Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Pen Testing, No Experience.

  • 10-02-2016 11:28am
    #1
    Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭


    I'm not trying to get into Security, but I want to build my skills in the area for the purposes of Development and Devops. What would everyone recommend to get started? I'm thinking of a VM, but is it possible to simulate a Network on a local machine for testing?


Comments

  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    You can simulate a full network with GNS3. Other than that, there's a compiled list of practice sites/VM's/CTF's here.

    If you are willing to invest a bit though, you could do the OSCP. They give you a full simulated network, so it's totally hands on, plus it teaches you the underlying vulnerabilities and how to code exploits, rather than some courses where you'd just be using click and point tools.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    I'll stick up some stuff tomorrow when I'm at my laptop. I have loads of stuff I can share with you.


  • Moderators, Society & Culture Moderators Posts: 9,768 Mod ✭✭✭✭Manach


    Not directly relevant to Pen Testing but for the OP, might I suggest the following for some Devops tools: Splunk, Puppet & Jenkins.


  • Registered Users, Registered Users 2 Posts: 1,215 ✭✭✭harney




  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer




  • Advertisement
  • Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭L.Jenkins


    Thanks for all the posts, links and advice lads. Much appreciated.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Itzy wrote: »
    Thanks for all the posts, links and advice lads. Much appreciated.

    Have you an area of pen testing you are interested in? Web, Wireless, OS/System, Network?

    I read a great book years ago called "InfoSec Career hacking". A sexy title but it gave instructions for building the ideal home-based pen test lab.

    It has never, in the history of man, been easier to find resources to be a pen tester. There are vulnerable VDMs you can install to practice on and their a video walkthroughs of individual tools.


  • Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭L.Jenkins


    I'm somewhat interested in the area of Network and Web Security. I'll keep looking for resources online.


  • Closed Accounts Posts: 1,137 ✭✭✭veganrun


    I'm also interested in this area from a testing point if view but not sure where to start. I'm also a bit paranoid about googling the wrong thing around security/pen testing and getting arrested or something :)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    veganrun wrote: »
    I'm also interested in this area from a testing point if view but not sure where to start. I'm also a bit paranoid about googling the wrong thing around security/pen testing and getting arrested or something :)

    As i said before, it has never before been easier to find information or get experience in this issue. You wont get arrested for googling "how to learn pen testing".

    I would say do the following:

    #1 If you dont have hardware capable of virtualising other OS, beg, borrow or steal some hardware. Install a few different OS, including Kali and metasploitable. Familiarise yourself with the tools and vulnerabilities. Get it so you can go from none to pwned in a couple of minutes.

    #2 Install the Damn Vulnerable Web Applications and learn to use Burp or other tools to exploit them

    #3 Review and learn the SQLi and XSS cheat sheets and then...

    #4 Join HackerOne or another BugBounty program and start using your knowledge to find bugs. You could earn some $$$ from it.

    #5 Rejoice! Your now a pen tester!


  • Advertisement
  • Closed Accounts Posts: 1,137 ✭✭✭veganrun


    syklops wrote: »
    As i said before, it has never before been easier to find information or get experience in this issue. You wont get arrested for googling "how to learn pen testing".

    I would say do the following:

    #1 If you dont have hardware capable of virtualising other OS, beg, borrow or steal some hardware. Install a few different OS, including Kali and metasploitable. Familiarise yourself with the tools and vulnerabilities. Get it so you can go from none to pwned in a couple of minutes.

    #2 Install the Damn Vulnerable Web Applications and learn to use Burp or other tools to exploit them

    #3 Review and learn the SQLi and XSS cheat sheets and then...

    #4 Join HackerOne or another BugBounty program and start using your knowledge to find bugs. You could earn some $$$ from it.

    #5 Rejoice! Your now a pen tester!

    Thanks. I have an old laptop that isn't much use so I could put Kali Linux on that.

    Has anyone joined Hack Forums? I read about it on the BBC website. http://www.bbc.co.uk/news/technology-32019260


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    veganrun wrote: »
    Thanks. I have an old laptop that isn't much use so I could put Kali Linux on that.

    Has anyone joined Hack Forums? I read about it on the BBC website. http://www.bbc.co.uk/news/technology-32019260

    Dont put kali on the old laptop, put metasploitable, and then try to hack it from your own laptop. Research the vulnerabilities, find exploits, and compromise that laptop.

    Too many people think that installing kali means they are a green belt in pen testing. Getting your first remote shell is where the magic is at.


  • Registered Users, Registered Users 2 Posts: 1,215 ✭✭✭harney


    You can always use something like UNetbootin to install Kali on a USB stick. Then just boot off the USB stick into Kali, and you don't have to modify your current PC.

    http://unetbootin.github.io


  • Closed Accounts Posts: 1,137 ✭✭✭veganrun


    Can I hack metasploitable from a Windows machine?


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    veganrun wrote: »
    Can I hack metasploitable from a Windows machine?
    Yes.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    veganrun wrote: »
    Can I hack metasploitable from a Windows machine?

    It'd be like trying to peel a potato with a knife as opposed to a potato peeler. Possible but just trickier and more hassle


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    timmywex wrote: »
    It'd be like trying to peel a potato with a knife as opposed to a potato peeler. Possible but just trickier and more hassle
    I reckon it actually wouldn't be all that much more hassle, in fact I reckon for a few of the vulns you'd actually learn a hell of a lot more as you wouldn't just be able to throw a tool at it. You'd probably need to be at least somewhat capable of scripting/coding though.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    Blowfish wrote: »
    I reckon it actually wouldn't be all that much more hassle, in fact I reckon for a few of the vulns you'd actually learn a hell of a lot more as you wouldn't just be able to throw a tool at it. You'd probably need to be at least somewhat capable of scripting/coding though.

    Well yeh this is it. Kali is a one click download, load up the VM and easy to follow online tutorials or whatever from there. Windows is just that bit more awkward IMO, but definitely very doable


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    I've been very interested in this myself, so thanks all for the links. Tis a good start, more hobby than professional, always good to know the basics :D


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    veganrun wrote: »
    Can I hack metasploitable from a Windows machine?

    Nmap and netcat both available for windows will get you access to metasploitable via a few of the vulns. For example there is a backdoor in the IRC daemon which can be triggered via netcat. Its more important for you to learn what the vulnerabilities mean, how they are exploited and how to prevent them.

    Yes it can be done easily.


  • Advertisement
  • Closed Accounts Posts: 1,137 ✭✭✭veganrun


    Am I right to think metasploitable is just a VM image and can't be "installed" like a normal Linux OS?

    If so, what's the best way to run it on an old laptop?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    veganrun wrote: »
    Am I right to think metasploitable is just a VM image and can't be "installed" like a normal Linux OS?

    If so, what's the best way to run it on an old laptop?

    Read the documentation. It says they recommend VM player which is free.


  • Registered Users, Registered Users 2 Posts: 134 ✭✭ishotjr2


    Check out this

    http://beefproject.com/


Advertisement