Re: Just getting started in pen-testing



I believe and have stated before in the past that some sort of FAQ needs to be created which can be sent when joining this list and when questions of this type are made then the FAQ should be referred to.

By all means certain questions wont be able to answered with the FAQ but would be worth compiling with a few peoples help.

Erin? Thoughts?

Matt.

J. Oquendo wrote:
On Sat, 08 Nov 2008, m0rebel wrote:

I just started a penetration testing company called Bandit Defense. My
website is http://www.banditdefense.com and it has a lot of
information on services that I offer.

Take this as constructive criticism or whatever you'd like for
that matter.

For starters I didn't know if was looking at a retro throwback
to the mid-late 90's and was expecting a blink tag to pop up
and smack me across the screen. Your site has zero professional
appeal to it and the only "scare" appeal it would have would be
to pre2k AOL'ers who were getting IM punted. Horrible design.

Secondly, your wording shows further lack of experience:

/*
I conduct internal penetration tests from your office and the surrounding building. I do detailed scans of all hosts on your network and try exploiting any vulnerabilities I find, then show you how to fix them
*/

Do you have permission to be in the surrounding building
for starters? If you came near me, I'm sure the people in
Sycamore Networks would escort you out.

Here is some productive advice - take the time to go out
and understand it all. You seem to think a company is going
to shiver in horror and demand your services (skulls, black,
horror) when they discover they need a penetration test.
This is and will never be the case for serious companies.

The processes involved with performing penetration testing
on a professional level go farther than:

nmap -sS -O -P0 j0orDoMaInh3r3.com

If I were you I would chuck the site so you don't put
yourself in a position to be forever ridiculed as a sort
of scriptkiddiot. After chucking the site, I would spend
some time reading ISECOM's OSSTMM over and over.

There is more to this industry than loading up X amount
of tools running them and calling it a day. Personally
if you came across any of the networks I have, you'd be
sandboxed for kicks and giggles while my admins fed you
false positives, forced you to find Irix exploits for
Windows machines.

Then... Since I typed it all up before, go read the
following posts in their entirety:

http://www.professionalsecuritytesters.net/article941.html
http://techexams.net/forums/viewtopic.php?t=38694
http://techexams.net/forums/viewtopic.php?t=38485
http://techexams.net/forums/viewtopic.php?t=38547
http://techexams.net/forums/viewtopic.php?t=40222

For those on this list with experience, I would hope
you would not promote the use of idiotic tools to
people who don't know what to do with them. How about
we educate people in an art, something respectable as
opposed to this muck its coming to. When someone is
requesting "what's the uber duper hax0r tool" how about
pointing them to an RFC, to a book, to something more
productive then what I've been seeing.

I don't know about anyone else here, but every time I
see these questions/comments, I feel the profession is
degrading a-la old MCSE days of the 90's where everyone
has it.

This field is an art, its not really meant for everyone
seriously. There is nothing wrong with wanting to learn
trying to understand, but I believe too many times too
many individuals, the garbage they throw out makes us
all in the profession look bad. I don't know about
anyone else, but personally I get tired having to explain
to someone - after I mention my position - that no I won't
"hack into a bank", "change their traffic tickets", etc..
This is the appearance being given: Stupid movie-like
(Hackers, Swordfish, Die Hard, etc., etc.) where everyone
is trying to jump in the car without learning how to drive.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Relevant Pages

  • Re: botched NVIDIA 10.1 installation
    ... I have added this to my FAQ. ... My explanation was that atheists are better people, ... That is why believer kill more and atheist kill less and thus ... I've sort of applied something like that one on the phone before. ...
    (alt.os.linux.suse)
  • Re: Apple Games Disassembly Project
    ... It's actually sort of interesting to compare it with CiderPress. ... The FAQ has an API that is hard to change -- people occasionally link ... CiderPress Apple II archive utility for Windows - http://www.faddensoft.com/ ...
    (comp.emulators.apple2)
  • Info on club
    ... Sorry if this is the wrong sort of question for here, I did google for a ... FAQ but to no avail. ... I have some clubs I am going to get rid of, a full set and a half mish ...
    (uk.sport.golf)
  • FAQ 4.52 How do I sort an array by (anything)?
    ... This message is one of several periodic postings to comp.lang.perl.misc ... from the documentation provided with Perl. ... How do I sort an array by? ... Asked Questions" or FAQ for short. ...
    (comp.lang.perl.misc)
  • FAQ 4.52 How do I sort an array by (anything)?
    ... This message is one of several periodic postings to comp.lang.perl.misc ... from the documentation provided with Perl. ... How do I sort an array by? ... Asked Questions" or FAQ for short. ...
    (comp.lang.perl.misc)