Basic Penetration Tester skills

Source: Internet
Author: User

With the sharp increase in the number of major information security incidents at home and abroad, the importance of security continues to grow throughout the IT industry, and the number of penetration testing practitioners at home and abroad is growing as well. However, the security field is huge and complex, and you cannot master the relevant professional knowledge and skills overnight. I recently saw a post by a security expert on a blog outside China who summarized the essentials of penetration testing based on his years of security experience. Some of the translation may be missing; I hope you can make some corrections. Thank you!
1. Be proficient in an operating system. I don't need to emphasize how important this is. Too many people want to be a hacker or system security expert, but in fact they do not have a deep understanding of the systems that support their hacking and security protection. However, if you wear a system administrator's hat, this is the most basic knowledge. As a hacker, even if you get root permission, if you don't know how to use it, you have accomplished nothing. If you don't know what clues you have left in the system, how can you erase them? If you do not know enough about the system, how do you know how everything is recorded in the log?
2. Have good network and protocol knowledge. The OSI model is a good example for demonstrating an understanding of networks and protocols. You need to understand TCP in depth, not just know that it stands for Transmission Control Protocol. You need to know the structure of the TCP packet, the content it carries, and in detail how it works. In addition, know the difference between TCP and UDP; understand routing well enough to describe in detail how a packet is sent from one place to another; understand how DNS and ARP work; understand DHCP, learn how your terminal dynamically obtains its IP address, and think about what happens when you plug in the network cable. What type of path does the NIC establish when you plug in a network cable and it tries to obtain a dynamically assigned IP address? Is it Layer 2 or Layer 3?
3. If you do not understand what we have mentioned above, you are unlikely to understand how ARP spoofing and MITM attacks are implemented. In short, if you don't know how a process works, how do you know how to attack and operate it? Or even worse, you may not even know that a process exists. This is a reminder that you should be curious about how things work: every time we see something very good, the question should quickly run through our minds: how does it work?
4. Learn several basic scripting languages. Start with something simple, such as VBS or Bash.
5. Understand a basic firewall. Learn how to configure it to achieve access control, and then try to defeat it. You can find a cheap or used router and firewall to experiment with; buy one or ask your company for an old one. Start with configuring the access control table and learn how to scan them through simple IP spoofing and other basic techniques. Beyond applying them, you will gain a deeper understanding of these concepts. Once you have mastered this, you can move on to the PIX or ASA.
6. Have some understanding of forensics. This will help you better conceal your traces, and the impact on you is obvious.
7. Learn a programming language. Find something you want to automate or something you want to create. For example, for port scanning, you can find some similar tools, read their source code, and try to write your own port scanning tool.
8. Have a clear goal to drive yourself to learn new things. This is more important than everything else, because you need to spend your time on it and stay enthusiastic throughout.
9. Learn a few databases. Learn about databases and how they work, download various databases, look up information, and try to design a simple database. You do not have to become a database expert; the basic knowledge will be of great help.
10. Maintain enthusiasm for sharing and communicating with others. It is best to set up your own blog to record your learning process.


Author: blackvan
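
Item 2 asks for knowledge of the TCP packet's structure and what it carries. As an added illustration (not part of the original article), the following Python code decodes a raw TCP segment into its header fields, flags, options and payload, rejecting truncated or inconsistent headers. The function names and the sample SYN bytes are constructed for this example.

```python
import struct

# TCP flag bits, lowest bit first, as laid out in the header's flags byte.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def parse_options(raw: bytes) -> list:
    """Walk the option list: kind 0 ends it, kind 1 is padding, others are kind/length/value."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation, a single padding byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]      # length covers the kind and length bytes too
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp_segment(segment: bytes) -> dict:
    """Decode a raw TCP segment (header plus payload) into named fields."""
    if len(segment) < 20:
        raise ValueError("truncated: a TCP header is at least 20 bytes")
    (src, dst, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4      # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [n for bit, n in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }

# Constructed sample: a SYN from port 49152 to port 443 with one option,
# MSS = 1460 (kind 2, length 4), so the header is 24 bytes (data offset 6).
# The checksum field is left at 0; this example does not verify it.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0,
                         6 << 4, 0x02, 64240, 0, 0) + bytes([2, 4, 0x05, 0xB4])

if __name__ == "__main__":
    for key, value in parse_tcp_segment(SAMPLE_SYN).items():
        print(f"{key:>10}: {value}")
```
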
