Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 36

Thread: Backtrack or Blackbuntu - ?

  1. #21
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by Ms. Daisy View Post
    Agreed that simply having the tools does not make you skilled.

    I hope you mean there's no industry standard for tools. Because there is definitely an industry standard for pen testing. There are far too many "professional" pen testers oblivious to any standards.
    For a malicious hacker, what the meaning of industry standard for him? Doubt.

    The "industry standard" is a set of rules or procedure for the good guys (may be the stupid guys) to follow and then get the certified certificates in order to claim that they are professionals in that field. However, do those guys get the certified qualifications are professional? Doubt.

    There are many fake professionals of InfoSec in the wild. They even do not know how to create or write a exploit code to exploit a piece of software or OS. Or, some of them misunderstanding of some of the concepts. For example, this guy is misunderstanding of using Back|Track. However, he bears some InfoSec qualifications. Maybe you do not agree with me, that's fine, it is only my opinion.

    Malicious hackers are very creative and they are very amazing. They are very professional. I do say that even I am not one of them.

    Samiux
    Last edited by samiux; March 3rd, 2013 at 08:15 PM. Reason: fix typo

  2. #22
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Backtrack or Blackbuntu - ?

    I think we might actually agree on this, as much as that pains me to say.

    Scoping a pen test != following industry standards while pen testing

    I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.

  3. #23
    Join Date
    Mar 2013
    Location
    In the shadows, of course
    Beans
    37

    Re: Backtrack or Blackbuntu - ?

    Didn't realize the thread come alive this easy. Now allow me to clear some things up.

    dodo3773, I agree with your idea of "skills before tools". However, if you give me tools i will find out how to use them and how and why they work; and then i can improve them. Sort of like reverse engineering. Thanks for comment though (btw what is your home distro) I figure wifi would be a good starting place to begin pen-testing then on to more complex things.

    As far as the industry standard (the one regarding being a pen-tester instead of a malicious hacker), I dont want to do something illegal, I just want to help make things more secure.

    As far as the industry standard (the one regarding the normal abilities and skills of tools and their users), I dont care what the "industry" says, I set my standards crazy high even if I cannot YET reach them.

    Anyway, if you have any suggestions on reading material or other ways to get started hacking (lets just call it what it is), please let me know. Thanks for the fun comments.

  4. #24
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,803

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by Ms. Daisy View Post
    I think we might actually agree on this, as much as that pains me to say.

    Scoping a pen test != following industry standards while pen testing

    I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.
    Sadly pen testers cannot and do not follow the rules of attackers, as attackers have no rules, no time constraints and no deliverables or legal agreements or defined scopes all of which are the bane of pen testing.

    As for the standards they are merely frameworks under which to work and not a compliance thing generally nor a legal requirement unless it is government work generally

    The standards you refer to I assume to be such as PSTE, OWASP, WASC-TC etc
    Feel Free to Bitcoin Tip: 135Rp4pwwYTHEJ4u8bxKaDQiC91N9LUoV2

    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  5. #25
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by Ms. Daisy View Post
    I think we might actually agree on this, as much as that pains me to say.

    Scoping a pen test != following industry standards while pen testing

    I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.
    No matter a guy who is a malicious hacker or pentester (good guy I mean) when he does not know how to write an exploit code himself, I will name him as "script kiddies", who using others' pre-made exploit codes to complete his tasks (no matter it is legal or illegal). Therefore, knowing how to launch a Metasploit is not a big deal. Some professionals in InfoSec do not use Metasploit. Some of them against it too.

    Pentester (good guy) should and must follows rules and standard while malicious hacker does not, such as written approval/consent.

    Samiux
    Last edited by samiux; March 3rd, 2013 at 09:27 PM. Reason: fix typo

  6. #26
    Join Date
    Jan 2008
    Location
    Manchester UK
    Beans
    13,636
    Distro
    Ubuntu

    Re: Backtrack or Blackbuntu - ?

    The fact that the "good" guys have to operate within the rules where as the bad guys don't is an age old problem which I imagine goes back to when rules were invented.

    To the question, I agree with the posters who've said it doesn't matter. The thing about linux is that distros are just a collection of things that the makers of those distros feel are a good starting point. Underneath though it's all the same. There is no best distro for this or that. They are all just variations.

  7. #27
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by ShadowGuardian View Post
    Didn't realize the thread come alive this easy. Now allow me to clear some things up.

    dodo3773, I agree with your idea of "skills before tools". However, if you give me tools i will find out how to use them and how and why they work; and then i can improve them. Sort of like reverse engineering. Thanks for comment though (btw what is your home distro) I figure wifi would be a good starting place to begin pen-testing then on to more complex things.

    As far as the industry standard (the one regarding being a pen-tester instead of a malicious hacker), I dont want to do something illegal, I just want to help make things more secure.

    As far as the industry standard (the one regarding the normal abilities and skills of tools and their users), I dont care what the "industry" says, I set my standards crazy high even if I cannot YET reach them.

    Anyway, if you have any suggestions on reading material or other ways to get started hacking (lets just call it what it is), please let me know. Thanks for the fun comments.
    May be my suggestion is not professional or suitable, but I hope you can consider.

    Samiux

  8. #28
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by haqking View Post
    Sadly pen testers cannot and do not follow the rules of attackers, as attackers have no rules, no time constraints and no deliverables or legal agreements or defined scopes all of which are the bane of pen testing.
    Agreed. I wish there were a way to fix that.
    Quote Originally Posted by haqking View Post
    As for the standards they are merely frameworks under which to work and not a compliance thing generally nor a legal requirement unless it is government work generally

    The standards you refer to I assume to be such as PSTE, OWASP, WASC-TC etc
    I was speaking more broadly- that there is a distinct difference between a quality penetration test and a Nessus scan launched by a script kiddie. It would be nice if there were a general standard/framework that purchasers of pen tests could actually understand and use to avoid charlatans. And it would be nice if ALL pros followed the existing frameworks such as the ones you pointed out.

    Pen testing and infosec in general are plagued with countless "professionals" that don't know their heads from their arses. When those guys sell crap to unsuspecting folks I get all grumpy about it and as a result I derail innocent threads on random forums

  9. #29
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,803

    Re: Backtrack or Blackbuntu - ?

    Quote Originally Posted by Ms. Daisy View Post
    Agreed. I wish there were a way to fix that. I was speaking more broadly- that there is a distinct difference between a quality penetration test and a Nessus scan launched by a script kiddie. It would be nice if there were a general standard/framework that purchasers of pen tests could actually understand and use to avoid charlatans.
    Yes a big difference, one is a pen test and the other is a vulnerability assessment, two completely different things, but I get your point, you know I like to be pedantic

    As for the general standard then there is to a degree, the thing is it changes so much for example web app would be covered by OWASP pretty much everywhere these days, US DOD or UK MOD or Govt work has certain standards required also such as CHECK and CLAS here in the UK, in the US it is covered by various DOD standards.

    PTSE is coming along but stil needs lots of work. And not forgetting OSSTMM which is a globally recognised standard for security testing.

    Also how do you have a 'real' standard for something that is never standard in scope

    That being said if say it is required as part of SOX or PCI compliance then certain requirements do need to be met, and the pen testing teams do need to comply for the most part with some standards for verifcation with the things i mentioned such as CREST, CHECK, CLAS though these are validations and affiliations rather than a testing standard or framework like OWASP or OSSTMM


    Peace
    Last edited by haqking; March 4th, 2013 at 12:30 AM.
    Feel Free to Bitcoin Tip: 135Rp4pwwYTHEJ4u8bxKaDQiC91N9LUoV2

    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  10. #30
    Join Date
    Mar 2013
    Location
    In the shadows, of course
    Beans
    37

    Re: Backtrack or Blackbuntu - ?

    @Samiux

    Thanks for the suggestion. One question though: Is it a course or just an exam. I like to learn on my own, so i tend to avoid courses, but an exam sounds okay. I just need a guide to show me what to learn.

Page 3 of 4 FirstFirst 1234 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •