Breaking, Entering and Pentesting
3 likes1,054 views
The document discusses the varying roles and classes of penetration testers (pentesters) within cybersecurity, highlighting their motivations, experience, and common pitfalls. It features anecdotes from the speaker's experiences and observations about the pentesting community, including examples of vulnerabilities found during tests. The presentation aims to educate on the essential skills and attitudes of different types of pentesters while addressing misconceptions from clients regarding their responsibilities.
Breaking, Entering and Pentesting
- 1. Breaking, Entering and Pentesting - Steve Lord
- 2. The Things Customers Say To me, at least... From a leading SI: “ That's not a risk. It's internal.”
- 3. Who is this guy? And what does he know? Steve Lord Founder, Mandalorian
- 4. TigerScheme SST and TP member
- 5. Co-Founder, 44Con - http://www.44con.com/ 12 Year Pentesting V ictim eteran Big gov, small gov, financials, defence, NGOs, small countries, small continents
- 6. What Does A Pentester Do? Other than drinking, natch
- 7. What Does A Pentester Do? In practice
- 8. What Does A Pentester Do? Don't believe me? 3 months ago we tested a government system
- 9. During the test we found a ColdFusion System
- 10. Tried requesting the following: /CFIDE/administrator/settings/mappings.cfm?locale=..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts%00en
- 11. What Does A Pentester Do? Don't believe me?
- 12. Did You Spot The Gorilla? Really? Shall we try again?
- 13. What Does A Pentester Do? Don't believe me?
- 14. What Does A Pentester Do? Grading time It was vulnerable to CVE-2010-2861 1 point
- 15. What Does A Pentester Do? Grading time The /CFIDE/administrator/ path was accessible from the Internet 1 point
- 16. What Does A Pentester Do? Grading time That Adobe acquired Macromedia in 2005, and as such this thing's been open for how long since an upgrade? 2 points – report due by end of talk pls
- 17. What Does A Pentester Do? Keep it going harder Can we get admin passwords? ..\..\lib\password.properties Add Scheduled Task
- 18. What Does A Pentester Do? Keep it going harder Can we get admin passwords? ..\..\lib\password.properties Add Scheduled Task
- 19. Leading to...
- 20. The Things Customers Say To me, at least... From another leading SI: “ We have a duty of care to protect customer data”
- 21. Classes of Pentester You mean there's more than one? Pentesters can be grouped into several classes based on: Experience
- 22. Attitude
- 23. Motivation
- 24. Ability
- 25. Classes of Pentester The Nessus Monkey Often fresh out of Uni
- 26. Runs tools
- 28. Good at filling in checklists
- 29. Can do an OPTIONS request in a single bound
- 30. Might even know how to drive Ubuntu
- 31. Classes of Pentester The Nessus Monkey
- 32. Classes of Pentester Common Nessus Monkey Mistakes Wandering off-scope
- 33. Not choosing company wisely
- 34. Thinking it's someone else's job to teach you
- 35. Classes of Pentester Even Nessus Monkeys get root Nessus reports Tomcat HTML interface
- 36. Nessus Monkey fires up metasploit
- 37. Nessus Monkey own system
- 40. Classes of Pentester Experts in Training Has written a tool
- 41. Knows a programming language
- 42. Can use a Linux commandline
- 43. Has read an RFC
- 44. Hungry for root, hungry to learn
- 45. Classes of Pentester Experts in Training
- 46. Classes of Pentester Experts In Training Observations As skills increase Awareness of problem space (usually) increases
- 48. QSTM/CTM ready
- 49. War Stories With pictures SQL Injection on a box
- 50. Nessus Monkey runs SQLmap
- 51. Team Lead rolls his own
- 52. Sometimes SQLmap isn't quick enough Which leads to...
- 53. War Stories With pictures
- 54. The Things Customers Say To me, at least... From a CLAS consultant: “ Lets call this what it is, an unjustified unlimited hacking exercise”
- 55. Classes of Pentester Jaded Cynic Hit the tech ceiling
- 56. Changes the dates on old reports and submits on retests
- 57. It's just a saga now
- 58. Classes of Pentester Jaded Cynic
- 59. Classes of Pentester Jaded Cynic - Key Factors in Cool Stuff Time Certifications TigerScheme SST every 3 years ~20% 1 st time pass rate, 2 day exam Management
- 60. Marriage
- 61. Kids
- 62. Classes of Pentester Jaded Cynic – Mistakes Employers Make “ But why would you want to leave?”
- 63. “ You'll have to go into management to grow”
- 64. “ How do you feel about writing an RMADS?”
- 65. But Don't Be Sad Well, not just yet... Obligatory tool release moment pending, journalists please stand by, the marketing team have been very busy.
- 66. War Stories The Jaded Cynic and the Web App PHP-based Web app .svn/Entries found by Nikto Has a poke round .svn-land
- 68. War Stories The Jaded Cynic and the Web App
- 69. War Stories The Jaded Cynic and the Web App
- 70. War Stories The Jaded Cynic and the Web App Subverted Generates a list of source backup files for wget
- 72. The Things Customers Say To me, at least... From an IT Service Provider: “ If any of our systems go down, we're throwing you off-site”
- 73. The Things Customers Say To me, at least...
- 74. There is another class of pentester...
- 75. Classes of Pentester Jedi Master
- 76. Classes of Pentester Jedi Master
- 77. Classes of Pentester Jedi Masters – specific qualities Is Relentless
- 78. Has blood
- 80. Thinks beyond attack trees
- 81. Classes of Pentester Jedi Master
- 82. War Stories Jedi Master Grade Sorry I don't have mitochlorians But I'm trying to be better
- 83. The Things Customers Say To me, at least... From *yet* another leading SI: “ A particularly vigilant DBA spotted your tests”
- 84. Tonight at DC4420 A taste of things to come
- 85. Thanks for having me It keeps me off the streets This presentation brought to you by Caravan Palace, Parov Stelar, Daft Punk and Beer. Hmmm... Beer. My next talk will be at DC4420 this evening about strategies for evading automated detection and manual analysis. Hope to see you there! CC-NC-SA ©2011 Mandalorian.
Editor's Notes
- #3: I'm sure many of you will have come across this before, when I heard it I interpreted it as a sign of interesting things to come.
- #5: How many pentesters does it take to change a light bulb? It's the customer's job to change it, we just break stuff. In theory the role of the pentester is to assist the information assurance process by providing a technical assessment of actual threats. In practice.
- #7: The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
- #16: Said to me during unlawful detention after 'impossible' route back to customer network from Indian Offshorer identified And after we'd found all manner of hideous stuff on the network proving that while they may have a duty, it wasn't being exercised
- #17: I made this all up, but run with me
- #20: Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
- #21: Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
- #22: Understands an RFC
- #24: Experience increases Realisation of inability to effect change Depression Alcoholism Drugs Divorce Etc. As they transcend Able to take TigerScheme QSTM May pass first time Should pass second time
- #25: The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
- #27: I have a lot of respect for CLAS consultants, I was one for a year. Sadly this guy wasn't one of them. Yes he talked a bit like Hyperchicken too.
- #28: The majority of team leaders fall into this Death by PCI/DII
- #30: Putting up with management, followed by doing it
- #31: “ But why would you want to leave?” There are many reasons, but pentesting is a strange job and if as with anywhere else they don't feel valued or that they're achieving they'll move on. “ You'll have to go into management to grow” Not only will you lose one of your best technical resources, but you'll gain someone probably unprepared for the horrors of management interaction. “ How do you feel about writing an RMADS?” Up until this point, the Jaded Cynic may have heard of IS1 but is unlikely to fully understand the fundamentals that drive the IAMM and SPF. Policy is mostly boring for pentesters.
- #32: We found something on a pentest. Got all excited, wanted to call it Cross-Site Squirting then marketing looked up 'squirting' on google with safesearch off. Marketing doesn't click on links any more. Which was just as well, as we found out that it was an obscure issue, but documented on the interwebs. So we wrote a tool instead to automate it
- #33: Subversion uses webdav to handle checkins and checkouts. Without webdav you can't just rock up and check out, which sucks because sometimes even with webdav you can't checkout as someone was clever with the permissions.
- #34: Subversion uses the .svn directory structure Beneath this is an entries file for each subdirectory The entries file lists file and directory names that exist beneath the current directory root Subversion creates a backup of each file, with the name .svn-base at the end
- #35: Where this gets interesting is this: Most HTTP servers treat .svn-base as an unknown extension so serve it as text/plain or similar This means that if you can parse the entries files and directory structures you can download all the .svn-base files And then you have a full backup of the svn tree
- #36: Hidden admin interface Debug=1 variable Various RFI bugs
- #42: Assimilates new information at lightning speed Makes their own tools Does or does not – there is no try Commercially aware Balances value and coverage At least moderately socially balanced Attempts to understand customer threat landscape before testing Goes beyond attack trees Builds attack avenues Scenario based testing
- #44: Alright, one last war story
- #45: Went to a Call Centre Found a PC Logged onto PC Hacked Siebel using MS Access and ODBC Forgot to link tables – FAIL Access tries to download full Siebel database across WAN link
- #46: Putting up with management, followed by doing it