Home page logo

basics logo Security Basics mailing list archives

Re: Penetration tester skill set,
From: Ayaz Ahmed Khan <ayaz () pakcon org>
Date: Wed, 26 Jul 2006 22:07:12 +0600 (PKST)

scott typed:
IRM wrote:
Straight to the point, I would like to know; what is the 'typical'
skill set that a penetration tester should have. The reason why I
asked this question is because part of penetration testing is a
vulnerability assessment. On most of the penetration testing report
it's required you to insert the "proof of concept" section on how
to get in to the specific condition maybe in this case an
administrator/root privilege.
So back to my question; what is the typical skill set that a
penetration tester should have?

Can anyone in here give me some light about this?

That is a question that's pretty hard to answer.  First off,I
believe any pentester should know alot of os'es,i.e.Different
flavors of windows,linux and all the different bases of *nix,and
understand how they work.  Next,I would say some kind of background
in network security,firewall configuration for everything from small
to large LAN's,how IT works in general,plus have a lot of people
skills.  Programming skills aren't mandatory,but if you don't have
the experience to be able to decipher the code you may have to
examine for holes,you will probably have a real hard time
interpreting what the tools are telling you.  IMHO,some degrees are
a waste of time for pentesting,but others are essential.Learning how
systems interact,all the different protocols,ways information are
fed thru a system.  These skills take time and patience to learn
well.  A good mentor,i.e. school professor,mathematicians,anyone
with strong analytical skills can sometimes help in your hard to
come by insights.  Ther is so much more,I don't have enough time,or
space to get into.  Maybe some other members of this forum can set
you on a better course than me.  Good luck,if this is something you
would like to get into.I hope your path is made easier by good
guidance by quality people.

Apropos what you've said, I believe a pentester should have, first and
foremost, a thorough understanding of the workings of and familiarity
with not only -- I won't say all -- nearly most popular operating
systems in use today, but also most popular switching devices. The
pentester ought to have a solid background in Networking and TCP/IP,
as well as advanced know-how of Firewalls.

It is easy to deduce the skill-set required for a pentester if the
task of a pentester is analysed. Loosely speaking, I believe the end
goal of a pentester is to find a way or ways to penetrate into a
target network. After a complete network reconaissance, what is the
next most likely thing a pentester would lurche at? Default password
guessing. Mind you, I am not talking about mindless password guessing,
and definitely not about password cracking or brute-forcing. Almost
all switching devices and most operating systems are deployed with
manufacturer supplied configurations, which include default passwords
preset by the manufacturer. Anyone who is familiar with a particular
switching device or operating system is well aware of default
password(s) set on it. Next, if the target network is protected by a
series of perimeter firewalls, not only is the detection of the
presence of the firewall(s) imperative, but also remotely deducing the
firewall rules is the next required step. Without a thorough
background in and knowledge of TCP/IP, I doubt a pentester would get
anywhere. Most networks employ commerical firewall products of one
brand or the another. Most of these products have had bugs, and bugs
in them continue to be discovered with the lapse of time. Know-how of
these firewall products and their security history, as well as the
current bugs in them, then becomes a requirement for a pentester, as
these bugs can be used a stepping stones for penetrating into a
network. From here on follows the path to vulnerability assessment.

I wouldn't include auditing of application code as part of the job of
a pentester, but if a pentester is desired to perform
application-level auditing, then, obviously, a pentester should not
only be a programmer, but should be well aware of the secure
programming practices and everything else associated with it.

These are merely my views on the subject under discussion.

Ayaz Ahmed Khan

There's too much beauty upon this earth for lonely men to bear.
                -- Richard Le Gallienne

This list is sponsored by: Norwich University

The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]