SlideShare ist ein Scribd-Unternehmen logo

Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispagatos

Chris Fernandez CEHv7, eCPPT, Linux Engineer
Chris Fernandez CEHv7, eCPPT, Linux Engineer

A session describing how and why is possible to do professional security penetration testing solely using free software code and tools. We will be showcasing some of this tools and having a conversation to see how we can make this tools succeed in the field, come up with new ideas and maybe a project we can work on during the year for the intention to promote free software in the redteam security field. A brief history of hacker ethics on computer and software hacking, why both communities have the same roots and were are they now.

Internet
1 von 28
Downloaden Sie, um offline zu lesen
testtest Security Penetration TestingSecurity Penetration Testing LovesLoves “Free Software”“Free Software” Fernandez, Christian Troy CreggerFernandez, Christian Troy Cregger ReK2,ReK2WiLdSReK2,ReK2WiLdS TrizzTrizz Hispagatos, BugcrowdHispagatos, Bugcrowd HispagatosHispagatos
_# WHOAMI Currently working at: Bugcrowd as a Infrastructure and Security engineer. Originally from Alicante, Spain, A Free software advocate since 1996, Anarchist An autodidact, am mostly self taught. Companies, do make me take certifications for Compliance… which is ok. Back in the day I loved to play all night on BBS’s finding hidden underground information, Hunger to learn as much as I could, something my mother did not really understand when the bill came at the end of the month... Then FIDONET and just soon after the INTERNET, where I used to connect using compurserve from Spain in not very ethical ways… but Telefonica was a company I was not willing to give a dime or a peseta at the moment. Groups: Employeer: Hispagatos Infrastructure and Security Engineer DC415 at Bugcrowd in San Francisco Freelancer: Stealthy-cybersecurity Penetration testing and other security services.
And it all started…And it all started… and.. yesand.. yes as we know it today, it all started in MIT with some cleveras we know it today, it all started in MIT with some clever people playing with raildroad models...people playing with raildroad models...
A new frontier...A new frontier... Cyberpunks, explorers and other technocratsCyberpunks, explorers and other technocrats started to roamstarted to roam the wild wild west of what was coined bythe wild wild west of what was coined by Willian Gipson at the time as "CyberSpace".Willian Gipson at the time as "CyberSpace".
The seeds of change...The seeds of change... Richard Stallman started the GNU revolution,Richard Stallman started the GNU revolution, around the same timearound the same time the LOD or Legion of Doom and MOD also knownthe LOD or Legion of Doom and MOD also known as Masters of Deception were exploringas Masters of Deception were exploring this decentralized new frontier.this decentralized new frontier.
Both movements, making old power structures nervousBoth movements, making old power structures nervous in diff ways..in diff ways..
““Hackers”, HeroesHackers”, Heroes of the Computerof the Computer Revolution:Revolution: Steven levySteven levy Gracefully documented the great hackerGracefully documented the great hacker tradition for many decades totradition for many decades to come...come...
The hacker EthicsThe hacker Ethics Set in stone, for the commingSet in stone, for the comming generations andgenerations and an array of movements thatan array of movements that came out of itcame out of it
Just to name a fewJust to name a few influencialinfluencial movements:movements:
Ok, so looksOk, so looks awesome..awesome.. seems we areseems we are on the righton the right path, right?path, right?
Well…Well… then this happenedthen this happened That and the media... this was the total assimilation of the word “hacker” in a negative way... that's just what we needed... NOT.
And in the Free SoftwareAnd in the Free Software camp also a lot ofcamp also a lot of campaigns to discredit itscampaigns to discredit its model and ideas.model and ideas.
Still, there were realStill, there were real hackers in bothhackers in both communities... thecommunities... the software hackers and thesoftware hackers and the computer hackers, andcomputer hackers, and this is what this talk isthis is what this talk is about…about…
Both of theseBoth of these communities were andcommunities were and probably are the sameprobably are the same community, the toolscommunity, the tools people use for security forpeople use for security for the last 20-25 years werethe last 20-25 years were written by softwarewritten by software hackers for computerhackers for computer hacking and security.hacking and security.
Such software, of course,Such software, of course, respected the hackerrespected the hacker ethics and was released asethics and was released as free software in mostfree software in most cases or othercases or other compatible licences.compatible licences. So here we are.. hand by hand Free Software and Computer Security.
The moderm computer security field needsThe moderm computer security field needs hackers to write software that is open,hackers to write software that is open, free and respects the hacker ethics while at the samefree and respects the hacker ethics while at the same time breaking and going beyond what we can expecttime breaking and going beyond what we can expect as is usually done in the true hacker spirit.as is usually done in the true hacker spirit.
Now lets forward to 2010, Computer Security is gettingNow lets forward to 2010, Computer Security is getting to be a big bussiness, hackers are in demand,to be a big bussiness, hackers are in demand, new tech fields are created over traditional ones.new tech fields are created over traditional ones. Security Engineers, Pentesters, Blue Teams, Red Teams...Security Engineers, Pentesters, Blue Teams, Red Teams...
Pentesting is to computer hacking what Open source isPentesting is to computer hacking what Open source is to Free software...to Free software... Stripping the politics and idealism out of them to createStripping the politics and idealism out of them to create a simpler pro-bussiness market easier to digest.a simpler pro-bussiness market easier to digest.
So yes here we are. Now we have a lot of academicsSo yes here we are. Now we have a lot of academics non-hackers doing pentesting and security.non-hackers doing pentesting and security. In the last 5 years security is a multibillion dollarIn the last 5 years security is a multibillion dollar market, a lot of software companies are trying tomarket, a lot of software companies are trying to get a piece of the pie. This is ok, but what about theget a piece of the pie. This is ok, but what about the hacker ethics? What about the freedom and the openhacker ethics? What about the freedom and the open decentralized ideas of the hacker revolution by Stevendecentralized ideas of the hacker revolution by Steven Levy?Levy?
This talk is not intented to agree or disagree or discreditThis talk is not intented to agree or disagree or discredit any profesionals, but to be able to talk about why freeany profesionals, but to be able to talk about why free software is needed in the penetration testing world.software is needed in the penetration testing world. We have to know the link between the past and theWe have to know the link between the past and the present. So from now on I will describe hacking aspresent. So from now on I will describe hacking as penetration testing...penetration testing...
Pentesting & FreeSofwarePentesting & FreeSofware It took a lot of time for peopleIt took a lot of time for people to understand and fully respect theto understand and fully respect the whole point that open and libre are not a threat,whole point that open and libre are not a threat, but will actually revolutionizebut will actually revolutionize the internet era…and so it did.the internet era…and so it did. The same with security hackers,The same with security hackers, it took 20 years for people to understandit took 20 years for people to understand the difference between people exploringthe difference between people exploring and pranking. The difference betweenand pranking. The difference between curiosity and real criminal behaivour.curiosity and real criminal behaivour. Today we are hired and not demonized.Today we are hired and not demonized. Others were not that lucky...Others were not that lucky...
Popular software that hackers have written along thePopular software that hackers have written along the years that are used by security profesionals, some ofyears that are used by security profesionals, some of them are:them are: Nmap OpenVas Hydra Netcat Ncat Nikto Hping Gdb gcc Zaproxy.. Long list..
So…. What’s the problem? Most tools are free sofware..So…. What’s the problem? Most tools are free sofware.. Like we said before… as the hacker ethics leave the field also does free software, a lot of new professionals already abandoned free software options, they use tools like BURP, comercial and closed tools made by the evolving market that are in most cases closed source.
Sometimes… is really not their fault, some propietarySometimes… is really not their fault, some propietary tools like BURP have come a long way with no freetools like BURP have come a long way with no free competition, and these people don’t care about freedomcompetition, and these people don’t care about freedom until OWASP stepped in… now we have ZAProxy… butuntil OWASP stepped in… now we have ZAProxy… but even though it got much better in just the last 6 months,even though it got much better in just the last 6 months, it still needs more people collaborating… and for us toit still needs more people collaborating… and for us to spread the word so other pentesters will use itspread the word so other pentesters will use it
Ok let me now give you an over view of the tools IOk let me now give you an over view of the tools I usually use when I am engaged in a pentest.usually use when I am engaged in a pentest. My main tools:My main tools: Lots of custom ruby, python and golang scripts/programs I write.Lots of custom ruby, python and golang scripts/programs I write. Some ruby examples I put along other collegues at:Some ruby examples I put along other collegues at: RuByFuRuByFu GitbookGitbook Linux(BlackArch)Linux(BlackArch) Nmap,Ncat,HpingNmap,Ncat,Hping The-backdoor-factory, Veil FrameworkThe-backdoor-factory, Veil Framework Zaproxy, Nikto, WPscanZaproxy, Nikto, WPscan Gdb/peda,radare2/ragg2,GCCGdb/peda,radare2/ragg2,GCC Recong-ng, pwnbin, google dorksRecong-ng, pwnbin, google dorks Spiderlabs/Responder, smbtools, Enum4LinuxSpiderlabs/Responder, smbtools, Enum4Linux SecLists/dictionaries, lots of personal notes.SecLists/dictionaries, lots of personal notes. Tcpdump/wireshark...Tcpdump/wireshark... Sqlmap/metasploit...Sqlmap/metasploit... Aircrack/wifite2/mitmf…Aircrack/wifite2/mitmf… Snmpwalk...Snmpwalk...
VirtualBox:VirtualBox: I have a repository of VM’s with propietary OS’s to attackI have a repository of VM’s with propietary OS’s to attack and to compile exploits for win32 enviroments etc.and to compile exploits for win32 enviroments etc. Unfortunatelly this can’t be avoided… since you have toUnfortunatelly this can’t be avoided… since you have to experiement attacking these systems, just make sureexperiement attacking these systems, just make sure they are VM’s not your main OS :P I treat them likethey are VM’s not your main OS :P I treat them like viruses I need to study :Pviruses I need to study :P Radare2/x64_dbg/objdump/nasm/edb/Radare2/x64_dbg/objdump/nasm/edb/
MethodologyMethodology - Information Gathering- Information Gathering Recon-ng, google, bing, duckduckgo, nslookup, dig…Recon-ng, google, bing, duckduckgo, nslookup, dig… - Enumeration/scanning, detect live Hosts,Ports etc.- Enumeration/scanning, detect live Hosts,Ports etc. Nmap, ncat, hping,Snmpwalk,enum4linux…Nmap, ncat, hping,Snmpwalk,enum4linux… - Sniffing and MITM attacks if possible..- Sniffing and MITM attacks if possible.. Mitmf, tcpdump, wireshark, responderMitmf, tcpdump, wireshark, responder - Exploitation- Exploitation --getting-shell:--getting-shell: Custom made exploit, Veil framework, exploit-db.com, Proxychains,Custom made exploit, Veil framework, exploit-db.com, Proxychains, ssh, telnet, ncat, ftp….sqlI,XXS,phising...ssh, telnet, ncat, ftp….sqlI,XXS,phising... --Privilege scalation:--Privilege scalation: Local exploits/vulns, bad permissions,Local exploits/vulns, bad permissions, misconfigurationsmisconfigurations - Post Exploitation- Post Exploitation Pillaging, mapping internal network, pivoting, repeatPillaging, mapping internal network, pivoting, repeat
Thanks to my team members at HispagatosThanks to my team members at Hispagatos Trizz, Thibaud, Bitsurfer, sigma4, Heavenraiza, PetruknismeTrizz, Thibaud, Bitsurfer, sigma4, Heavenraiza, Petruknisme http://hispagatos.orghttp://hispagatos.org We use mattermost chat if any of you wants to join the chat ask me for an invite,We use mattermost chat if any of you wants to join the chat ask me for an invite, anyone is welcomeanyone is welcome How to Reach me?How to Reach me? I am always willing to help people starting, specially if you are an anarchist or a free software activist.I am always willing to help people starting, specially if you are an anarchist or a free software activist. KEYBASEKEYBASE:: https://keybase.io/cfernandezhttps://keybase.io/cfernandez Email:Email: rek2@protonmail.comrek2@protonmail.com Email:Email:cfernandez@protonmail.chcfernandez@protonmail.ch

Empfohlen

Hacking
HackingHacking
Hacking
Dianna Marie Manalo
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมาโครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
Onwadee18
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
EC-Council
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hacking
hackingtraining
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
Onwadee18
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
Greg Stromire
 
Power Point Hacker
Power Point HackerPower Point Hacker
Power Point Hacker
yanizaki
 

Empfohlen

Hacking
HackingHacking
Hacking
Dianna Marie Manalo
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมาโครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา
Onwadee18
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
EC-Council
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hacking
hackingtraining
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
โครงงานการพัฒนาเว็บไซต์เรื่อง Hacking ชลธิชา.อรวดี.อรอุมา1
Onwadee18
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
Greg Stromire
 
Power Point Hacker
Power Point HackerPower Point Hacker
Power Point Hacker
yanizaki
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
arohan6
 
Introduction PGP-GPG Subkey Management
Introduction PGP-GPG Subkey ManagementIntroduction PGP-GPG Subkey Management
Introduction PGP-GPG Subkey Management
n|u - The Open Security Community
 
Hackers are innocent
Hackers are innocentHackers are innocent
Hackers are innocent
danish3
 
Hacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesHacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering Adversaries
GTKlondike
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference
 
The ultimate privacy guide
The ultimate privacy guideThe ultimate privacy guide
The ultimate privacy guide
JD Liners
 
Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year Backward
Positive Hack Days
 
Demystifying Secure Channel
Demystifying Secure ChannelDemystifying Secure Channel
Demystifying Secure Channel
Viral Parmar
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Back
x0rz x0rz
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
EC-Council
 
What is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniquesWhat is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniques
Klaus Drosch
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
Barcamp Kerala
 
Encryption
EncryptionEncryption
Encryption
DanielNanaAnyemeduHe
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
KeshavBhardwaj19
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
vicenteDiaz_KL
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
Deep Shankar Yadav
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
EC-Council
 
A Journey Into Deception Based Security
A Journey Into Deception Based SecurityA Journey Into Deception Based Security
A Journey Into Deception Based Security
Adel Karimi
 
Iniciación al Ethical Hacking
Iniciación al Ethical HackingIniciación al Ethical Hacking
Iniciación al Ethical Hacking
Chris Fernandez CEHv7, eCPPT, Linux Engineer
 
Retiring in a Bear Market
Retiring in a Bear MarketRetiring in a Bear Market
Retiring in a Bear Market
The 401k Study Group ®
 
Informe Monitero Online Elecciones Presidenciales Ecuador 2017
Informe Monitero Online Elecciones Presidenciales Ecuador 2017Informe Monitero Online Elecciones Presidenciales Ecuador 2017
Informe Monitero Online Elecciones Presidenciales Ecuador 2017
nethodology
 
PhytoScience Opportunity Presentation ver 7.00
PhytoScience Opportunity Presentation ver 7.00PhytoScience Opportunity Presentation ver 7.00
PhytoScience Opportunity Presentation ver 7.00
NMP Pakistan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year Backward
Positive Hack Days
 

Was ist angesagt? (18)

Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Introduction PGP-GPG Subkey Management
Introduction PGP-GPG Subkey ManagementIntroduction PGP-GPG Subkey Management
Introduction PGP-GPG Subkey Management
 
Hackers are innocent
Hackers are innocentHackers are innocent
Hackers are innocent
 
Hacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesHacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering Adversaries
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
 
The ultimate privacy guide
The ultimate privacy guideThe ultimate privacy guide
The ultimate privacy guide
 
Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year Backward
 
Demystifying Secure Channel
Demystifying Secure ChannelDemystifying Secure Channel
Demystifying Secure Channel
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Back
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
What is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniquesWhat is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniques
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
 
Encryption
EncryptionEncryption
Encryption
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
A Journey Into Deception Based Security
A Journey Into Deception Based SecurityA Journey Into Deception Based Security
A Journey Into Deception Based Security
 

Andere mochten auch

Iniciación al Ethical Hacking
Iniciación al Ethical HackingIniciación al Ethical Hacking
Iniciación al Ethical Hacking
Chris Fernandez CEHv7, eCPPT, Linux Engineer
 
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
kiki utagawa
 
Payments Trends 2017
Payments Trends 2017Payments Trends 2017
Payments Trends 2017
Capgemini
 
B2B Marketing and The Power of Twitter
B2B Marketing and The Power of TwitterB2B Marketing and The Power of Twitter
B2B Marketing and The Power of Twitter
Steve Yanor
 

Andere mochten auch (20)

Iniciación al Ethical Hacking
Iniciación al Ethical HackingIniciación al Ethical Hacking
Iniciación al Ethical Hacking
 
Retiring in a Bear Market
Retiring in a Bear MarketRetiring in a Bear Market
Retiring in a Bear Market
 
Informe Monitero Online Elecciones Presidenciales Ecuador 2017
Informe Monitero Online Elecciones Presidenciales Ecuador 2017Informe Monitero Online Elecciones Presidenciales Ecuador 2017
Informe Monitero Online Elecciones Presidenciales Ecuador 2017
 
PhytoScience Opportunity Presentation ver 7.00
PhytoScience Opportunity Presentation ver 7.00PhytoScience Opportunity Presentation ver 7.00
PhytoScience Opportunity Presentation ver 7.00
 
Building GUI App with Electron and Lisp
Building GUI App with Electron and LispBuilding GUI App with Electron and Lisp
Building GUI App with Electron and Lisp
 
Digital Activism 101: A Guide to Showing Up, Speaking Out, and Connecting on ...
Digital Activism 101: A Guide to Showing Up, Speaking Out, and Connecting on ...Digital Activism 101: A Guide to Showing Up, Speaking Out, and Connecting on ...
Digital Activism 101: A Guide to Showing Up, Speaking Out, and Connecting on ...
 
#MobileRevolution - How Mobile Is Changing You
#MobileRevolution - How Mobile Is Changing You#MobileRevolution - How Mobile Is Changing You
#MobileRevolution - How Mobile Is Changing You
 
Goでヤフーの分散オブジェクトストレージを作った話 Go Conference 2017 Spring
Goでヤフーの分散オブジェクトストレージを作った話 Go Conference 2017 SpringGoでヤフーの分散オブジェクトストレージを作った話 Go Conference 2017 Spring
Goでヤフーの分散オブジェクトストレージを作った話 Go Conference 2017 Spring
 
DockerでWordPressサイトを開発してみよう
DockerでWordPressサイトを開発してみようDockerでWordPressサイトを開発してみよう
DockerでWordPressサイトを開発してみよう
 
失敗の「のこら」ない、告白を = m2y.jp
失敗の「のこら」ない、告白を = m2y.jp失敗の「のこら」ない、告白を = m2y.jp
失敗の「のこら」ない、告白を = m2y.jp
 
人は一ヶ月でエンジニアになれるのか - 詳細解説
人は一ヶ月でエンジニアになれるのか - 詳細解説人は一ヶ月でエンジニアになれるのか - 詳細解説
人は一ヶ月でエンジニアになれるのか - 詳細解説
 
Les défauts de WordPress pour le SEO
Les défauts de WordPress pour le SEOLes défauts de WordPress pour le SEO
Les défauts de WordPress pour le SEO
 
フォントの選び方・使い方
フォントの選び方・使い方フォントの選び方・使い方
フォントの選び方・使い方
 
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
 
Link Building Strategies That Increase Monthly Revenue by $240,740 #EngagePDX
Link Building Strategies That Increase Monthly Revenue by $240,740 #EngagePDXLink Building Strategies That Increase Monthly Revenue by $240,740 #EngagePDX
Link Building Strategies That Increase Monthly Revenue by $240,740 #EngagePDX
 
Cancer Care in a Post Truth World
Cancer Care in a Post Truth World Cancer Care in a Post Truth World
Cancer Care in a Post Truth World
 
Quran Chart (Arabic Presentation)
Quran Chart (Arabic Presentation)Quran Chart (Arabic Presentation)
Quran Chart (Arabic Presentation)
 
What is Deep Learning?
What is Deep Learning?What is Deep Learning?
What is Deep Learning?
 
Payments Trends 2017
Payments Trends 2017Payments Trends 2017
Payments Trends 2017
 
B2B Marketing and The Power of Twitter
B2B Marketing and The Power of TwitterB2B Marketing and The Power of Twitter
B2B Marketing and The Power of Twitter
 

Ähnlich wie Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispagatos

Reframing the Net
Reframing the NetReframing the Net
Reframing the Net
Doc Searls
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
Hackito Ergo Sum
 
Os revolution reaction paper
Os revolution reaction paperOs revolution reaction paper
Os revolution reaction paper
Marklin
 

Ähnlich wie Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispagatos (20)

2600 v21 n2 (summer 2004)
2600 v21 n2 (summer 2004)2600 v21 n2 (summer 2004)
2600 v21 n2 (summer 2004)
 
Reframing the Net
Reframing the NetReframing the Net
Reframing the Net
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
 
nullcon 2010 - Underground Economy
nullcon 2010 - Underground Economynullcon 2010 - Underground Economy
nullcon 2010 - Underground Economy
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Raoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economyRaoul chiesa - Auditing the hacker mind - da wargames a underground economy
Raoul chiesa - Auditing the hacker mind - da wargames a underground economy
 
2600 v20 n4 (winter 2003)
2600 v20 n4 (winter 2003)2600 v20 n4 (winter 2003)
2600 v20 n4 (winter 2003)
 
Write My Research Paper. Online assignment writing service.
Write My Research Paper. Online assignment writing service.Write My Research Paper. Online assignment writing service.
Write My Research Paper. Online assignment writing service.
 
Open source: can you ignore it?
Open source: can you ignore it?Open source: can you ignore it?
Open source: can you ignore it?
 
Os revolution reaction paper
Os revolution reaction paperOs revolution reaction paper
Os revolution reaction paper
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
“From Free Software to Open Source”
“From Free Software to Open Source”“From Free Software to Open Source”
“From Free Software to Open Source”
 
Mac129 med102 hackers lecture
Mac129 med102 hackers lectureMac129 med102 hackers lecture
Mac129 med102 hackers lecture
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
 
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdfLinux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
 
hackers
hackershackers
hackers
 
The Open Source Movement
The Open Source MovementThe Open Source Movement
The Open Source Movement
 
Piracy
PiracyPiracy
Piracy
 
2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)2600 v24 n4 (winter 2007)
2600 v24 n4 (winter 2007)
 
Hacking
HackingHacking
Hacking
 

Kürzlich hochgeladen

Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
SUHANI PANDEY
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
gwenoracqe6
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
singhpriety023
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Escorts Call Girls
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
soniya singh
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
SUHANI PANDEY
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
kojalkojal131
 

Kürzlich hochgeladen (20)

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
 

Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispagatos

  • 1. testtest Security Penetration TestingSecurity Penetration Testing LovesLoves “Free Software”“Free Software” Fernandez, Christian Troy CreggerFernandez, Christian Troy Cregger ReK2,ReK2WiLdSReK2,ReK2WiLdS TrizzTrizz Hispagatos, BugcrowdHispagatos, Bugcrowd HispagatosHispagatos
  • 2. _# WHOAMI Currently working at: Bugcrowd as a Infrastructure and Security engineer. Originally from Alicante, Spain, A Free software advocate since 1996, Anarchist An autodidact, am mostly self taught. Companies, do make me take certifications for Compliance… which is ok. Back in the day I loved to play all night on BBS’s finding hidden underground information, Hunger to learn as much as I could, something my mother did not really understand when the bill came at the end of the month... Then FIDONET and just soon after the INTERNET, where I used to connect using compurserve from Spain in not very ethical ways… but Telefonica was a company I was not willing to give a dime or a peseta at the moment. Groups: Employeer: Hispagatos Infrastructure and Security Engineer DC415 at Bugcrowd in San Francisco Freelancer: Stealthy-cybersecurity Penetration testing and other security services.
  • 3. And it all started…And it all started… and.. yesand.. yes as we know it today, it all started in MIT with some cleveras we know it today, it all started in MIT with some clever people playing with raildroad models...people playing with raildroad models...
  • 4. A new frontier...A new frontier... Cyberpunks, explorers and other technocratsCyberpunks, explorers and other technocrats started to roamstarted to roam the wild wild west of what was coined bythe wild wild west of what was coined by Willian Gipson at the time as "CyberSpace".Willian Gipson at the time as "CyberSpace".
  • 5. The seeds of change...The seeds of change... Richard Stallman started the GNU revolution,Richard Stallman started the GNU revolution, around the same timearound the same time the LOD or Legion of Doom and MOD also knownthe LOD or Legion of Doom and MOD also known as Masters of Deception were exploringas Masters of Deception were exploring this decentralized new frontier.this decentralized new frontier.
  • 6. Both movements, making old power structures nervousBoth movements, making old power structures nervous in diff ways..in diff ways..
  • 7. ““Hackers”, HeroesHackers”, Heroes of the Computerof the Computer Revolution:Revolution: Steven levySteven levy Gracefully documented the great hackerGracefully documented the great hacker tradition for many decades totradition for many decades to come...come...
  • 8. The hacker EthicsThe hacker Ethics Set in stone, for the commingSet in stone, for the comming generations andgenerations and an array of movements thatan array of movements that came out of itcame out of it
  • 9. Just to name a fewJust to name a few influencialinfluencial movements:movements:
  • 10. Ok, so looksOk, so looks awesome..awesome.. seems we areseems we are on the righton the right path, right?path, right?
  • 11. Well…Well… then this happenedthen this happened That and the media... this was the total assimilation of the word “hacker” in a negative way... that's just what we needed... NOT.
  • 12. And in the Free SoftwareAnd in the Free Software camp also a lot ofcamp also a lot of campaigns to discredit itscampaigns to discredit its model and ideas.model and ideas.
  • 13. Still, there were realStill, there were real hackers in bothhackers in both communities... thecommunities... the software hackers and thesoftware hackers and the computer hackers, andcomputer hackers, and this is what this talk isthis is what this talk is about…about…
  • 14. Both of theseBoth of these communities were andcommunities were and probably are the sameprobably are the same community, the toolscommunity, the tools people use for security forpeople use for security for the last 20-25 years werethe last 20-25 years were written by softwarewritten by software hackers for computerhackers for computer hacking and security.hacking and security.
  • 15. Such software, of course,Such software, of course, respected the hackerrespected the hacker ethics and was released asethics and was released as free software in mostfree software in most cases or othercases or other compatible licences.compatible licences. So here we are.. hand by hand Free Software and Computer Security.
  • 16. The moderm computer security field needsThe moderm computer security field needs hackers to write software that is open,hackers to write software that is open, free and respects the hacker ethics while at the samefree and respects the hacker ethics while at the same time breaking and going beyond what we can expecttime breaking and going beyond what we can expect as is usually done in the true hacker spirit.as is usually done in the true hacker spirit.
  • 17. Now lets forward to 2010, Computer Security is gettingNow lets forward to 2010, Computer Security is getting to be a big bussiness, hackers are in demand,to be a big bussiness, hackers are in demand, new tech fields are created over traditional ones.new tech fields are created over traditional ones. Security Engineers, Pentesters, Blue Teams, Red Teams...Security Engineers, Pentesters, Blue Teams, Red Teams...
  • 18. Pentesting is to computer hacking what Open source isPentesting is to computer hacking what Open source is to Free software...to Free software... Stripping the politics and idealism out of them to createStripping the politics and idealism out of them to create a simpler pro-bussiness market easier to digest.a simpler pro-bussiness market easier to digest.
  • 19. So yes here we are. Now we have a lot of academicsSo yes here we are. Now we have a lot of academics non-hackers doing pentesting and security.non-hackers doing pentesting and security. In the last 5 years security is a multibillion dollarIn the last 5 years security is a multibillion dollar market, a lot of software companies are trying tomarket, a lot of software companies are trying to get a piece of the pie. This is ok, but what about theget a piece of the pie. This is ok, but what about the hacker ethics? What about the freedom and the openhacker ethics? What about the freedom and the open decentralized ideas of the hacker revolution by Stevendecentralized ideas of the hacker revolution by Steven Levy?Levy?
  • 20. This talk is not intented to agree or disagree or discreditThis talk is not intented to agree or disagree or discredit any profesionals, but to be able to talk about why freeany profesionals, but to be able to talk about why free software is needed in the penetration testing world.software is needed in the penetration testing world. We have to know the link between the past and theWe have to know the link between the past and the present. So from now on I will describe hacking aspresent. So from now on I will describe hacking as penetration testing...penetration testing...
  • 21. Pentesting & FreeSofwarePentesting & FreeSofware It took a lot of time for peopleIt took a lot of time for people to understand and fully respect theto understand and fully respect the whole point that open and libre are not a threat,whole point that open and libre are not a threat, but will actually revolutionizebut will actually revolutionize the internet era…and so it did.the internet era…and so it did. The same with security hackers,The same with security hackers, it took 20 years for people to understandit took 20 years for people to understand the difference between people exploringthe difference between people exploring and pranking. The difference betweenand pranking. The difference between curiosity and real criminal behaivour.curiosity and real criminal behaivour. Today we are hired and not demonized.Today we are hired and not demonized. Others were not that lucky...Others were not that lucky...
  • 22. Popular software that hackers have written along thePopular software that hackers have written along the years that are used by security profesionals, some ofyears that are used by security profesionals, some of them are:them are: Nmap OpenVas Hydra Netcat Ncat Nikto Hping Gdb gcc Zaproxy.. Long list..
  • 23. So…. What’s the problem? Most tools are free sofware..So…. What’s the problem? Most tools are free sofware.. Like we said before… as the hacker ethics leave the field also does free software, a lot of new professionals already abandoned free software options, they use tools like BURP, comercial and closed tools made by the evolving market that are in most cases closed source.
  • 24. Sometimes… is really not their fault, some propietarySometimes… is really not their fault, some propietary tools like BURP have come a long way with no freetools like BURP have come a long way with no free competition, and these people don’t care about freedomcompetition, and these people don’t care about freedom until OWASP stepped in… now we have ZAProxy… butuntil OWASP stepped in… now we have ZAProxy… but even though it got much better in just the last 6 months,even though it got much better in just the last 6 months, it still needs more people collaborating… and for us toit still needs more people collaborating… and for us to spread the word so other pentesters will use itspread the word so other pentesters will use it
  • 25. Ok let me now give you an over view of the tools IOk let me now give you an over view of the tools I usually use when I am engaged in a pentest.usually use when I am engaged in a pentest. My main tools:My main tools: Lots of custom ruby, python and golang scripts/programs I write.Lots of custom ruby, python and golang scripts/programs I write. Some ruby examples I put along other collegues at:Some ruby examples I put along other collegues at: RuByFuRuByFu GitbookGitbook Linux(BlackArch)Linux(BlackArch) Nmap,Ncat,HpingNmap,Ncat,Hping The-backdoor-factory, Veil FrameworkThe-backdoor-factory, Veil Framework Zaproxy, Nikto, WPscanZaproxy, Nikto, WPscan Gdb/peda,radare2/ragg2,GCCGdb/peda,radare2/ragg2,GCC Recong-ng, pwnbin, google dorksRecong-ng, pwnbin, google dorks Spiderlabs/Responder, smbtools, Enum4LinuxSpiderlabs/Responder, smbtools, Enum4Linux SecLists/dictionaries, lots of personal notes.SecLists/dictionaries, lots of personal notes. Tcpdump/wireshark...Tcpdump/wireshark... Sqlmap/metasploit...Sqlmap/metasploit... Aircrack/wifite2/mitmf…Aircrack/wifite2/mitmf… Snmpwalk...Snmpwalk...
  • 26. VirtualBox:VirtualBox: I have a repository of VM’s with propietary OS’s to attackI have a repository of VM’s with propietary OS’s to attack and to compile exploits for win32 enviroments etc.and to compile exploits for win32 enviroments etc. Unfortunatelly this can’t be avoided… since you have toUnfortunatelly this can’t be avoided… since you have to experiement attacking these systems, just make sureexperiement attacking these systems, just make sure they are VM’s not your main OS :P I treat them likethey are VM’s not your main OS :P I treat them like viruses I need to study :Pviruses I need to study :P Radare2/x64_dbg/objdump/nasm/edb/Radare2/x64_dbg/objdump/nasm/edb/
  • 27. MethodologyMethodology - Information Gathering- Information Gathering Recon-ng, google, bing, duckduckgo, nslookup, dig…Recon-ng, google, bing, duckduckgo, nslookup, dig… - Enumeration/scanning, detect live Hosts,Ports etc.- Enumeration/scanning, detect live Hosts,Ports etc. Nmap, ncat, hping,Snmpwalk,enum4linux…Nmap, ncat, hping,Snmpwalk,enum4linux… - Sniffing and MITM attacks if possible..- Sniffing and MITM attacks if possible.. Mitmf, tcpdump, wireshark, responderMitmf, tcpdump, wireshark, responder - Exploitation- Exploitation --getting-shell:--getting-shell: Custom made exploit, Veil framework, exploit-db.com, Proxychains,Custom made exploit, Veil framework, exploit-db.com, Proxychains, ssh, telnet, ncat, ftp….sqlI,XXS,phising...ssh, telnet, ncat, ftp….sqlI,XXS,phising... --Privilege scalation:--Privilege scalation: Local exploits/vulns, bad permissions,Local exploits/vulns, bad permissions, misconfigurationsmisconfigurations - Post Exploitation- Post Exploitation Pillaging, mapping internal network, pivoting, repeatPillaging, mapping internal network, pivoting, repeat
  • 28. Thanks to my team members at HispagatosThanks to my team members at Hispagatos Trizz, Thibaud, Bitsurfer, sigma4, Heavenraiza, PetruknismeTrizz, Thibaud, Bitsurfer, sigma4, Heavenraiza, Petruknisme http://hispagatos.orghttp://hispagatos.org We use mattermost chat if any of you wants to join the chat ask me for an invite,We use mattermost chat if any of you wants to join the chat ask me for an invite, anyone is welcomeanyone is welcome How to Reach me?How to Reach me? I am always willing to help people starting, specially if you are an anarchist or a free software activist.I am always willing to help people starting, specially if you are an anarchist or a free software activist. KEYBASEKEYBASE:: https://keybase.io/cfernandezhttps://keybase.io/cfernandez Email:Email: rek2@protonmail.comrek2@protonmail.com Email:Email:cfernandez@protonmail.chcfernandez@protonmail.ch