Pentesting Skillset

do9dark 2014. 11. 9. 11:54

General / Overall

- Project Management - Start, maintain and complete a project

- Toolkit and Exploit Management - Maintain a useful set of tools

- Education - Stay up to date, learn new concepts (books, people, training)

- Teaching - Explain new concepts, publish information

- Research - Own a topic or research area

- Bullshit Management - Ability to work in close quarters


Auditing

- Law / Regulation Knowledge

HIPAA, FISMA, GLBA (high-level regulations)

ISO 17799, ISO 27002 (IT standards)

PCI, COBIT (lower-level guidelines)

- CISSP Domains


Writing

- Technical writing ability

- Ability to analyze & correlate information

- Ability to reconstruct a narrative from technical information


Social / People Skills

- Common Sense - Finding the quickest, easiest solution to a problem at hand

- Social Engineering


Searching / Information Gathering

- Research Skills

- Google Hacking

- Recon Techniques

- Information Correlation


Attack Modeling

- Risk and Threat Modeling

- Attack Modeling

- Security Mindset

- System Decomposition


Web Application Skills

- General Development and Testing

- AJAX

- Design Patterns (MVC) - Ruby

- JavaScript Debugging - Venkman, Firebug

- Web Services - REST, XML-RPC, SOAP, JSON

- Web Specific Languages - ASP, PHP, JSP, ColdFusion

- Web Frameworks and Platforms - ASP.NET, J2EE

- Database Administration

- SQL / Data Query


OS-Specific Skills

- System Administration

- OS Theory

System Architecture

System Security Models

Filesystems, Networking, I/O

Startup / Shutdown

Analysis (dump, debugging, memory, forensic)

Management + Maintenance

- Windows

Active Directory

Exchange / OWA

SQL Server

- Linux / BSD

Apache

MySQL

Sendmail / Postfix

- Package Managers

- OS X

- AIX / Solaris / Unix

- Kernel / POSIX

- System Programming


Networking

- Networking Theory

- Protocol Theory

- Routing and Switching

Cisco & Juniper

- Firewalls

- Embedded Devices


VoIP / Voice Skills

- PSTN experience

- Routing + Signaling Protocols


Scripting Skills

- Bash, etc

- Perl, Python, Ruby

- PHP, ASP

- Batch, VBScript, PowerShell


Hardware Hacking

- Embedded Devices

- Electronics Theory

- Secure Design of a System


Wireless

- WEP / WPA / WPA2

- Packet Injection

- Hardware / Driver knowledge

- Basic Encryption

Symmetric ciphers

Asymmetric ciphers

- 802.11

- Antenna Theory

- Mobile Networking

CDMA, GSM, Mesh Theory


Development

- Coding

- Regular Expressions

- Development

Design Patterns

Development Methodology

- Version Control

- Database Design

- Language

C / C++, Java

C# / .NET Framework


Vulnerability Development

- Reverse Engineering

- Buffer / Heap Overflows (explain + code + find)

- Creative Thinking

- Analytic Thinking

- Coding / Debugging

- Fuzzing

Testing Theory

File Fuzzing

Protocol Fuzzing

SPIKE, Peach, etc


Attack Analysis / Forensics

- IDS / IPS experience

Snort / Commercial IDS

Honeypots

- Forensics experience

- Packet capture and analysis

Packet dumps, BPF, flows, Wireshark



source: http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/

