1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Penetration testing without networking knowledge?

Discussion in 'Training & Development' started by ibexy, Jun 15, 2011.

  1. ibexy

    ibexy Bit Poster

    11
    0
    12
    Can one be a successful penetration tester without having first earned any of the networking certs?
     
    Certifications: ISTQB
    WIP: A+, PRINCE2
  2. sheepluv

    sheepluv Byte Poster

    113
    1
    32
    It would obviously depend on your experience/knowledge but surely if you are new to networking then you would not have much experience so you would not be aware of all the things than can be setup, have holes in etc ..

    I know there is materials to become a certed Ethical hacker, so you would have to understand all this for it to be a decent pen test.
    Maybe you can run some program against a network with all the tests in (or maybe this is part of it), really not sure.
     
    Last edited: Jun 15, 2011
    Certifications: CCNA | HND | 70-646
  3. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yep. You'll find plenty of firms out there that will give you the opportunity to interview and/or test you on your skills. 'Experience' (ahem) in penetration 'testing' (ahem) gained in the real world is the most useful attribute a pen tester can have. However, be prepared for a lot of rejections from companies who require certification for compliance purposes. Most of the big players in IT Security are extremely reluctant to employ poachers turned gamekeepers because of the potential liability to them.
     
    Certifications: A few
    WIP: None - f*** 'em
  4. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    There are two conflicting bits of information here.
    The first is
    whilst the second is
    Depending on which one you really mean obviously depends on your chances but speaking as someone who works with a very strong security team (I work for a company who carry out regular compliance scans) I can tell you that they will require a lot of background checks and the right certifications before even considering giving you access to their environments.

    If you're a script kiddie wanting to grow up you're better off getting real world experience and working up to that kind of work because no one would honestly give you the time of day without demonstrable proof that you can be trusted and relied upon.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  5. ibexy

    ibexy Bit Poster

    11
    0
    12
    Thanks for the answers. What am getting from this is that I could become a good pen tester based, solely, on programming skills? No hardware/software knowledge about networking?
     
    Certifications: ISTQB
    WIP: A+, PRINCE2
  6. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    I would expect you will need intermediate knowledge of networking really to be a good pen tester.

    Its pretty common for programmers to be expected to have some general comm's as well as some networking knowledge.
     
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  7. jk2447

    jk2447 Petabyte Poster Moderator

    5,481
    352
    249
    My 2 pence worth. I'm no expert but you can be an application penetration tester who tests apps, systems, databases etc and you can be an infrastructure pen tester who tests if you need your servers harderning, passwords meet complexity standards etc. Or you can do both of these things. I'd imagine app and infrastructure specific pen testers still know a lot about each others job tho, but no one can know it all. Check out CREST
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  8. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    This

    You need very little networking knowledge to be able to pen-test applications. Anyone who has got to the level of knowing the advanced techniques required to test code will already have gained enough knowledge to understand most anything they need to know network-wise. There are plenty of peeps out there who do nothing but SQL injection, for instance.
     
    Certifications: A few
    WIP: None - f*** 'em
  9. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Yeah there are people that specialise in static analysis, virus detection, encryption, identity/SSO, anti-piracy, point is its not really 'pen testing' then so its more likely they would be called programmers or application security analyst or some such.

    Penetration Tester, generally infers penetrating at least some network infrastructure. You are expected to determine weaknesses in company systems either from an external attacker or an internal attacker. In both cases the applications under investigation could be on remote hardware or the weaknesses could be in details of how the applications use certain network protocols.

    Defence companies regularly get software accredited and this will involve testing the software in isolation from most infrastructure issues normally. Its quite likely penetration test companies will be involved.
     
    Last edited: Jun 15, 2011
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  10. AuRoR

    AuRoR Bit Poster

    35
    0
    14
    How can you possibly pen test networks without having knowledge of networks?!
     
    Certifications: GNVQ ICT, Nat Diploma IT Practitioners
    WIP: Head above water
  11. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Pay attention. The OP is talking about penetration testing, not specifically network penetration testing. The vast majority of compromises nowadays have nothing whatsoever to do with networking - they are directed at poorly coded applications. If the poster is a competent sofwtae developer, he doesn't need to know anything about networking (beyond the basic skills he will already have absorbed as a developer)
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Monkeychops

    Monkeychops Kilobyte Poster

    286
    15
    25
    I'm just starting a role as a pen tester, I have some knowledge of network stuff but little experience with the hands on side of networks.

    As said pen tester is not just someone who tries to hack/attack the network, infact a lot of the stuff I'm going to be doing revolves around websites and web apps.

    Application testing would be something that a development background would be excellent for. You would still need some basic network knowledge, but it wouldn't be much and certainly not require network certifications for (although never a bad thing to have anyway).

    A company we use for some testing have specific teams for the app and infrastructure testing.

    I think part of the problem with some of the replies is that people just assume pen tester = someone who tries to hack into a network. That's one aspect of it yes, but there's also more to it than that.

    This new job has opened my eyes to what it entails.

    Check out OWASP, that's all about application security stuff which would suit a developer background

    https://www.owasp.org/index.php/Main_Page

    Have a read about on there, play with things like Webgoat to get an idea of what can be done.

    These people would never ever be called a pen tester imho, these are just other security based roles, and certainly not app pen testers. The type of thing zebulebu was talking about is applications testing, which is neither of those things.

    You don't! You test things you do have knowledge on, so in the OP's case applications testing (which is a massive massive area).

    People are way too hung up on network infrastructure when thinking about pen tests.

    Spot on.

    For instance take the latest Citibank breach, nothing to do with network security there just a poorly written web app that was open to URL manipulation. This should have been picked up in the security testing of that app....
     
    Last edited: Jun 19, 2011
  13. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    I was making the point that companies don't all follow the same definitions for job titles, but there are certain common perceptions. Penetration tester tends to infer penetrating physical infrastructure, software security testers can have many titles, hackers, crackers, application security specialist/analyst/engineer etc.

    Its also a common misconception that malformed query strings, cross site scripting and SQL injection are all there is to application security. These are just the 'low hanging fruit'. There are commerical suites that can automatically perform most of these tests on a web app, therefore negating a lot of your value add if this is your specialism.

    Web applications run over network infrastructure so you do need some infrastructure knowledge, you can have SSL offload, hardware cache devices, firewalls, CDN's, etc. The very nature of web applications tends to generate issues as the entire request can be manipulated. All server side input must be validated regardless of the client. Also the infrastructure is vulnerable to many attacks, DOS, DNS/ ARP poisoning, certificate theft, etc.

    Agreed, people without some knowledge of infrastructure are generally not classed as pen testers.
    There are many aspects of application security, applications can be tested in various ways, white box versus black box for instance. Using white box testing you can check more aspects of the applications design and look at many of the areas outlined. Static analysis, dynamic analysis and whitebox fuzzing should not be under estimated.

    This is because this is where the majority of the money generally gets spent, after physical security its probably the best ROI. It also most closely represents most peoples definition of a 'pen tester'.

    Only two references to pen tester, which makes my point that the term is not popular when referring to software security testing roles. When looking at popular job sites every penetration tester role mentioned an element of infrastructure or networking knowledge.
     
    Last edited: Jun 19, 2011
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  14. Monkeychops

    Monkeychops Kilobyte Poster

    286
    15
    25
    The point of the OWASP link with the OP being a dev was to show him what kind of things an app tester will be looking for.

    I'm well aware of the low hanging fruit in the different areas ;)

    As for the majority of money being spent on infrastructure pen testing, with the whole sony/citi/<insert the next one here> debacles if that is the case then I can see the shift changing a little more in favour of web app testing ;)

    Might be worth reading the the 'Pen Test Perfect Storm' series of presentations which have a little info on things

    Will Hack For SUSHI » Presentations

    First one in the series here, note the list of types of tester.

    http://www.willhackforsushi.com/presentations/PenTest_PerfectStorm_Part_1.pdf

    As it says, you do need a combined approach and I'm not saying at all that you don't need to test the network.

    My point was whilst having some knowledge of networks (and it doesn't have to be hugely advanced!) will help you, there are other areas you can get into (especially with a dev background) without that knowledge. Definitely doesn't require networking certs.

    Personally I don't think anyone would get into any of the technical pen testing stuff without a little knowledge of each area.

    Basic network knowledge is easy enough to learn so if I was the OP I wouldn't be worrying, just have a good read up on things.
     
    Last edited: Jun 20, 2011
  15. rickeybahl

    rickeybahl New Member

    5
    0
    1
    enetration testing involves identifying the weaknesses in your information networks. Traditionally, hackers are a few steps ahead of most network professionals in their knowledge of network weaknesses, so companies that ethically perform your Penetration Testing use the same techniques, tools and tricks that real hackers might use to breach your security.

    There are two stages to the Penetration Test itself. The first is finding potential weaknesses and vulnerabilities. The second is attempting to exploit those weak points in your systems. The company performing the Penetration Test must have your written approval to carry out the second part of the Test, as without consent, this is an illegal operation
     

Share This Page

Loading...