Breaking, Entering and Pentesting
•
3 likes•1,048 views
BSidesLondon 20th April 2011 - Steve Lord (@stevelord) ---------------------------------------------------------------- The majority of Penetration testing teams have staff falling into 3 of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynicists. This is a talk about improving penetration testing skills to get to the rare fourth Jedi master level normally occupied by less than 1% of the team where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session. ---- for more about Steve http://www.mandalorian.com
![The Things Customers Say To me, at least... ,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
Similar to Breaking, Entering and Pentesting
Similar to Breaking, Entering and Pentesting (20)
More from Security BSides London
More from Security BSides London (12)
Recently uploaded
Recently uploaded (20)
Breaking, Entering and Pentesting
- 1. Breaking, Entering and Pentesting - Steve Lord
- 4. TigerScheme SST and TP member
- 6. What Does A Pentester Do? Other than drinking, natch
- 7. What Does A Pentester Do? In practice
- 9. During the test we found a ColdFusion System
- 11. What Does A Pentester Do? Don't believe me?
- 13. What Does A Pentester Do? Don't believe me?
- 19. Leading to...
- 22. Attitude
- 23. Motivation
- 24. Ability
- 26. Runs tools
- 28. Good at filling in checklists
- 29. Can do an OPTIONS request in a single bound
- 30. Might even know how to drive Ubuntu
- 31. Classes of Pentester The Nessus Monkey
- 33. Not choosing company wisely
- 34. Thinking it's someone else's job to teach you
- 36. Nessus Monkey fires up metasploit
- 37. Nessus Monkey own system
- 41. Knows a programming language
- 42. Can use a Linux commandline
- 43. Has read an RFC
- 44. Hungry for root, hungry to learn
- 45. Classes of Pentester Experts in Training
- 48. QSTM/CTM ready
- 50. Nessus Monkey runs SQLmap
- 51. Team Lead rolls his own
- 53. War Stories With pictures
- 56. Changes the dates on old reports and submits on retests
- 57. It's just a saga now
- 58. Classes of Pentester Jaded Cynic
- 60. Marriage
- 61. Kids
- 63. “ You'll have to go into management to grow”
- 64. “ How do you feel about writing an RMADS?”
- 65. But Don't Be Sad Well, not just yet... Obligatory tool release moment pending, journalists please stand by, the marketing team have been very busy.
- 68. War Stories The Jaded Cynic and the Web App
- 69. War Stories The Jaded Cynic and the Web App
- 73. The Things Customers Say To me, at least...
- 74. There is another class of pentester...
- 75. Classes of Pentester Jedi Master
- 76. Classes of Pentester Jedi Master
- 78. Has blood
- 80. Thinks beyond attack trees
- 81. Classes of Pentester Jedi Master
- 84. Tonight at DC4420 A taste of things to come
- 85. Thanks for having me It keeps me off the streets This presentation brought to you by Caravan Palace, Parov Stelar, Daft Punk and Beer. Hmmm... Beer. My next talk will be at DC4420 this evening about strategies for evading automated detection and manual analysis. Hope to see you there! CC-NC-SA ©2011 Mandalorian.
Editor's Notes
- I'm sure many of you will have come across this before, when I heard it I interpreted it as a sign of interesting things to come.
- How many pentesters does it take to change a light bulb? It's the customer's job to change it, we just break stuff. In theory the role of the pentester is to assist the information assurance process by providing a technical assessment of actual threats. In practice.
- The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
- Said to me during unlawful detention after 'impossible' route back to customer network from Indian Offshorer identified And after we'd found all manner of hideous stuff on the network proving that while they may have a duty, it wasn't being exercised
- I made this all up, but run with me
- Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
- Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
- Understands an RFC
- Experience increases Realisation of inability to effect change Depression Alcoholism Drugs Divorce Etc. As they transcend Able to take TigerScheme QSTM May pass first time Should pass second time
- The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
- I have a lot of respect for CLAS consultants, I was one for a year. Sadly this guy wasn't one of them. Yes he talked a bit like Hyperchicken too.
- The majority of team leaders fall into this Death by PCI/DII
- Putting up with management, followed by doing it
- “ But why would you want to leave?” There are many reasons, but pentesting is a strange job and if as with anywhere else they don't feel valued or that they're achieving they'll move on. “ You'll have to go into management to grow” Not only will you lose one of your best technical resources, but you'll gain someone probably unprepared for the horrors of management interaction. “ How do you feel about writing an RMADS?” Up until this point, the Jaded Cynic may have heard of IS1 but is unlikely to fully understand the fundamentals that drive the IAMM and SPF. Policy is mostly boring for pentesters.
- We found something on a pentest. Got all excited, wanted to call it Cross-Site Squirting then marketing looked up 'squirting' on google with safesearch off. Marketing doesn't click on links any more. Which was just as well, as we found out that it was an obscure issue, but documented on the interwebs. So we wrote a tool instead to automate it
- Subversion uses webdav to handle checkins and checkouts. Without webdav you can't just rock up and check out, which sucks because sometimes even with webdav you can't checkout as someone was clever with the permissions.
- Subversion uses the .svn directory structure Beneath this is an entries file for each subdirectory The entries file lists file and directory names that exist beneath the current directory root Subversion creates a backup of each file, with the name .svn-base at the end
- Where this gets interesting is this: Most HTTP servers treat .svn-base as an unknown extension so serve it as text/plain or similar This means that if you can parse the entries files and directory structures you can download all the .svn-base files And then you have a full backup of the svn tree
- Hidden admin interface Debug=1 variable Various RFI bugs
- Assimilates new information at lightning speed Makes their own tools Does or does not – there is no try Commercially aware Balances value and coverage At least moderately socially balanced Attempts to understand customer threat landscape before testing Goes beyond attack trees Builds attack avenues Scenario based testing
- Alright, one last war story
- Went to a Call Centre Found a PC Logged onto PC Hacked Siebel using MS Access and ODBC Forgot to link tables – FAIL Access tries to download full Siebel database across WAN link
- Putting up with management, followed by doing it