Backtrack or Blackbuntu - ?

[samiux]

Agreed that simply having the tools does not make you skilled.

I hope you mean there's no industry standard for tools. Because there is definitely an industry standard for pen testing. There are far too many "professional" pen testers oblivious to any standards.

For a malicious hacker, what the meaning of industry standard for him? Doubt.

The "industry standard" is a set of rules or procedure for the good guys (may be the stupid guys) to follow and then get the certified certificates in order to claim that they are professionals in that field. However, do those guys get the certified qualifications are professional? Doubt.

There are many fake professionals of InfoSec in the wild. They even do not know how to create or write a exploit code to exploit a piece of software or OS. Or, some of them misunderstanding of some of the concepts. For example, this guy is misunderstanding of using Back|Track. However, he bears some InfoSec qualifications. Maybe you do not agree with me, that's fine, it is only my opinion.

Malicious hackers are very creative and they are very amazing. They are very professional. I do say that even I am not one of them.

Samiux

[Ms. Daisy]

I think we might actually agree on this, as much as that pains me to say.

Scoping a pen test != following industry standards while pen testing

I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.

[ShadowGuardian]

Didn't realize the thread come alive this easy. Now allow me to clear some things up.

dodo3773, I agree with your idea of "skills before tools". However, if you give me tools i will find out how to use them and how and why they work; and then i can improve them. Sort of like reverse engineering. Thanks for comment though (btw what is your home distro) I figure wifi would be a good starting place to begin pen-testing then on to more complex things.

As far as the industry standard (the one regarding being a pen-tester instead of a malicious hacker), I dont want to do something illegal, I just want to help make things more secure.

As far as the industry standard (the one regarding the normal abilities and skills of tools and their users), I dont care what the "industry" says, I set my standards crazy high even if I cannot YET reach them.

Anyway, if you have any suggestions on reading material or other ways to get started hacking (lets just call it what it is), please let me know. Thanks for the fun comments.

[haqking]

I think we might actually agree on this, as much as that pains me to say.

Scoping a pen test != following industry standards while pen testing

I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.

Sadly pen testers cannot and do not follow the rules of attackers, as attackers have no rules, no time constraints and no deliverables or legal agreements or defined scopes all of which are the bane of pen testing.

As for the standards they are merely frameworks under which to work and not a compliance thing generally nor a legal requirement unless it is government work generally

The standards you refer to I assume to be such as PSTE, OWASP, WASC-TC etc

[samiux]

I think we might actually agree on this, as much as that pains me to say.

Scoping a pen test != following industry standards while pen testing

I agree if you want to assess your $things then pen testers should follow the same rules as attackers. Pen tests need to be conducted by skilled pros, not just anyone who can launch metasploit.

No matter a guy who is a malicious hacker or pentester (good guy I mean) when he does not know how to write an exploit code himself, I will name him as "script kiddies", who using others' pre-made exploit codes to complete his tasks (no matter it is legal or illegal). Therefore, knowing how to launch a Metasploit is not a big deal. Some professionals in InfoSec do not use Metasploit. Some of them against it too.

Pentester (good guy) should and must follows rules and standard while malicious hacker does not, such as written approval/consent.

Samiux

[nothingspecial]

The fact that the "good" guys have to operate within the rules where as the bad guys don't is an age old problem which I imagine goes back to when rules were invented.

To the question, I agree with the posters who've said it doesn't matter. The thing about linux is that distros are just a collection of things that the makers of those distros feel are a good starting point. Underneath though it's all the same. There is no best distro for this or that. They are all just variations.

[samiux]

Didn't realize the thread come alive this easy. Now allow me to clear some things up.

dodo3773, I agree with your idea of "skills before tools". However, if you give me tools i will find out how to use them and how and why they work; and then i can improve them. Sort of like reverse engineering. Thanks for comment though (btw what is your home distro) I figure wifi would be a good starting place to begin pen-testing then on to more complex things.

As far as the industry standard (the one regarding being a pen-tester instead of a malicious hacker), I dont want to do something illegal, I just want to help make things more secure.

As far as the industry standard (the one regarding the normal abilities and skills of tools and their users), I dont care what the "industry" says, I set my standards crazy high even if I cannot YET reach them.

Anyway, if you have any suggestions on reading material or other ways to get started hacking (lets just call it what it is), please let me know. Thanks for the fun comments.

May be my suggestion is not professional or suitable, but I hope you can consider.

Samiux

[Ms. Daisy]

Sadly pen testers cannot and do not follow the rules of attackers, as attackers have no rules, no time constraints and no deliverables or legal agreements or defined scopes all of which are the bane of pen testing.

Agreed. I wish there were a way to fix that.

As for the standards they are merely frameworks under which to work and not a compliance thing generally nor a legal requirement unless it is government work generally

The standards you refer to I assume to be such as PSTE, OWASP, WASC-TC etc

I was speaking more broadly- that there is a distinct difference between a quality penetration test and a Nessus scan launched by a script kiddie. It would be nice if there were a general standard/framework that purchasers of pen tests could actually understand and use to avoid charlatans. And it would be nice if ALL pros followed the existing frameworks such as the ones you pointed out.

Pen testing and infosec in general are plagued with countless "professionals" that don't know their heads from their arses. When those guys sell crap to unsuspecting folks I get all grumpy about it and as a result I derail innocent threads on random forums

[haqking]

Agreed. I wish there were a way to fix that. I was speaking more broadly- that there is a distinct difference between a quality penetration test and a Nessus scan launched by a script kiddie. It would be nice if there were a general standard/framework that purchasers of pen tests could actually understand and use to avoid charlatans.

Yes a big difference, one is a pen test and the other is a vulnerability assessment, two completely different things, but I get your point, you know I like to be pedantic

As for the general standard then there is to a degree, the thing is it changes so much for example web app would be covered by OWASP pretty much everywhere these days, US DOD or UK MOD or Govt work has certain standards required also such as CHECK and CLAS here in the UK, in the US it is covered by various DOD standards.

PTSE is coming along but stil needs lots of work. And not forgetting OSSTMM which is a globally recognised standard for security testing.

Also how do you have a 'real' standard for something that is never standard in scope

That being said if say it is required as part of SOX or PCI compliance then certain requirements do need to be met, and the pen testing teams do need to comply for the most part with some standards for verifcation with the things i mentioned such as CREST, CHECK, CLAS though these are validations and affiliations rather than a testing standard or framework like OWASP or OSSTMM


Peace

[ShadowGuardian]

@Samiux

Thanks for the suggestion. One question though: Is it a course or just an exam. I like to learn on my own, so i tend to avoid courses, but an exam sounds okay. I just need a guide to show me what to learn.