BSidesLondon 20th April 2011 - Steve Lord (@stevelord)
----------------------------------------------------------------
The majority of penetration testing teams have staff falling into three of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynics. This is a talk about improving penetration testing skills to get to the rare fourth Jedi Master level, normally occupied by less than 1% of the team, where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session.
---- for more about Steve
http://www.mandalorian.com
But Don't Be Sad. Well, not just yet... Obligatory tool release moment pending; journalists please stand by, the marketing team have been very busy.
I'm sure many of you will have come across this before, when I heard it I interpreted it as a sign of interesting things to come.
How many pentesters does it take to change a light bulb? It's the customer's job to change it, we just break stuff. In theory the role of the pentester is to assist the information assurance process by providing a technical assessment of actual threats. In practice.
The system was connected to the Internet, as well as to various HMG networks. This was part of a mandated annual IT Health Check. Can you spot what's wrong with this picture?
Said to me during unlawful detention, after an 'impossible' route back to the customer network from an Indian offshorer had been identified, and after we'd found all manner of hideous stuff on the network proving that while they may have a duty, it wasn't being exercised.
I made this all up, but run with me
Wandering off-scope. See also, “Hey guys, I cracked this WEP network last night”
Not choosing company wisely. “But those d00dz in #defacers really know their stuff”
Thinking it's someone else's job to teach you. “I didn't know that'd down the server”
Understands an RFC
Experience increases. Realisation of inability to effect change. Depression. Alcoholism. Drugs. Divorce. Etc.
As they transcend: able to take TigerScheme QSTM. May pass first time. Should pass second time.
I have a lot of respect for CLAS consultants, I was one for a year. Sadly this guy wasn't one of them. Yes he talked a bit like Hyperchicken too.
The majority of team leaders fall into this. Death by PCI/DII.
Putting up with management, followed by doing it
“But why would you want to leave?” There are many reasons, but pentesting is a strange job and, as with anywhere else, if they don't feel valued or that they're achieving they'll move on. “You'll have to go into management to grow” Not only will you lose one of your best technical resources, but you'll gain someone probably unprepared for the horrors of management interaction. “How do you feel about writing an RMADS?” Up until this point, the Jaded Cynic may have heard of IS1 but is unlikely to fully understand the fundamentals that drive the IAMM and SPF. Policy is mostly boring for pentesters.
We found something on a pentest. Got all excited, wanted to call it Cross-Site Squirting, then marketing looked up 'squirting' on Google with SafeSearch off. Marketing doesn't click on links any more. Which was just as well, as we found out that it was an obscure issue, but documented on the interwebs. So we wrote a tool instead to automate it.
Subversion uses WebDAV to handle check-ins and checkouts. Without WebDAV you can't just rock up and check out, which sucks because sometimes even with WebDAV you can't check out, as someone was clever with the permissions.
Subversion uses the .svn directory structure. Beneath this is an entries file for each subdirectory. The entries file lists the file and directory names that exist beneath the current directory root. Subversion creates a backup of each file, with the name .svn-base at the end.
Where this gets interesting is this: most HTTP servers treat .svn-base as an unknown extension, so serve it as text/plain or similar. This means that if you can parse the entries files and directory structures you can download all the .svn-base files, and then you have a full backup of the svn tree.
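The metadata layout just described can be audited from the defender's side before a working copy is ever served. The following Python script is an added example, not the tool released in the talk: it walks a local document root, parses the pre-1.7 (format 8 to 10) .svn/entries files, and reports every file whose .svn-base pristine copy would be handed out if the .svn directory were reachable over HTTP. The sample tree it builds, the example.test URLs and the file names in it are constructed for illustration, and the record layout it assumes (format number on the first line, records terminated by form feed plus newline, name then kind as the first two lines of each record) is the 1.4 to 1.6 working-copy format.

```python
"""Audit a deployed web root for leaked Subversion working-copy metadata.

Added example, not the talk's tool. Assumes the pre-1.7 (format 8-10)
`.svn/entries` layout: a format number on the first line, then records
terminated by form feed + newline, each starting with the entry name and
kind ("file" or "dir"), with pristine copies kept as
`.svn/text-base/<name>.svn-base`.
"""
import os
import tempfile

RECORD_TERMINATOR = "\x0c\n"  # form feed + newline ends each record


def parse_entries(text):
    """Return (name, kind) pairs from a format 8-10 entries file.

    The first record (empty name) describes the directory itself and is
    skipped; a non-numeric first line means this is not an entries file.
    """
    first_line, _, body = text.partition("\n")
    if not first_line.strip().isdigit():
        raise ValueError("not a Subversion entries file")
    items = []
    for record in body.split(RECORD_TERMINATOR):
        lines = record.split("\n")
        name = lines[0]
        kind = lines[1] if len(lines) > 1 else ""
        if name and kind in ("file", "dir"):
            items.append((name, kind))
    return items


def audit_webroot(root):
    """Walk `root`; return (served path, pristine copy or None) per leaked file.

    Every .svn directory is a finding in itself; for each file named in its
    entries file we also report whether the .svn-base copy is present.
    """
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")  # do not descend into the metadata directory
        svn_dir = os.path.join(dirpath, ".svn")
        entries_path = os.path.join(svn_dir, "entries")
        if not os.path.isfile(entries_path):
            continue  # 1.7+ checkouts keep a wc.db at the root instead
        with open(entries_path, encoding="utf-8", errors="replace") as fh:
            for name, kind in parse_entries(fh.read()):
                if kind != "file":
                    continue  # subdirectories get their own .svn via os.walk
                base = os.path.join(svn_dir, "text-base", name + ".svn-base")
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel_base = os.path.relpath(base, root) if os.path.isfile(base) else None
                findings.append((rel.replace(os.sep, "/"),
                                 rel_base.replace(os.sep, "/") if rel_base else None))
    return findings


# Constructed sample content, laid out like a 1.4-1.6 working copy.
ROOT_ENTRIES = (
    "10\n"
    "\ndir\n123\nhttp://svn.example.test/repo/trunk\nhttp://svn.example.test/repo\n\x0c\n"
    "index.php\nfile\n\x0c\n"
    "config.php\nfile\n\x0c\n"
    "lib\ndir\n\x0c\n"
)
LIB_ENTRIES = "10\n\ndir\n123\n\x0c\nhelper.php\nfile\n\x0c\n"


def build_sample_tree():
    """Create a throwaway document root containing a leaked checkout."""
    root = tempfile.mkdtemp(prefix="svn-audit-")
    layout = {
        "index.php": "<?php echo 'hi'; ?>\n",
        "config.php": "<?php $db_pass = 'constructed'; ?>\n",
        ".svn/entries": ROOT_ENTRIES,
        ".svn/text-base/index.php.svn-base": "<?php echo 'hi'; ?>\n",
        # config.php deliberately has no pristine copy (partial leak case)
        "lib/helper.php": "<?php function helper() {} ?>\n",
        "lib/.svn/entries": LIB_ENTRIES,
        "lib/.svn/text-base/helper.php.svn-base": "<?php function helper() {} ?>\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for served, pristine in audit_webroot(build_sample_tree()):
        print(f"{served}: pristine copy {'at ' + pristine if pristine else 'missing'}")
```

Run it against the real document root instead of the sample tree; anything it reports should be removed from the deployment (use svn export rather than a checkout) and, as a second layer, the web server should deny any request whose path contains /.svn/. Subversion 1.7 and later replaced the per-directory entries files with a single .svn/wc.db SQLite database at the working-copy root, so on those checkouts the presence of .svn alone is the finding.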
Hidden admin interface. Debug=1 variable. Various RFI bugs.
Assimilates new information at lightning speed.
Makes their own tools.
Does or does not – there is no try.
Commercially aware. Balances value and coverage.
At least moderately socially balanced.
Attempts to understand customer threat landscape before testing.
Goes beyond attack trees. Builds attack avenues. Scenario based testing.
Alright, one last war story
Went to a call centre. Found a PC. Logged onto PC. Hacked Siebel using MS Access and ODBC. Forgot to link tables – FAIL. Access tries to download full Siebel database across WAN link.