Perl, Python and Bash scripting to try and automate all the great stuff you’ve learned how to do via command line. This part will be painful at first, but it’ll get easier…trust me.
Start researching anti-virus/ids/firewall evasion techniques.
Apply everything else you’ve learned with these evasion techniques. Don’t worry about paying too much attention to “thinking like a hacker” because as you progress with the things I’m outlining, that will come naturally. You’ll find that part of thinking like a hacker is being able to think like the victim who’s system you just compromised (which means you’ll know their every move before they make it).
Then move to learning how to cover your tracks, getting rid of logs, skewing time stamps, modifying logs, etc. Then learn how to do it elegantly and non-destructively.
Eventually move to more advanced things like >learning some coding>discovering your own vulnerabilites>writing your own exploits.
Now let me say this. You can devote the next couple of years of a lot of your free time doing these things and you can pretty much Google “how to ‘whatever-i-said-learn-above’” and find it all.
We can teach it all to you. Here’s a class path I recommend for you.
1. A+ Class
2. Network+ class
4. MCITP track for Server Admin
7. Ethical Hacking
8. Advanced Ethical Hacking
9. Computer Forensics (you need to know what they’ll look for and how they are going to look for it to truly understand covering your tracks)
10. Coding for IT Security Professionals
11. Intro to Reverse Engineering
12. Reverse Engineering
13. Advanced Reverse Engineering
14. Malware Analysis
Understand that our classes are EXTREMELY hands on and lab based. You’ll be led by myself or another seasoned instructor who practices security for a living. I think our testimonials and evals speak for that.
It’ll really boil down to a few questions.
How much time do you have to invest?
How much money do you have to invest?
How much money will your future/current employer be willing to invest? (people are surprised at how often employers are actually willing to pay for this type of training, you have to ask and even ask in your interviews).
How serious are you and how much do you like security?
Answer these questions and you should be able to come up with what your plan of attack is. For some it works better if they just go the all-out class route to get started. Others just Google it all. It takes much longer, but it works for some. And most do a combination of taking classes and self teaching via Google and articles like this.
Hope this helps you and others.