wants to run without first learning how to crawl. You'll never get anywhere like that. I have no idea why I'm taking my time to help you, but I am, so listen up. Penetration testing isn't simply a matter of being familiar or even fluent with the endless slew of automated or semi-automated 'hacker' tools which have flooded the markets in recent years. Penetration testing is not an entry-level role by any means whatsoever. No one simply starts out pen testing without first having accomplished many prerequisites. In the real world, pen testing is a role that comes only after several years of experience in other roles such as system administration, incident response, network security, etc. The very first thing you need to do is ignore all the people telling you to jump right into playing with various tools that come pre-installed with Backtrack, and instead focus on the basics. First things first!
The first real prerequisite to any IT security role is a comprehensive understanding of network principles; namely TCP/IP, aka the Internet protocol suite. Grab some books on TCP/IP and get to reading. You should thoroughly understand and familiarize yourself not only with the technical, engineering specifications, but also the actual vendor-specific implementations of said specifications. Listing off the 7 OSI layers or telling me what layer traffic is generated when you do x or x, or that x operating system uses x default for TTL, etc., doesn't mean anything. You actually need full mastery of the complete set of protocols that make up the suite and familiarity with the actual vendor implementations. This is the real key! Without networking then the realm of security in general is largely irrelevant!
You need to understand operating systems; namely, Unix and Windows. Although OS attacks are continually in decline (while application-based attacks are more common) you still need to understand the systems themselves. This is why sysadmin experience is so useful. Once you really start to understand how these systems work then you can work into non-essential applications built on those systems like browsers. One thing that pentesters love to do in the field if they can is gaining access (once they've foot-printed, scanned, enumerated, etc.) specifically through security software like AV. There is no better feeling in the world than pwning someone via the very software they use to secure themselves.
Programming skills aren't really required per se in the field, though they can certainly be helpful in situations like examining source for bugs or exploit development, etc. But that stuff is a long ways away for someone just wanting to get started. What is important is programming skills in the sense of scripting languages like Bash, Perl or Python. Again, another obvious benefit of sysadmin experience.
Once you get to this point, where you are comfortable enough with networking, operating systems and scripting, sysadmin stuff in general, you should then, and only then, move on to playing with the tools everyone is so eager to get their hands on. In order to get actual hands-on, practical experience in some of the offensive tactics involved in pen testing you need to do so with great caution because you could seriously get yourself into a lot of trouble. I would suggest looking for a local hacker space you could get involved with. There you will find group CTF exercises and isolated simulation environments that are safe to experiment on. If you can't find a hacker space then there are many books on the topic of setting up your own practice environments, just like you will find at CTF tournaments and IT security training courses and bootcamps. If you have the money, then seeking out professional instruction is a major plus and advantage. Even when you think you know a lot about something, you will be surprised how much you learn. Plus, you will get the chance to meet other like-minded individuals and of course prepare yourself for professional certification.