As a professional penetration tester I often get asked questions like "What are the top 10 tools you use?" or "How do you get to be a pentester?" Since I became a SANS instructor, more and more of these questions come from the media, and they get to reword my responses to fit their story. I would like to post here my direct and accurate answers to some of the questions I have been asked recently.
Q: What are the top five skills that a penetration tester must possess?
A: Interesting question, in that we tend to think in terms of a single lone-wolf penetration tester, when the truth is that the best engagements are run by teams. Some of the skills required on that team are project management, creativity, being methodical, analysis, and writing. Team members will all need an extensive background in information security, and tend to be very technical in their areas of expertise. Team membership will vary based on the specifics of each engagement; expertise in network testing is not as useful in a wireless or web application test. Analysis and report writing are also required.
A superlative pentester knows when to follow the methodology and its derived checklist exactly, and when to get creative and document where the team goes off the path.
Q: What three tools are typically first in a pen tester's arsenal?
A: It really depends on the scope and nature of the engagement. The only required tool is the matter most people have between their ears. As my friend James Jardine puts it, "I thought it was just a mindset? The rest is just pretty accessories." The honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. Probably not the sexy answers you were expecting. For Internet-based testing: a port scanner such as masscan, nmap or unicornscan; a vulnerability scanner such as OpenVAS or Tenable Nessus; and an exploitation kit such as Core Impact Pro or Metasploit. For web application, wireless, or other forms of testing the tools are quite different.
The real ingredients for a successful penetration test by a good team are people, process, and technology.
People: those with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled, professional manner.
Process: determining the rules of engagement, project management, logistics, scope, policies, procedures, and the methodology of the pentest.
Technology: finding the tools is not difficult; they are often free, open source, and readily available for download by anyone. In the hands of a skilled penetration tester they are incredibly useful. In the hands of a wannabe they are a disaster waiting for a place to happen.
Q: What is the single biggest mistake that a pen tester can make?
A: Violating the rules of engagement or going out of scope. The rules of engagement include the laws and ethical guidelines as well as the types of tests that are allowed to be performed in that engagement. The scope is the set of things you are allowed to test in that engagement. Going out of bounds on either of these can be not only career limiting, but also freedom limiting. When in doubt, always go back to the written rules of engagement and scope. Ask for clarification or modification if required. There is no cheating in penetration testing, only those things that are illegal, immoral, unethical, or illogical.
I have always described penetration testing as attempting to find alternate functionality or data, or identifying an alternate method of accessing functionality or data. Both of these are often not placed there deliberately, but they sure are handy.
I am never quite certain how to respond to the question of how to become a penetration tester. Honestly, it seems to have found me as a career. My first degree is in political science. However, my true interest has always been in exploring new ideas, and playing with things until they broke. Most people I know have found many different paths to this one. The many creative arts and scientific methods required in a team make for eclectic mixes of people, that's for sure!
Please let us know what you think are the tools, techniques, and skills required for penetration testing!
Cheers,
Adrien de Beaupré
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.