
We're going to talk about pen testing, and pen testing from a different perspective. A lot of the pen testing that's happening today is really for dummies; in fact there are books, fantastic "For Dummies" books, I think. But we'll make it more complex, more interesting, and we'll explain and demystify a couple of things throughout the presentation. I'm going to give you actual practical hints: what to try and what things you can do in 2023 to do pen testing successfully, with actionable results.

I'm going to introduce myself a little bit and tell you who I am. This is what I look like if I'm wearing a tie, but I consider myself an IT professional. Yes, I have an accent, and my native language is Russian, but I'm not from Russia. I was born in Ukraine a great many years ago, and I have been in the United States since 1989, so this is my home. I have never been a hacker; I've been an IT professional, and that was my initial calling. I began to try to understand how things work out of curiosity, natural curiosity, and as I progressed I became a security, a cyber security, professional. It was actually a great time to be growing up in technology in the early 2000s. I started questioning whether even commercial software is written correctly, whether it's bug free, how things really work, and how to get further. In the past decade and a half I really started watching how hackers work, how their minds work, and started hunting cyber criminals. If you Google my name there are quite a few hits there about the successes of me and my company achieving really big victories against cyber criminals. One of the last things we did that hit Forbes Magazine was taking a Bitcoin and a half from Russian drug lords and moving it to a Ukrainian charity. So we try to do good things and really use cyber security for the good stuff, but stopping cyber crime is very, very important. And my not only guilty pleasure but the oldest cyber security skill that I have is penetration testing,
pen testing, and that's what I'm going to be talking about today. I'm talking about a lot of history: literally more than ten thousand pen tests behind me and my team, on companies of all sizes, from very small companies to million-plus-device pen tests. So this is all from experience, and really good hints for us.

I'm going to tell you a story about my first pen test. It happened in 1997. Some of us maybe weren't born then; definitely not many have been doing pen testing since 1997. This was also the year nmap was invented, by the way, so I didn't use nmap for the first pen test. I was very, very young, in my early 20s. I was hired by a relatively small company to do a security test, and they had this new cool thing called a firewall. I was hired to do it over the weekend so as not to impact the stability of computers that were rebooting anyway by themselves. So I did the pen test. I remember I got paid $500 for roughly four hours of work; that was normal labor at the time. But it was the first pen test I had done, and it was so much fun and exciting. On Monday I called the guy who hired me, the IT manager, told him about the results, and said, "Hey, you know, you guys, as far as I can tell, don't have a firewall." The guy got really upset. He yelled at me on the phone and pretty much fired me. So that was my first pen test. But I got into the router, the internet router; I saw the number of hops; I didn't see an extra hop; I didn't see any traffic filtering; I didn't see any other entries. You know, I was relatively smart at the time; I didn't get better afterwards. But two weeks later the manager called me and said, "Hey, we want to meet for lunch." And I was like, okay, well, if you want to yell at me in person, go ahead. So I came out. I didn't have a car at the time, so it took me a while to get to the place. He went for lunch, and he sat down with me and said, "I found the firewall." So this is the story of what happened to the firewall. The company had spent quite a bit of budget at the time to buy the firewall appliance and sent two guys from IT to get trained on the firewall. One of them got certified. One guy left within a month; the other guy left within three months. Before the second guy was leaving, and nobody really had any certification or really a clue how to use that firewall, he was asked to put an "any any" rule on the firewall so that things would be easier to support. But the first time they had a network problem, the brilliant network guys actually routed all the traffic around the firewall. A couple of weeks later somebody needed a network cable, as the switch was full, so they took the network cables from the firewall and disconnected the firewall from the network. And then at some point somebody needed rack space, and they removed that big black box that was taking 4U at a time and put it in a
storage room. That's where the manager found the firewall. So he said that technically they have a firewall, it's just not in the right place. So I got paid. But pen testing is not an easy science, if you understand, if you've ever done this, and I'm going to usher you through some challenges, some interesting things that are out there to consider about what pen testing should be and really is.

Penetration testing is not compliance. Compliance to me is best practices, because if we don't have best practices we're not going to do the right thing. If we don't have rules for how to drive, we're all going to drive crazy, but we need to follow the driving signs and so on, or the speed limit. We know where to bend the rules; compliance is there to keep us within those lines. Vulnerability testing is also not pen testing, because vulnerability scans show you classical vulnerabilities, CVEs and such, but you're not going to discover things. Vulnerability testing is another type of assessment; it's a valid assessment, but it's not a pen test. And red teaming, which is also a good way to do this, but red teaming to me is more about capture the flag. A red team would go through the tools available to them, but they are not always going to test everything. A pen test to me is about thoroughness: if you found one way in, good, you document it, and you keep going to the next vulnerability. Red teaming is more capture the flag: they use one vulnerability to get in and go further and further and further to show the impact. Pen testers, only if they want to show off, want to use that access to get much further, but the goal of a pen tester is to test all the ways in. Because, as I often say, when hackers, when cyber criminals attack your infrastructure, they are like pen testers; they just don't share the pen test results with you; they keep it to themselves. And also on the defenders' side, on the blue team side, we need to be 100% right, because the bad guy is only looking for one way in, and pen testers have a job to do this 100%: find as many vulnerabilities as possible.

From that perspective, I want to talk about the ideal pen tester. Who is a pen tester? I hire a lot of pen testers (we are hiring), and we definitely look for certain things. I'm not only going to look at the technical capabilities of a person; they can be brilliant, they can win a lot of capture the flag exercises and so on, but the question is: okay, do you know how things work? Do you have
natural curiosity, or are you going to follow step one, step two, step three of a fantastic manual, which doesn't exist in my head? So curiosity is extremely important. If you're curious about things, about how things work, and then you have basic technical capabilities, you're going to be a potentially good pen tester. You need to understand technologies. I think technologies are the key: if you understand how technology works, you can take things apart. We have a different type of job, so developers don't really like pen testers, because we really figure out the things that they screwed up, but we need to be partners for these guys, because if we understand the technology we can find weaknesses in the technology. If you have no clue about the technology, about the protocol, about the infrastructure, we are not going to be effective at finding every single thing that's out there. Experience with system administration, how the network infrastructure works, how interactions work: a lot of pen testers come in and say, "Hey, I can break any web application." What about not-web applications? What about the client? What about AD? What about Linux infrastructure? We want a pen tester to be versatile. I mean, there are folks who specialize in certain technologies; by all means, you're going to end up doing that, but you also have to be very good at everything, and you need to specialize in something. If you don't understand how the infrastructure works, you don't have much of a chance to be versatile. And then today, more and more, pen testing is about a developer skill set or about basic scripting. You don't have to be a full-scale developer, but you need to know how to do automation, not be driven by tools; we're going to talk about that more. But you want to actually be a developer, have a developer skill set, so you can automate everything that you're doing. I end up, in a pen test, writing two or three of my own tools because I need to automate certain functions. Some of it is very simple, some of it may get more complex. But even if you're not a developer, if you're not good at scripting, you need to have a friend who is, and that way the team is going to be much more versatile. If you have system admin experience, then your friend can be a developer, and both of you can do really, really cool pen tests.

On the different types of pen tests: we'll get into details shortly, but there are different types of pen tests, and sometimes you get to do one or the other. I want to explain the difference and why each one of them is important. Sometimes a black box pen test, where you are given almost zero knowledge, I mean besides what your target is, is a good
thing, but it's not always an easy thing. It's probably imitating real life the most, because the bad guy walks around the internet, they find your website, now they're going to be attacking it. That's pretty much the idea of the black box: without any additional knowledge, without any additional information. But there are some caveats and some weaknesses, especially in today's infrastructure. The gray box component, which is probably the most common type of pen test today, is when there is basic knowledge shared, not only about what you're testing, but you're given some kind of user access. For the most part, most of the applications, most of the interfaces today require some kind of authentication, and that authentication may be open to a small group of people, like employees; some of these components may be open to anybody who wants to register. So if you can register, if you want to test certain functionality, you need to be doing it as a user, as a user on a deeper level, because the bad guys know how to register for things. Look at some of the vulnerabilities, some of the breaches that are coming out today: somebody goes ahead and fills out information, "Hey, I want to register for access on that website," and somebody in the help desk says, "Oh yeah, I approve it." Great, now the bad guy is inside your infrastructure, and they may have access as a basic user. Can that basic user own the system? We don't know, but a pen tester can tell you. So make sure that when you talk about a pen test you're not only doing complete black box, but you have the ability to look inside the application, and it's extremely critical to understand how things work there. The other type, probably more thorough but different, is the white box, where you are given access not only to the front end but to the back end, and you're going to do an assessment based on what you see on both sides. This is not realistic: the bad guys, if they have access to the back end, are already in, so they've got all the data. But here's what you can do as a pen tester, as a good experienced professional: you can look at what happens when an attack actually ensues; you can identify the root cause of a problem. We still deal with SQL injection so many years later, because this vulnerability has been out for a number of decades and still leaves certain things vulnerable. Well, to write a SQL injection sequence is not easy, and even some tools are not smart enough to do this. But what if you can put a sniffer or a logging agent on your SQL server, and during your pen test, during your SQL injection attempts, you can see how many of your signals are actually getting to the SQL database? Maybe it's not in the right format, maybe you're not escaping every single sequence, maybe the number of columns that you're trying to put in is wrong, or whatever. But if the signal is getting across, it means it's possible, and the bad guy, with a different approach, with slightly different tools, can be successful. The same thing works for certain 500 errors: sometimes you don't see other components that are out there. And my favorite is that when you see certain vulnerabilities you may not react to them appropriately, but behind them there may be much, much more
information. It starts with a single file that may be exposed, and that may give the bad guy a naming convention that you would not guess otherwise. So if you see the file infrastructure you will be much further in. So white box has its own uses, but the level of sophistication of that is obviously different.

Scoping. To scope a pen test also takes a special skill. If you are ever scoping your own pen test, if you're setting one up, make sure that you are mentioning certain things. You can have internal and external pen tests, which are different pen tests, and make sure that you do the external pen test first, not the internal, because with the internal, if the same guys are doing it, they come up with so much about your internal infrastructure that they may have an unfair advantage over the standard outsiders. So outside pen tests first, but inside should also be a consideration. Third party: now we are within the third-party space, whether it's cloud, whether it's a hosted application; make sure that you test these things thoroughly, but you also need to make sure that you're obtaining proper permissions. Just because it's sitting in Azure: Azure has its own set of rules versus Google Cloud versus AWS and so on, so you need to follow their rules, and breaking into those environments is different and sometimes not easy. If it's a third-party hosted application you still can pen test; there may still be additional limitations, but you can actually request that these tests be on a different level. And then look at the infrastructure: what are the components of the infrastructure that you need to test, whether it's going to be all or some specific components or applications, because at the end of the day most requests coming in today for a pen test are "pen test this application." Besides this, here are the common mistakes that are made: letting the pen tester figure it out. We just got a request from a client saying, "Hey, here are five IPs, you figure out the rest." Great, thank you. Well, at least you get that list, because we would not start a pen test without knowing the limitations. It's very simple to assume that everything on the subnet or within this domain belongs to the client; sometimes it does not, and you definitely don't want to be breaking into somebody who is not related to the client. It's very easy to make that mistake and attack the wrong infrastructure. Plus pen testers may not know every single component; they may not have a full understanding of all the different components, of what's out there. One of my least favorite things is a very, very narrow test scope, saying, "Hey, here's an environment, here's a test environment that you can do all your work in, and don't do
anything else." And also make sure that you're not doing tests on an empty system. Too many times our pen test scope is within a test or QA system. Here's what happens, here's an issue with this. In 2006 the company I was working for decided to acquire McAfee's ePO, ePolicy Orchestrator, and this product was relatively new for McAfee. We said, "Hey, can we do a pen test against your infrastructure?" and they said, "Well, of course, we already did the pen test, go ahead, see what you find." So we found over 100 vulnerabilities, critical vulnerabilities. McAfee ePO is a really cool botnet, if you think about it: if you take it over, you've got agents on every computer that completely, 100%, trust you. You can run viruses on the antivirus software, because you can just exclude your signature on there, so why not? And it would do any command; it's impossible to shut down remotely. So it's really, really cool. So we showed that to them, and they said, "Well, no, you must be running an old version." No, it's the latest one that you gave us. They came back, and later the product manager from McAfee called and said, "Hey, you know, in our pen testing we made a slight mistake. When we tested ePO, it has a whole bunch of modules, like firewall, antivirus, and so on. When we tested it, we didn't enable any modules; it was just the framework." Okay, fine: testing the framework, they found no vulnerabilities; the framework is good. But within the environment, when you are enabling features and functions, you need to be testing something realistic. If you're looking at a lot of movement from user A to user B, make sure that user A and user B actually have data. If these are just empty accounts, it's impossible for you to see user B's data because there is no data, and if there is no data in the system at all, there is no way to actually get into the system and retrieve the data, because it's absolutely empty. So the more you look, the more you find that certain pen testers are always set up for failure. I've been doing a pen test on the system, but I'm the only user. Well, can I become another user? I don't know, there's nobody else to become. I can create a user. So make sure that when you test, you test in the right place, on the right side.

Excluding environments is also a bad idea, because certain environments are similar, so if you can get into one environment you can transfer knowledge from one environment to another. Sometimes a QA environment is less protected, or a dev or test environment is less protected than prod. Why can't you apply knowledge that you get from a less protected environment against the production environment? The bad guys are doing it; why can't you? It's really common sense that we as humans learn: if I see the structures and the naming conventions that were in the dev site, I can translate them across everything; instead of "dev" it's going to be "prd" or "prod" or whatever, and it's going to work. So don't exclude environments, but be careful about breaking the production environment. And also be careful because even a dev environment sometimes, if you ask the owners, really has connections to production; it's just called dev. Also, when we do pen testing sometimes there's a blacklist or whitelist: only go to these IP addresses, don't go to these IP addresses. My question is, is your blacklist and whitelist also published on your website? So when the bad guy comes in and says, "I'm going to hack the system," "No, no, this is a bad IP address, you can't go there"? No. At some point you need to test everything. If you have problems with the stability of certain IP addresses or certain devices, make sure that you fix it instead of just excluding them from the pen test.

And then let's talk about tools. It's important to pick the right tools. We really know how to pick wrong tools:
you go and get the most expensive tool out there, or an open source tool; it doesn't really matter. It's what you need to do with the tool. For open source tools you need to evaluate their function: what can it do for you, is it a point solution, is it a comprehensive solution? Read the history of the open source tool, read the reviews, read the challenges, make sure that somebody has used this tool against an environment like the one you're going to go against. It's not an overall solution for everything. Closed source tools are also nice; they are more commercial tools that may be user-friendly, but when you are fully delegating control to somebody else, make sure that you understand their methodologies. Some companies that provide their tools don't really explain; they're going to say, "Hey, it's going to give you a report that tells you if it's a PCI component or not." Well, great, but what is it testing? "It's testing everything that's a PCI component." Okay, well, fine, but I really want to run my own tests. I need to make sure that all the components that are out there are actually good components, and we test them properly. I used to have a slideshow of 10 or 12 different slides showing the attestations from companies and then the real vulnerabilities discovered. One of them that is very clear in my memory is that the PCI attestation from one company said, "We talked to the developer; the developer said that we have no SQL injection vulnerabilities," and when we found one, the developer didn't know about it. This was a true attestation. The bad guys don't care about it, and your customers that lose their data won't care about it either.

When you have tools, and we talked about scripting and the other components, make sure you customize things. Does anybody here use DirBuster? Does anybody know when DirBuster was last updated? 2009. But it's open source; you can tweak things. We are continuously improving DirBuster and its capabilities; we are continuously updating the list of keywords and putting new things in. And dirb, I think, stopped being maintained in 2011, which is the Linux equivalent of it, but you can still improve it. You can rewrite certain code, you can look at certain things to make it more efficient. Even if certain functions are broken, if certain components are broken, if it's open source you can actually improve it, and you can actually mold it to what you need, and this is the coolest thing ever, because we can keep developing these things even though the owners are no longer using them or no longer maintain them. One thing about tools is about using default
settings. If we are using the default settings, we are really assuming that this test is absolutely the same as everybody else's. If you're doing it on a third party, think about it: they have already probably run some kind of security scanner. If you don't customize this, if you don't account for special conditions, for example certain cookies that you need to put in, certain conditions, even the locale of your computer and so on, you may actually be testing and getting default responses, but these responses won't be as effective as the normal things. DirBuster and dirb actually return a lot of interesting things. In the past couple of years we've seen several dozen vulnerabilities based on the 302 web code. 302 is a redirection, a redirection based on a certain restriction or command. So when you're running these things, look at the size of the 302 return. Usually it's very, very small, under one kilobyte; it basically tells you to go elsewhere. All it does is say code 302, the new location is here. What if you get a 10 kilobyte or 100 kilobyte response or more? Well, you know what happens: in some badly written code they render the full page, and then one of the last lines of code is like, "Oh, you're not authenticated, go elsewhere." So it actually sends you the entire page, but then, based on that code 302, you're being redirected. If you look at the size of your 302 return code, you may see if it's not uniform across: if it's a couple of bytes it's okay, but if it's 10 kilobytes, 100 kilobytes, and so on, you're actually getting data back. So when you're doing a pen test, look at 302 codes, and it's amazing sometimes how easy it is to override these codes: all you do is strike the Location and change your 302 to 200, and all of a sudden your page starts rendering. So these are the common techniques that you can use. The tools would never do this; the tools would say, "Hey, it's 302, go here," and you're going to follow that. By the way, this is DirBuster's default function, but if you actually switch over to don't follow redirects, you're going to see this information. So we run DirBuster always twice. It's interesting how things can open up if you go outside of the tools. Using the wrong tools: if you have a single set of tools, like Nessus, and assume that it will give you everything that you need, no, it will only give you certain functions, certain components. Understanding what the tool does is part of your success. We use different
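The 302 body-size check described above, as an added example that is not part of the speaker's talk or of DirBuster: a small Python script stands up a constructed target (the paths /, /admin and /secret and their page contents are invented for the illustration, and the 1 KiB threshold is an assumption) and requests each path without following redirects, the way the speaker runs DirBuster the second time. A redirect that arrives with kilobytes of HTML is reported for manual inspection.

```python
"""Added example: flag redirect responses that carry a full page body.

Not code from the talk. It reproduces the 302 size check against a
constructed, in-process HTTP server; paths, page contents and the 1 KiB
threshold are assumptions for illustration.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed target. /admin has the bug the speaker describes: the handler
# renders the whole protected page and only then decides to redirect.
# /secret redirects correctly with a tiny body; / is a public page.
PAGES = {
    "/admin": (302, b"<html><table>"
               + b"<tr><td>user@example.test</td><td>hash</td></tr>" * 200
               + b"</table></html>"),
    "/secret": (302, b"Redirecting to /login"),
    "/": (200, b"<html>login form</html>"),
}


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = PAGES.get(self.path, (404, b"not found"))
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "/")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class NoFollow(urllib.request.HTTPRedirectHandler):
    """Stop at the 3xx instead of following it (the 'don't follow
    redirects' switch the speaker flips in DirBuster)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoFollow)


def fetch(url):
    """Return (status, body) without following redirects."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises for the unfollowed 3xx
        return err.code, err.read()


def suspicious_redirects(base, paths, threshold=1024):
    """Paths answering with a 3xx whose body exceeds `threshold` bytes.

    A pure redirect needs only a Location header, so a large body means the
    page was rendered before the authorisation decision was made."""
    findings = []
    for path in paths:
        status, body = fetch(base + path)
        if 300 <= status < 400 and len(body) > threshold:
            findings.append((path, status, len(body)))
    return findings


def run_demo():
    """Start the constructed target, run the check, return the findings."""
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return suspicious_redirects(base, ["/", "/admin", "/secret", "/nope"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status, size in run_demo():
        print(f"{path}: {status} with {size} bytes of body, inspect manually")
```

Run it directly to print the findings. Against a real target, replace the constructed server with the host under test and feed the path list from the wordlist; the body of an unfollowed 3xx is exactly what a tool discards when it follows the Location header, which is why this pass has to be done with redirects disabled.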
components, different libraries, different things based on speed, based on returns, based on interaction, based on defenses. A lot of web application firewalls now reject certain automated tools. Again, going back to the defaults: you know that default cookie set by lots of automated tools? Change the default cookie to something else, because that's how some tools detect your default tools. Your brain is the biggest tool for pen testing. If you're not using your brain and you're using just tools for pen testing, you're not a great pen tester, I'm sorry. You need to actually understand how things work in order to get much, much further.

When you are starting a pen test, you'll sit down with the application owner or infrastructure owner, whoever is commissioning it, and you ask a whole bunch of questions, and when they say no, you should ask them why not. IP addresses: well, it kind of makes sense, like, what's the realm that you're testing? If you're doing an internal pen test and they won't give you subnet ranges, there are, let's see, a couple of million, that's three million IP addresses that you're going to be testing, instead of being given a much smaller scope. So ask for these ranges, test the rest, but don't get too stuck on this. Another clue for internal pen testing: ask for routing tables. Routing tables would really neatly summarize all the networks that are inside. DNS entries: it's important to know DNS entries, because certain DNS entries you cannot guess; you can gather them from elsewhere, like from certificates, from DNS cache, passive DNS, and so forth. But knowing all the DNS endpoints you may actually find things that are long forgotten. In some cases you'll find other things: when we look at the DNS entries, sometimes we find that the IP address is no longer owned by the company, sometimes it's pointing to a different place, and the bad guys would love to take over that IP address and put something bad there. Web hosts: on a lot of web servers you have virtual hosts or the equivalent, and when you look at these types of components you may not be able to guess them. Some of them may even be internal, but if a web server has both external and internal functionality, it's possible to make calls to that web server if the interface is not properly bound, so make sure that you ask for that information. Additionally, application endpoints: sometimes the application is there on index.html on the front page, sometimes it's not, sometimes it's deeper inside the infrastructure, and if you don't know that, you may never be able to find it. But sometimes in the application, sometimes on the internet, there's an easy way to find these things. APIs: nowadays web applications are much, much more complex, so knowing how the API works makes it much, much easier to go forward. We even ask for the file structure, saying, "Hey, just give me all the files that are sitting in the web root," for example, in all virtual mapped directories and real directories. Why? Well, we can guess; our file name guessing machine is really good, but we're not going to be as good as some other guys. Maybe we're not testing it in the right language, because if your server is in Mexico it most likely has Spanish file names, and we have good libraries, but we may not be able to test everything. The bad guys may guess certain things, but pen testing is not only about guessing; it's also about getting the right things right away. Asking for logins: I already talked about it, but it's fair game to ask for logins without admin privilege; it's a good way to ask and shorten the wait. If you're given one week for a pen test and you have to request a login that takes 48 hours to approve, well, guess what, for the first two days you're not going to be testing the right thing, and that's going to be very weird and unusual. Here's another thing that you can ask about: sharing knowledge. Ask for a demo of the application; ask how it works and what it does, because once you get in you may not have a clue what it's for, or what the endpoints do. It's unusual, maybe, and most likely somebody will tell you, "No, you shouldn't know about it." Okay, beat the system: go on their website and watch a demo, or request a demo, pretend to be a customer. They will give you a demo of the site, the ins and outs, and so on, and you may learn much more about it before you start doing certain things.
You want to do some discovery, reconnaissance. OSINT is really, really cool, because when we are doing OSINT we may find things that the company may not know about itself. We're going to go to Google, we're going to look for other things, and we may be in sooner rather than later. The other thing is, we want to discover DNS endpoints, use search engines, ask GitHub. Sometimes lots of information is going to be disclosed on GitHub, and don't only look for keywords like the company name and so on; figure out who works for that company and their GitHub repositories, and see what they have inside their repositories. Look, find their passwords inside their repositories and log into the application with their passwords; that's maybe part of fair game. The dark web: the dark web is also part of fair game; there are stolen credentials out there, and there is botnet data. Now, I can caution you and tell you: never pay for stolen credentials. You are empowering the bad guys; you're creating interest for the bad guys in this particular type of data. So don't give the bad guys your money, even if it's for pen tests. Go to the client, to the company, and say, "Hey, it's out there," and let them make a decision and let them do that. And if you obtain credentials, for free or otherwise, don't use them beyond proof of concept. Go to the client and say, "Hey, these stolen credentials are on the dark web, they're still valid, you investigate further." There is a technique for some folks to use these credentials, and what you're doing is destroying evidence of a crime. So if the bad guys already used these credentials and got in, you may be erasing all the forensic evidence that this account has in place. Don't do that. Go to the company that you're doing the pen test for and say, "Hey, this was found, you guys fix it, give me some more credentials so I can continue testing." This is fair game. Using stolen or abused
data, you may be doing a huge disservice to the victim.

So, probes: initially probing the network and making sure that you understand the infrastructure, services, applications, components of these applications, so you'll find everything that is out there and you can actually do the testing appropriately. But then you start mapping, within an application, all the endpoints, all the ins and outs, things that allow authentication and don't allow authentication. Stealth and speed are mutually exclusive. If part of your exercise is to be not discovered, you do this, but you don't do it all along; you're gonna say for the first two days I'm gonna be in stealth mode, see what you see. But if you have
a limited amount of time to do a pen test, don't go in the slow mode all the time, because the bad guys have an infinite amount of time. If you're given a week and you spend that whole week going very, very slow, you're not going to go through the entire infrastructure; it's not fair, it's not good. Within the web applications and other applications, understanding how the data flows: asking the company, saying okay, where does this data go, give me a data flow chart, how many servers are in here, are there cloud components, what happens on the back end. It's part of understanding how things work. We talk about different environments, production and others. Authentication and authorization are very
important to test. Once you get inside the application, log out and test all these things that you mapped out while inside, and maybe you get different results. Same thing for users: make sure that user A gets moved to user B by swapping authentication strings and see if user A can see user B, and so on and so on. Lateral movement, escalations within web applications: very simple. For example, if you go to the admin panel and see how the call is being made to make any user admin, try to repeat that call as a user to make yourself admin. Believe it or not, 50% of the time in today's applications it works: I can make myself admin, I just need to know how to make
that call properly. So examining these things on the admin side sometimes helps. Using various standard exploitation techniques works, and right now don't think that even with these complex applications you won't be successful finding these things. But more and more we are starting to look at the components of JavaScript. JavaScript is a great repository to figure out how the application is built; if you have the application's JavaScript, pull out all the endpoints from there, and sometimes you find passwords. I found in JavaScript just last week the anthem of Ukraine, links to family pictures, and links to the internal GitLab of one company, all in one script, so that was an interesting thing.

Active Directory:
besides the standard exploitation of the network, look for older technologies; they're usually more vulnerable than others. Look for bad scripts. My favorite thing, once you're doing an AD audit and you get basic user access: try to look at network scripts and look for writable network scripts. It's really cool to modify a script that is being executed by all the users, and you basically, you know, let them run whatever you want to run. Sometimes these scripts are being run as admin and you become admin, so give yourself admin privileges. Part of it: look for patches or lack of patches out there, and if you have access, try to turn things on and off.
Sometimes when you get inside some of the applications you can turn off certain components. So, you know, in some instances you get inside of a WAF, the web application firewall, you could make an exception for your IP address, and all of a sudden the entire server, all the servers, are vulnerable. Networking is also extremely important: understanding the protocols, understanding how the management platforms work in communications. If you're not familiar with networking, especially for internal pen tests, become more familiar, because that's one of the easiest ways even to route data, becoming one of the routing points on the network; if there is a multi-node failover setup, you can become the
main node. End user devices: keep in mind that not all devices are the same, so if there is great uniformity, look for other things. IT devices are the easiest ones, because IT folks think they're above the rules, or they test things and they leave things open, so that's really, really cool. And also look for forgotten components. I love management platforms for internal pen tests. Management platforms are usually easy, and people think like nobody will log into a management platform, let me put username test and password test or something like that. But look at these platforms; they're also not patched all the time, think about SolarWinds and how much headache that was, they're misconfigured, and some of
them are forgotten. On a recent pen test we found a management system that somebody tested and then they didn't like it, they didn't buy it, but they forgot to turn off the server. The demo license expired, so what we did, well, we did something really weird: we blocked it. So the web application would communicate with a licensing server to make sure that the licensing is intact, and obviously, because it wasn't, it would tell you that the application's not licensed. Block communication with the licensing server, and the application is licensed, because if they can't talk, it's licensed. Now you can log in, because nobody had changed the default logins, and now you have access to their AD
credentials for admin that nobody really removed from the application. So these things do work when you find these platforms, and don't just get discouraged, like this doesn't work, stuff like that. Even Silverlight, which is an antique thing that only works in Internet Explorer, that is not normally supported: download Silverlight, make sure that Edge is running in Internet Explorer compatibility mode, and now you can get into Silverlight. This is actually how we exploited one system two days ago, just like that. Don't forget about IoT. IoT is easy; in some cases nobody really cares about printers on the network, but printers do store, like, your network passwords for scanning and stuff like that. That's kind of cool. Some companies
consider printers to be mission critical, because if the company is doing 3D printing on 3D printers as a main business, the printers are their intellectual property, the printers are production, so now you start caring about printers. Cameras: like okay, well, cool, I can see public areas because the camera is supposed to be only public areas. What if you're a bank? We see the stories of bad guys getting on the network and disabling cameras on the bank network so they can compromise and rob the bank, because all the cameras are off and they know that nothing would be recorded. Cameras are important in certain cases, but cameras are also very, very critical for
people's privacy. Environmental controls are usually left unattended, but environmental controls are also interesting, as are all the IoT devices. You know, people reuse passwords, so you get into one IoT device and all of a sudden you get admin on many others. Physical access: all the control panels also can be manipulated in a certain way or even disconnected. In certain rooms, like meeting rooms, even public areas, there are now little iPads sitting there, or tablets, that you can reserve the room with and stuff like that. If you click on a couple of things, if it's not properly secured, you can get a Wi-Fi password, the internal Wi-Fi password. If you're really entrepreneurial, by the way, when somebody brings you the
wine list in the restaurant, stuff like that, you can do that too and get into the restaurant network. Not, not that lesson. Anyways. Power: power may be underrated. You're not going to play around with power inside the company, but to key management it's critical, because if somebody shuts down power there may be a critical situation. In the cloud: pen testing in the cloud is rather difficult because you don't have continuous IP space, you have endpoints that somebody can build and drop at the drop of a hat. But go ahead and map all the endpoints; these endpoints can be vulnerable. Most breaches that we are seeing today: somebody created something in the cloud,
forgot to tell anybody about it, it's exposed, placed some data in it, somebody else found it. The mean time of finding things used to be one to two months; now it's hours. So if you leave something exposed, things would get found really quickly, so make sure that you're ahead of it and anything that's being put out on the cloud gets tested right away. Finding management consoles, we'll talk about those as well. Code repositories: Bitbucket, GitHub, GitLab, components of Jira, Zendesk, Confluence and others, they're all out there, they're on the cloud, and there are so many different techniques to abuse them and get data out of them, and that's part of a pen test, because your goal is to
get in using things around you. Forgotten credentials, we talked about credentials, so I'm gonna kind of skip that. A couple of advanced topics: SQL injection also can be done with intelligence; it's not a simple thing to do, but we can do that much deeper. Broken links, dead domains are also part of what we can use for attacks, because sometimes the bad guys can take over the domain; they can look at where the broken link is leading and use some kind of other attack. We have a technique to use web logs to understand how the application is built. If you ingest all your web logs, mostly GET requests (POST requests would be
complicated), GET requests you can play against your website without authentication or with basic user authentication, and that gives you the best ever map of the site. You will find everything that's unauthenticated or has weak authentication. Try it; your web logs are the best map to your site. Impersonations, as I'm running out of time, a couple more components: try to abuse physical access to electronic assets. Intrusion detection: as you're doing the pen test, make sure that the security tools that the company has are working as well, or aren't they. Phishing components: not only do you test the users, but test the technology; try to send a phishing email that should be stopped, see why it's not stopped. And the same thing applies to ransomware.
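As an added worked example (not the speaker's code) of the two application-mapping ideas in the talk, pulling endpoints out of the site's JavaScript and replaying the GET requests from the web logs without a session and with a basic user's session: it extracts paths from constructed log lines and a constructed JS fragment, then grades each one by what an anonymous caller and a basic user get back, so anything not "restricted" is a finding to fix. The application under test is a constructed in-memory table (FAKE_APP); all paths, log lines and function names are assumptions for the example.

```python
import re
from typing import Callable, Dict, Optional, Set
# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/users/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2023:10:00:03 +0000] "GET /admin/export HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2023:10:00:05 +0000] "GET /api/reports?year=2022 HTTP/1.1" 200 2048 "-" "curl/7.88"
"""
# Constructed fragment of a front-end bundle: the client's own list of what it calls.
SAMPLE_JS = 'fetch("/api/admin/make-admin"); axios.get("/api/reports"); const k = "v1";'
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>/\S*) HTTP/[\d.]+" 2\d\d ')
JS_PATH_RE = re.compile(r'["\'](/(?:api|admin|internal)/[^"\'\s]*)["\']')

def endpoints_from_logs(log_text: str) -> Set[str]:
    """Unique GET/HEAD paths that returned 2xx; the query string is kept so the exact URL is replayed."""
    return {m.group("path") for m in LOG_RE.finditer(log_text)}

def endpoints_from_js(js_text: str) -> Set[str]:
    """Paths the bundle references, including ones no log line has shown yet."""
    return set(JS_PATH_RE.findall(js_text))

def audit_auth_coverage(paths: Set[str], probe: Callable[[str, Optional[str]], int]) -> Dict[str, str]:
    """probe(path, principal) returns the HTTP status seen by principal None (no session) or "user"."""
    verdicts = {}
    for path in sorted(paths):
        anon, user = probe(path, None), probe(path, "user")
        if anon < 400:
            verdicts[path] = "open-without-auth"
        elif user < 400:
            verdicts[path] = "any-authenticated-user"  # still needs the user A vs user B check
        else:
            verdicts[path] = "restricted"
    return verdicts

# Constructed in-memory stand-in for the application under test; in practice swap in a probe
# that issues real GET requests with and without a basic user's session cookie.
FAKE_APP = {
    "/api/users/42": {None: 401, "user": 200},
    "/admin/export": {None: 401, "user": 200},           # admin data reachable by any logged-in user
    "/api/reports?year=2022": {None: 200, "user": 200},  # no authentication at all
    "/api/reports": {None: 200, "user": 200},
    "/api/admin/make-admin": {None: 401, "user": 403},
}
def fake_probe(path: str, principal: Optional[str]) -> int:
    return FAKE_APP.get(path, {}).get(principal, 404)

def run_audit() -> Dict[str, str]:
    # Merge both maps and grade every endpoint; anything not "restricted" is a finding to review.
    return audit_auth_coverage(endpoints_from_logs(SAMPLE_LOG) | endpoints_from_js(SAMPLE_JS), fake_probe)
```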
Data can be exfiltrated: can you detect it, can your defense systems detect it? It's part of the pen test. Lastly, security tools testing: testing logging, alerting. As your pen test progresses, did anybody see your activities, did anybody see how things were created? Don't tell the company that you're testing, or the internal folks, to study for the test, but also don't tell them to ignore the test; it needs to be a normal environment, because when bad guys hit your network nobody is going to study for the test and nobody's going to ignore it. Test your honeypots: make sure that, as part of your pen test, if you have honeypots, you see how honeypots respond
to real attacks. I know I'm right on time, so if anybody has questions, probably afterwards. Thank you very much. [Applause]