Si's blog

Dear, Oh Dear, Oh Dear ...

security testing tools
Oh the shame of it all ! Having promised to keep this up-to-date and not to slip into the "dead-blog" category I have done just that !

I'm sorry ! There are not enough hours in any given day to keep up with work, family and sleep. And I like sleeping ...

Fortunately I was running through my Inbox this morning and came across something from Testing Reflections and two braincells collided and the guilt came on in waves ... So here I am again ...

The learning experience...

penetration testing
Wow ! Doesn't time fly ! You take a breath and several weeks fly by all at once. So again apologies for having been remiss in my writing ...

Recently in some of the mailing lists, there has been some discussion of the use of VMware for practicing one's skills. I think that VMware is one of the greatest inventions ever, and, as soon as I can afford a copy I'll probably get one ! There are the Open alternatives, but in terms of simple use, you can't fault VMware, there is a space in the world for well written, reasonably (!) priced commercial software, and VMware is by far the best that there is. I fear for its future with the Microsoft offerings coming out, but we can hold on to hope there.

Am I certifiable ?

penetration testing
I must firstly apologise, everything seems to have gotten on top of me, and I have failed to blog for a few days. I'm aiming for this not to become like every diary that I have tried to keep in my life, filled for the first three days, and then empty !

However, time is at a bit of a premium ( except the amount I seem to spend in transit - the British rail and underground system seem to want to keep my soul for as long as possible each day ... ), so this will likely be a short blog.

There is method in the madness...

penetration testing
Time, it seems, is an ever decreasing commodity in my day ! So I'm afraid that this is going to be short, and I'm going to try for it to be to the point ...

Being able to find a vulnerability in a system is only half (if even that much) of being a good tester in a commercial environment. If you can do only this, you are a hacker, not a PenTester. To be commercially viable, not to mention professional - you should follow a defined methodology. This does a number of things for you:

Please pass the sources ...

penetration testing
Computing has to be the fastest moving industry there is. Every day there is at least one new software product. This is hard enough to keep up with if you are looking after one Operating System, let alone more - and as a PenTester you are interested in them all !

How on earth do you keep up to date ? ( And I'm perfectly open to suggestion here ... My e-mail inbox is bursting at the seams. )

A two topic blog ...

penetration testing
This is a two topic blog - ethics and port scanning. Having promised not to go off on a tangent again I thought that I had better fill in something more relevant to actual testing !

So let's start with Port Scanning. This is something that you should understand the theory of, and then use someone else's tool to do it. I ( shameless self plug coming up ) wrote a little wrapper for nmap that takes its output and runs it up against the OPRP ( Open Protocol Resource Project ) database - this is a project at ISECOM - which is where you can also download the wrapper. Anyhoo back to the point ... Some of the feedback that came in said that I "shouldn't rely on the output of another program" and that I should "do it all". Sorry but this is complete garbage ! Choose your tools wisely - but please don't waste time reinventing the wheel - it is good to know that you can make a wheel if you need to, but mostly I leave that to Mr. Goodyear, why should my other tools be any different ?

OS Wars ...

penetration testing
As I was coming into work this morning, I had a think about my advice in my last entry : "Learn Linux".

I said this as a matter of course, Linux knowledge is - in my opinion - essential, as is knowledge of as many other OS's as you can get your hands on.

My current personal platform of preference is MacOS X, I can run all of the Linux utilities that I want and then I can write reports up in Word - cutting and pasting painlessly between the two. I have, in the past, done testing from Solaris, Linux and Windows as well. Each has its own strengths and weaknesses, and in the right hands, all of them will be as powerful as the others.

PenTest - A Beginning

penetration testing
Until this point I have avoided having a "blog", but the community has caught up with me, and I actually feel behind the times !

I got into PenTesting a little over a year ago - I had played around before that, but being made redundant left me with a lot more spare time - so I decided to focus my energy on learning a bit more thoroughly.

PenTest and ethical hacking has to be the single most arcane field of Computer Science that exists, if the amount of beginner information is anything to go by. There is no "PenTesting for Dummies", "Teach yourself PenTesting in 24 hours" or even an O'Reilly "PenTesting in a Nutshell". ( I'll come back to O'Reilly in a minute - there are a million and one useful books here ). So where does one begin ?