Penetration testing without networking knowledge?

Discussion in 'Training & Development' started by ibexy, Jun 15, 2011.

  1. ibexy

    ibexy Bit Poster

    Can one be a successful penetration tester without having first earned any of the networking certs?
     
    Certifications: ISTQB
    WIP: A+, PRINCE2
  2. sheepluv

    sheepluv Byte Poster

    It would obviously depend on your experience/knowledge, but surely if you are new to networking then you would not have much experience, so you would not be aware of all the things that can be set up, have holes in, etc.

    I know there are materials to become a certed Ethical Hacker, so you would have to understand all this for it to be a decent pen test.
    Maybe you can run some program against a network with all the tests in (or maybe this is part of it), really not sure.
     
    Last edited: Jun 15, 2011
    Certifications: CCNA | HND | 70-646
  3. zebulebu

    zebulebu Terabyte Poster

    Yep. You'll find plenty of firms out there that will give you the opportunity to interview and/or test you on your skills. 'Experience' (ahem) in penetration 'testing' (ahem) gained in the real world is the most useful attribute a pen tester can have. However, be prepared for a lot of rejections from companies who require certification for compliance purposes. Most of the big players in IT Security are extremely reluctant to employ poachers turned gamekeepers because of the potential liability to them.
     
    Certifications: A few
    WIP: None - f*** 'em
  4. SimonD
    Honorary Member

    SimonD Terabyte Poster

    There are two conflicting bits of information here.
    The first is
    whilst the second is
    Depending on which one you really mean obviously depends on your chances but speaking as someone who works with a very strong security team (I work for a company who carry out regular compliance scans) I can tell you that they will require a lot of background checks and the right certifications before even considering giving you access to their environments.

    If you're a script kiddie wanting to grow up you're better off getting real world experience and working up to that kind of work because no one would honestly give you the time of day without demonstrable proof that you can be trusted and relied upon.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  5. ibexy

    ibexy Bit Poster

    Thanks for the answers. What I am getting from this is that I could become a good pen tester based solely on programming skills? No hardware/software knowledge about networking?
     
    Certifications: ISTQB
    WIP: A+, PRINCE2
  6. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    I would expect you will need intermediate knowledge of networking really to be a good pen tester.

    It's pretty common for programmers to be expected to have some general comms as well as some networking knowledge.
     
  7. JK2447
    Highly Decorated Member Award 500 Likes Award

    JK2447 Petabyte Poster Administrator Premium Member

    My 2 pence worth. I'm no expert, but you can be an application penetration tester who tests apps, systems, databases etc., and you can be an infrastructure pen tester who tests whether your servers need hardening, passwords meet complexity standards etc. Or you can do both of these things. I'd imagine app and infrastructure specific pen testers still know a lot about each other's job though, but no one can know it all. Check out CREST.
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  8. zebulebu

    zebulebu Terabyte Poster

    This

    You need very little networking knowledge to be able to pen-test applications. Anyone who has got to the level of knowing the advanced techniques required to test code will already have gained enough knowledge to understand most anything they need to know network-wise. There are plenty of peeps out there who do nothing but SQL injection, for instance.
     
    Certifications: A few
    WIP: None - f*** 'em
  9. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    Yeah, there are people that specialise in static analysis, virus detection, encryption, identity/SSO, anti-piracy; the point is it's not really 'pen testing' then, so it's more likely they would be called programmers or application security analysts or some such.

    Penetration Tester, generally infers penetrating at least some network infrastructure. You are expected to determine weaknesses in company systems either from an external attacker or an internal attacker. In both cases the applications under investigation could be on remote hardware or the weaknesses could be in details of how the applications use certain network protocols.

    Defence companies regularly get software accredited and this will normally involve testing the software in isolation from most infrastructure issues. It's quite likely penetration test companies will be involved.
     
    Last edited: Jun 15, 2011
  10. AuRoR

    AuRoR Bit Poster

    How can you possibly pen test networks without having knowledge of networks?!
     
    Certifications: GNVQ ICT, Nat Diploma IT Practitioners
    WIP: Head above water
  11. zebulebu

    zebulebu Terabyte Poster

    Pay attention. The OP is talking about penetration testing, not specifically network penetration testing. The vast majority of compromises nowadays have nothing whatsoever to do with networking - they are directed at poorly coded applications. If the poster is a competent software developer, he doesn't need to know anything about networking (beyond the basic skills he will already have absorbed as a developer).
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Monkeychops

    Monkeychops Kilobyte Poster

    I'm just starting a role as a pen tester, I have some knowledge of network stuff but little experience with the hands on side of networks.

    As said, a pen tester is not just someone who tries to hack/attack the network; in fact a lot of the stuff I'm going to be doing revolves around websites and web apps.

    Application testing would be something that a development background would be excellent for. You would still need some basic network knowledge, but it wouldn't be much and certainly wouldn't require network certifications (although they are never a bad thing to have anyway).

    A company we use for some testing have specific teams for the app and infrastructure testing.

    I think part of the problem with some of the replies is that people just assume pen tester = someone who tries to hack into a network. That's one aspect of it yes, but there's also more to it than that.

    This new job has opened my eyes to what it entails.

    Check out OWASP, that's all about application security stuff which would suit a developer background.

    https://www.owasp.org/index.php/Main_Page

    Have a read about on there, play with things like Webgoat to get an idea of what can be done.

    These people would never ever be called a pen tester imho, these are just other security based roles, and certainly not app pen testers. The type of thing zebulebu was talking about is applications testing, which is neither of those things.

    You don't! You test things you do have knowledge on, so in the OP's case applications testing (which is a massive massive area).

    People are way too hung up on network infrastructure when thinking about pen tests.

    Spot on.

    For instance take the latest Citibank breach, nothing to do with network security there just a poorly written web app that was open to URL manipulation. This should have been picked up in the security testing of that app....
     
    Last edited: Jun 19, 2011
  13. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    I was making the point that companies don't all follow the same definitions for job titles, but there are certain common perceptions. Penetration tester tends to infer penetrating physical infrastructure, software security testers can have many titles, hackers, crackers, application security specialist/analyst/engineer etc.

    It's also a common misconception that malformed query strings, cross site scripting and SQL injection are all there is to application security. These are just the 'low hanging fruit'. There are commercial suites that can automatically perform most of these tests on a web app, therefore negating a lot of your value add if this is your specialism.

    Web applications run over network infrastructure so you do need some infrastructure knowledge; you can have SSL offload, hardware cache devices, firewalls, CDNs, etc. The very nature of web applications tends to generate issues as the entire request can be manipulated. All server side input must be validated regardless of the client. Also the infrastructure is vulnerable to many attacks: DOS, DNS/ARP poisoning, certificate theft, etc.

    Agreed, people without some knowledge of infrastructure are generally not classed as pen testers.
    There are many aspects of application security; applications can be tested in various ways, white box versus black box for instance. Using white box testing you can check more aspects of the application's design and look at many of the areas outlined. Static analysis, dynamic analysis and whitebox fuzzing should not be underestimated.

    This is because this is where the majority of the money generally gets spent; after physical security it's probably the best ROI. It also most closely represents most people's definition of a 'pen tester'.

    Only two references to pen tester, which makes my point that the term is not popular when referring to software security testing roles. When looking at popular job sites every penetration tester role mentioned an element of infrastructure or networking knowledge.
     
    Last edited: Jun 19, 2011
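The two points above, that the entire request can be manipulated so all input must be validated server side, and Monkeychops' example of a web app open to URL manipulation, as an added illustration that is not code from the thread. It shows an account lookup that trusts the id in the query string beside one that validates the parameter and checks ownership; the account data, usernames and URLs are constructed.

```python
# Added example (not from the thread): an account lookup that trusts the URL
# parameter, beside a handler that validates the request server side and
# enforces ownership. Accounts, users and URLs are constructed sample data.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account id -> (owner username, balance)
ACCOUNTS = {
    "1001": ("alice", 250.00),
    "1002": ("bob", 9800.00),
}


def vulnerable_account_view(url: str, session_user: str) -> dict:
    """Trusts the 'acct' parameter from the URL: any logged-in user can read
    any account simply by editing the query string (the session is ignored)."""
    acct = parse_qs(urlparse(url).query).get("acct", [""])[0]
    record = ACCOUNTS.get(acct)
    if record is None:
        return {"status": 404}
    return {"status": 200, "owner": record[0], "balance": record[1]}


def hardened_account_view(url: str, session_user: str) -> dict:
    """Validates the parameter server side and checks that the authenticated
    session owns the requested account (authorisation, not just authentication)."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    # Reject missing, repeated, non-numeric or oversized ids before touching data.
    if len(values) != 1 or not values[0].isdigit() or len(values[0]) > 10:
        return {"status": 400}
    record = ACCOUNTS.get(values[0])
    # Same response for "not found" and "not yours", so the endpoint cannot be
    # used to enumerate which account ids exist.
    if record is None or record[0] != session_user:
        return {"status": 404}
    return {"status": 200, "owner": record[0], "balance": record[1]}
```

Automated scanners flag the injection-style bugs mentioned earlier, but this kind of authorisation flaw only shows up when the tester understands what the application is supposed to allow.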
  14. Monkeychops

    Monkeychops Kilobyte Poster

    The point of the OWASP link with the OP being a dev was to show him what kind of things an app tester will be looking for.

    I'm well aware of the low hanging fruit in the different areas ;)

    As for the majority of money being spent on infrastructure pen testing, with the whole sony/citi/<insert the next one here> debacles if that is the case then I can see the shift changing a little more in favour of web app testing ;)

    Might be worth reading the 'Pen Test Perfect Storm' series of presentations, which have a little info on things.

    Will Hack For SUSHI » Presentations

    First one in the series here, note the list of types of tester.

    http://www.willhackforsushi.com/presentations/PenTest_PerfectStorm_Part_1.pdf

    As it says, you do need a combined approach and I'm not saying at all that you don't need to test the network.

    My point was whilst having some knowledge of networks (and it doesn't have to be hugely advanced!) will help you, there are other areas you can get into (especially with a dev background) without that knowledge. Definitely doesn't require networking certs.

    Personally I don't think anyone would get into any of the technical pen testing stuff without a little knowledge of each area.

    Basic network knowledge is easy enough to learn so if I was the OP I wouldn't be worrying, just have a good read up on things.
     
    Last edited: Jun 20, 2011
  15. rickeybahl

    rickeybahl New Member

    Penetration testing involves identifying the weaknesses in your information networks. Traditionally, hackers are a few steps ahead of most network professionals in their knowledge of network weaknesses, so companies that ethically perform your Penetration Testing use the same techniques, tools and tricks that real hackers might use to breach your security.

    There are two stages to the Penetration Test itself. The first is finding potential weaknesses and vulnerabilities. The second is attempting to exploit those weak points in your systems. The company performing the Penetration Test must have your written approval to carry out the second part of the Test, as without consent this is an illegal operation.
     
