Build Your Own Pentesting Company | PenTest StarterKit 01/2014

Description

Dear PenTest Readers,
Welcome to the first issue of PenTest StarterKit in 2014. This time, we decided to focus on less technical, but equally important aspect, which is successfully starting and running your own penetration testing business. We have several articles which we think should help you to understand the whole issue more and prepare you to launching a company, as well as running it with positive outcome. Of course, technical tutorials also are included. You will learn about the crucial pentesting tools, reporting, and more.

TABLE OF CONTENTS

How to Properly Report the Penetration Test Outcome

by Adam Kliarsky

We find ourselves, especially as new or junior penetration testers, developing and perfecting technical skills that will help lead to the next ‘owned’ system. Advanced scanning techniques, exploit development, or anything to obtain that sweet root shell are all great. But while the coveted root shell is something to be proud of, it’s what we do with these types of findings that separate the true professionals from…well those who aren’t. Let’s face it, while the skills required are technically one in the same between being a hacker and being a penetration tester, there are a couple of things that separate the two. One of them is reporting.

From Exploit to Penetration Testing Module, Using Reverse Engineering Principles

by Massimiliano Sembiante

Penetration test is a security test performed against a target system or application with the intention to find a bug or vulnerability, gaining unauthorized access to data or exploiting specific functions and proceed to further attacks. Penetration tests shouldn’t be confused with vulnerability assessment, which aims to discover present vulnerabilities, without differentiating between flaws that can be exploited to cause damage and those that cannot.

Is Pentesting in the Cloud Managable?

by Rob Somerville

It is often stated that the most secure computer is the one encased in concrete and submerged at the bottom of the ocean with no cables attached. Is pentesting in the cloud manageable, or does a new mindset needs to develop to face the challenges of virtual computing?

The Beginners Tools Kit

by Bruno Rodrigues

I've been doing penetration testing for a couple of years now and, looking back when everything started, I can't really pinpoint how I've started. I remember being fascinated with all the security issues and all the hackers out there. I also remember thinking that that world was so advanced I would be lucky if any day I could do some security work. This article explains the use of several tools which come in handy while performing a penetration test.

Basic Host Scanning with NMAP

by Gerard Johansen

The Penetration Testing Execution Standard identifies “foot-printing” as a step in the overall penetration testing process. Part of foot-printing is identifying active hosts and scanning those hosts for open ports and services. Many times, target organizations will lease a large amount of externally facing address space. This can involve several class C subnets. Taken together, several class C subnets can have over 1000 IP addresses. For internal addressing, this can include an entire Class A address space. Manually identifying the live hosts in these subnets is time prohibitive. To add to the complexity of this situation, this all has to be done without alerting Intrusion Detection or Intrusion Prevention Systems.

Web Application Penetration Testing: Threats, Methods, and Tools

by Jason Samide

This article is meant for beginner web testers or those interested in getting into web pentesting. Web application penetration testing or web app pentesting can be very different from network penetration testing. Web apps are typically more robust and much more dynamic than networks.

Capturing a Wireless Handshake Using Kali Linux on a Nexus 7

by Jason Samide

This article is a tutorial on capturing a wireless handshake using Kali Linux operation system on a Nexus 7. The tools used to complete this task are bcmon, AircrackGUI, and Terminal Emulator.

Breaking into InfoSec

by Marcus Dempsey This article is based upon my knowledge and quest to become a part of the information security community, to move from one technical job of looking after servers and infrastructure ensuring that all devices are secured as much as possible and then attempting to move into the penetration tester role. Through this article I hope to provide some insight for anyone hoping to do the same as me, and hopefully remove some of the pain that I’ve been through throughout the years.

Starting Your Very Own Penetration Testing Company

by Daniel Chew

So, you’ve decided to take the plunge and start your very own penetration testing company. There are quite a few things to consider when starting your company. This article will cover some of the tips and advice for those who are thinking of taking on this exciting venture of owning your own business.

Running YourFirst IT Company – 15 Important Pointers

by Rob Somerville

Building an IT business is very much like any other, in as far as the bottom line (Profit or Loss) will decide the longevity (and the enjoyment) the principal will enjoy as a brand. The decision to start a business should not be taken lightly, as there are a lot of hidden responsibilities and commitments that lay beneath the surface. Once you have decided to go independent, there is a honeymoon period, followed by a lot of hard work! If you make it past three years, there is a good chance you will succeed for many years to come. Here are some lessons I have learned over the years as a freelance.

How Data Analytics and Collaboration Can Improve Enterprise Security

by Ravi Iyer

Despite significant investments in various Information Security and fraud related solutions over the years; organizations continue to suffer from significant attacks. Enterprises have deployed a raft of technologies to reduce the damage caused by data breaches but continue to struggle to detect breaches. The 2013 Gartner Magic Quadrant for Security Information and Event Management asserts, “The greatest area of unmet need is effective targeted attack and breach detection. Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization.”

Interview with CF Fong

by The PenTest Team

We have prepared for you an interview with Malaysia’s most influential infosec professionals. Mr. Fong has countless certificates and broad experience in the field. He also has his own penetration testing company, which he kindly agreed to discuss with us. Hope you will like what he has to say.