Server security (or pen-testing) for starters


Post by Artarka on Sat Apr 20, 2013 4:23 am

Right! I actually started myself out in web programming, learnt two languages (not fluently though) and, more importantly, UNIX commands. Now I've got my interest in server security, yet it looks like a totally new field for me. I failed to find some specific resources on this and I have no idea where to start. I wish someone in the community could provide me some resources or a hint on how I should proceed (like: making a website you need PHP, making an app you need Java). Can anyone give me a kickstarter please? (maybe tools and stuff, best with tutorials of course)
Artarka
New User
Posts: 2
Joined: Fri Apr 19, 2013 6:30 pm


Re: Server security (or pen-testing) for starters

Post by LoGiCaL__ on Sat Apr 20, 2013 10:39 am

Well, since you said you were into web programming and then learned Unix commands why not try to make the transition smooth and start off with some shell scripting? Not because the languages are similar but because you are used to writing code. Now it's just for a different purpose.
LoGiCaL__
Addict
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm


Re: Server security (or pen-testing) for starters

Post by brutal_hacker on Sat Apr 20, 2013 12:53 pm

OK, pentesting is quite hard to get into if you're not willing to put a lot of time into it and eat, sleep and breathe security.

You will first want to start by learning the basics of networking. The easiest way to learn is probably to start with getting a CCNA book. I started with the CCNA 640-802 official cert library; it tells you the basics. Since most servers run Cisco products it's best to start there and then maybe go to Juniper etc. You must learn the ins and outs of TCP/IP; if you don't know any of this then you're not going to get far.

Now you are going to want to either set up a 2nd PC or partition your HDD for a fresh install of Backtrack 5. The newer version is Kali, but it has some bugs and may be a bit difficult to install. This operating system has a very large collection of pentesting tools. Use them on your own network, see what they do, read the readme files / tutorials. You can run this off a live USB if you want; just visit the Backtrack website. Google will take you there.

Have a go at this: http://www.offensive-security.com/commu ... unleashed/ It's free!

I personally have 2 computers: 1 with Windows 7 with a Windows Vista VM, and another laptop that runs Kali for testing on both operating systems. I cba with Windows 8 yet.

Once you get the basics, pass your CCNA, then get a CCNA Security. These are to get your foot in the door. Maybe look up the Backtrack pentesting course to see if you're up to scratch. There are others out there, just do a Google search, but expect to pay £300 - £1000 for the courses.

Try to get a junior admin job and work your way up. (Not easy, I'm still looking.... look at moving location.)

You do not need certs to get a job, but it sure does speed up the process. If you're really good, just hook up to their network from outside the door, write a pentesting report and show them it. But expect to get in trouble if they're not friendly, because pentesting without permission is illegal.

Always remember to get permission before attacking websites / networks or servers. It's illegal without permission; try to get it in writing to cover your back.

Oh, and since I missed one "minor" detail: eat, breathe and sleep Unix (Linux OS), it's a pentester's best friend. You will still need to know how to admin Windows machines though, as you will connect through your OS to theirs and you will need to know where files are hidden etc.
brutal_hacker
Experienced User
Posts: 58
Joined: Fri Apr 19, 2013 1:03 pm


Re: Server security (or pen-testing) for starters

Post by limdis on Thu Apr 25, 2013 1:25 pm

brutal +1
you should join us in #coffeesh0p
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1357
Joined: Mon Jun 28, 2010 5:45 pm


Re: Server security (or pen-testing) for starters

Post by Kataclysmic on Thu Oct 17, 2013 6:17 pm

Artarka wrote: Right! I actually started myself out in web programming, learnt two languages (not fluently though) and, more importantly, UNIX commands. Now I've got my interest in server security, yet it looks like a totally new field for me. I failed to find some specific resources on this and I have no idea where to start. I wish someone in the community could provide me some resources or a hint on how I should proceed (like: making a website you need PHP, making an app you need Java). Can anyone give me a kickstarter please? (maybe tools and stuff, best with tutorials of course)

In my signature is my website. I have written two articles there on LFI, and the one talking about how to protect yourself from LFI sounds right up your alley. Here is the link to said article: http://lawofcode.com/article.php?id=4 Basically, make sure your PHP settings restrict users, that you do audits of the code whenever possible, and also make sure that each user's files are only writable by root and themselves, not anyone else. That's just basic stuff. Make sure that you know how to code in the languages you are auditing, and if you see that someone is using something that compromises your server, that you contact them.
http://lawofcode.com
What will you learn?
Kataclysmic
New User
Posts: 27
Joined: Wed Oct 09, 2013 10:15 pm
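As an added example (not code from Kataclysmic's post or the linked article), here is the PHP include() pattern behind LFI placed beside a hardened version, together with the php.ini directives that limit the damage; the pages/ directory layout and the page names are assumptions.

```php
<?php
// Added example (not from the post or the linked article): the include()
// pattern behind LFI and a hardened version of it.
// Related php.ini directives the post alludes to (both real directives):
//   allow_url_include = Off          ; no http:// or php://input includes
//   open_basedir = /var/www/site     ; file access confined to the web root

// Vulnerable form: the request parameter reaches include() unchanged, so
// a value like ../../../etc/passwd escapes the pages/ directory.
function render_page_unsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// Hardened form: an allowlist of page names, then a realpath() containment
// check as defence in depth. Directory layout and names are assumed.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                     // not a known page name
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    // realpath() returns false for missing files and collapses any '..'
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // resolved outside pages/
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

render_page($_GET['page'] ?? 'home');
```

The allowlist alone closes the hole; the realpath() check is there so a later edit that loosens the allowlist still cannot reach outside pages/.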


Re: Server security (or pen-testing) for starters

Post by tremor77 on Fri Oct 18, 2013 8:59 pm

I've always put server security and pen-testing in two different categories, of which server security is by far the harder one. As a hacker/pen-tester, you have the opportunity to throw a lot of things at your target, many of which are already made and boxed in a handy little (pricey, for the good stuff) package. You only have to be right once to find an exploit. As a server administrator trying to secure your server, you have to be right all the time and you have to be psychic (know what's coming).

There is literally too much data on server security; it's all going to depend on what server you are securing... the challenges for IIS web server vs. Apache vs. Node, yada yada... Just Google search "best practices for ________" and insert the server type. Start with best practices, then move into more explicit stuff like firewalls, monitoring, backups, etc. Just my 2 cents.
tremor77
Contributor
Posts: 870
Joined: Wed Mar 31, 2010 12:00 pm
Location: New York

