
How To Get Away With Hacking by Liam Follin

BSides Leeds · 2023 · 25:27 · 254 views · Published 2023-07 · Watch on YouTube ↗

About this talk

A practical guide to breaking into penetration testing, based on the speaker's own journey and three others'. Covers the day-to-day reality of the job, essential learning resources (OverTheWire, HackTheBox, TryHackMe), the importance of note-taking and scripting skills, and advice for landing your first interview. Includes a live demonstration of exploiting a cross-site scripting vulnerability to illustrate real-world consultant skills.

Transcript [en]

uh this is how to get away with hacking um it kind of was kind of born because of something you see on LinkedIn all the time when I was the previous speakers have spoken about it as well it's like you know here's how you get into pen testing post Then followed by a list of resources longer than the average Christmas shopping receipt um half the resources on the list are questioned all the best and there is no structure to it some of it then the few poor souls you do actually grind away through this arduous mountain of nonsense content end up in an interview and realize that they're missing large portions of key knowledge um so this talk is not only based on my

own Journey but on also on the journeys of three other people um ultimately though I hope they will arm you with the knowledge that you need to really nail your first interview so obligatory who are my slide um is GitHub and you can email me um I'm a tech team leader for applications um you can see all this extra stuff on the screen Twitter is just a nonsense rambling GitHub has some pretty cool tools if you're interested in getting into fantastic or if you already are a pen tester and you can also email me questions queries or preferably cat so quick agenda a bit of Preamble um explain exactly what a transistor is touch from the law that's largely to

cover my own back I can't mine and then we'll cover the day-to-day to the job and then some warnings I'm then going to go through four Journeys the first is mine then we have uh Charlie um Jasmine and Josh um and then I'll throw some advice at the end which kind of tries to distill exactly what you know these these people have done and how you can apply that to your own Journey um obviously there's no Silver Bullet a lot of it is just hard work but hopefully we'll get a bit of that and then we should have some questions at the end so first of all quick explanation what is a pen tester um we call the medical hackers what hats

or pen testers so there's a couple of different terms throwing around as well um the order again basically similar job the tax system see its weaknesses and then reports on them so you tell them somebody what's actually going on so they can be fixed um comes in many different forms but primarily you as a tester you're given a Target or set of targets thereof and are tasked with assessing them this can be anything from a single laptop to hundreds of servers in AWS to a massive content management system doesn't really matter what it is your task is to go in there and break it and then tell the person who owns the system haven't you broke it

okay hello um some of the things I'm going to talk about here are illegal if you don't get permission so please get permission before you do this or use uh instead of doing it against Natural targets using the training platforms I'm going to talk about and whatever you do please don't go attacking random companies looking for bug bounties I don't want any emails letters or more to the point explosive devices rocking up at my flat after somebody gets arrested for doing something legal we'll do it quick explanation of the day-to-day um it's not all fun and games hacking is really really cool and we'll get into exactly how cool it is a little bit later on

um but as I said um wake up your first thing you do is you check Twitter and there's a couple of other like threat feeds that you can just be plugged into for any use security vulnerabilities you know any kind of crazy announcements and nonsense coming out of one of the other zero day Labs or or um of something that's being used to actively exploit stuff um there will be either a testing date or reporting reporting is never the most fun part of any job it's writing a large amount of text about stuff that you found and finding it's obviously the cool bit reporting on it slightly less cool but always more important uh the testing is quite cerebral you

know imagine you're given a Rubik's Cube every day but it's mixed up to a varying degree so sometimes you'll walk straight in and you'll find everything you're like all right great and then other times you're chasing the rabbit for hour and hours and some of the apostrophe syndrome some of the previous uh speakers have also spoken about um comes uh comes a creeping back in and you convince the idiot you're gonna absolutely need to bomb out and someone's going to factor out and then the next test it's all easy again and you have a great time um but as I said the report writing 15 to 100 findings in an easy to just format that's clear and concise

always quite challenging especially it's one of the hardest things we've found you know people coming into the industry are certainly struggled with it myself and I was starting to get into pen testing and people who are just kind of joining and find uh normally they pick the technical stuff up a little bit faster because there's loads and loads of research content we can talk about that later to help teach you how to hack things how to write about packing there's a lot less um so that's kind of always the harder part of the job is the hardest part to teach and hardest part for people to kind of really get to grips with um back to the day-to-day calls with

clients to discuss our tests you're talking to the incline all the time you're kind of working in a big cyber security company or consultancy um and then after work get back to self-development again so that's solving Labs like they had a code we'll get to that later reading up on new attacks that have come out some really cool um adcs ones have just been over the past six eight months you know coming out which are really awesome and then of course you've got to have a simple favorite Tipple as well I've got a couple of bottles of whiskey lying around here somewhere um you've got to enjoy yourself at the same time that is an important

part of being a tester so first one's me hi um Apprentice Junior pentester check team leader and then um well okay so the last one hasn't happened yet right I'm holding out hope I did start as an apprentice I moved through to Junior pen tester in uh junior pentester after suffering through uh BCS qualification which oddly enough doesn't feature in any recommendations of mine later and then grab my way to check team leader in applications with a small Pit Stop away doing some kind of threat intelligence work um more than a few mistakes were made along the way by my own admission and hopefully I can have some of you avoid them if you do decide to come and jump

into fantastic such change is born there is a common theme here we've got journey two which is uh Charlie who may be in the audience today so hopefully so um Charlie started with marine biology moved on to stock analyzen then Junior pen testing and now check team member and manager um his journey is taken in from being a fish sign s he's so eloquent it calls it through the hard graft of being shown in the shift Workshop analyst and passing the suspect somebody did it by running a job as a junior pen tester and that pop skip and a jump to a team member a while Divergence from sharks and coral but there is a common theme here in Marine

Biology and in it you have to be able to grasp both depth and breadth both of them green biology quite literally been quite deep and quite wide and it being figuratively so our third journey is Jasmine so Jasmine here flew so fast through her career she's the only one that was never technically a junior pen tester um but trying straight from one of our graduate courses all the way through through the chat team member in what can only be described as a Whistle Stop tour of a hacking Jasmine's very background is a testament to how to make hard work pay off um and you know the experience that you're getting from things like the Merchant

Navy working in civilities offices you know battles with with the law have prepared her well for the tough task of switching it off and on again I'll but more seriously as well as to the credits against testing a high variety of high-profile clients there is obviously a common theme here which we'll start to listen soon but Journey four will refer back to all of these people in the company slides is Josh so started off somewhat more traditionally than the last couple of people uh Southern forensics degree um he was then a developer for about three days I think um then Junior pentester and then check team leader for perhaps um you started I guess a traditional

route in cyber degree um but if you actually go and ask him about it it didn't help him that much which is I think a common theme from the other speakers today either they don't have a kind of traditional degrees or um they weren't necessarily the biggest fans of them um but it was a burning desire to break stuff that really drove just to be great what it does and His short stinters as a developer reminded him that breaking stuff is wildly more fun than building it we do have we do build our own Labs as well again I'll get on to that and uh I can attest that breaking them is uh way more fun than saying they're writing

CSS files um this but yeah this uh this kind of burning desire um to Break Stuff led him to be an objective leader the tender age of 23 which is no no not an easy thing at all as anyone who's sat those those crazy exams what he did cyber scheme or Crest will attest to so those are the four Journeys again we'll be referring back to those over the next a little bit of time um we'll kind of move on now and start to distill so there's a bit of advice for various parts of your journey through it so there is some advice for beginners um there's then some advice for people who are trying to make that leap into

like you know maybe maybe it's into check work maybe since it's just a specialized area of testing iot or red teaming um and then it doesn't really matter where you want to go what really matters is that you have a kind of Direction a path and a more to the point a plan of exactly how you're going to go and exact a lot of these are these things are knowing where you where you want to end up or not maybe not even knowing where you want to end up but having an idea of what you like doing and figuring out what you like doing and then figuring out the other ways I like doing this so that means I should probably go

and do this, because of something like that. So, advice for beginners, real beginners, maybe if you haven't even touched a computer before (well, hopefully you have), we've got some resources on the screen here. These are just a couple of ways of starting to get introduced to hacking, and all of them give you a very good basic understanding of the techniques that certainly I use on a day-to-day basis. OverTheWire, especially the Bandit levels, which are shown on the screen there, is a must for learning basic Linux commands. It's also a good introduction to what capture-the-flags are going

to start looking like. If you want to use those gamified solutions to learning these things then it's really excellent: you just SSH into a box, and from there you try and capture the flags. It teaches you all about the different Linux commands, which obviously you'll use on whatever distro you really fancy. That will set you up very, very well. If you want to focus more on the infrastructure side of things, TryHackMe and HackTheBox are great introductions, but if web apps are more your jam then download Burp Suite Community Edition and have a crack at the PortSwigger Web Academy course. Learning how to leverage those resources

will be quite important for when you get to your first interview. So even if you start today with no understanding of what pen testing really is, you start to slowly work your way through that. OverTheWire was the first thing I did when I was looking to get an apprenticeship; I think I was about 17 at the time, and I sat down and there's 34 labs in Bandit, and they go on and you can do some of the other ones, and just the knowledge that gave me really helped me when I was starting to do it for real, when I went to work my way through the apprenticeship and start to go on client work,

to understand how Linux works; at least that's what it really helped with. Black Hat Python: there's going to be a controversial opinion coming in some later slides, so be warned, but Black Hat Python's a great book and a great introduction to offensive coding. You don't have to know all the things it talks about, it goes pretty in depth on some things, but it's still very useful to have. And obviously PortSwigger, TryHackMe, HackTheBox, they're all very, very useful for learning the actual techniques of it. Another great thing that you'll need to do is you need to learn how to make notes. I use Obsidian to take my notes. I

know some people like to do other things; one of the people whose journeys I was speaking about previously likes to use text files, just hundreds of text files, which causes me physical pain, but it seems to work for him, so fair enough. But yeah, make sure you've got really good notes, because if you do walk into your first client system knowing how to attack ADCS or perform DOM-based cross-site scripting or any of the other things you might want to know, you'll have an easier time than most, and it'll give you something to talk about. If an interviewer says, do you have a favourite vulnerability, you can go, yes,

it's cross-site scripting, server-side request forgery, relaying things on internal networks; no matter what it is there will be something that you can talk about, and it really shows your passion, that you're interested in the industry. So, moving on from advice for beginners: be warned, right, everybody wants to be a hacker. If you walk into a classroom full of six-year-olds and you say, who here wants to be a hacker, you know how many hands would be thrown up, which does make the industry incredibly competitive. It's also not necessarily your standard nine to five; you will need to work outside of that, not only to excel but also

just to maintain a reasonable level of Competency um because it's very wide and very deep because it is an industry that's incredibly complex and very very hard and that's just the technical stuff you know there's reporting on top of that Consulting travel difficult clients the exams suck not even not just the offensive security ones but all of them are quite long or a lot of revisions or work hours it is tough um but don't let that put you off and if it hasn't put you off let's have a Ganda what you'll need to start on in order to start standing out a little bit more in inside or at least in this first couple of interviews

um I'm going to say it again the really important things immediately make good notes um really good notes and make them about everything anything you see find or do on a catch the flag when you're solving any of those labs when you run try Hackney when you're doing the pause for your Academy slap it in your notes as I said are you subsidian it's fine it's the best and you can integrate it with Git very very easily but really doesn't matter how you take your notes just make sure they're really easy to do this format and make sure you can search them as well because if you if you've got like a massive Bank of notes and you're

thinking oh I know how to do this because I've done this before if you can just there's a search function built in you can find it really fast and then you're not spending 60 hours going through text documents um and then the other thing about notes is make sure you know how you talk to yourself as it'll make them easier just to understand and you need to use them so I was sitting the um the cstl exam without going into too much detail I didn't realize that your screen was shared with the examiners so a lot of my notes had profanity in because I was writing them at 11 o'clock at night and everyone was revising

um so maybe maybe not so that so much but again if it's how you talk to yourself and you then when you're reading it back to you or just sound like you're talking to yourself you'll be able to understand them a lot better and the other big one is make sure to practice every day it doesn't matter if it's 10 minutes reading you know Cyber Law or 10 hours doing Labs um hacking is a bit like Tesco every little helps so these the other side to kind of the tips and tricks they're not really tricks a lot of it's just about you know keeping on going um is uh try and understand which bit you fall in love with straight away if

you know that you really really enjoy um my packing or really enjoyed like Cloud um or enjoy attacking Microsoft's ad show then there's positions for you that will focus a lot on that and you can focus on that kind of area of testing let me view about your specialism and if you're very passionate about something it'll become all these late nights you know these 10 hours dig Labs or the crazy grind or the awkward clients won't matter so much because you're actually doing what you love um I know I appreciate it it's a cliche you know do what you love and you haven't worked a day in your life but it's also quite true uh mainly an

application guy I did a lot of other areas of pen testing as well but there's something about seeing like that old vanilla PHP app that just gets gets my yeah gets my juices going um I'm sorry that's why I decided to pursue have a great time doing it um addendum to that is it's also as an industry it is paid quite well um but it doesn't pay enough to make it doesn't play enough to negate the fact that you'll be miserable if you just got into it for the for the money um as I said I've got the self-development time a lot of other things aren't necessarily the most fun parts of the world but yeah you

do get to call yourself a hacker at the end of the day, which works surprisingly well on Hinge. So the other part is automation. I know I mentioned a controversial opinion earlier; it's time for that hard truth. To be a good pen tester, do you need to know how to code? Well, no, not necessarily, but to be a great one you do. The ability to write your own exploits becomes invaluable when common tools like Burp Suite or Metasploit reach the end of their capabilities, which they do. To demonstrate, I'm explaining exactly how knowing how to automate attacks is so important, or at least knowing how to code and how to

build different techniques into these sorts of things. I do really want to ram home that learning how to code, or how to program, even if it's just scripting, is a key part of both demonstrating exploits to clients and improving yourself as a security professional. Again, you don't have to do it, but specifically for pen testing it's crazy valuable. We start every test off with a load of scans, and if you can just stick that in a Bash file, or write it in Ruby or in Python or even in Lua, or in Go, then the first thing you do, instead of

firing up loads of terminals running different scans and then having to interpret it all, is just one script. You go ./script.sh or script.py, whatever it is, and it just does all of that for you. Knowing how to write that, and then also debugging it, things like that, will save you a massive amount of time, which means that you can go and demonstrate value in other ways, because all your low-hanging fruit have been crossed off by the script that you wrote, or the thing that you cobbled together. It also means that when tools break, which they like to, especially if you're on site with no internet (always seems to

be the case), and you're left staring at this horrific stack trace, if you know a bit of scripting, you know how to write a little bit of code, especially in the common languages (Ruby and Python are two of the common ones; Go is getting a bit more common), if you're able to understand that, you're able to fix your tools on the fly, which means you're not sat there awkwardly going, sorry, client, I can't manage to do anything because I don't understand the tools that I'm using. And it'll help you explain things as well. So it's not going to be a code-with-

me, but a bit on JavaScript, because a practical example of exploiting cross-site scripting will give you a bit of an understanding of what the day-to-day is like as well, and then also hopefully this doesn't scare anyone off. So this comes from a particularly spicy reflected cross-site scripting vulnerability that was discovered in tandem with a colleague of mine, Kieran, so thanks, Kieran. Now, I have a pretty visceral hatred of alert(1). I don't know if anyone's ever worked either in pen testing or kind of pen-testing-adjacent and had to read the reports; sometimes you'll see a little alert box screenshot where it'll be like, oh, we found cross-site

scripting, and there's a one in the box, and it proves absolutely nothing. That's not really demonstrating exploitability to a client, is it? And I've had to have this argument many times, or had to then go in and have calls with clients where other people have submitted reports with a one in a box and they're like, oh, why is that bad? And you have to explain. So instead we'd like to deliver a little bit more value, and again, if you can do this in an interview then it again is showing the consultancy skills and the technical skills, and once you put those two together you're in, you basically, you're in luck.

The injection point for this was authenticated and it was in the URL, which is pretty good, but strings for some reason weren't quite working because of the injection point, so we had to go figure that out. Anyway, this isn't a code-with-me, and I'll try and do this reasonably fast because I've only got seven minutes left. So, for the more seasoned programmers in the room, there's a function that's called different things across different languages; JSON.stringify is the common one. As a good explanation, it takes complex strings and makes them safe to include in a JSON structure, so you can take a user's input in an app, for example, you can JSON.stringify it, and then you

can stick it into JSON, fire it off, and then decode it from the other side. Awesome. But our payload was being incorporated into a JSON structure and then reflected afterwards, but because of the backslashes it was breaking, which obviously is pretty annoying when you're trying to demonstrate this value. Again, we could have left it at alert(1), but we don't like doing that, me specifically, definitely. So we tried to get kind of clever with it and add a load more backslashes to try and escape the backslashes; then maybe we could have done something with that, but it doesn't necessarily matter, that will work in some instances, and there's some

excellent labs out there that will go through that, but it didn't work in this one. In this case it wasn't working, as you can see there, and that's not exactly how it was working in the app, but functionally it was. We even tried grave accents in terms of bypassing filters. But we knew we needed to include some kind of string if we were going to exploit anything, because we needed a URL in there. All right, how are we going to do that? String.fromCharCode doesn't require any quotes and returns a string object. Yes, success. So now we can pass it to any other function quite

happily. Lovely stuff. We can now use that straight in our attack. The application actually didn't set any of the recommended cookie security flags (always set your flags), and it was an authenticated page, so we're going to cut out a little amount of history, which was some authenticated cookie. The phrase "hacking tools and breaking rules", don't use that in any official documentation, clients don't like it, speaking for a friend. We now have our string, so the easiest way to exfiltrate cookies is to incorporate them into the path of a URL to a remote server, then send the GET request to that URL. So how you actually send that is pretty easy: there's something in

JavaScript, fetch; you just use that, sorted. Another thing that you can use to help, appreciating I'm running out of time here, another thing you can use to speed up your exploit generation is that JavaScript executes in your browser, not on the server, so you can really easily, using Python, just python -m http.server, bang, you've already sorted out a little server that you can then use as a demonstration of how things get exfiltrated. document.cookie, okay, we'll skip over some of this, but talking about cookies, that's how you access cookies client side. You can then use concatenation to concatenate strings together; again, "hacking tools and breaking rules", don't use

any dots. So we are then left with this: jQuery.get (we used jQuery in this instance; this is supposed to be fetch), String.fromCharCode, document.cookie, and hey presto, we get all the cookies sent back to our server. Those aren't actual real auth cookies, they're taken from Google, but that's the idea. You remember on the previous slide saying be warned? Well, here's the other side of that message. I know the previous example can be quite intimidating, especially if you've never done any pen testing before, but ultimately of all the advice I can give (and I have been accused of liking the sound of my own voice before) the one thing you need is

perseverance. Of all four journeys I showed you earlier, there is a single underlying factor: none of us gave up. I've actually done martial arts for most of my life, and there's a famous phrase in that community: a black belt is just a white belt who never quit. So as I said earlier, hacking is just like Tesco's, every little helps. Spend 10 minutes a day and eventually you'll get there. Use all the resources I just showed you, but if you keep chugging along, even if it's just 10 minutes, even if you're exhausted and you just go, okay, just one question on something, eventually it will pile up. Look at that.
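The reflected-into-JSON bug and the missing cookie flags from the demo above, seen from the fixing side. This is an added example, not the talk's payload or the application it describes: it contrasts a naive embedding that only escapes quotes (the pattern that broke on backslashes) with a JSON.stringify-based one, and adds a Set-Cookie check; all inputs are constructed.

```javascript
// Added example (not from the talk or the application it describes): embedding a
// user-controlled value into an inline JSON structure, first the way that breaks
// (quotes escaped, backslashes left alone), then the hardened way, plus a check
// for the cookie flags the talk says were missing. All inputs are constructed.

// Naive embedding: only double quotes are escaped. A trailing backslash from the
// user cancels the closing quote and breaks the JSON string the app intended.
function naiveEmbed(value) {
  const escaped = String(value).replace(/"/g, '\\"');
  return `<script>var cfg = {"q":"${escaped}"};</script>`;
}

// Hardened embedding: JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep the literal from terminating the
// surrounding <script> element or being misread by the HTML parser.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function safeEmbed(value) {
  return `<script>var cfg = {"q":${safeJsonForScript(value)}};</script>`;
}

// Pull the object literal back out of the rendered markup and check that it
// parses and still holds the original value. false means the value broke the
// JSON (or the string context it was supposed to stay inside).
function roundTrips(embed, value) {
  const html = embed(value);
  const start = html.indexOf('var cfg = ') + 'var cfg = '.length;
  const end = html.lastIndexOf(';</script>');
  try {
    return JSON.parse(html.slice(start, end)).q === value;
  } catch (e) {
    return false;
  }
}

// Count closing script tags in the rendered markup: a correct page has one.
function closingScriptTags(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Report which of the recommended attributes a Set-Cookie header is missing.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some(a => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed inputs: a trailing backslash and a closing-tag attempt.
console.log(roundTrips(naiveEmbed, 'a\\'), roundTrips(safeEmbed, 'a\\'));
console.log(closingScriptTags(naiveEmbed('</script>')),
            closingScriptTags(safeEmbed('</script>')));
console.log(missingCookieFlags('session=deadbeef; Path=/'));
```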