Tuesday, August 13, 2013

#01: The tools we use...

**My opinions are not my employer's, and thusly are mine and mine alone**

I am slowly coming around to understanding the nature of tools like Metasploit, Nmap, and the like. I thought that to become a security researcher, you have to understand exactly what the underlying code does, and you're required to grow your Unix-y beard and ponytail like everyone else.  I felt like Metasploit was a 'cheat' that people used to become pentesters.  I have been around long enough to see people get into positions they clearly were not ready for, and earn certifications because they could write a good test, yet had no knowledge of what they were doing.

I equate Metasploit to the blender a chef would use in a kitchen.  It's a tool that automates a process that is time-consuming or laborious.  Or a wrench that a mechanic would use to tighten bolts.  Everyone in a job has their tools, those little time savers that make work more efficient.  Someone else created the blender, and the wrench, but we gain an advantage by using them.

I always thought that I'd need to make my own exploits and learn C and Assembly, and I'd need to learn how to solder well enough to make my own circuits for hardware malware, etc.  While I would still love to have an in-depth knowledge of those ideas, I have realized that I ended up with a bit of scope creep, and that I need to dial it back a bit to keep from being overwhelmed.

That's why I'm learning Python, and someone else suggested Ruby (since Metasploit uses that)...  I do want to learn more about C, but right now, I just have the basics.  Plus, there isn't much in the way of C programming being used at my office, so I need to learn concepts that will relate directly to my job so I can keep my edge sharp...

So, Python and Ruby it is...  Also, gotta get back to shell scripting... I used to do it a lot in the past, but vulnerability scanning, and justification of firewall ACLs for PCI-DSS doesn't have a place for shell scripting...

I want to do a post once a week, even if it's just stream of consciousness shit.  The C|EH All-in-One book is a hard slog though... Just through the chapter on Social Engineering.  I realize now that we probably should give some kind of training on a regular basis to spot social engineering trickery, as well as proper disposal of papers with info on them... ooh... I wonder how difficult the shred bins' locks are to pick...  Yep, even when you reduce scope, scope creeps back...
