Security Basics mailing list archives

Re: Where to start?


From: "Chris Halverson" <darus.integration () gmail com>
Date: Thu, 31 May 2007 08:33:20 -0600

Being a Team lead in the security practice here at the place I work I
have gotten that question asked a few times and the best advice I can
give is that you have to try with some of the tools in your internal
network.  Port scanning is a good start for a basic examination but
you need to research what each open port represents and start there.
It takes time. Whereas Vulnerability Scanners such as Metasploit
Framework are some of the best tools that you can use to learn about
attack vectors.  They help show different vulnerabilities on different
systems. Prepare internal installations such as a base version of
Apache on your Linux box and then attack it with a different host.
Install a default version of MySQL, or Squid and try attacking it, or
even a base Fedora Core 2 install or Windows 98.  Learn what default
instances of these components have problems and you will be able to
pentest 90% of companies' infrastructure.  Scary thought...

I have to ask why 'C'?  I remember going through courses back in 1994
in college on my i386 learning ANSI C and creating word processors for
DOS.  Yuck...  I personally would look at Perl, Python or Ruby or
anything Object Oriented.  Even C++ would be better, because as soon
as you understand the concept of layout and theory it is far easier to
adapt the syntax between Languages.

On 29 May 2007 08:27:55 -0000, graciejj_82 () yahoo com
<graciejj_82 () yahoo com> wrote:
Hello everyone,


I'm looking forward to a career in the security field.  Specifically, I'm interested in Pentesting.  I consider myself "early" in my education, and have a lot to learn, but my biggest concern is, where do I need to start?

I mean, what do I need to learn about to become a pentester, and where can I gather and explore my knowledge?

In order to not leave this question TOTALLY OPEN, I'll give a quick background of what I know so far.

I'm currently enrolled in classes to learn to be a Network/Server Admin, including classes in Cisco, Basic Hardware and Microsoft Servers.  I currently hold certification for CCNA 1&2, and hope to get 3&4 in June of this year.

Also, I have a Linux server, and a couple of Linux VMs that I've been learning on.  And I'm fiddling with "C" right now to get a basic background in programming.  But with the knowledge I have, I don't think I could offer any value in a pentest.  I've done some port scans of various, random IPs (sorry if I gave any of you a scare at work :), and I've seen open ports, but I don't know what to do next...

So, what information do I need to study to start getting a grasp of what I would be doing in my job?  (other than just start hacking random computers, which I'd rather not do)


I appreciate your help,

Michael


