Question for Ric Messier

 
Greenhorn
Greetings, Ric.
Thanks for hanging out at the ranch.
I took an introduction to penetration testing class and it primarily dealt with using Kali Linux with Metasploit.
I didn't feel like I got enough information about what I need to know to find network and system vulnerabilities and more importantly how to mitigate the vulnerability.
If a person is considering a career change to be a pen-tester, I don't think it's enough to just know how to use tools already written that attempt to exploit known vulnerabilities.
Can you please describe the types of skills a pen-tester must have to be marketable?
 
Author
Such a broad range of questions. I'm not sure there are easy answers. One way to get into penetration testing is to learn Kali and Metasploit. That may be okay for entry level penetration testing. That and being good at running and interpreting scans from Nessus, Nexpose, Qualys, etc. In terms of actually identifying new vulnerabilities that have been previously undiscovered, well, that's a whole different can of worms and that's not necessarily penetration testing. I'd say a good penetration tester should have knowledge of networking, systems administration, various protocols down to manual manipulation as just a starting point. More importantly, there are a lot of soft skills that are really useful. Curiosity. Persistence -- lots of things simply aren't going to work even if they are supposed to. Troubleshooting. Problem solving.

You aren't going to know how to remediate vulnerabilities without a broad range of knowledge and experience. It takes time to acquire that and isn't something that you can just insert a funnel and acquire quickly. What I generally tell people, whether I'm talking to them, teaching them in class, writing a book or doing a video training title is that it's essential to get your hands on a small lab setup. Some virtual machines work fine. Get a copy of Kali, Metasploit and Nexpose. Get some broken systems. Play with them and see what works and doesn't work. Learn more about how programs are put together and how they are placed into memory. Get some experience just managing systems since there is nothing like having to fix something to teach you how systems work.

That's just as a starting point. But everyone needs somewhere to start.

Ric
 