Penetration Testing mailing list archives
Re: All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)
From: AdamT <adwulf () gmail com>
Date: Fri, 5 Aug 2005 03:29:58 +0100

On 8/3/05, Daniel Miessler <daniel () dmiessler com> wrote:
> So yeah, the differences are very important, as is knowing where you truly stand. The vast majority of "pentesters" are just security professionals running security tools; there's no creativity, no innovation, no spark.

Whilst creativity, innovation and 'spark' (enthusiasm?) are certainly requirements, there does have to be a certain amount of 'predictable' work done too. I could turn around and say 'I spent 72 hours attacking your network... invoice and findings are attached' but most clueful clients will want more than this. They'll want to know that you've used every conceivable script-kiddy tool *as well* as crafting your own stuff by hand.

You could discover a huuuge vulnerability in their network (and perhaps gain kudos for discovering a huuuge vulnerability in whatever software/hardware they're using), and you could do this using previously unheard of methods, the likes of which would put you on the front page of slashdot - but if your client turns around and asks "you did run KiddieScript 4.3 against it, right?" and you have to say "no" - you're not going to inspire much confidence in your testing.

Much as we all love to despise the 14-year-old, mostly talentless copycat 'hackers' (as the media would label them), it is still important to play the role of script kiddy during testing. You may not get the same 'rush' from discovering a vulnerable version of BIND during an ISS session as you would from hand-crafting some C to overflow their custom-made httpd and launch some terrible fate upon their entire infrastructure and eventually free mankind from a bizarre machine-ruled world known as 'The Matrix', but it's still important nonetheless.

--
AdamT
"Maidenhead is *not* in Kent"