
Pentesting help?


Sheepgobeep


Hello all, a friend and I would like to start pentesting small home networks around our area to make a little extra money. We are both 15 years old, and I was wondering if anyone had advice on pentesting in general. I have read some ebooks and have a fair understanding of what needs to be done in a pentest, but have fairly limited knowledge about writing a report after the pentest. Any advice or help would be great!

Thanks, Sheepgobeep

Link to comment
Share on other sites

I agree with Morfir, most home users are either too dumb or not properly educated when it comes to home computer security.

Secondly, going around each neighbor's network and pen-testing could backfire, you will need authorization from the owner, or you could be legally charged for it.

Say, even if you had authorization to pen-test a network, how would you go about explaining to a person that has limited IT knowledge what the implications of an insecure system are?

Again it comes down to the individual, some would take the security matter seriously others not so much.

Link to comment
Share on other sites

It's sheepgobeep, I had to make a new account because I can't log in through Twitter on my iPhone. I don't think it would be too hard to explain what could happen if your network isn't secure. And the things we would be doing would only be like making sure they aren't using open/WEP, having a secure wifi password, changing the default router pass etc.

Link to comment
Share on other sites

It does sound like a cool idea to help bring some awareness to those who don't have some basic form of protection on their wireless networks. It can't hurt to let your locals know that open ones are a bad thing. But as the others have said, the average home user is not going to understand what's going on. You could write up some very basic reports to explain the issues to them. But this will also help you with your report writing skills, because the report in a proper pen test is probably one of the most important things you are providing the end user.

But to be honest you would be better off setting up your own networks and pentesting them from out and inside and then writing up your reports, because you won't really get much use out of cracking the hockey mom's WiFi password, other than developing your cracking skills or using tools like the pineapple. It's a very grey area you are talking about, but just be careful how you implement your plans.

Link to comment
Share on other sites

Prepare for bad reactions.

This reminds me of a story with some kids from my city. I may be off on the details as it was a while back. IIRC, these kids won the WiFi Shootout at Defcon; then went around town finding APs with insecure configurations. They would then go ring the doorbell and offer consulting services to secure the network. People freaked out and the kids got no business; and I believe they were threatened with legal action on more than one occasion.

It seems people will probably consider this as a personal attack, even though it's not intended that way.

Here is the 2004 Wired article about them winning the WiFi Shootout -- http://www.wired.com/culture/lifestyle/news/2004/08/64440

Link to comment
Share on other sites

As an alternative, have you considered teaching a free home computer security class at your local library or hackerspace? We offer classes at Hive13 all the time. There are a number of benefits to this approach:

1. You help people (though you might be saying "bfd").

2. You have a conversation piece for job interviews and college applications that shows you do something useful with your time outside of school. Employers and colleges eat that stuff up.

3. People will know you as a helpful person and will call you to help them fix their computers/networks, for which you charge them.

I strongly recommend creating an official business (I have an LLC) before any money starts changing hands. It's easy and inexpensive to set up, and can limit your liability and losses in the event that something goes horribly awry.

Link to comment
Share on other sites

That's actually a really good idea, thanks for all your help.

Link to comment
Share on other sites

It's actually a brilliant idea and one that could land you a real job one day. Going around and teaching people the benefits of computer security, as well as gaining their confidence in you.

Good luck dude.

Link to comment
Share on other sites

There are a lot of great comments on this post. I honestly think you can CREATE a market for this. 'Educational based marketing' is very powerful. Approach it like this: Create a report from your lab (as mentioned above). Show how easy it is for any kid with a computer and YouTube to 'hack into their network'. In the report, explain what information these people can get... sniffing passwords etc... Create a business FB site, then direct people to your site for this free report (they will need to enter their email address; you can market to them there, as they are warm leads). At the end of the report offer a deal, X% off a network scan or something... yada yada... You could also have 6-month check-ups: network/computer scans to ensure data integrity.

Link to comment
Share on other sites

There is another approach to take with this as well. Instead of going and knocking on doors to tell people, "Hey, your network is vulnerable to attack, can we fix it?", make up some business cards and staple the cards to a flyer with all the info on what your services are. List clearly what you can do for them, your rates, and why you are doing this. You can even play the whole angle of, "we're still in school, trying to gain real world working skills in information technology and hope to do this for a living someday".

Then leave them in the mailbox or on door hangers for all the houses in your neighborhood. Let the people come to you, see who bites and go from there. Build a rapport with the customers, the more you gain new clients then word of mouth will help you get more business. Just make sure you are professional, dress well, and explain everything in plain English to the clients and take your time.

Most home users who don't have any encryption on probably don't have a clue they are vulnerable, so anything you tell them, they would have to take your word for it. You want them to feel comfortable with what you are doing for them, and assure them they are safe(er) from attack. Personally I don't trust wireless at all, but that's a whole other rant...

Edited by digip
Link to comment
Share on other sites
