Wednesday, May 11, 2011

Skill set for Penetration Tester

First, learn how to network your Windows machines to each other. Create some shares, store data there, move data from one to the other. Then move on to networking your Linux machines with your Windows machines. After you’ve got this all working, start reading up on how and why it works. After you’ve got some good theoretical knowledge of how it works, download Wireshark and tcpdump for both Windows and Linux. Start studying the traffic between all the machines. First, study the traffic generated while you transfer files and do other activities. Then study the traffic that is generated even when the machines are not actually transferring data (the background chatter of ARP, name resolution and service announcements).
Once you’ve done all the above and understand most of what you’ve done, you should feel comfortable with networking basics and have a working knowledge of the operating systems from at least a power user/desktop admin standpoint.
After this you’re ready to start delving into security a little bit. Start with Linux. Start learning how to use tools like Nmap and other scanners. For example, if you set up a web server, scan it and prove it’s a web server (an open port 80 is a hint; the service answering as HTTP is the proof). From Linux type the command man nmap. Read the ENTIRE man page. After reading, make yourself some notes of the things that really interest you. Now run nmap using EVERY option listed in the man page, against your own lab machines only. Study its output, and revisit the man page to remind yourself what a particular scan type is doing and what certain options are.
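The “prove it’s a web server” step, as an added example that is not part of the original post: a TCP connect scan (the same idea as nmap -sT) followed by a protocol check (a small version of what nmap -sV does). The target is a throwaway HTTP server the script starts itself on a loopback port, standing in for the lab web server the post tells you to set up, so everything here is constructed and runs offline. All function names are this example’s own.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _QuietHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server the post tells you to set up."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the lab web server\n")

    def log_message(self, *args):
        pass  # keep the scanner's output readable


def start_target():
    """Start the lab web server on a loopback port chosen by the OS; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def find_closed_port():
    """Bind and release an ephemeral port so the scan also sees a port that should read as closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan, the same idea as nmap -sT: a completed handshake means open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host, port, timeout=1.0):
    """Talk HTTP to an open port and return the status line, or None if the reply is not HTTP.

    This is the "prove it" step: an open port 80 is a guess, an HTTP/1.x status
    line is evidence. nmap -sV does the same job with a much larger probe set.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(1024)
    except OSError:
        return None
    status_line = data.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/"):
        return None
    return status_line.decode("ascii", "replace")


def identify_web_servers(host, candidate_ports):
    """Scan, then confirm each open port by protocol. Returns {port: status line}."""
    found = {}
    for port in connect_scan(host, candidate_ports):
        banner = grab_http_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    server, web_port = start_target()
    ports = [web_port, find_closed_port()]
    print("open:", connect_scan("127.0.0.1", ports))
    print("confirmed HTTP:", identify_web_servers("127.0.0.1", ports))
    server.shutdown()
```

The equivalent nmap run against the same lab box would be nmap -sT -sV -p <port> 127.0.0.1; compare its service column with what the banner grab returns, and note that a service on a non-standard port is only found by the protocol check, never by the port number.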
Next, start reading about vulnerabilities. Some of it won’t make sense yet, but that’s OK. After spending no less than 20 hours total reading about vulnerabilities (it doesn’t matter how you stretch the 20 hours out), go to BackTrack (the Linux penetration-testing distribution) and learn how to exploit one of your unpatched Windows machines. Get a shell. Pat yourself on the back. Then ask yourself, “Now that I have a shell, what can I do with it?” Stop where you are and spend about 20 more hours learning how to do everything you’ve learned about Windows from the command line. Once you’ve done that, come back and exploit that target again. You should now be able to do some pretty decent stuff with that shell you’ve gained.
Your next move is to find a rootkit and a trojan. Just one of each, and spend some time mastering them. Once you know how to use them, start planting them (via your exploited command shell only) on the compromised lab targets you’re practicing with.
At this point start playing with Perl, Python and Bash scripting to automate all the great stuff you’ve learned how to do from the command line. This part will be painful at first, but it’ll get easier…trust me.
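One way to start automating the scanning you did by hand, as an added example that is not part of the original post: run nmap with XML output (-oX) and parse it, so the open-port list feeds the next step instead of being retyped. The nmap XML below is a constructed sample for one host on a TEST-NET address; the parser uses only attributes that real nmap output carries. The scan() helper that actually invokes nmap is this example’s own and is not exercised by the sample run.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for one host (TEST-NET address).
# Real output has more attributes; these are the ones the parser below uses.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn nmap -oX output into a list of {host, port, proto, state, service, product, version}.

    Scan output from your own lab is trusted input; if you ever parse XML that
    someone else produced, use the defusedxml package instead of the stdlib parser.
    """
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return rows


def open_ports_by_host(rows):
    """{host: [open tcp ports]}: the list you would hand to the next stage of the script."""
    result = {}
    for r in rows:
        if r["state"] == "open" and r["proto"] == "tcp":
            result.setdefault(r["host"], []).append(r["port"])
    return {h: sorted(p) for h, p in result.items()}


def web_servers(rows):
    """Ports whose service fingerprint is HTTP, regardless of port number."""
    return [(r["host"], r["port"], r["product"]) for r in rows
            if r["state"] == "open" and r["service"] in ("http", "https")]


def scan(targets, extra_args=("-sV",)):
    """Run nmap for real and parse it. Needs nmap installed; not used by the sample run below."""
    cmd = ["nmap", *extra_args, "-oX", "-", *targets]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_nmap_xml(out)


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(open_ports_by_host(rows))
    print(web_servers(rows))
```

Parsing the XML rather than the human-readable output is the habit worth forming early: the normal output changes wording between versions and is easy to mis-split, while the XML attributes stay stable and are what every later tool in your chain will want.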
Start researching anti-virus, IDS and firewall evasion techniques.
Apply everything else you’ve learned with these evasion techniques. Don’t worry about paying too much attention to “thinking like a hacker” because as you progress with the things I’m outlining, that will come naturally. You’ll find that part of thinking like a hacker is being able to think like the victim whose system you just compromised (which means you’ll know their every move before they make it).
Then move to learning how to cover your tracks, getting rid of logs, skewing time stamps, modifying logs, etc. Then learn how to do it elegantly and non-destructively.
Eventually move to more advanced things: learning some coding, then discovering your own vulnerabilities, then writing your own exploits.
Now let me say this. You can devote a lot of your free time over the next couple of years to these things, and you can pretty much Google “how to ‘whatever-i-said-learn-above’” and find it all.


We can teach most of it to you. Here’s a class path recommendation.
1. A+ class
2. Network+ class
3. Security+
4. Linux+
5. MCITP track for Server Admin
6. Ethical Hacking
7. Advanced Ethical Hacking
8. Computer Forensics (you need to know what they’ll look for and how they are going to look for it to truly understand covering your tracks)