We all have to start somewhere. The question is, where?
The sheer number of tools available can make it difficult to choose a place to start. This is complicated by the fact that most of the tools on the market have a very steep learning curve, and that many of these tools can be hazardous to run on a production network.
There are several pentesting distributions on the market (Pentoo, NodeZero, Kali, and BackBox are good examples) loaded with tools and utilities. Unfortunately, these offer so many tools that they don't help answer the question of where to start. Let's look at a couple of areas that are important and find some tools that can help get you started on the road to success.
Network Discovery – I am, and always will be, a big fan of the phrase “you cannot manage what you cannot measure.” If you want to protect your network, it is critical to start by learning what is actually on it. A good network discovery tool should not only let you know what devices are on your network, but what OS is running, what ports are listening, and as much detail on what services are listening on those ports as can be found.
Zenmap/Nmap is a powerful tool designed specifically for network insight, and is available for just about every OS and architecture on the market. It is also very widely documented, providing plenty of resources to learn from. The Zenmap UI will also give you the ability to work with basic scans while you learn some of the more advanced tricks that nmap has up its sleeve.
Network Intrusion Detection – Although most often considered a reactive tool, the network IDS is still a valuable tool for preventive work, as it can help you discover a variety of issues that other tools just do not see. There are a number of good tools available here, but these are actually among the more difficult to learn. The reason for this is that IDS tools tend to walk the line on false positives, and the field of play is always changing. It is like playing baseball on a field where the bases are on tracks.
Bro IDS, Snort, and (my preference) Suricata are three capable NIDS for analyzing network traffic to detect target activity. These tools are better run from a server or workstation than on a mobile unit, as they require configuring port mirroring on the network infrastructure.
A good choice for learning these is to install either a standalone server, or a SIEM which includes a NIDS, such as OSSIM or Security Onion. You can then use the same server when you move on to learning about correlation. You can also install these as modules in some open source firewalls, such as pfSense.
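The false-positive problem above is easiest to see once you group the alerts rather than reading them one at a time, and grouping by signature and by source is also the first step toward correlation. The block below is an added example, not code from the article or from the Suricata project: it reads Suricata's `eve.json` line format (one JSON object per line, with `event_type` and an `alert` sub-object), ignores the flow and DNS records, and summarizes the alerts by signature. The log lines, signature texts and signature ids (1000001 and 1000002, in the range reserved for local rules) are constructed for the example; the `min_sources` heuristic in `tuning_candidates` is my own rule of thumb.

```python
"""Added example, not part of the original article: a small triage pass over
Suricata's eve.json alert log.  SAMPLE_EVE_LOG is constructed in the eve.json
line format; the signatures and addresses are made up for the example."""
import json

SAMPLE_EVE_LOG = """\
{"timestamp":"2024-03-01T09:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.5","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2024-03-01T09:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.5","src_port":51000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB HTTP scanner user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T09:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.6","src_port":51001,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB HTTP scanner user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T09:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.7","src_port":51002,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB HTTP scanner user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T09:05:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":44000,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000002,"rev":2,"signature":"LAB SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-01T09:05:01.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":44001,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000002,"rev":2,"signature":"LAB SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-01T09:06:00.000000+0000","event_type":"dns","src_ip":"192.0.2.5","dest_ip":"192.0.2.1","proto":"UDP"}
"""


def summarize_alerts(eve_text):
    """Group alert events by signature id, skipping flow/dns/other event types."""
    groups = {}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # eve.json mixes many record types; only alerts matter here
        alert = event["alert"]
        sid = alert["signature_id"]
        g = groups.setdefault(sid, {
            "signature": alert["signature"],
            "severity": alert["severity"],
            "count": 0,
            "sources": set(),
            "destinations": set(),
            "first_seen": event["timestamp"],
            "last_seen": event["timestamp"],
        })
        g["count"] += 1
        g["sources"].add(event["src_ip"])
        g["destinations"].add(event["dest_ip"])
        # timestamps share one fixed format, so string comparison orders them correctly
        g["first_seen"] = min(g["first_seen"], event["timestamp"])
        g["last_seen"] = max(g["last_seen"], event["timestamp"])
    return groups


def review_order(groups):
    """Severity 1 is the most urgent in Suricata; within a severity, busiest first."""
    return sorted(groups.items(), key=lambda kv: (kv[1]["severity"], -kv[1]["count"]))


def tuning_candidates(groups, min_sources=3):
    """Signatures firing from many distinct internal sources are worth a false-positive check."""
    return [sid for sid, g in groups.items() if len(g["sources"]) >= min_sources]


if __name__ == "__main__":
    groups = summarize_alerts(SAMPLE_EVE_LOG)
    for sid, g in review_order(groups):
        print(f"sev{g['severity']} sid={sid} x{g['count']} "
              f"sources={len(g['sources'])} dests={len(g['destinations'])} "
              f"{g['first_seen']}..{g['last_seen']}  {g['signature']}")
    print("check for false positives:", tuning_candidates(groups))
```

On the sample, the SSH signature comes out first (severity 1, one source hammering one destination), while the scanner-user-agent signature is flagged as a tuning candidate because it fires from three separate internal hosts, which is the pattern a legitimate monitoring agent or browser plugin often produces.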
Penetration Testing – While you should carefully consider what tests to run on a production network, this toolset is absolutely critical for understanding security on your network. In all reality, you do not want the first time you see what a cross-site scripting attack or a DDoS looks like to be when someone runs one against your network. The best way to understand exploits, to see what they actually look like, is to run them yourself.
Metasploit is undoubtedly one of the top tools on the market for this. Unfortunately, it is also a tremendously difficult tool to learn. The good news is that the crew at Strategic Cyber, LLC have created a front end for Metasploit named Armitage. This tool is one of the best learning utilities you could hope for, as it provides not only a nice UI to let you run a series of attacks/exploits, but also shows the actual commands sent to Metasploit to run them. This gives you a unique way to run the utility while learning it.
While too big of a topic to cover in this article, one of the best ways to learn to use pentesting tools is to set up a sandbox network.
Vulnerability Management – This is another one of those toolsets that can be a challenge. This is mostly due to the fact that, like the IDS tools above, this one needs to walk the hairy line on false positives. On the other hand, reviewing the results of these scans can shed quite a bit of light on the nature of software vulnerabilities, as even the false positives are often only conditionally false, and because determining the validity of a result requires reading up on each vulnerability, which will naturally focus your studies on real-world problems.
OpenVAS is a fork of Nessus which maintains a pretty impressive scanner. Documentation on the project is more than a little behind, but the theory of operation is documented very well for the now closed-source Nessus tool.
Like the IDS solutions above, these tools are often best installed on a static server, as they are difficult to configure, VERY resource intensive, and tend to be very slow to scan. You could consider installing a SIEM which includes one or more of these tools.
Packet analysis – The nice thing about all of the tools above is that they provide plenty of samples for one of our primary tools. There is no better way to understand network traffic than to see it. Of course, the blinking lights on the switch don’t tell us much, but there are a few really good tools out there for this purpose, and one that really rises above the rest.
Wireshark, and its CLI-based cousin Tshark, are the de facto industry standard for advanced packet analysis. Wireshark not only provides a powerful UI to capture and analyze network packets or streams, but also has an added bonus. Whenever you select a filter from the UI, it constructs the filter in the filter bar at the top of the page. Since tshark uses the same filtering, you can use this to learn the filter syntax for tshark at the same time you are studying the network traffic to learn it. As an added bonus, even if you don’t generate all of the traffic you want to see with the tools above, the Wireshark team has built an impressive collection of samples for you to view.
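Seeing the traffic is the point, and one way to learn what Wireshark's detail pane is showing you is to decode a capture by hand once. The block below is an added example, not code from the article or from the Wireshark project: it builds a minimal classic pcap file in memory (global header plus one record holding an Ethernet/IPv4/TCP SYN from 192.0.2.10 to 198.51.100.7:443, with the IP checksum left at zero since nothing here verifies it), then parses it back into the fields a Wireshark summary line shows and applies a rough equivalent of the display filter `tcp.port == 443`. The packet, addresses and timestamp are constructed; no real traffic is read, and pcapng files are deliberately not handled.

```python
"""Added example, not from the original article: a minimal classic-pcap reader
that decodes Ethernet/IPv4/TCP headers by hand.  The capture is built in
build_sample_pcap() from constructed values; it is not real traffic."""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_sample_pcap():
    """Build a pcap file in memory: 24-byte global header plus one packet record."""
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4); MACs are constructed
    eth = bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301") + b"\x08\x00"
    # TCP: sport 40000, dport 443, seq 1000, ack 0, data offset 5 (20 bytes), flags SYN
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL 0x45, ToS, total length, id, DF flag, TTL 64, proto 6 (TCP),
    # checksum 0 (not verified in this example), src 192.0.2.10, dst 198.51.100.7
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    frame = eth + ip + tcp
    # Global header, little-endian: magic, major 2, minor 4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # Record header: ts_sec, ts_usec, captured length, original length (ts is a constructed value)
    record = struct.pack("<IIII", 1709283600, 0, len(frame), len(frame))
    return global_header + record + frame


def parse_frame(ts_sec, frame):
    """Decode one Ethernet frame into the fields a Wireshark summary line shows."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"ts": ts_sec, "ethertype": ethertype}
    if ethertype != 0x0800:
        return pkt  # only IPv4 is decoded in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; options make it longer than 20
    pkt["ttl"] = ip[8]
    pkt["ip_proto"] = ip[9]
    pkt["src"] = ".".join(str(b) for b in ip[12:16])
    pkt["dst"] = ".".join(str(b) for b in ip[16:20])
    if ip[9] == 6:
        sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit])
    return pkt


def parse_pcap(data):
    """Walk the record list of a classic pcap file and decode each frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # file was written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is decoded here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append(parse_frame(ts_sec, data[off:off + incl_len]))
        off += incl_len
    return packets


def tcp_port(packets, port):
    """Rough equivalent of the display filter 'tcp.port == <port>'."""
    return [p for p in packets if p.get("ip_proto") == 6 and port in (p["sport"], p["dport"])]


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(f"{p['ts']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"ttl={p['ttl']} [{' '.join(p['flags'])}]")
```

Writing `build_sample_pcap()` to a file and opening it in Wireshark is a useful check: the fields it shows should match what `parse_frame` returns, and the filter bar expression `tcp.port == 443` selects the same packet `tcp_port` does.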
Hopefully, this will get you started in the right direction. Once you start rolling, you will be able to start adding new tools to your toolset pretty regularly.