Penetration Tester

Business 2008. 12. 4. 12:37

1) LOOK at the resume - closely.
Penetration testing isn't just being able to run some tools, exploit some systems, and charge the client for coffee and pizza (although that last item is essential, especially for late night work).

They must be able to:
* write clearly
* spell properly
* convey meaning

These traits are ESSENTIAL in explaining problems and recommending remediation steps in a way that is easily understandable by the client.

Biggest turn-off: All too often I see resumes full of run-on sentences or non-assertive phrases.

2) READ the resume - how do they think?
You might be tempted to skip over the majority of the resume and look only for keywords, such as the names of familiar tools (nessus, nikto, webinspect, nmap, etc.). While familiarity with these tools is important, you need to know the candidate's approach or methodology.

Some common (and quite good) methodologies:

The Open Source Security Testing Methodology Manual (OSSTMM) is:
"…a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. OSSTMM is also known for its Rules of Engagement which define for both the tester and the client how the test needs to properly run starting from denying false advertising from testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated."


The Information Systems Security Assessment Framework (ISSAF) was developed by the Open Information Systems Security Group, and is defined as "…a peer reviewed structured framework that categorizes information system security assessment into various domains & details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet of security processes and their assessment and hardening to get a complete picture of the vulnerabilities that might exist."

(Note: Of the two methodologies listed, the OSSTMM is more mature.)

Familiarity with the Guideline on Network Security Testing from NIST (the National Institute of Standards and Technology) is an excellent baseline. These guidelines are published in Special Publication 800-42 and are a bit less comprehensive than the OSSTMM model. Testers familiar with 800-42 are typically more knowledgeable about working with regulatory agencies and their specific testing and auditing requirements.

3) Certifications listed on resume - what matters?

CEH (Certified Ethical Hacker):
We have discussed this certification at length in articles here and here. My current opinion is that the certification program gives testers an exposure to tools, and prepares them to pass the required examination. That's about it.

National Security Agency IAM (INFOSEC Assessment Methodology) and IEM (INFOSEC Evaluation Methodology):
Both of these certifications cover the excellent IEM/IAM methodologies in grueling detail. The certifications involve classroom training, group activities, presentations to peers on assessments (think intelligence briefings), and written exams. These certifications form an impressive foundation for risk assessment skills.

Certified Security Testing Professional (CSTP) and Certified Security Testing Associate (CSTA) are accredited by the University of Glamorgan. The certification coursework is excellent, as seen in this PDF file.

Operating System Specific Certifications such as a MCSE, RHCE, etc. and vendor-specific certifications like CCNA, CCIE are very desirable. The more a candidate knows about the operating systems, devices and applications they are testing, the better.

ISACA has two great certifications that show knowledge of information security management and audit (CISM, Certified Information Security Manager, and CISA, Certified Information Systems Auditor).

My comments on the CISSP can be found in this entry.



4) What box(es) do they think in and out of?

Candidates may list their engagement experience as being either white box or black box. Knowledge in both types of testing environments is essential.

White box testing is testing an environment with prior knowledge of the infrastructure, systems, applications, policies, procedures, etc. In this situation, the tester has an 'edge', can spend less time doing reconnaissance work and more time testing and exploiting.

Black box testing is also known as 'cold testing'. In other words, the tester has no previous knowledge of the environment to be tested and must perform extensive research and reconnaissance on the target(s). Black box testers are usually intimately familiar with social engineering techniques and knowledge acquisition methods (like dumpster diving).

Focusing on the 'boxes' in interviews is a great way of judging a candidate's true level of experience. Ask the candidate for specific examples of their work. Do they freely give previous clients' names? If so, this may be a sign that the candidate doesn't respect Non-Disclosure Agreements.

Most importantly, look for 'out of the box' thinking. Candidates that are able to think on their own and come up with unique solutions to problems are in high demand. (For an example, look at how Scrap & I penetrated the headquarters building of Allison Technologies in Case Of The Tepid Tipster.)

5) Personality, Business and Legal Skills

Your candidate is going to interface with your customer at many levels. Some important things to consider while reading the resume and during the interview:

• Do they have good people skills?
• Do they understand the value of the service they provide to the customer?
• Are they conversational?
• Do they comprehend how important it is to make the customer feel 'at ease' with their presence and service?
• Do they understand the legalities involved in testing?
• Do they have a 'John Wayne' attitude that could get you in trouble? (example: testing outside the scope of the engagement is a no-no!)
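The scope rule in the last bullet is the one that most often gets a tester (and their employer) into legal trouble, and it is easy to enforce mechanically before any tool is pointed at a target. The following is an added example, not code from the original post: a small scope gate that reads the authorised networks and explicit exclusions from the rules of engagement and refuses anything else. The scope file format (CIDR per line, `!` for exclusions) and the sample target list are assumptions constructed for the example.

```python
"""
Engagement scope gate: refuse to touch any target that is not explicitly
authorised in the rules of engagement.

Added example, not from the original post. The scope file format and the
sample targets below are assumptions made up for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample of what a client might hand over in the rules of
# engagement: in-scope networks, plus hosts that must never be touched.
SCOPE_TEXT = """
# in-scope networks (one per line, CIDR or single host)
192.0.2.0/24
198.51.100.10
# hosts explicitly excluded from testing, e.g. the production database
!192.0.2.250
"""


def parse_scope(text: str) -> Tuple[list, list]:
    """Return (allowed_networks, denied_networks) from the scope text.

    Comments start with '#'; a leading '!' marks an exclusion. Single hosts
    are accepted and become /32 (or /128) networks.
    """
    allowed, denied = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        bucket = denied if line.startswith("!") else allowed
        bucket.append(ipaddress.ip_network(line.lstrip("!"), strict=False))
    return allowed, denied


def in_scope(target: str, allowed: list, denied: list) -> bool:
    """True only if the address is inside an allowed network and not denied.

    Exclusions win over inclusions, so a host carved out of an in-scope
    /24 is still refused. Raises ValueError for anything that is not an
    IP address (hostnames must be resolved and re-checked by address).
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in denied):
        return False
    return any(addr in net for net in allowed)


def filter_targets(targets: Iterable[str],
                   scope_text: str = SCOPE_TEXT) -> Tuple[List[str], List[str]]:
    """Split a target list into (ok_to_scan, refused).

    Anything that is not a literal IP address is refused rather than
    guessed at; resolve hostnames first and feed the addresses back in.
    """
    allowed, denied = parse_scope(scope_text)
    ok, refused = [], []
    for target in targets:
        try:
            (ok if in_scope(target, allowed, denied) else refused).append(target)
        except ValueError:
            refused.append(target)
    return ok, refused


if __name__ == "__main__":
    # Constructed target list: two in scope, one excluded host, one address
    # outside every authorised range, and one non-address entry.
    sample = ["192.0.2.15", "192.0.2.250", "198.51.100.10",
              "203.0.113.7", "not-an-ip"]
    ok, refused = filter_targets(sample)
    print("scan:  ", ok)
    print("refuse:", refused)
```

Run the gate on the resolved address list before launching a scanner, and keep the scope file under version control with the signed rules of engagement, so the file the gate reads is the one the client agreed to. Hostnames are deliberately refused until resolved, because a name can round-robin to an address that was never authorised.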

6) References, References, References

Ask the candidate for professional and, if possible, client references.


7) What's In Their Toolkit?

Candidates will have their own preference for toolkits, as there are many tools that perform the exact same function. The candidate should have an understanding of tools, and experience using toolkits like Auditor.

Auditor has one of the best (if not the best) selection of tools around. The candidate should have knowledge of at least a few of the tools listed in each category below (taken from the Auditor toolkit):

Footprinting

* Greenwhich
* Whois
* Gnetutil (Network Utilities)
* Itrace (ICMP traceroute)
* Tctrace (TCP traceroute)
* Traceroute
* DNSwalk (DNS verification)
* Dig (DNS lookup)
* Host (DNS lookup)
* NSTXCD (IP over DNS client)
* NSTXD (IP over DNS server)
* Ozyman (DNS tunnel)
* Curl (URL transfer)
* Elinks (Console web browser)
* Konqueror (Web browser)
* Socat (Socket Cat)
* Stunnel (Universal SSL tunnel)
* Arpfetch (SNMP ARP/IP fetcher)
* SNMPWalk (SNMP tree walk)
* TKMib (Mib browser)
* GQ (LDAP browser)
* Komba2 (KDE SMB browser)
* LinNeighborhood (Graphical SMB browser)
* Net utils (NET utilities)
* SMBClient (SMB client)
* SMBGet (SMB downloader)
* Smb4K (SMB share browser)
* Xsmbrowser (Graphical SMB browser)
* nmblookup (Netbios name lookup)
* smbdumpusers (User browser)
* smbgetserverinfo (Get server info)
* Cheops (Network neighborhood)
* NTP-fingerprint (Detection based on ntp fingerprint)
* Nmap (Network scanner)
* NmapFE (Graphical network scanner)
* P0f (Passive OS fingerprinting)
* Queso (OS detection)
* XProbe2 (OS detection)


Scanning

* Cisco global exploiter (Cisco scanner)
* Cisco torch (Cisco oriented scanner)
* ExploitTree search (ExploitTree collection)
* Metasploit (Metasploit commandline)
* Metasploit (Metasploit console GUI)
* Metasploit (Metasploit web interface)
* Nessus (Security Scanner)
* Raccess (Remote scanner)
* Httprint (Webserver fingerprinting)
* Nikto (Webserver scanner)
* Stunnel (Universal SSL tunnel)
* Cheops (Network neighborhood)
* GTK-Knocker (Simple GUI portscanner)
* IKE-Scan (IKE scanner)
* Knocker (Simple portscanner)
* Netenum (Pingsweep)
* Netmask (Requests netmask)
* Nmap (Network scanner)
* NmapFE (Graphical network scanner)
* Proxychains (Proxifier)
* Scanrand (Stateless scanner)
* Timestamp (Requests timestamp)
* Unicornscan (Fast port scanner)
* Lsrscan (Source routed packets scanner)
* Amap (Application identification)
* Bed.pl (Application fuzzer)
* SNMP-Fuzzer (SNMP protocol fuzzer)
* ScanSSH (SSH identification)
* Nbtscan (Netbios scanner)
* SMB-Nat (SMB access scanner)
* Ozyman (DNS tunnel)
* Ass (Autonomous system scanner)
* Protos (Protocol identification)

Analyzer

* AIM-SNIFF (AIM sniffer)
* Driftnet (Image sniffer)
* Mailsnarf (Mail sniffer)
* Paros (HTTP interception proxy)
* URLsnarf (URL sniffer)
* smbspy (SMB sniffer)
* Etherape (Network monitor)
* Ethereal (Network analyzer)
* Ettercap (Sniffer/Interceptor/Logger)
* Hunt (Sniffer/Interceptor)
* IPTraf (Traffic monitor)
* NGrep (Network grep)
* NetSed (Network edit)
* SSLDump (SSLv3/TLS analyzer)
* Sniffit (Sniffer)
* TcPick (Packet stream editor)
* Dsniff (Password sniffer)

Spoofing

* Arpspoof (ARP spoofer)
* Macof (ARP spoofer/generator)
* Nemesis-ARP (ARP packet generator)
* Nemesis-Ethernet (Ethernet packet generator)
* CDP (CDP generator)
* DNSSpoof (DNS spoofer)
* Nemesis-DNS (DNS packet generator)
* DHCPX (DHCP flooder)
* Hping2 (Packet generator)
* ICMPRedirect (ICMP redirect packet generator)
* ICMPUSH (ICMP packet generator)
* Nemesis-ICMP (ICMP packet generator)
* Packit (Traffic inject/modify)
* TcPick (Packet stream editor)
* Yersinia (Layer 2 protocol injector)
* Fragroute (Egress rewrite)
* HSRP (HSRP generator)
* IGRP (IGRP injector)
* IRDP (IRDP generator)
* IRDPresponder (IRDP response generator)
* Nemesis-IGMP (IGMP generator)
* Nemesis-RIP (RIP generator)
* File2Cable (Traffic replay)
* Fragrouter (IDS evasion toolkit)
* Nemesis-IP (IP packet generator)
* Nemesis-TCP (TCP packet generator)
* Nemesis-UDP (UDP traffic generator)
* SendIP (IP packet generator)
* TCPReplay (Traffic replay)
* Etherwake (Generate wake-on-LAN)



Bluetooth

* BTScanner (Bluetooth scanner)
* Bluesnarfer (Bluesnarf attack)
* Ghettotooth (Bluetooth scanner)
* Kandy (Mobile phone tool)
* Obexftp (Obexftp client)
* Phone manager
* RFComm (Bluetooth serial)
* RedFang (Bluetooth bruteforce)
* USSP-Push (Obex-push)
* XMinicom (Terminal)


Wireless

* apmode.sh (Act as accesspoint)
* Airpwn (Client penetration)
* Hotspotter (Client penetration)
* GpsDrive
* start-gps-daemon (GPS daemon)
* stop-gps-daemon (GPS daemon)
* ASLeap (LEAP/PPTP cracker)
* Genkeys (Hash generator for ASLeap)
* Airforge
* File2air (Packet injector)
* Void11
* Void11-Hopper (Channel hopper)
* GKismet (Graphical wireless scanner)
* GPSMAP (wireless mapping)
* KLV (Kismet Log Viewer)
* Kismet (Ncurses wireless scanner)
* Wellenreiter (Graphical Wireless scanner)
* 802ether (Dumpfile format convertor)
* airodump (Traffic recorder)
* aircrack (Modern WEP cracker)
* Aireplay (Wireless packet injector)
* Wep_Crack (Wep Cracker)
* Wep_Decrypt (Decrypt dump files)
* Airsnort (GUI based WEP cracker)
* ChopChop (Active WEP attack)
* DWEPCrack (WEP cracker)
* Decrypt (Dump file decrypter)
* WEPAttack (Dictionary attack)
* WEPlab (Modern WEP cracker)
* Cowpatty (WPA PSK bruteforcer)
* changemac.sh (MAC address changer)


Bruteforce

* ADMsnmp (SNMP bruteforce)
* Guess-who (SSH bruteforce)
* Hydra (Multi purpose bruteforce)
* K0ldS (LDAP bruteforce)
* Obiwan III (HTTP bruteforce)
* SMB-Nat (SMB access scanner)
* TFTP-bruteforce
* VNCrack (VNC bruteforce)
* Xhydra (Graphical bruteforcer)


Password cracker

* BKHive (SAM recovery)
* Fcrackzip (Zip password cracker)
* John (Multi-purpose password cracker)
* Default password list
* Nasty (GPG secret key cracker)
* Rainbowcrack (Hash cracker)
* Samdump2 (SAM file dumper)
* Wordlists (Collection of wordlists)


Forensics

* Autopsy (Forensic GUI)
* Recover (Ext2 file recovery)
* Testdisk (Partition scanner)
* Wipe (Securely delete files)


Honeypot

* IMAP
* POP3
* Honeyd (Honeypot)
* IISEmulator (Honeypot)
* Tinyhoneypot (Simple honeypot)
Posted by CEOinIRVINE