Re: Penetration tester skill set,

[Ayaz Ahmed Khan <ayaz () pakcon org>]

scott typed:
> IRM wrote:
> > Straight to the point, I would like to know; what is the 'typical'
> > skill set that a penetration tester should have. The reason why I
> > asked this question is because part of penetration testing is a
> > vulnerability assessment. On most of the penetration testing report
> > it's required you to insert the "proof of concept" section on how
> > to get in to the specific condition maybe in this case an
> > administrator/root privilege.
> > [...]
> > So back to my question; what is the typical skill set that a
> > penetration tester should have?
> >
> > Can anyone in here give me some light about this?
>
> That is a question that's pretty hard to answer.  First off,I
> believe any pentester should know alot of os'es,i.e.Different
> flavors of windows,linux and all the different bases of *nix,and
> understand how they work.  Next,I would say some kind of background
> in network security,firewall configuration for everything from small
> to large LAN's,how IT works in general,plus have a lot of people
> skills.  Programming skills aren't mandatory,but if you don't have
> the experience to be able to decipher the code you may have to
> examine for holes,you will probably have a real hard time
> interpreting what the tools are telling you.  IMHO,some degrees are
> a waste of time for pentesting,but others are essential.Learning how
> systems interact,all the different protocols,ways information are
> fed thru a system.  These skills take time and patience to learn
> well.  A good mentor,i.e. school professor,mathematicians,anyone
> with strong analytical skills can sometimes help in your hard to
> come by insights.  Ther is so much more,I don't have enough time,or
> space to get into.  Maybe some other members of this forum can set
> you on a better course than me.  Good luck,if this is something you
> would like to get into.I hope your path is made easier by good
> guidance by quality people.

Apropos what you've said, I believe a pentester should have, first and
foremost, a thorough understanding of the workings of and familiarity
with not only -- I won't say all -- nearly most popular operating
systems in use today, but also most popular switching devices. The
pentester ought to have a solid background in Networking and TCP/IP,
as well as advanced know-how of Firewalls.

It is easy to deduce the skill-set required for a pentester if the
task of a pentester is analysed. Loosely speaking, I believe the end
goal of a pentester is to find a way or ways to penetrate into a
target network. After a complete network reconaissance, what is the
next most likely thing a pentester would lurche at? Default password
guessing. Mind you, I am not talking about mindless password guessing,
and definitely not about password cracking or brute-forcing. Almost
all switching devices and most operating systems are deployed with
manufacturer supplied configurations, which include default passwords
preset by the manufacturer. Anyone who is familiar with a particular
switching device or operating system is well aware of default
password(s) set on it. Next, if the target network is protected by a
series of perimeter firewalls, not only is the detection of the
presence of the firewall(s) imperative, but also remotely deducing the
firewall rules is the next required step. Without a thorough
background in and knowledge of TCP/IP, I doubt a pentester would get
anywhere. Most networks employ commerical firewall products of one
brand or the another. Most of these products have had bugs, and bugs
in them continue to be discovered with the lapse of time. Know-how of
these firewall products and their security history, as well as the
current bugs in them, then becomes a requirement for a pentester, as
these bugs can be used a stepping stones for penetrating into a
network. From here on follows the path to vulnerability assessment.

I wouldn't include auditing of application code as part of the job of
a pentester, but if a pentester is desired to perform
application-level auditing, then, obviously, a pentester should not
only be a programmer, but should be well aware of the secure
programming practices and everything else associated with it.

These are merely my views on the subject under discussion.

-- 
Ayaz Ahmed Khan

There's too much beauty upon this earth for lonely men to bear.
                -- Richard Le Gallienne


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------