Last Updated: 2015-09-18 01:37:08 UTC
by Adrien de Beaupre (Version: 1)
As a professional penetration tester I often get asked questions like "What are the top 10 tools you use?" or "How do you get to be a pentester?". Since I became a SANS instructor, more and more of these questions come from the media, and they get to reword my responses to fit their story. I would like to post here my direct and accurate answers to some of the questions I have been asked recently.
Q: What are the top five skills that a penetration tester must possess?
A: Interesting question, in that we tend to think in terms of a single lone-wolf penetration tester, when the truth is that the best engagements are run by teams. Some of the skills required on that team are project management, creativity, being methodical, analysis, and writing. Everyone on it needs an extensive background in information security, and team members tend to be very technical in their areas of expertise. Team membership will vary with the specifics of each engagement; expertise in network testing is not as useful in a wireless or web application test.
Q: Are there typically broad steps that a pen tester follows? Like a playbook that they follow? What do these steps look like?
A: Penetration testers tend to follow the same high-level methodologies, often tailored to a specific organization or engagement. Many of them are free and available for download. Examples are the SANS PenTest methodology, the Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP) Testing Guide, and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. The steps are generally:
- planning and logistics;
- reconnaissance and intelligence gathering;
- identification and enumeration of targets;
- vulnerability assessment and validation;
- post exploitation - pillaging and pivoting; and
- analysis and report writing.
A superlative pentester knows when to follow the methodology and its derived checklist exactly, and when to get creative, documenting where the team goes off the path.
Q: What three tools are typically first in a pen tester's arsenal?
A: It really depends on the scope and nature of the engagement. The only required tool is the matter most people have between their ears. As my friend James Jardine puts it, "I thought it was just a mindset? The rest is just pretty accessories." The honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. Probably not the sexy answers you were expecting. For Internet-based testing: a port scanner such as masscan, nmap or unicornscan; a vulnerability scanner such as OpenVAS or Tenable Nessus; and an exploitation kit such as Core Impact Pro or Metasploit. For web application, wireless, or other forms of testing the tools are quite different.
The real ingredients for a successful penetration test by a good team are people, process, and technology.
- People with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled, professional manner.
- Process includes determining the rules of engagement, project management, logistics, scope, policies, procedures, and the methodology of the pentest.
- Technology. Finding the tools is not difficult; they are often free, open source, and readily available for download by anyone. In the hands of a skilled penetration tester they are incredibly useful. In the hands of a wannabe they are a disaster waiting for a place to happen.
Q: What is the single biggest mistake that a pen tester can make?
A: Violating the rules of engagement or going out of scope. The rules of engagement include the laws and ethical guidelines as well as the types of tests that are allowed to be performed in that engagement. The scope is the set of things you are allowed to test in that engagement. Going out of bounds on either of these can be not only career limiting, but also freedom limiting. When in doubt, always go back to the written rules of engagement and scope. Ask for clarification or modification if required. There is no cheating in penetration testing, only things that are illegal, immoral, unethical, or illogical.
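One mechanical way to go back to the written scope before every scan is to keep it as a machine-readable allow/deny list and refuse any candidate target that does not pass it. The following is an added example, not code from this diary or from any of the tools it names; the scope directives, the address ranges (RFC 5737 and RFC 3849 documentation space) and the `.test` hostnames are all constructed, and the `include`/`exclude` line format is an assumption made up for the example. Exclusions always win over inclusions, and a hostname is only accepted when it is listed by name and every address it resolved to is itself in scope, so a name that quietly points at a hosting provider's address does not drag the team out of bounds.

```python
"""Scope gate: check candidate targets against the written scope before scanning.

Added example for illustration; the scope format, ranges and hostnames below are
constructed and are not from the original diary or any real engagement.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the statement of work transcribed as one directive per line.
SAMPLE_SCOPE = """
# Client-approved scope (constructed sample, documentation address space)
include 198.51.100.0/24
include 2001:db8:10::/48
include www.example.test
include shop.example.test
include cdn.example.test
exclude 198.51.100.250      # production mail relay, out of bounds
exclude 198.51.100.0/28     # shared hosting the client does not own
exclude shop.example.test   # removed from scope by change request
"""


@dataclass
class Scope:
    include_nets: List[Network] = field(default_factory=list)
    exclude_nets: List[Network] = field(default_factory=list)
    include_hosts: Set[str] = field(default_factory=set)
    exclude_hosts: Set[str] = field(default_factory=set)


def parse_scope(text: str) -> Scope:
    """Parse 'include <cidr|ip|hostname>' / 'exclude ...' lines; '#' starts a comment.

    Single addresses become /32 or /128 networks so one membership test covers all.
    Anything that is not a recognised directive raises, rather than being ignored.
    """
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, value = line.partition(" ")
        value = value.strip().lower()
        if action not in ("include", "exclude") or not value:
            raise ValueError(f"unrecognised scope line: {raw!r}")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            net = None  # not an address or CIDR, treat as a hostname
        if action == "include":
            scope.include_nets.append(net) if net else scope.include_hosts.add(value)
        else:
            scope.exclude_nets.append(net) if net else scope.exclude_hosts.add(value)
    return scope


def classify(scope: Scope, target: str, resolved: Sequence[str] = ()) -> str:
    """Return 'in-scope', 'excluded' or 'out-of-scope' for one candidate.

    Exclusions win over inclusions, so an excluded host inside an included block is
    refused. A hostname is in scope only if listed by name and every address in
    `resolved` passes too; resolution is done by the caller so this runs offline.
    """
    t = target.strip().lower()
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in n for n in scope.exclude_nets):
            return "excluded"
        return "in-scope" if any(addr in n for n in scope.include_nets) else "out-of-scope"
    if t in scope.exclude_hosts:
        return "excluded"
    if t not in scope.include_hosts:
        return "out-of-scope"
    for ip in resolved:  # a name pointing outside the agreed ranges walks you off scope
        verdict = classify(scope, ip)
        if verdict != "in-scope":
            return verdict
    return "in-scope"


def filter_targets(scope: Scope, candidates: Sequence[str],
                   resolutions: Dict[str, Sequence[str]] = None) -> Tuple[List[str], Dict[str, str]]:
    """Split candidates into scannable targets and refused ones (with the reason)."""
    resolutions = resolutions or {}
    allowed, refused = [], {}
    for c in candidates:
        key = c.strip().lower()
        verdict = classify(scope, c, resolutions.get(key, ()))
        (allowed.append(c.strip()) if verdict == "in-scope" else refused.__setitem__(c.strip(), verdict))
    return allowed, refused


def nmap_target_file(allowed: Sequence[str]) -> str:
    """Contents for a file handed to `nmap -iL`, so the scanner only sees vetted targets."""
    return "".join(f"{t}\n" for t in allowed)


# Constructed candidate list and resolver output (no DNS is performed here).
SAMPLE_CANDIDATES = ["198.51.100.20", "198.51.100.250", "198.51.100.7", "198.51.101.1",
                     "2001:db8:10::5", "www.example.test", "shop.example.test",
                     "cdn.example.test", "WWW.EXAMPLE.TEST"]
SAMPLE_RESOLUTIONS = {"www.example.test": ["198.51.100.80"], "cdn.example.test": ["203.0.113.9"]}

if __name__ == "__main__":
    ok, refused = filter_targets(parse_scope(SAMPLE_SCOPE), SAMPLE_CANDIDATES, SAMPLE_RESOLUTIONS)
    print(nmap_target_file(ok), refused)
```

Run against the constructed data, the gate lets through `198.51.100.20`, `2001:db8:10::5` and `www.example.test` (in both spellings), refuses the mail relay and `198.51.100.7` as excluded (the latter because the /28 exclusion is nested inside the included /24), and refuses `198.51.101.1` and `cdn.example.test` as out of scope, the CDN name because its resolved address lives in a block the client never put in writing.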
I have always described penetration testing as attempting to find an alternate functionality or data. Or identifying an alternate method of accessing functionality or data. Both of these are often not placed there deliberately, but they sure are handy.
I am never quite certain how to respond to the question of how to become a penetration tester. Honestly, it seems to have found me as a career. My first degree is in political science. However, my true interest has always been in exploring new ideas, and playing with things until they broke. Most people I know have found many different paths to this one. The many creative arts and scientific methods required in a team make for an eclectic mix of people, that's for sure!
Please let us know what you think are the tools, techniques, and skills required for penetration testing!
Adrien de Beaupré, @adriendb #bsidesottawa
If you are in Ottawa or can be nearby and enjoy information security check out bsidesottawa.ca! The conference is 2-3 October 2015.
I will be teaching penetration testing next in Dubai, Florida, and at the Hackfest!