Hacker01: So You Want to Be a Pentester (Calvin Hedler)

Captions
Hey, good. So I see a few people who I already know in the crowd, and for those of you who don't know, I am Calvin Hedler. This is my talk, "So You Want to Be a Pentester." The idea of this is to give you guys kind of the information that I wish I had before I started this job and before I got into actual security work about a year ago, so I've been doing this for around a year.

First, a little bit about me. My Twitter handle is @001spartan, if you guys use Twitter; I use it, and frequently. I am a junior pentester for a company called NetWorks Group, right in downtown Ann Arbor, and I'm a speed skater: I strap metal blades to my feet and go 25 miles an hour around an ice rink. If you want to know what it's like to hit the wall headfirst at 25 miles an hour, it's a little bit painful; I was sore for a couple days after that. And I am a student at EMU in the Information Assurance program. I'm a super-duper senior; hopefully I'll get out of there soon enough. That's pretty much it about me.

So like I said, this talk is about my experiences over the past year of doing pentesting. I want to help you guys learn from my mistakes, things to do, things not to do, and then I'll go over a little bit of a case study about the process that I went through on a couple of tests recently this year.

So first off, what should you do, or what are things that you need to do in order to be a good pentester and in order to be prepared for your first engagement? First off, you need to prepare your gear. Then of course you need to know your tools: you need to know what it is you're using, you need to know when you will use certain tools, how they react, that sort of thing. You always need to have a plan, because even if the plan gets completely messed up by something that happens, you need to know at what point you're going to do certain things in the engagement. And then you need to be able to find the goodies, and I'll go over what that means more later.

So the first step of course, when you're going on an engagement, the night before sometimes, is to prepare your gear. As pentesters we have a lot of different stuff: we've got laptops, we've got Rubber Duckies, we've got flash drives, all kinds of chargers. I probably have about a dozen chargers whenever I go somewhere, right in my backpack. And you need to make sure you have all that, because when you're on an engagement, sitting there in an office or trying to break in, and you realize suddenly that you don't have an Ethernet cable, that is not a good thing. So you always need to make sure you know what you have, and you always need to make sure that you have it ahead of time.

After that, you need to know your tools. Who recognizes what this is on the screen here? nmap, right. Pretty standard tool; probably most of you know it already. But as pentesters we use a ton of tools. We use everything from scanning tools to attack tools to recon tools. I'm pretty sure that on a given engagement I will use over two dozen tools, whether they're custom or pre-made, open source, closed source, all sorts of things, and you need to know all of them. You need to know what they do, you need to know how they accomplish that, you need to know how they fail, and you need to know how they can be caught. Up on the screen here I have Metasploit psexec, and it is not working, and something that will cause it to not work is UAC being above the medium security level. That kind of knowledge is important, because if something is failing on the pentest you need to be able to diagnose that and you need to be able to respond accordingly. Another thing that you would want to know about psexec is that it spawns a service and that it leaves a very noticeable event in the system logs that blue team people can look for. You need to be aware of that so that you can adjust your techniques accordingly, or so that you can be prepared to be caught, or not get caught, as the case may be. Throwing around tools blindly is a good way to get caught and/or break systems, so neither of those is a good thing when you're a pentester.

Secondly, you need to plan ahead. You need to know what your objectives are. What will you try to accomplish in the engagement? How will you do that? What are the techniques you're going to use, what are the tools you're going to use? Do you have a back-up plan in case you can't do something right the first time? And when, how long are you going to spend on something before you give up and say "okay, I'll move on to the next objective"? At what point in the engagement are you going to perform certain attacks or try to get at certain data? All that sort of stuff is very critical, because if you don't have a good plan then you're just going to be floundering, and you don't want to be sitting there in the middle of the client's office being like "so, what now?" That won't get you any bonus points; that won't get you what you need as a pentester.

And lastly, not lastly, second to last, you need to find the goodies. What does that mean? You need to ask yourself a couple different questions before you start the engagement. You need to ask: what does the client do? What's their business? What are they trying to keep safe? Do they have credit card numbers? Are they worried about PCI? Are they worried about HIPAA? Do they have Social Security numbers? What sort of data do they deal with? If they're a manufacturing company, they're probably concerned about keeping their manufacturing plants going. If they're a power company, they want to keep the lights on, that sort of thing. You need to find out what they're afraid of happening and figure out how an attacker would do that. And you can even straight up ask them; you can say "what are you concerned about?" That will very often get you a good idea of whether they're doing the sort of threat modeling that they need, whether they're conscious of the risks and they know what to watch out for. That question is very important because it can show a disconnect, or it can show you "here's what we're worried about, here's what you should go for on the pentest." For example, if they're a company that's worried about PCI compliance and you're doing pentests for them: have they been breached before? Did they lose credit card data? If so, they probably want to check to make sure that they don't still have plaintext credit cards sitting on a secretary's computer. They probably want to make sure that they aren't keeping millions of transactions in a database that's unsecured, stuff like that. You need to know what they're concerned about so that you can check for it.

And then of course, what not to do. Many people fall into these traps; I won't say that I haven't before. But you need to make sure that you are not getting cocky, damaging systems, creating vulnerabilities, or getting caught. The last one is sometimes optional depending on the gig. But first off, don't get cocky. You're not there to look cool, you're not there to have fun, you're there to do a job. If you do your job properly the first two will probably come along with that: you will look cool, you'll get to do some really cool stuff, and you're gonna get to do some fun stuff at the same time. But those are not your primary job as a pentester. Sure, it's cool being able to break into a building and gain access to their domain controllers and dump password hashes and stuff like that, but so what? So you got domain admin. You need to answer that question: so what? Why does it matter? You need to show them where their security issues are, and you need to make sure that you're explaining that in a way that it's not about you. You're serving their needs; it's not the other way around.

Don't break things. Of course, as pentesters our job is to break things, but you need to be careful about doing that. You need to make sure that you're not crashing production systems. When you dump 50,000 password hashes on a domain controller, sometimes it'll fill up the RAM and crash; you don't want to do that. You don't want to alter data. If you're looking at their credit card transaction log, you don't want to change those transactions to, you know, affect actual business processes. You're there to show that you could, but you don't want to actually do that. That's how you wind up talking to lawyers, and that's not fun. Don't change settings. This is not critical in some cases; sometimes you will need to change certain settings to be able to get proper penetration, but you don't want to change settings to make things more insecure, and that's kind of going into my next point.

Don't create insecurities. You're there to test insecurity; you're not there to create it. If you see a vulnerability and exploit it, that's fine. If you specifically open up a vulnerability in a system, like, say, you just spawn a bind shell on a web server, that's probably not a good idea, because then anybody else on the internet could connect to that and have the same amount of control that you do. Our job is to do testing in a safe way and to demonstrate things in a way that won't allow another attacker to get in off the back of what you're doing. And sometimes that can happen. Yeah, yeah. Sometimes, it depends on the engagement of course, but we'll use tactics like that if they're necessary, and sometimes creating vulnerabilities like that is kind of necessary, but you want to do it in the safest possible way. You want it to be as controlled as possible. If you're just leaking out data over Pastebin to perform data exfiltration, that's not a good thing. You need to find ways that will expose your client as little as possible while you're doing the engagement.

Don't get caught. Like I said, this one is optional depending on the sort of engagement that you're doing, but in order to not get caught you need to know a couple different things. You need to know what tools are going to be noisy. You need to know what tools are going to trigger alarms. You need to know how much bail will be if you get arrested breaking into a building, although hopefully that won't happen. So you need to be conscious of these things.
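As an added defensive illustration (not from the talk or the speaker): a small Python triage pass over constructed Windows event records that flags two of the noisy artifacts the talk points at, a remote-execution tool installing a service the way psexec does, and a freshly created account being added to Domain Admins. The event IDs are the standard Windows ones; the host, account and service names, and the trusted-path heuristic, are constructed assumptions.

```python
import re

# Constructed sample records (not real logs), keyed on standard Windows event
# IDs: 7045 (System) a service was installed; 4720 (Security) a user account
# was created; 4728 (Security) a member was added to a security-enabled
# global group. Host, account and service names are made up.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS-042", "service": "Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "host": "WS-042", "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "DC01", "service": "kQwertyzx",
     "path": r"\\127.0.0.1\ADMIN$\kQwertyzx.exe"},
    {"id": 4720, "host": "DC01", "actor": "jsmith", "target": "svc-backup2"},
    {"id": 4728, "host": "DC01", "actor": "jsmith", "target": "svc-backup2",
     "group": "Domain Admins"},
    {"id": 4728, "host": "DC01", "actor": "hr-admin", "target": "newhire",
     "group": "HR-Staff"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}
# Service-name prefixes left by well-known remote-execution tools
# (Sysinternals PsExec installs PSEXESVC; PAExec uses a PAExec- prefix).
KNOWN_REMOTE_EXEC_PREFIXES = ("psexesvc", "paexec")
# Directories where legitimately installed service binaries normally live;
# anything else is worth a look (heuristic, tune to the environment).
TRUSTED_PATH = re.compile(
    r"^(%SystemRoot%|C:\\Windows)\\(System32|SysWOW64)\\|^C:\\Program Files",
    re.IGNORECASE)


def suspicious_service(event):
    """Return a reason if a 7045 record looks tool-installed, else None."""
    name, path = event["service"], event["path"]
    if name.lower().startswith(KNOWN_REMOTE_EXEC_PREFIXES):
        return f"service {name} matches a known remote-execution tool"
    if path.startswith("\\\\"):
        return f"service binary loaded from a UNC path: {path}"
    if not TRUSTED_PATH.match(path):
        return f"service binary outside trusted directories: {path}"
    return None


def triage(events):
    """Walk the records once and return (host, category, reason) findings."""
    findings = []
    # Accounts created in this batch, so a create-then-add pair stands out.
    created = {(e["host"], e["target"]) for e in events if e["id"] == 4720}
    for ev in events:
        if ev["id"] == 7045:
            reason = suspicious_service(ev)
            if reason:
                findings.append((ev["host"], "service-install", reason))
        elif ev["id"] == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            reason = f"{ev['actor']} added {ev['target']} to {ev['group']}"
            if (ev["host"], ev["target"]) in created:
                reason += " (account created in the same batch)"
            findings.append((ev["host"], "privileged-group-add", reason))
    return findings


if __name__ == "__main__":
    for host, category, reason in triage(SAMPLE_EVENTS):
        print(f"{host:8} {category:22} {reason}")
```

On the constructed records the Spooler install and the HR group change pass quietly, while the PsExec-style service, the ADMIN$-sourced service and the create-then-add to Domain Admins each produce a finding.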
if you're trying to stay hidden if you create a domain administrator that's probably going to trigger every single alarm they have they're gonna wake up the sysadmin in the middle of the night and say hey something's going on let's press the panic button there are quieter ways to do things if you're going around blindly throwing t5n map scans that you know as fast as you can as fast as you can something's probably going to detect that and you need to be aware of that there are ways to be stealthy and if you want to make use of you want to make use of those as much as you can and then of course you don't want to get arrested usually we have a get-out-of-jail-free card but even so you don't want to get caught by the police because that's just no fun so far I've managed to avoid that but this is always the first time so in order to demonstrate that these techniques what I've learned over the past year so I'm going to go through some case studies about engagements that I've been on what I did what mistakes I made that sort of thing and I'm fairly new so there were mistakes made on these engagements there were times when I didn't follow my own advice and I want to help you guys if you're getting into pentesting to not fall into the same trap as I did so the first case study was a large retailer 50,000 plus employees 10 billion dollars in revenue every year and six character passwords so I'm going to walk you through the various phases of this engagement of course first we start out externally we enumerated applications we found their their IPs their various blocks that they controlled all their external facing web applications we scan those IPs for various services to see what's going on there and then we identified entry points that basically anywhere a user can log into the system it could be VPN it could be Outlook it could be SMTP SSH all sorts of things you need to examine each one of those in this case we determined that one of those applications was not locking 
out user counts no matter how many tries we threw at it so based on this web application we did a reverse brute force and what that does instead of picking a ton of user names a ton of passwords trying them all against each other of you know millions of times until you find a match we chose one password and we chose a thousand different user names that we could find for this client and we found out that the password was the season and the year so if your password for anything is summer 16 right now change it right now I will wait if you have that password yes so we did that we brute forced the entry point that we found which was I believe it was a VPN client login so we found a valid user name we found a valid password summer 2016 and then we logged into their VPN we had a foothold we were basically internal to their network at that time had we realized it then we probably could have gotten domain admin from the outside but this was getting towards the end of the week before we went on site so we ran out of time we got access to a user's workstation we tried a couple different things to gain some gain a foothold inside their network we didn't realize quite where we were inside the network so we didn't get the access that we would have liked you oh we ran out of time and that'll happen but you just need to roll with it you need to have a plan you need to know what's next so we went on site to do the internal phase how many people here are familiar with a tool called responder a few people so for those of you who don't know what responder does is it will listen for NB t NS requests and ll MNR requests and those are Windows computers being very helpful and screaming out to the network hey does anybody know where a SDF comm is if it doesn't have it in the local cache it'll then start asking the network if somebody types a domain name wrong that won't resolve normally that will never get a reply but responder very helpfully on your attacker workstation will say yes I do 
know where asdf dot-com is that's me give me your username and your password it's very helpful windows makes life very easy for us responder will almost always get us a valid username and password and there are plenty of trivial ways to disable that behavior but not enough people do it not enough people know that that exists and that's why we do what we do as pen testers to show people this is what you should be aware of this is something that you should look out for for a real attacker to do so we got a valid username and password while we were doing this we were enumerated we were scanning using things like NDT scan using ping Suites using n map all sorts of different techniques to get as much information about the network as we could we look for domain controllers we look for file shares we look for important workstations like if something says CEO workstation probably important luckily we didn't really need to do much more to get into main admin because responder got us a username and password it was for a domain administrator account and the password was six characters that cracked in about half a minute it doesn't take very long if you have weak passwords and that was the entire that was the whole reason that we got domain admin is one weak password it only takes that much if you don't disable ll m and r or and b TNS things like that your going to be vulnerable to that and that's what your job is to show you have these legacy accounts they have default passwords or very very weak passwords they haven't been used in eight years nine years or something like that but an attacker doesn't care about that an attacker is gonna take the quickest way in he can and we did six character password now what's next like I said we have to find the trophy data in this case this was a retailer they had credit cards they had a pharmacy so they had pH I health care information they had private privately identifiable information Social Security numbers addresses linked to real 
names all that sort of stuff they had it we needed to look for it for the quickest way to get that is to attack certain high-value targets those are going to be Network shares those are going to be executives account managers all that sort of stuff you need to know who to look for and what where you're likely to find the data and that's where enumeration really comes in handy if you don't do that proper enumeration if you don't do that reconnaissance you won't be able to find that as easily and you're just gonna be you know spinning your wheels trying to look for this stuff over a week or more and not going to get anywhere so we tried to gather more credentials for various applications that they had we logged in to their switches we saw their mainframes we decided not to log into those but we did get credentials for them because they're concerned about that their servers are handling you know thousands of credit card transactions a minute we showed them that as an attacker with this level of access we could gain access to that it didn't take anything more than cracking a six character password and that's something that an SS can will never show you that's why pen testing is more than just running an SS can giving them a 5,000 page report and saying we're done we never used necess a single time on this and then after we did all this after we gathered information after we showed that we can get credit card information or control their entire domain we decided to test their security game for responses we decided to try and be as noisy as we could to see what the detection threshold was we ran louder scans we did some really sketchy activity on their network they didn't see it so we created a domain administrator we were logged into one of their security guys box in boxes so he deleted the email that alerted hey somebody's just made a domain administrator nobody noticed the next day we still had that domain administrator there nobody had noticed that a new domain 
administrator had been created there was one email no text messages no phone calls in the middle of the night no bright red flashing lights in the data center nothing and we could do whatever we wanted to we created another domain administrator we waited no response we were sitting down in the little room that they put us in we had two domain administrators we were doing whatever we wanted to on their network still nothing that was a little bit weird because you know we didn't delete an email we didn't try to disrupt their security team at all they still didn't notice we had to create three domain administrators for anybody to take notice and then it took them about two hours to track us down and find where we were that's exactly the sort of thing you want to do when you're testing a response a lot of people are emphasizing the idea of hacking to get caught now hacking to show the defenders what to do what to look out for and that's something that I think we should absolutely be doing is pen testers because if we're not actively helping make the defenders better we're not doing our job well enough so we tested their security team and then after that they were concerned about physical security which is just fun to do because you know you get to break into buildings and climb over fences and do all sorts of fun stuff so we did a little bit of physical security the common tactic is to tailgate through doors somebody will hold the door are open for you because people are very helpful if you have a box in your hands there's nobody who's not gonna get the door for you and say here let me hold that and thank you very much now I'm in oh you're going to scan your badge for me and put in your PIN to get through the second door that's even more helpful thank you my badge is just in my pocket I swear so that sort of thing gaining access to the building it's important because they're obviously concerned about somebody coming in and ransacking the place or gaining access to 
their systems physically because everybody knows that physical access is route we jumped over turnstiles because you know they have little turnstile things for all the employees to scan into and if you were doing it properly you scan your badge and you walk through the turnstile accounts that this badge has been scanned you jump over it nobody notices they we had security cameras but nobody was watching them what good are those security cameras if you don't have somebody watching to say hey that person just jumped over the turnstile maybe we should send somebody down to investigate we broke into their data center using an under the under door tool for those of you who don't know any sort of the lever type door handles we have a tool that will go under the door come up grab the handle and you just open it from the inside because those all unlocked when you open them from the inside I think it's an OSHA requirement and it takes all of ten seconds at most if you do it properly this one took us a little bit longer but nobody stopped us to question us why are we doing this to the data center doors they have you know tens of millions of dollars of equipment in there yeah yeah if you have automatic doors that's an even better way to do it in this case datacenter didn't have automatic doors but it did have a little gap under the door and nobody seemed to know that if there's a little gap under the door there are there's a tool that's 30 bucks and you can buy it online and have it shipped to your house and the next day shipping so it and you can even make one out of a bit of coat hanger and a string practically it's not hard to do but nobody's watching out for and that's exactly our job as pen testers to show that people are not realizing the vulnerabilities that they have even if they're easily exploitable nope you gotta be able to think outside the box think like an attacker because that's where our value is and then we were just generally noise nosy we poked around in 
the offices we walked around you know checking computers to see if they were unlocked we checked for papers left out on the desk we took pictures of a couple sticky notes with passwords on them because everybody likes to do that you know you flip over the keyboard hey password one okay if somebody did manage to tailgate in they would have access to that information we didn't have employee badges we didn't have any sort of ID we just walked around their offices and it's so big nobody questions you if you don't have a badge once you're on the inside people trust you you should be there right you can walk around no matter what if you look like you know where you're going nobody's gonna stop you and say hey where's your badge people don't want to do that people don't want to confront you because we don't like confrontation I don't want to stop you and make your stick my nose in your business maybe you forgot your badge at your desk that's what you have to rely on when you're doing this sort of physical security and then we tested another location this was a type of a type of distribution facility and in order to get through this all we had to do was walk through the snow for about a mile and a half and I wore ankle socks and sneakers because I was not expecting to go through the snow yes my ankles were very cold after that I'm lucky I didn't get frostbite and we slept under a fence there was a gap there so we slipped under the fence we got in we walked around everybody else had hardhat safety vests things like that employee badges we were just two guys and jeans and coats nobody said anything we walked past people and they said hey how's it going nobody questioned us that's what the that's what you want to demonstrate to your client you want to show nobody's asking questions nobody's taking security as their priority here's what you can do to improve that and we avoided arrest there were at a different location we tried to break in and we were stopped then we decided 
to try again we were told by our point of contact that there are cops waiting for you if you try and do that again probably a good idea to call it off at this point so I've almost been arrested I have not been arrested I would like to stay out of handcuffs for as long as possible and I would like to not go to jail and that's always important as pentesters it can happen when you're doing the sort of physical security assessments that some of us may do yeah try not to get arrested I don't recommend it yep yes we do have get-out-of-jail-free letters which are basically a piece of paper from the client that says these people are authorized to do this kind of work yep exactly so you have this letter sometimes it will make a difference sometimes it won't and there will be you know lots of phone calls and you'll sit in a jail cell I have no desire to experience that so weird yep I mean it has its perks but I just I still wouldn't recommend it yep yeah it's uh yeah definitely definitely something to watch out for you don't want to get arrested I don't want to go to jail so you know be as careful as you can always have that letter of permission saying you are allowed to be here you are allowed to be doing what you're doing a business card will definitely help to prove that you are who you say you are because you know business cards can't be faked or whatever um but generally if you are sneaky enough and you keep your wits about you that won't happen I've only been doing this for a year there are probably people who have been doing this for longer than I have who have been in that position but that's just my experience so far and now I will move on to a very different case study this is a very clear example the best that I've seen so far of pentesting actually making a difference actually bringing people to improve their security to raise awareness and to you know it's the example of pen testers doing their jobs properly showing the client the risks and then explaining that 
in a way that allows the client to make adjustments this is a small business they have one location one office a hundred employees and they're concerned about PCI primarily when they first contacted us so we did a pen test in year one there was sequel injection in external applications it lets you read the customer database add social security numbers credit card information all that fun stuff all exposed on the internet to somebody who can run sequel map and that is pretty much everybody and my dog it's not very hard to do and I'm sure most people here are aware of that internally they had things like MSO eight oh six seven default passwords and that's pretty much it you get 10,000 plus records with thi PII credit card numbers but that was pretty much game over we got the goodies this was not me personally but this was my company and this was the first time they'd ever had a pen test on and we wrecked them of course because they weren't taking security seriously they had Windows XP then Windows 2003 that windows 2000 all that sort of stuff but then they asked us to come back next year next year we didn't get anywhere that all their web applications behind a laugh even though they were still probably not fixed it at least prevented us from getting anywhere it you know blocked us at every turn internally they had fully patched Windows seven and eight and they had 15 character passwords how many of you have a 15 character password more more than half I would say but still 15 character passwords in an enterprise environment they changed them monthly too even if you could crack the 15 character passwords it would probably take longer than a month so then it would be a different password even if people are using common patterns it's still going to be a pain in the ass to crack any of those passwords we didn't end up cracking any of the passwords in the week that we had to do the engagement so we failed and that's a good thing we want to go into environments and say we 
didn't get access we use this we use sneaky tactics yep yep so in many cases that is a valid tactic that's something an attacker would do but generally speaking we're not allowed to perform denial of service attacks on our engagement because customers don't like think going down even if it's a waif that is out in the cloud somewhere unfor exactly and that's a very valid point in this engagement we weren't able to test that we would have liked to obviously we like these engagements where everything is in scope no holds barred we're allowed to do whatever we want but the reality is that's not always an option clients want you to do certain things clients want you to not touch certain servers things like that they say don't touch our file share it'll go down if you even look at it well well it's your file share isn't that important don't you want that tested yeah but it'll go down if you look at it wrong so don't test it stay away from it stay away from our domain control it too while you're at it come on so you to try to convince them to let you do everything but that's not always going to happen sometimes your hands are going to be tied in this case our hands were somewhat yep that's a very I mean that will convince some people that won't convince other people it's a good it's a very good question whenever were being limited to things that we feel like a scope is too narrow or something like that we asked that question but a lot of the time we're dealing with people who don't have the authority to let us do more unfortunately and obviously as pen testers it's more fun to do full scope anything-goes pen testing but sometimes that's not an option but in this case we failed and we failed because we had done the pen test before and we tore them apart they were terrified of what would happen and with a smaller organization they had the ability to make those huge changes in just a year because the IT managers said we're doing this and that's what they were doing it's not 
gonna happen in larger organizations but I think this is a really good example of how we as pen testers should work with the defenders we should help them improve we should give them all the ammunition that we can in order to improve their organization's security the more things that you find for your clients the more ammunition they have to take to management and say we're going to be if someone even looks at us let's make some changes and our job as pen testers is to do that we need to show them that there are things you can do to prevent this from happening and look how easy it is it is for us to get in an attacker is going to do the same things that's why pen testing I feel is very important and that's a great example of how we can make a difference a lot of people view pentesting as go in break give them a 500-page necess report say we're out we're done have have fun good luck but you need to work with them your job as a pen tester isn't all offensive as much as we would like it to be we have to do more we have to be better than those you know big four shops who are just delivering 500-page and SS reports run by an intern that's not your job as a pen tester you need to do more and you need to push the client to let you do more in order to demonstrate that so I guess I still have some time and ran through that a little bit quick if anybody has any questions if you'd like to discuss things with me I'm happy to take any sort of comments or criticisms yep ah that is a good example of something I forgot to leave I forgot to put in my powerpoint presentation yes exactly so let me see one of the things I learned is to not hash dump a domain controller when you've got you know tens of thousands of users and you don't know what your tool is going to do that was on that retailer engagement we tried to do a hash dump on the domain controller it stopped responding nobody complained specifically but we were not aware that it would behave like that and we made a specific 
note to not do that in the future. Another thing is that pen testing is more than just running scans, it's more than just looking cool, it's about actually helping people improve security. When you're getting into pen testing you want to get shells, you want to get root, you want to break in, you want to show people how cool you are, but at the same time I've seen that it's better to be humble. It's better to come to them not as an adversary but as someone who's there to help. You're there to do your job, you're there to assist your client, you're not there to look cool. You can have fun doing it, you can look cool while you're doing it, but that's not your primary goal and it shouldn't be, and I think that's something that I wish more red team talks emphasized. And then I guess the importance of being caught sometimes, how being caught can be a good thing, because it can be a learning experience for both you and the defenders. Because if they see something they can then go down the rabbit hole, they can dig deeper into the event and figure out what they would actually do if they had an incident and they needed to respond to it. So hacking to get caught is a big thing that I would like to do more, that I've learned about over the past year. Yeah, I would say basically no holds barred, let us attack your organization completely, don't give us a scope, let us find you, let us do like three months of work to get in from the outside, you know, let us use tactics like getting hired at the company, let us do things like phish users. We do that in many cases, but sometimes they're like, oh, we don't want to test that because our users will click anything, they're stupid. Yeah, exactly, but that's the sort of thing we want to do because those are real world things. Like, you're not going to have an attacker say, oh, these servers look fragile, I won't touch those because they're fragile. And that's what we would do if given, you know, our way. Yeah, yeah, and that's entirely fair and that's a
valid point. I think that as pen testers we need to realize that it's not just about getting domain admin, it's what you can do after that to demonstrate, okay, we know that you can get domain admin, now what? What's the endgame? And that's where getting the goodies comes into play. But to get back to your original question, yeah, there are perfectly valid reasons to not want us to do things, but as attackers we're not going to say, oh, that's unfair, that's cheating. A kid sitting in his basement in Russia is not going to say, well, I think it would be unfair if I phished them because I'm too good at phishing. That's not going to happen. Yep, yep, absolutely. We don't just give them a giant list of vulnerabilities, we say here's measures you can take to prevent this, here are best practices for how to deal with this. We aren't just going in there breaking stuff and saying here's what we broke, good luck. We're saying here's specific things you can do to correct that, to train your users, to patch this, to raise awareness about this issue. We try and give them defensive tips after we go in and break every... Yeah, if there was an incident going on we would absolutely drop everything, say you have this going on, take a look at this, and we'll help with that. So I am a student at EMU in the IA program. I will say that most of what I learned about attacking systems, about doing pen testing, was not from school. It was tinkering with computers, it was breaking things, like, you know, my own wireless router. I broke into it to show that I could and say, hey, this is pretty cool, I can get into things. Most of what we do is not taught in school. You're not going to be taught how to, you know, trick someone into letting you in a building in school, you're not going to be taught about lock-picking in school most of the time. I'm not good at lock-picking, but that's beside the point. So my educational background, I do go to school for security, but it's not enough. You always need to be constantly
learning, you need to be pushing yourself to do better. You need to read, you know, InfoSec Twitter to keep up on the latest and greatest news, you need to be digging deeper into topics that interest you at every given point. I read constantly, I read even when I shouldn't be reading, because I'm addicted to learning more. I need to push myself to become, you know, as good a pen tester as I can be, so it's mostly on my own time. Yeah, yeah, absolutely. Whenever we come across something that stops us, whenever we failed to do something, we absolutely take a look at that in our lab and say, how can we bypass this? Are there issues that could arise that we didn't have time to discover? Of course you don't always have time to dig into that as deep as you would like, but we absolutely do that because it's part of becoming better hackers. Yep. Yeah, just yesterday I came back from an engagement where we had a long time to research a company. We had a couple weeks to start learning about them, to connect with employees on LinkedIn, to research as much as possible about them, and we started spear phishing and all of that sort of stuff. We were unsuccessful, actually, because we didn't anticipate some countermeasures that they had. But yeah, the recon, absolutely, the more the better. We usually start looking at the client when we first hear that we might get the engagement, because the more time we have the better our pen test will be externally, the more we can phish them, all sorts of stuff. The more time the better. Anyone else? I don't bite. Yep. Yeah, so if I'm understanding correctly, you're worried about the client knowing that the pen test is going on and employees being aware that it's going on. Actually, oh, well, of course we try and keep OPSEC as good as possible, and that's the most you can do, I would say. If you keep it a tight ship and make sure that there are no information leaks on your end, you're doing as much as possible. Like, we never mention client names, we would never associate any
test results with the actual client, all that sort of stuff, and we're absolutely concerned with our results getting into the wrong hands and we do everything to counteract that. Any other questions? Um, well, the problem is that a lot of people get into pen testing from widely disparate backgrounds and everything. I would say definitely knowledge of the sysadmin sort of tasks, common things that you'll need to know like Active Directory. You need to know Windows because everybody uses Windows, you need to know Linux because a lot of the tools we use are based on Linux, you need to know as much as possible about the internals, the common configurations, and honestly that's my weak point because I don't have that level of experience. I know a good deal, but I don't have years of experience to draw upon, and we're still able to do fairly well. So as much in prerequisite knowledge, I would say you need to know computers in general, you need to know various operating systems and you need to be competent with all of them. You don't have to be a professional with any of them, but you need to at least know your way around. Does that answer your question? One of the big things driving pen testing is PCI, because if you handle credit card data you need to have pen testing done, I think now it's twice a year in 2018. That's one of the big things that's driving pen testing, so all these companies that want to be PCI compliant need to have pen tests done. So we try to do more than PCI pen tests, we try to convince them, hey, PCI is compliance, but compliance is not security. Security is what we want to test, we don't want to test compliance. We will, but we want to do more in addition to that. This last engagement that I was on was a PCI assessment that we convinced them to allow us to do full scope, meaning we weren't just testing PCI requirements to the letter, we were testing outside of that, more what a realistic attacker would do. But companies are looking for pen testers, companies are looking for consulting to
do pen tests. I can't give you a number on market share or anything like that because I don't know that just offhand, but hopefully that answers your question. There is demand. Yeah, yeah, penetration test. Yep, my job title is penetration tester. Sometimes it'll be like security analyst or security consultant, but my job is penetration tester, that's what I have on my business card. So, external tools that we use to identify what a customer is running, right? So we use a lot of different stuff. Of course there's always nmap, nmap is the go-to tool for recon because it's so widely known. Yeah, we will do things like using Shodan, Shodan results for the company. For those of you who don't know, Shodan is basically a database of internet connected systems that are being scanned by Shodan for open ports, for services, for applications, so you can very easily identify what a company has externally through that. Additionally you can use like CMS mapping tools, you can use things like that. A lot of checking for web applications is just right click, view source. Does that answer your question? I think... I'm happy to talk more tools if you... yeah, sure. Yeah, any other questions? I think we're just about done, five minutes or so. Yeah, we use Kali. From what I can tell it's fairly well integrated, all the tools are set up. When it breaks it's a pain in the ass, but it's also a pain to set up from stock Linux. I don't have an opinion one way or the other, this is just what my team decided to use as a group. There are benefits to both, but I would always choose to run some flavor of Linux for a pen testing setup. Like, I have my MacBook, but for pen testing we do virtualize Kali. I would say we're open to the idea, I don't know if we're hiring specifically, if you want to give me your contact information I can... actually, absolutely, yep. Yes, so you need to be creative. It's not a science, it's not something specific, you need to be able to think outside the box. People say that it's
cliche but it's true. You need to think like an attacker does, you need to say, hey, I'm a bad guy, what do I do? Having that malicious mindset is important, but at the same time you need to be very ethical on top of that. You need to be absolutely committed to improving security, I would say, rather than just breaking stuff for the hell of it. I think it's important to realize that we're doing a job, we're doing a very important thing, and we should do our best to be reasonable and to perform our duties without breaching confidentiality or anything like that. Yeah, one tool or something like... as much of a script kiddie as I sound like, Metasploit, because it has all those tools, it has lots of different stuff. If you learn about Metasploit internals you can extend it to do whatever you want. It's a script kiddie tool, but it's so much more than that as well. It's absolutely a good tool to learn, as bad a reputation as it has among defenders and among some red team people. It's a great starting point for people getting into... am I being cut off? Okay, five more minutes. So any other questions you guys have, I'm happy to answer. If not, thank you for... yes, yes. [crowd]
Info
Channel: Adrian Crenshaw
Views: 5,400
Keywords: hacking, security, infosec, irongeek, detroit, bsides
Id: 2zC3XHOTGrA
Length: 55min 22sec (3322 seconds)
Published: Sat Jul 16 2016