
Ideal skill set for the penetration testing

August 27, 2010 by Keatron Evans

Based on questions I’ve gotten over the years and specifically in class, I’ve decided that we need to address some basic skills that every penetration tester should have. While we can’t realistically expect everyone to have the exact same skill set, there are some commonalities.

1. Mastery of an operating system. I can’t stress enough how important this is. So many people want to become hackers or systems security experts without actually knowing the systems they’re supposed to be hacking or securing. It’s common knowledge that once you’re on a target/victim, you need to put on the hat of a sysadmin to some degree. After all, having root means nothing if you don’t know what to do with root. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?

2. Good knowledge of networking and network protocols. Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP inside and out. Not just that it stands for Transmission Control Protocol, but actually know the structure of the packet, know what’s in it, and know how it works in detail. A good place to start is TCP/IP Illustrated by W. Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing, and be able to describe in detail how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used and why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic?

3. If you don’t understand the things in item 2, then you can’t possibly understand how an ARP spoof or a MITM attack actually works. In short, how can you violate or manipulate a process if you don’t even know how the process works, or worse, don’t even know the process exists? Which brings me to the next point: in general you should be curious as to how things work. I’ve evaluated some awesome products in the last 10 years, and honestly, after I see one work, the first thing that comes to my mind is “how does it work?”

4. Learn some basic scripting. Start with something simple like VBScript or Bash. As a matter of fact, I’ll be posting a “Using Bash Scripts to Automate Recon” video tonight, so if you don’t have anywhere else to start, you can start there! Eventually you’ll want to graduate from scripting and start learning to actually code/program, in short, to write basic software (hello world DOES NOT count).

5. Get yourself a basic firewall, and learn how to configure it to block/allow only what you want. Then practice defeating it. You can find cheap used routers and firewalls on eBay, or maybe ask your company for old ones. Start with simple ACLs on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s no better way to understand these concepts than to apply them. Once you’ve mastered this, you can move to a PIX or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really, the point is to learn to do them.

6. Know some forensics! This will only make you better at covering your tracks. The implications should be obvious.

7. Eventually learn a programming language, then learn a few more. Don’t go and buy a “How to Program in C” book or anything like that. Figure out something you want to automate, or think of something simple you’d like to create, for example a small port scanner. Grab a few other port scanners (like nmap), look at the source code, and see if you can figure any of it out. Then ask questions on forums and other places. Trust me, it’ll start off REALLY shaky, but just keep chugging away!

8. Have a desire and drive to learn new stuff. This is a must; it’s probably more important than everything else listed here. You need to be willing to put in some of your own time (time you’re not getting paid for) to really get a handle on things and stay up to date.

9. Learn a little about databases and how they work. Go download MySQL and read some of the tutorials on how to create simple sample databases. I’m not saying you need to be a DB expert, but knowing the basic constructs helps.

10. Always be willing to interact and share your knowledge with like-minded professionals and other smart people. Some of the most amazing hackers I know have jobs like pizza delivery or janitorial work; one is a marketing exec, another is actually an MD. They do this strictly because they love to. And one thing I see in them all is their excitement and willingness to share what they’ve learned with people who actually care to listen and are interested in the same things.

These things should get you started. Let me know if you have questions or comments.

Keatron.
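As an added example (not code from the original article), here is a small Python decoder for the packet layers item 2 asks you to know: Ethernet, IPv4 and TCP/UDP headers, with the IPv4 header checksum verified and the TCP flag bits expanded. The two frames are constructed inline: a TCP SYN, and the broadcast frame a client sends as its first DHCP step (a Discover), which is the answer to the layer 2/layer 3 question above: a layer 3 broadcast (0.0.0.0 to 255.255.255.255, UDP 68 to 67) carried inside a layer 2 broadcast frame. The MAC and IP addresses are made up.

```python
import struct
from ipaddress import IPv4Address

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
BROADCAST_MAC = b"\xff" * 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    """Layer 2: destination MAC, source MAC, EtherType; IPv4 (0x0800) is decoded further."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "l2_broadcast": dst == BROADCAST_MAC, "ethertype": ethertype}
    if ethertype == 0x0800:
        info["ip"] = parse_ipv4(frame[14:])
    return info


def parse_ipv4(pkt: bytes) -> dict:
    """Layer 3: the 20-byte fixed header; IHL gives the real header length (options included)."""
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ihl]   # checksum field zeroed, as the sender had it
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
            "proto": proto, "dont_fragment": bool(frag & 0x4000),
            "more_fragments": bool(frag & 0x2000),
            "checksum_ok": ipv4_checksum(zeroed) == csum}
    payload = pkt[ihl:total_len]
    if proto == 6:
        info["tcp"] = parse_tcp(payload)
    elif proto == 17:
        info["udp"] = parse_udp(payload)
    return info


def parse_tcp(seg: bytes) -> dict:
    """Layer 4 TCP: ports, seq/ack, data offset (header length) and the nine flag bits."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    header_len = (off_flags >> 12) * 4
    flags = [name for i, name in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "header_len": header_len, "payload_len": len(seg) - header_len}


def parse_udp(dgram: bytes) -> dict:
    """Layer 4 UDP: ports, length and payload (UDP/TCP checksums need a pseudo-header; skipped)."""
    sport, dport, length, _csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "payload": dgram[8:length]}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Test helper: minimal IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, ip_packet: bytes) -> bytes:
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_packet


CLIENT_MAC = bytes.fromhex("020000000001")       # constructed, locally administered address
# Constructed sample 1: TCP SYN 192.0.2.10:40000 -> 192.0.2.80:80 (data offset 5, SYN flag only)
TCP_SYN_FRAME = build_ethernet(bytes.fromhex("020000000002"), CLIENT_MAC, build_ipv4(
    "192.0.2.10", "192.0.2.80", 6, struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, 0x5002, 65535, 0, 0)))
# Constructed sample 2: the frame carrying a DHCP Discover. The client has no address yet, so it
# sends from 0.0.0.0 to the limited broadcast 255.255.255.255 (UDP 68 -> 67) inside an L2 broadcast.
BOOTP_STUB = b"\x01\x01\x06\x00"                 # first BOOTP bytes: op=REQUEST, htype=1, hlen=6, hops=0
DHCP_DISCOVER_FRAME = build_ethernet(BROADCAST_MAC, CLIENT_MAC, build_ipv4(
    "0.0.0.0", "255.255.255.255", 17, struct.pack("!HHHH", 68, 67, 8 + len(BOOTP_STUB), 0) + BOOTP_STUB))

if __name__ == "__main__":
    for name, frame in (("TCP SYN", TCP_SYN_FRAME), ("DHCP Discover", DHCP_DISCOVER_FRAME)):
        print(name, parse_ethernet(frame))
```

Point the same parser at frames captured with tcpdump or Wireshark and compare its output with the tool's dissector; once the two agree field by field, you know the packet structure rather than the tool.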



Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.

47 responses to “Ideal skill set for the penetration testing”

  1. m0th3r says:

    Great base skill list... #8 is the most important, you have to be passionate about learning new stuff... it’s a requirement.

  2. I’d go a step further, and highly suggest working as a network admin, Windows admin, Linux/Unix admin, DBA, and any other position before going after a security position. It is one thing to download and play with MySQL & quite another to be responsible for a production Oracle database. The more experience you gain as a defender, the better attacker you will make.

    I suppose, in other words, I’m saying that I don’t think InfoSec should be viewed as an entry-level field, but a good stepping stone from the SysAdmin level.

  3. Dave says:

    Nice list, but in my opinion a slightly modified version of it is needed for web application security testers. I therefore took the liberty of shamelessly copying the good bits of your list and providing the webappsec analogies. You can find it here.

    Hope you don’t mind the plagiarism and/or copyright infringement (I provided a link to this blog as the source).

  4. kevin says:

    I agree to a point. This is the ideal set for the team but not necessarily for the individual. I think we are past the single, expert operator era.

    Making a physical attack comparison, special operators aren’t usually capable of building a firearm from raw materials or performing surgery on a human. They are, however, very capable at shooting and knowing where to shoot. Most demolitions experts don’t understand the chemistry behind the explosives but are very good at placement and handling.

    Bringing this back to the computer discussion…
    Doom was developed by a very small team that all knew each other’s jobs. I doubt anyone currently involved in game development could perform more than a small subset of the required development.

    That being said, there is definitely a discussion to be had on the best tactical training and composition of a pen test team. I see it as the maturing of the coach/strategist/architect role.

    (Great book, by the way.)

    • Kevin, you certainly make a valid point. However, if you look at the way most penetration tests run these days (specifically in the private enterprise world), not many are willing to or have the budget to pay for a 5 person Red Team anymore. Sure, if we’re doing a half million dollar comprehensive full scope black box test, then yes, I’ll send out 4 or 5 people. But these types of tests are more the exception than the rule. I think the best approach from a training perspective is to at least get a “deeper than basic” understanding of each required skill set; then, if you choose to specialize in one phase/skill set, go for it. This makes one more well rounded while still being a specialist, in addition to giving you the across-the-board foundation you need to easily switch gears and go in another direction. Thanks for the great dialog. And thanks for reading the book!

    • Adrian, I couldn’t agree more. However, my list is making the assumption that you already have some sysadmin level experience or you’re at least gaining it. Your message has been a theme of mine for years. Thanks for the comments!

    • m0th3r, True indeed! And it’s up to us who work in this field to lead and inspire new talent.

  5. adrien says:

    Please note the actual author’s name that you have misquoted above!

    TCP/IP Illustrated, Volume 2: The Implementation, Addison-Wesley, 1995.
    TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, 1994.
    TCP/IP Illustrated, Vol. 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols

    W. Richard Stevens (Author)

  6. @Adrien. I did add the s to Richard’s last name and his first initial. We good now? 🙂

  7. adrien says:

    Groovy! As far as scripting, I would add Perl and/or Python. Knowledge of at least one or both is needed. There are actually 3 Stevens books. I would add another element: reverse engineering.

    Cheers,
    Adrien

  8. adrien says:

    One last point: no person is an island, and no single person possesses all of the required skill sets; work as a team. Lone wolves get shot. Well-run packs overwhelm.

  9. AustinDM says:

    Great list, thank you.

    Did anyone else think of Snow Crash when reading “Some of the most amazing hackers I know have jobs like pizza delivery…”?

  10. Nichole says:

    I am about to graduate with my MS in Information Assurance. However, I am at a great disadvantage... I do not have any technical skills. It is obvious to me that I will need to self-educate. Does anyone have any suggestions on where I should start building practical skills?
    Are the companies out there willing to give people like me a chance?

  11. @Nichole. One place to start is here! I would suggest reading through as many of the articles here as possible. Watch the videos and all that stuff. Don’t be overwhelmed by the fact that you won’t understand it all. Just stay plugged in.

    Download Backtrack4, or another Linux distro of your choice. First read some tutorials on using Backtrack to do some basic stuff. Since you said you have no technical skills, start with the basics. For example, learn how to get an IP address in Linux/Backtrack4. Learn how to set a static IP address (one you assign).

    Next, get yourself VMware or some virtualization solution. Install Windows 2003, 2008, XP and 7. Just installing these will teach you some things and you’ll start to get more comfortable just from doing it. As a matter of fact, install them all two or three times.

    Learn how to do basic things in each, like create user accounts, give permissions to users, lock user accounts, and change IP address and network settings.

    Next, learn how to network your Windows machines to each other. Create some shares, store data there, move data from one to the other. Then move on to networking your Linux stuff with your Windows stuff. After you’ve got this all working, start reading up on how and why it works. After you’ve got some good theoretical knowledge on how it works, download Wireshark and tcpdump for both Windows and Linux. Start studying the traffic between all the machines. First, study the traffic of you transferring files and other activities. Then study the traffic that is generated even when the machines are not actually transferring data.

    Once you’ve done all the above things, and understand most of what you’ve done, you should be feeling comfortable with networking in general/basics and have a working knowledge of the operating systems from at the very least a power user/desktop admin standpoint.

    After this you’re ready to start delving into security a little bit. Go back to where you started with Backtrack4. By now you should be a lot more comfortable with it. Start learning how to use things like Nmap and other scanners. For example, if you set up a web server, scan it and prove it’s a web server. From Linux, type the command man nmap. Read the ENTIRE man page. After reading, make yourself some notes of the things that really interest you. Now run nmap using EVERY option listed in the man page. Study its output, and revisit man again to remind yourself of what a particular scan type is doing and what certain options are.

    Next, start reading about vulnerabilities. Some of it won’t make sense yet, but that’s OK. After spending no less than 20 hours total reading about vulnerabilities (doesn’t matter how you stretch the 20 hours out), go back to Backtrack and learn how to exploit one of your unpatched Windows machines. Get a shell. Pat yourself on the back. Then ask yourself, “Now that I have a shell, what can I do with it?” Stop where you are and spend about 20 more hours learning how to do everything you’ve learned about Windows from the command line. Once you’ve done that, come back and exploit that target again. You should now be able to do some pretty decent stuff with that shell you’ve gained.

    Your next move is find a rootkit and a trojan. Just one of each that you can spend some time mastering. Once you know how to use them, start planting them (via your exploited command shell only) on the compromised targets you’re practicing with.

    At this point start playing with Perl, Python and Bash scripting to try and automate all the great stuff you’ve learned how to do via command line. This part will be painful at first, but it’ll get easier…trust me.

    Start researching anti-virus/ids/firewall evasion techniques.

    Apply everything else you’ve learned with these evasion techniques. Don’t worry about paying too much attention to “thinking like a hacker” because as you progress with the things I’m outlining, that will come naturally. You’ll find that part of thinking like a hacker is being able to think like the victim whose system you just compromised (which means you’ll know their every move before they make it).

    Then move to learning how to cover your tracks, getting rid of logs, skewing time stamps, modifying logs, etc. Then learn how to do it elegantly and non-destructively.

    Eventually move to more advanced things like learning some coding > discovering your own vulnerabilities > writing your own exploits.

    Now let me say this. You can devote a lot of your free time over the next couple of years to doing these things, and you can pretty much Google “how to ‘whatever-i-said-learn-above’” and find it all.

    OR………

    We can teach it all to you. Here’s a class path I recommend for you.

    1. A+ Class
    2. Network+ class
    3. Security+
    4. MCITP track for Server Admin
    5. CCNA
    6. CCNP
    7. Ethical Hacking
    8. Advanced Ethical Hacking
    9. Computer Forensics (you need to know what they’ll look for and how they are going to look for it to truly understand covering your tracks)
    10. Coding for IT Security Professionals
    11. Intro to Reverse Engineering
    12. Reverse Engineering
    13. Advanced Reverse Engineering
    14. Malware Analysis

    Understand that our classes are EXTREMELY hands on and lab based. You’ll be led by myself or another seasoned instructor who practices security for a living. I think our testimonials and evals speak for that.

    It’ll really boil down to a few questions.

    How much time do you have to invest?
    How much money do you have to invest?
    How much money will your future/current employer be willing to invest? (People are surprised at how often employers are actually willing to pay for this type of training; you have to ask, and even ask in your interviews.)
    How serious are you and how much do you like security?

    Answer these questions and you should be able to come up with what your plan of attack is. For some it works better if they just go the all-out class route to get started. Others just Google it all. It takes much longer, but it works for some. And most do a combination of taking classes and self teaching via Google and articles like this.

    Hope this helps you and others.

    Good day

    Keatron.

    • ryanchou says:

      Awesome job! I not only read your article but also the comments by other readers, and I have gained a deep understanding of the basic skills that a security worker should master, especially for pen testing. After I read the reply to Nichole, I got a comprehensive view of information security. All I want to say is thanks so much. As a rookie, could you give us a booklist recommending some good books on information security, pen testing and fuzzing for vulnerabilities? Thank you Keatron Evans ^_^

  12. Nichole says:

    Oh Wow! Thank you so much!
    I am going to print off your suggestions and start working up a plan to get started. I graduate in August and had plans to start working on getting my Security+. But I am going to restructure my goals now.
    You’ve been a great help!

  13. You’re very welcome. Glad I could help.

  14. James says:

    Great article! I’m in a security management role at the moment and feel I have lost a lot of my technical skills over the past few years and want to revisit them in anger... this article is great because it provides a bit of structure to the development, kind of like a road map. Awesome stuff!

  15. Keatron says:

    Thanks James. And thanks for stopping by!

  16. June Storie says:

    It sounds like you’re creating issues yourself by trying to solve this issue instead of looking at why there is often a difficulty in the first place.

  17. Daryl says:

    I’d like to say a massive thanks, and kudos is due to you, Keatron, for providing this and many other helpful “guides” or insight. The information is invaluable and motivational! And definitely inspirational! 🙂 Thanks again!

  18. Keatron says:

    @June Storie. I don’t follow?

    @Daryl. Thanks for stopping by.

  19. MagicFruit1@hotmail.com says:

    Hey Keatron, just came across your resource and it’s really good and is the kind of thing I have been looking for... right now I am learning from the Hacking Exposed books and developing minor programs, but like your post says, automate processes... will defo check this on a regular basis now...

  20. ramesh says:

    Oh Wow! Thank you so much!

  21. Keatron Evans says:

    Thanks for the visit MagicFruit and ramesh!

  22. Sanath says:

    Thank you Keatron, you have answered lot of questions I was struggling to resolve. It’s really great!!. I will visit this site frequently and be in touch with you. Thank you again.

  23. Beverly Rich. says:

    You must also have some basic understanding of TCP packets and how they traverse a network. There are many things that can be missed by not understanding this basic principle. Thanks Keatron, good information.

  24. Lentil says:

    Why CCNP? Doesn’t that focus on Cisco equipment/gear/proprietary protocols? It would make sense if someone was going into networking as a network engineer or something, but for security, I would think even CCNA is enough to get the networking foundations in place... CCNP is quite an investment in time/money, so I would think putting in that amount of effort would be better if it were geared towards other security certs like GSEC/GPEN, etc. Thoughts?

  25. Keatron Evans says:

    @Lentil – The Cisco recommendation is based on the amount of that equipment you’re likely to see in the real world. Also, NP deals with a ton more than just Cisco equipment and proprietary protocols. A lot of those protocols you’ll master are industry standard and not proprietary at all. Additionally, with NA, you will never get exposed to things like MPLS, real VLAN tagging, etc. One problem I see often in this field is people having all this “security” knowledge, without having any knowledge of how the things they’re trying to “secure” or “exploit” actually work.

  26. Joseph Alila says:

    Keatron, I have read your advice and am fired up and ready to start... I have already finished A+, N+, MCITP, CCNA and RHCE... but global certifications are still pending... Is it okay if I certify CEH before the rest, and will I have a good job scope? Please lead me to the path to be one of the best. Thanks in advance...

  27. cd1zz says:

    A lot of what you’re referring to is a solid operations background in networking. I completely agree. Here was my road to pen testing:

    http://www.pwnag3.com/2011/12/my-road-to-pen-testing.html

  28. Bright says:

    You guys have said it all... and I have learnt so much. I started teaching myself infosec through a forum and after 6 years, I did my first hack and actually helped a company resolve them. But I still have a long way to go by the look of things. Keatron, you have been of great help; I have been reading about you everywhere and will keep learning.
    I would like to make it a point to take your course soon. I have no certification, but a company gave me a chance to do infosec and in one year I have learnt a lot.
    Will always look out for this forum.

  29. Judyta Leputa says:

    Hello,

    I noticed you are interested in Penetration Testing! Have you heard about PenTest Laboratory, an online IT Security training portal for all those whose aim is to master their infosec skills?

    If you have a free minute please check our website http://pentestlorb.org/ .

    Would you like to get practical skills in Penetration Testing and add a great certificate to your CV?

    If you have any questions just let me know.

    I’m looking forward to hearing from you.
    Cheers,
    Judyta

  30. Abir says:

    I have a question. How many CEHs certified by EC-Council have these skill sets?
    They have no eligibility criteria for the course. I know many CEHs who have no knowledge of databases or programming, yet they are CEH. They can never give innovative solutions to companies. They simply use some automated tools and submit the report to companies. Unfortunately, they prepare security audit reports for companies.

  31. basnet says:

    wow..wow…looking forward..

  32. keatron says:

    @Abir. I can only attest to one thing concerning your question: if they came through my class, they most definitely have these skill sets when I’m done with them. It should be understood that a lot of my student/mentor relationships extend far past the class. I still communicate with students I had many years ago. Some of them end up being clients! And some even employees!

  33. ink says:

    I very rarely comment on blogs but I just wanted to say that this is one of the best articles I’ve read in a while.

    The points you’ve outlined above go beyond pen testing, the approach and attitude described are key to progressing, to learning more about whatever your chosen discipline.

    +1 excellent article.

  34. It's not me says:

    Excellent article, excellent comments. Like ink, I never comment on blogs either, but this one is just great. Thank you.

  35. Keatron Evans says:

    Ink and “it’s not me”. Thanks for reading!

  36. Amit Gupta says:

    Keatron,

    You are amazingly talented. The way you responded to each comment, and especially to Nichole, I highly appreciate your time and efforts for educating newcomers. I am definitely gonna make the most out of this article.

    Thank you very much for such a useful article.

  37. Mike says:

    Could you tell me about other security websites similar to this one?

    Thanks,

  38. Ed says:

    Yes. Similar websites or even similar articles?

  39. Mark says:

    Thanks Keatron, I think this is the best article I have come across on Penetration Testing. Great Work, Where can I read more of your articles?

  40. Julian says:

    Every house should be built on a solid foundation. Information technology is the same.

  41. Bhaskar Ganjiwale says:

    Hi Keatron Evans, thanks for your article on “Ideal skill set for Penetration testing”. I want to start offering penetration testing services. Please guide me. I don’t have deep knowledge. During my long IT service, I have gone through Unix, Informix and VMware. During my service period I designed the topology and IP addressing for a bank’s network, configured several routers and switches, and was working on a live network. Now I own my own firm providing consultancy; your guidance on how to go ahead in penetration testing will definitely help me.

  42. bhaskarg says:

    Hi Keatron Evans, thanks for your article on “Ideal skill set for Penetration testing”. I want to start offering penetration testing services. Please guide me. I don’t have deep knowledge. During my long IT service, I have gone through Unix, Informix and VMware. During my service period I designed the topology and IP addressing for a bank’s network, configured several routers and switches, and was working on a live network. I am MCSE, CCNA, VCP, ISO 27001 Lead Auditor, Data Center and many more. Now I own my own firm providing consultancy; your guidance on how to go ahead in penetration testing will definitely help me. (I am re-entering my question after registering.)

  43. Syed Sajjad Mehdi says:

    Respected Sir,
    I am a B.Tech 3rd year student dedicated to penetration testing. For that I learned networking and Python scripting, worked on Linux and practiced Kali Linux automated tools. I am striving hard to gain in-depth and practical knowledge, but what concerns me is the penetration testing scope in the Indian market. Can you please provide me with the available options and what certifications I should do? What should be my first job profile to enter the world of pentesting? What should be the first job I should seek?
    I would be highly grateful for your answer and am waiting eagerly for it.
