2. Ahmad Muammar WK, OSCE, OSCP, eMAPT.
•Professional hacker/Penetration tester
•Doing offensive security/hacking for 15+ years
•Founder of echo.or.id & idsecconf.org
•Web: http://me.ammar.web.id
•email: me@ammar.web.id
•twitter: @y3dips
3. A Journey into Pen-tester Land: Myths or Facts - y3dips
•About Penetration Testing
•How to become Penetration Tester
•Myths or Facts Around Pen-test
Agenda
5. A Journey into Pen-tester Land: Myths or Facts - y3dips
•A way to validate/check the level of security on every aspect of IT infrastructure.
•Also to ensure that necessary security
controls are integrated into the design and
implementation.
•To prepare for better enhancement
IT Security Assessment
6. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Vulnerability Assessment
•Penetration Testing
•Security Audit
IT Security Assessment
7. A Journey into Pen-tester Land: Myths or Facts - y3dips
•A vulnerability assessment is usually carried out by a vulnerability scanner application. Most of these products test the type of operating system, applications, patch level, user accounts and so on.
•Vulnerability scanners identify common security configuration mistakes and common attacks.
Vulnerability Assessment (VA)
8. A Journey into Pen-tester Land: Myths or Facts - y3dips
Vulnerability Assessment (VA)
9. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Mostly checklist-based (corporate security policies, or regulatory standards (ISO) or PBI)
•IMPORTANT for complying with security policies, legislation and standards
•e.g.: are there any backups? ANTIVIRUS?
Security Audit
10. A Journey into Pen-tester Land: Myths or Facts - y3dips
Security Audit
http://vsanspareil.com/security-audit-report-template/security-audit-report-template-2/
11. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Is when a “hacker” does the attacker's work.
•The only goal is to get as much as possible and as deep as possible when breaking into the system.
Penetration Testing
12. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Vulnerability Assessment identifies the “possible” vulnerabilities (including false positives).
•Penetration Testing validates the vulnerability.
VA vs Pen-test
13. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Security audits are important for complying with security policies, legislation and standards.
•Pen-tests complement security audits and help to fix security threats before an attacker discovers them.
Security Audit vs Pen-test
14. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Check what sensitive information is available.
•Check what kind of privileges the pen-tester gains.
•Check if it is possible to escalate privileges.
•Check if a vulnerability can lead to more exploitation (another application, system, or server, scope).
Pen-test
15. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Should be only Blackbox!
•Black box: 0 information about the system, maybe only the IP/domain name. Full attacker perspective.
•Grey box: partial information about a system; simulates an attack by employees or vendors.
•White box: significant information about a system, source code/configuration review.
Type of Pen-test
16. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Ideal = no scope that limits the activity.
•Wired Network Infrastructure
•Wireless Network Infrastructure
•Application Infrastructure
•Operating System Infrastructure
•Physical Infrastructure
•Social Engineering (people hacking)
Pen-test Scope?
17. A Journey into Pen-tester Land: Myths or Facts - y3dips
Pen-test Methodology
18. A Journey into Pen-tester Land: Myths or Facts - y3dips
ISSAF
19. A Journey into Pen-tester Land: Myths or Facts - y3dips
Demo [Video 1]
21. A Journey into Pen-tester Land: Myths or Facts - y3dips
•IT Security Officer
•IT Security Analyst
•IT Security Auditor
•IT Security Engineer
Information Security Professional
22. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Security contact point for the organisation
•Principal advisor for IT security
•Ensures the security program is running (security awareness course, etc.)
•Creates security policies, procedures, hardening guides
•Title: CSO, CISO, Head of IT Security, VP Security, IT Sec Manager
IT Security Officer
23. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Monitors all types of access to protect confidentiality and integrity
•Provides direct support and advice to the IT Security Manager
•Title: System Security Analyst, Network Security Analyst
IT Security Analyst
24. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Auditing an organisation's technology processes and security.
•IT General Controls Reviews
•Application Controls Reviews
•Title: Security Auditor, Penetration Tester
IT Security Auditor
25. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Maintains the computer hardware and software that comprise a computer network
•Performs security hardening and configuration
•Title: System Security Engineer, Network Security Engineer
IT Security Engineer
27. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Penetration Tester
•Ethical Hacker
•Professional Hacker
•Information Security Professional
•Red Team officer
Pen-tester
28. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Recently a new ‘hot’ profession, beyond and separate from Security Auditor.
•Nowadays there are many information security curricula, faculties, even a university.
•High demand because of regulation, especially with the growth in electronic transactions.
Pen-tester
29. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Skillset, Knowledge
•Experience
•Attitude
•Able to work independently or in a group
•..
Requirements
30. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Knowledge of Operating System
•Knowledge of Networking
•Knowledge of Application
•Knowledge of Programming
•Much more :)
Skillset, Knowledge
31. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Self-taught Hacker
•Formal Education
Skill & Experience
32. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Joins a community/hacking group
•Gains hacking knowledge by hacking
•Hack to learn, not the other way around.
•Often starts as a kiddie and works the way up to hacker
Self-Taught Hacker
33. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Newbie (larva) > kiddies < Hacker (elite)
•Know the tools, are able to use and modify them, but do not know how the tools “really” work.
kiddies
34. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Gains information security knowledge from formal education, courses, certifications
Formal Education
35. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Most universities (nowadays) have an info-sec curriculum.
•ITB has a master's engineering program in Information Security.
Formal Education
37. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Self-Taught [+] / Formal [-]
•Proven Skill and Experiences
•Able to do a proof of concept
Self-Taught Hacker vs Formal
Education
38. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Self-Taught [-] / Formal[+]
•Lack of Methodologies
•Lack of organisational/managerial skills
Self-Taught Hacker vs Formal
Education
39. A Journey into Pen-tester Land: Myths or Facts - y3dips
•[+] Need to Boost
•Willing to learn, share and teach.
•Eager to learn new things faster.
•…
Attitude
40. A Journey into Pen-tester Land: Myths or Facts - y3dips
•[-] Need to avoid at all costs!
•Becoming a Drama Queen/King!
•Taking selfies around the data centre, client servers, targets.
•Publishing posts on social media, especially about clients and their weaknesses, with or without an NDA.
•Always taking and never giving.
Attitude
41. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Able to work Alone (individual),
•or a Team Player
Work
42. A Journey into Pen-tester Land: Myths or Facts - y3dips
Demo [Video 2]
44. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Myth!
•Penetration Testing validates the
vulnerability.
•If the company gets pen-test reports that look like VA reports, then blame your pen-tester selection process.
Pen-test is just “marketing VA”
46. A Journey into Pen-tester Land: Myths or Facts - y3dips
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
47. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Myth!
•They do need knowledge about the target, but need not be a master of everything (since that won’t be possible).
•A great pen-tester should be a fast learner and able to adapt, since most of the systems are ones he has never interacted with or even heard of.
•Technologies are always changing and improving, so it is hard to stick to only one.
Great Pen-tester is “master” of
programming, networking, ….
everything!
48. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Myth!
•Ideally a pen-test does not cover every vulnerability, because it only covers those that give access, even the smallest vulnerability.
•Security is a process.
•Now you are secure; the next minute you are not.
•Compared to an actual criminal, a pen-tester is limited by time, scope and resources.
After fixing pen-test result,
Yeay we are secure!
49. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Myth!
•Truth is VA results are equal!
•Even with the same school or certifications.
•That's why a “smart company” spends time on sorting through the pen-testers (beauty contest, administration, going through the CV of every pen-tester, etc.)
Pen-testers are Equal!
50. A Journey into Pen-tester Land: Myths or Facts - y3dips
•Myths!
•Targeting low-hanging-fruit vulnerabilities first.
•Weak/default passwords
•Use of out-of-date and vulnerable versions.
•Security misconfiguration
•…
•Well, some are really sophisticated, since the target has already been pen-tested over and over ;)
Wow, pen-test is always
sophisticated!
51. A Journey into Pen-tester Land: Myths or Facts - y3dips
Wow, pen-test is always
sophisticated!
https://xkcd.com/538/
52. A Journey into Pen-tester Land: Myths or Facts - y3dips
Wow, pen-test is always
sophisticated!
http://allthetropes.wikia.com/wiki/Hollywood_Hacking