Re: All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)

From: Daniel Miessler (daniel_at_dmiessler.com)
Date: 08/03/05

  • Next message: Thor (Hammer of God): "Re: Handling Sysads resignation/termination"
    Date: Wed, 3 Aug 2005 00:37:28 -0400
    To: "Hagen, Eric" <ehagen@DenverNewspaperAgency.com>
    On Jul 15, 2005, at 5:08 PM, Hagen, Eric wrote:

    > Learn the difference between a cracker, hacker and a
    > script-kiddie. FYI, good pen-testers are BY DEFINITION, good
    > hackers. Bad
    > pen-testers are almost always uhhh "white hat script-kiddies".

    Dude, this is perhaps the best description of pentesting skillsets
    that I've ever seen. I am quite unhappy with where I personally fall
    on that scale, but I'm working to improve my position. :) Well said,
    man...well said.

    > but being a good pen-tester is basically akin to being a good cracker.

    Exactly, and I'd add to this that true cracking starts only when
    you've run every packaged tool and found NO MAJOR OPENINGS. If you
    can get in after finding out that there aren't any massive
    vulnerabilities, *then* you can call yourself a pentester. Until then
    you're mostly just running tools and pressing buttons.

    I've cracked a decent number of networks in my time as a professional
    and I always get praise for it. Although I may have done some
    pretty cool stuff to get control of a network (in the few cases where
    there was at least *some* challenge), the openings I had were always
    too large to earn myself any self-respect. It's not cracking if your
    first foothold was a vulnerability that lets you use an attack
    already in Metasploit. That's just too easy, and if it's easy -- it's
    not true cracking.

    The absolute worst, though, is being called a hacker. It's
    despicable. I feel like screaming, "You shouldn't even be allowed to
    use that word, let alone give the title to someone else." The
    Princess Bride always comes to mind:

    Presenter: "This is Daniel, he's a hacker."
    Me: "I do not think that word means what you think it means."

    So yeah, the differences are very important, as is knowing where you
    truly stand. The vast majority of "pentesters" are just security
    professionals running security tools; there's no creativity, no
    innovation, no spark. Most are actually just kiddies, the next lot
    falls above kiddies and below true crackers, then there's the real
    elites -- those with 1) the cracker mentality, and 2) the cracker
    skillsets. I'm in the upper part of level two I'd say, constantly
    heading toward where I need to be. :)

    It's interesting that you, Eric, don't call yourself a pentester
    either. I do because it's my job, but I can't help but feel like the
    eternal student with no rights to call myself anything. I use this
    feeling to continue growing.

    > Being a good cracker is about patience, knowledge, intuition,
    > knowledge, experience,
    > knowledge and most importantly, all of the above.

    Amen, brother.

    > FYI, FOUR semesters of Graduate Level network infrastructure,
    > network design
    > and "information warfare" classes didn't come close to covering all
    > of this
    > material.

    Yes. This is what I'm talking about. It's like the most qualified
    people have the lowest opinions of their skills. In short, we know
    best how little we really do know.

    > And I'm no pen-tester. I wouldn't even put my foot down to claim
    > that I
    > could be. I have 4 years experience in network design, down to
    > writing bare
    > C on raw Ethernet frames and up to designing a WAN topography and I
    > wouldn't
    > feel comfortable selling myself as a "pen-tester". In my opinion, the
    > pen-tester has to be close to the elite of the crackers or their
    > test does
    > nothing.

    Completely agreed. There's only one problem with your definition --
    it only leaves a few hundred people worldwide. I'd submit that you
    *can* have people below this uber-elite level offer something
    tangible to clients. If you can perform a "pentest" for a client and
    uncover deficiencies in their security which they then go on to fix,
    you've performed a service that's worth paying for. Would it be
    better if it were done by one of the true elites? Sure -- but that's
    not to say that the former isn't valuable to some degree.

    The problem is there are very few who are even capable of doing
    *that* among those that call themselves pentesters. As discussed,
    most people with the title are simply running tools. They're the CORE
    IMPACT class. Point and click, point and click.

    > If all you do is run some tools and see that the tools can't do any
    > damage,
    > you're a script-kiddie, not a pen-tester.

    Yup.

    > I occasionally refer to myself as a "security professional" but
    > even that
    > sometimes feels like a stretch.

    Seriously...me too. I feel like being a student of the discipline and
    a "professional" are almost mutually exclusive, and I'm *definitely*
    the former. The thing you have to consider, though, is how you
    compare to the other "professionals". :) Think of the benefit to the
    client moreso than your own personal ranking. If I went by my own
    personal standards, I wouldn't be in the field at all. I'd be huddled
    up over my personal computer lab "getting ready" for the next 15 years.

    > I would love to be an assistant with
    > someone far more experienced than myself. I love learning. :-)

    Same here, and thanks for the most excellent post.

    Regards,

    -- 
    Daniel R. Miessler
    M: daniel@dmiessler.com
    W: http://dmiessler.com
    G: 0x316BC712