I receive A LOT of private messages from people interested in “hacking”. 7 out of 10 are (sadly) people interested in learning how to hack a Facebook account, hack an email account, send spam through SMTP servers, find a good proxy for hiding their tracks while performing illegal activities (without having a clear concept of anonymity and privacy in mind) or spy on the cheating husband/wife looking for proof to accuse them (without directly talking to their other half and with a clear lack of trust that makes you wonder why they are still together, but hey this isn’t a love counseling service but an infosec website). The remaining 30% is composed of people interested in becoming an ethical hacker or penetration tester with surprisingly varied backgrounds: there are computer science students, programmers and people who studied anything but computer science at university (and often are more motivated and less dumb than the first two). Often people ask: “HOW DO I BECOME A HACKER?” or “WHAT SHOULD I STUDY FOR BECOMING A HACKER?” or “WHAT PROGRAMMING LANGUAGES ARE THE BEST FOR HACKING?”.
Let’s try to shed some light:
If you read the introduction to this course you should have a clear idea of who a hacker is; anyway, I want to reinforce the concept that to be a hacker one must have deep knowledge, be curious by nature, smart, intuitive and be able to think outside the box. “Deep knowledge you said, but knowledge about what?”
Well if you hear this question, 9 times out of 10 it comes from someone who simply doesn’t want to use his brain and didn’t research deeply on his own (and won’t go very far unless he changes his attitude) or more rarely from a skilled person who recognizes your expertise and simply seeks advice from an expert or is looking for a mentor.
Let’s try to use our brain and do some brainstorming:
What are you using for reading this? A BROWSER, which is a program for accessing web pages on the INTERNET using a COMPUTER that is made of some HARDWARE and a set of SOFTWARE needed for the primary functions of the computer called the OPERATING SYSTEM.
So the main things that you need to study are:
OPERATING SYSTEMS (OS) INTERNALS (Windows, Linux, Mac OS X, etc);
NETWORKING (topology, types of infrastructures, subnetting, ports, services, firewalls, internet protocols, ISO/OSI model, encapsulation, IP, routing, TCP, UDP, DNS, proxy, VPN, encryption schemes, etc);
PROGRAMMING (system, desktop and web programming, APIs, network programming, etc).
This is the bare minimum required. Is it enough? The answer is: it depends. If you are just starting it can be enough but beware, the infosec world is huge! You’ll need to study a lot more than this. If you want to become a security professional you need to know about EVERYTHING (although being specialized in a particular field is common). What else do you need to know? The answer is again: it depends.
Do you want to test the security of a Web Application? You’ll need to know about the HTTP protocol, cookies, sessions, databases, web programming languages and a lot more things. (See OWASP)
Do you want to work in the Incident Response and Disaster Recovery field? You’ll need to know about IDS (intrusion detection systems), firewalls, malware analysis, forensics, system administration and reverse engineering.
Do you want to be a Cyber Security Forensics Professional? You’ll need to know about, guess what? Forensics (disk imaging, data recovery, data analysis, file analysis, file formats, file systems, hardware, write blockers, encryption, GPS, network forensics, OS fingerprinting, hidden channels, proxy servers, steganography, steganalysis, metadata extraction and analysis, being able to circumvent anti-forensics tools, legal issues).
Do you want to be a Security Analyst or a Penetration Tester? You’ll need to know basically everything. You’ll need to have the same skills as a hacker but there is a big difference: a hacker may be an expert in a field of interest, while you as a professional must be able to test the security of the whole infrastructure of a company, know every technology and technique, be able to evaluate the risk of any possible attack, write a technical report, give advice on how to fix the problems and educate the company’s personnel. You as a professional have to use a proper pentesting methodology rather than running random attacks, in order to ensure efficiency, efficacy and safety. Before performing the test you normally have to define the scope, inform the company of any possible risk and ask them to do backups, avoid system damage, data loss and Denial Of Service, sign an NDA (Non Disclosure Agreement) and contact a lawyer who is an expert in the law of the company’s country; it is also recommended to have professional insurance to cover you in case something goes wrong.
While I was writing this chapter I got a couple of questions from 2 hacker wannabes:
“WHAT PROGRAMMING LANGUAGES ARE THE BEST FOR HACKING?”
If you are starting to program, my personal advice is to start with Python (or Ruby if you prefer) because it’s easier to learn. If you feel confident then you can try C++ or Java (to name a few). If those are also a piece of cake for you (lucky you!) then you may find Assembly quite interesting. The general advice is to start from high level programming languages and move towards low level languages in order to know better how the hardware-software interface works and achieve better speed and memory optimization. A programming language may be more suitable than another language for a specific task and if you are a programming polyglot you are free to choose the one that suits you best, but is there really a best programming language? I wanna ask you: who is 1337er? Someone who is able to code a Hello World snippet in Assembly or someone who is able to code a packet sniffer in Python? If you read my words you probably know what I mean. My opinion is that the best language for you is the language you know best, the one you feel comfortable with and that allows you to develop advanced and complex programs that respond to your needs.
The other question I received is this:
“ARE TOOLS IMPORTANT FOR HACKING?”
My answer is yes, for the simple reason that you need a “tool” or program for interacting with another system or program, but of course grabbing a random tool and clicking a few buttons or remembering a few commands for command line programs won’t make you a hacker, unless you know exactly how the program works and what technology and technique are behind it. That is fundamental and much more important than having a tool, be it an expensive one or a free open source tool. Knowledge is power. Money doesn’t buy knowledge, that’s why this course is free. A good security professional is also able to program; anyway, of course we can’t have the time and knowledge to develop programs for every task, and someone may be specialized in a particular field and have developed a tool that works really well, so there’s nothing wrong in using it. There are great tools used by millions of security professionals every day (see nmap for example). Using programs made by others and sharing programs developed by yourself is what makes the infosec community great.
Author: Fabio Baroni Date: 2015-12-13 23:23:26