Penetration Testing mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 11 Sep 2000 10:51:23 -0500

I know this thread's gonna get killed eventually, because each person has their own experience... but here's my story.

It all started with a problem I had, that many hackers (See the Jargon file definition of this word) have... I couldn't learn enough about systems to satisfy myself. It started simple, but eventually I decided to focus on host-systems and network-level security (as opposed to application-level or physical security, although recently physical security has my attention as well).

My neighbor, a CS instructor, gave me my first AT&T shell account when I was 12. I liked it, and he gave me some books to read, and sat down with me and showed me how to navigate directories, etc. I even learned how to use ed. (shudder). From the age of 13-15, I was pretty much the lame script kiddie exploit leech. I broke into BBS's, used my unix account (which had been switched over to 4.3BSD) to learn about unix security, etc... I got a clue when I was 16, but I didn't really stop tinkering with other people's systems 'till I was 17.

I went through the lame high-school jobs with stupid retail computer and video game stores, and when I went to college, I got hired as a computer lab monkey (help users, make sure they don't steal the systems), then got promoted to a hardware monkey (troubleshoot system problems, install RAM, dig gummy-bears out of floppy drives, take floppy disks out of jammed CD-ROM drives), and all along I was practicing system security at home in my spare time.

One day a friend asked me to test his dad's network, and I got paid for it. It was good money. I did pen-testing freelance for a while (most of my customers were willing to spread the word and give me a good reference). Eventually, a sales guy with my current employer asked me to apply, saying I could probably land a decent pen-testing job with a "real" network security company. Here I am.

IMHO, all REAL Pen-Testers (not hackers-in-a-can with software on a laptop) are hackers.

In order to be successful, you must stay on the bleeding edge of developing security problems, as well as tinker with your own ideas, and look for your own vulnerabilities, just like an "Enlightened System Cracker" would. Running Nessus, CyberCop, or ISS, and fixing what you see, will stop 80% of the script kiddies out there, but these products don't always check for that exploit that came out on bugtraq yesterday, and they most certainly can not think logically enough to exploit a minor bug or misconfiguration in order to make a larger scale exploit possible. Even a semi-dull-brained script kiddiot can think of stupid things like that. Rule-based, systematic software scanners can not.

Being a good pen-tester doesn't happen overnight. In my case, it was the logical next-step in my lifestyle of curiosity. I still pursue every hour of every day, wondering what more I can learn before the next hour arrives. I lose sleep at night because my eyes are glued to something I didn't know 15 minutes ago, and I'm still looking for just one more thing before I feel satisfied. When I find something else, I just want more. I am almost comfortable saying I don't need Crack or Meth, cuz there's still stuff out there I don't know yet... Maybe when I know everything there is to know about everything, I will have to pick up some other habit... Most pen-testers I know in real life are at least as screwed up in the head as I am...

That's my story and I'm stickin' to it.

-----Original Message-----
From: Lashley, Bryan [mailto:bryanl () EACIFS COM]
Sent: Friday, September 08, 2000 4:07 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: How to "break into" the Pen-Testing field

I am wondering how did the readers of this list get into the pen-testing field? What steps did you take to get from where you started in the field to where you're at now? Did employers train you? Did you get promoted into it? Did you create the position yourself?

Pen testing & security is a very interesting area of the IS field I would like to break into but many positions posted are requiring years of pen-testing skills which I just don't have outside of my personal lab at home (combo of Win95, NT Srv, RH Linux). Would you recommend starting at a big 5 firm? A small firm? Fortune 500's? Has anybody heard of any pen-testing firms in St. Louis?

Anything posted will help

Bryan Lashley