
Boston BSides - Pentesting for Fun and Profit by William Reyor

BSides Boston | 42:25 | Published 2016-07
About this talk
Should you become a pentester? How do you get there? What skills are required? What's the difference between a good tester and a "bad" tester, and how do you avoid the latter? This talk aims to answer these questions and give a basic overview of what it's like to pentest a small network and a small business using some of today's automated open source tools, including reporting and client interactions. William Reyor is a senior security consultant for Foresite, pentester, BSidesCT co-founder, Nesit Hackerspace co-founder, former QSA, security engineer, network engineer, systems engineer, and all-around security geek, CISSP, purple team.
Transcript [en]

William Reyor is an information security lead for Fairfield University. He's a pentester; he's also the BSides Connecticut co-founder, Nesit Hackerspace co-founder, former QSA, security engineer, network engineer, systems engineer, and all-around security geek, CISSP, purple team.

Thanks very much. So this talk is focused on people who hire pentesting companies, or a lot of people who hire pentesting companies, and people who want to become pentesters and get into offensive security work. So I tried to break this into two different parts: one part focuses on people who hire pentesting companies and pentesters in general, and then the other is for people who want to get into that line of work. I work now for Fairfield University in a defensive role. I co-founded Security BSides Connecticut and Nesit Hackerspace, LGBT supporter, and you can follow me on Twitter.

So, first section, for folks that are hiring a pentesting company. I would say one of the questions you want to ask yourself before you even have this conversation of which company am I going to hire is: what is a pentest? So I figure we'll just ask the audience. Does anyone want to just give that a shot, what a pentest is? I guess different people have different definitions, but for me it's basically attacker simulation. So it's not something that's directly repeatable; you're basically taking behavior and creating it on the fly given a certain situation or scenario or network. So if you have one company and it's pentested two different ways, then you may get two radically different results. Both may be breached, but they could end up breached in very different ways. And I want to point this out because there's a common misconception between what a pentester is and what a pentest is versus what a vulnerability scan is and what a vulnerability audit is. And so part of the hit points that I wanted to take in this talk is: if you're conducting a pentest, you don't want to fall into just conducting a vulnerability assessment or a vulnerability scan and submitting that as your pentest.

So on paper it's this very neat, tidy process: you have your kickoff, you have your recon, you have your exploitation and exfiltration, and then you have reporting. On paper it looks like this very neat process, but in reality a pentest really isn't going to be that neat and tidy. In reality it's going to be sort of this jumble of "what can I try and get into? That didn't work, let me try this; that didn't work, let me try this." And this is more in line with how an attacker works. This isn't how a vulnerability assessment works; a vulnerability assessment is just purely automation. So the difference between the two is human intelligence and manual testing, and basically a person making judgments about what to do next instead of just pure automation. And the other thing I'd say is that a pentest isn't a checklist. So there's lots of guides and frameworks out there for conducting a pentest, things like the PTES, which was created and co-founded by Dave Kennedy; there's standards for PCI; there's various different standards. And those are guidelines, they're not a checklist. You wouldn't just go down and check every single one of those boxes and say, "okay, I did that, you've got your pentest now."

And so I tried to illustrate that a little bit better. So the big difference between a vulnerability assessment and a pentest is that the VA, or vulnerability assessment, is going to be metric based, so you can repeat it over and over and over again and you can see if you're improving. Where you can repeat a pentest over and over again, but it's narrative based; it's not necessarily metric driven, and it uses creativity. And the whole point of this is to figure out, okay, given my environment, beyond my vulnerability scan, what kind of attack are they going to try? And that should always be updating and that should always be evolving over time.

So before you even get into a pentest, you probably want to start conducting internal vulnerability and external vulnerability testing first, because that's going to identify a lot of your low-hanging fruit. And then you want to answer some basic prerequisite questions, things like: what devices do I have? Who has access to those devices? How are these devices being patched? When did I do a vulnerability scan, and what were the results? What critical things are open and what still needs work? And once you've got to that point, then it's probably time to start thinking about having a pentest done. But there are certain situations where a pentest is useful even if you haven't gotten that far, particularly if you're trying to get buy-in from upper management and they're not convinced that there's a need for security or a security buy. A pentest can demonstrate impact, more so than maybe you may be able to do yourself. Nothing says "we have a security problem" like a screenshot of a CIO's mailbox, or a recording of voice conversations, or photos of information that shouldn't be public.

So once you get that far and you decide that you want to have a pentest done, these are great reasons to conduct a test. So you're going to verify what you know is in place and what you have; you can create that political capital that I just talked about; and then you can determine how responsive your organization is to being under attack. And the other thing it helps with is finding things you don't know about. So there's this Mike Tyson quote that everyone has a great plan until they get punched in the face, and that is definitely true for a pentest. So you can think you have absolutely everything taken care of, and then a good pentester comes in and they creatively evaluate everything you have and they go about attacking your system in a way that you haven't even considered. And that's a great reason to conduct a pentest, because that's going to find things that you don't know about that go beyond just the scope of doing the basics. And so, like I said, nothing says that you have a problem like proof that there's a compromise or that there could have been a compromise.

So now comes time for you to choose a firm, and so what should you look for? If it was me choosing to hire a firm, these are some of the things that I would look for. Given all the certifications that are out there, OSCP is probably the best for demonstrating knowledge of how to conduct a pentest. I would definitely review a sample of the firm's work. You don't want to see things like just pure tables and pie charts. I mean, infographics are great, but you want to see a narrative of how the tester conducted the test, what they were thinking, and what drove their process to get where they got, so to speak. And you want to see photos of evidence too. You want to be able to prove that they didn't just run a scan, that they did some manual testing. There's definitely automation, and there's definitely a place for automation in pentesting, but that's not the end-all, be-all. And lastly I would say you want to look for professionalism. So there's lots of firms out there that, while they might be talented, don't act in a way that's professional, that you would want a trustworthy person to have access to potentially sensitive and confidential data. So you want to have some assurance that this company is reputable, that they're going to handle things in a manner that's consistent with your own standards of how you handle, or how you want to handle, confidential information, because if they're successful, they could potentially walk away with the keys to the kingdom, and so you want to make sure that they protect that information.

So I'm going to jump around, or jump all the way to the end, where a pentester gives you a report, and we'll cover the in-between in the second section when we talk about what goes into becoming a pentester. So you go through this process, the tester or the firm conducts the pentest, and now you have this report. So what do you do with this report? A lot of companies, unfortunately, are like, "okay, we have our pentest report, we can file that away until next year." But what you should do is make sure you drill in and understand everything that's on that report, that the pentesting company or the tester found, and use that as an opportunity to drive remediation. And then once you've remediated everything, you basically want to schedule a follow-up and verify that everything is the way you think it is. And then periodically you want to go through a process of repeating the test and seeing if there's a new attack that maybe you haven't considered that would apply to your organization, that maybe you don't already know about.

So does anyone have any questions about hiring a pentesting company or a pentester?

[Audience question not transcribed]

It really depends on the scope of the company. A lot of companies will sell a pentest by IP address; these are typically companies that are operating primarily based on automation or based on scanners. So depending on the size of your organization, pricing can go from 5,000 to 20,000 to even more, depending on exactly what you want. So you could have a test done that's just purely external, so you just have the company trying to get into X number of devices, X number of applications. It could be internal; you could have people actually on the ground on prem. There could be social engineering components, so there could be email, or there could be physical components. And the wider the scope of the test, the better off you are overall, and the more chance of success that the tester is going to have. So if you're hiring a company, I would go as wide as you possibly can, because that's going to be the most realistic emulation of an attack.

So the second part is, okay, so what do you want to do to become a tester, and what does a test look like? So first and foremost, you really want to start with ethics. This is something that many organizations don't talk about, or many presentations don't really touch upon, but you're going to be handling information, potentially from a company, that's near and dear and critical to their business. So you want to do your best to protect that information, and you really don't want to talk about who you're working for or what you found or what your findings are. If you're with a mature organization, they're going to have process and procedure now to store this information. If you're with a startup or a fairly new organization, then you need to make sure you take due care with storing any evidence that you find. And lastly, especially for organizations that fall under PCI, they're required to have a pentest, and so it's very common to have an organization push you on whether a finding is critical, what criticality it is. And it's easy to fall into the trap of downgrading a finding, and I would strongly encourage you to not do that, to not basically compromise the quality of the report, because it doesn't really do any good for you as a tester or for the organization. It basically just is one less thing that is off someone's plate that they have to remediate.

So some of the things that you can do to get involved in pentesting: here's some quick tips for getting involved in the security community. So things like planning a BSides, or publishing research, or hacking things in general, things like participating in a CTF, these are all really great ideas. They build up your skill and they also connect you with people who do this sort of thing all the time. And last, I would say find someone who's a mentor, or mentor someone. These are all great things. And this is relatively new, and I don't have a ton of experience myself, but bug bounty programs like HackerOne and Bugcrowd are becoming very popular ways to both build skill, get involved in testing, and build a reputation for yourself, because you're going to have a public profile, and companies like Salesforce actually look at this information and look to see, okay, well, have you participated in a bug bounty program, and if so, what did you find and how did you find it? So these are all really good ways to get started beyond just a college education, which is still important, but these things are really important too.

That should be better. There we go. And so there's other existing knowledge that you can have that is helpful to testing. So figure that whatever you're testing, you need to have some expertise on. So if you're running into Linux systems or Windows systems, or you need to automate something, these are things that you need to know ahead of time. So having things like a solid background in networking, in scripting, in Python or Ruby or C, these are all really good things, and they're going to make you that much more successful. And what I would say also is that if you just jump into pentesting and you don't have a solid background in what you're testing, you can give an organization a false sense of security. So you want to make sure that if you're not really comfortable breaking into something, or getting into a system, or understanding that system, maybe you should decline the work, because it's better to decline it and have someone who is comfortable testing those sorts of systems than have you test it, not find anything, and then give an organization a false sense of security.

So you've established your network, you have established these basic skills, and now you want to get into actually conducting a test. So I want to talk a bit about what that's like and what the different phases of that are. So depending on the standard or the framework that you're looking at, there can be as many as eight different phases of a pentest, but basically they break down to having a kickoff with the client, performing some sort of reconnaissance, whether it's social engineering or it's purely IT based or IP address based, attacking those systems, exfiltrating the data, and then reporting on that. And I'll publish these slides after; these are basically some tools that you can look at and familiarize yourself with ahead of time to understand how they might apply to a pentest.

So first and foremost, you're going to have a kickoff with your client, and so they're going to want to know what experience you have. So you need to be relatively comfortable speaking with a client about what you know, what you don't know, and you're going to need to ask them certain questions about what kind of system they have, what their goals for the test are. And one thing that's really important is making sure that they have proof of the IP addresses that you're going to be testing against. Early in my career I was provided a list of IP addresses and the client didn't actually own them, and that ended poorly for me. So in things like physical testing, you want to know: do the guards have guns? Are there silent alarms? Who's watching the cameras? Are they on prem? Are they just recording? Do they have a third-party service? These are all things that you need to know ahead of time. When you're talking about web application testing, and you talk about fuzzing web applications, certain forms will automatically send emails, so you want to make sure that the entire organization is aware that you're testing. That way, if you start fuzzing some web app and someone gets flooded with a whole slew of emails, they know who to contact to make that stop. And last I had to say, combined attacks: so an attacker isn't just going to do a port scan and try and exploit a system. They're going to try and combine that, so maybe they send a phishing email, maybe the phishing email lands on a landing page that serves up malware, maybe the malware provides you a foothold into their internal network, and from there maybe you want to pivot up. And you want to verify that these attack methods are what they're expecting to see, and that they're not expecting just a simple scan. And lastly, it's becoming more and more common for organizations to employ third-party vendors and cloud providers. So many of these providers allow you to actually test applications in their cloud, but you need to verify that information first. And lastly, you want to set expectations: things like how often you're going to communicate, how often updates are going to be, what the report's going to contain and what level of detail. One thing that I like to provide when I've conducted tests is basically a full forensic log of everything I did, when I did it, what I executed, why I executed it, and basically all raw notes. This isn't unreasonable to ask for, and it shows the thought process that the tester took, and it shows how to repeat the test to verify, once remediation has happened, that things are actually fixed.

So before you start, one of the things that you're going to want to do is figure out all the different tools you're going to be touching and using, and set up the tools in such a way that they create logs. So if you're using a tool like Metasploit, you can spool that log to a certain destination. If you're using something like Nikto to test a web application, you can pipe the output of the command to some sort of text file, and you can at least have a time and date stamp aside from just the manual notes that you're keeping. These are all things that you want to keep. And when you get into testing and you're testing for a company, it's really common to have to stop on one test, pick up on another test, and then come back to the other test weeks later or maybe a month later, because something happened and you had to stop. So having all this information, having solid notes with date stamps, and having all the output is really important to be able to pick up and repeat the work and basically understand exactly where you were.

So you've established this and how you're going to log. So you go into your first phase, of recon, and so what's that look like? So the goal of recon isn't just to enumerate DNS records or WHOIS information; you basically want to understand what their business is, what they do, what's important to this client, and from that point you want to drill in deeper and deeper and deeper. So if this is a retailer, you can make some assumptions about what's important. So if they're a retailer, maybe they have credit card transactions. They're probably worried about their reputation. They probably process everything internally because they're processing so many transactions; we'll assume it's a national retailer. So maybe you want to start on LinkedIn and find IT resources and figure out who these people are that control these systems. Maybe you want to go through their profiles and figure out what systems they have in place. If someone says they work for company A and they're familiar with and experts in Sourcefire, you can probably assume that they have a Sourcefire IPS. And taking the information from these folks, you can pivot around off that information. So you can take one piece of information about, say, IT worker John Smith, and understand everything about John Smith to the point where maybe you want to design a social engineering pretext to try and get his information. So understanding the people in detail, as far as how you want to craft and how you want to get close to them, is really important, aside from just the typical pivoting from DNS records or WHOIS or SSL or IP block ownership. And these go hand in hand between social and technical.

So there are certain tools that help automate this, and for the purpose of this presentation we're going to just assume that we're doing an on-prem internal pentest. So here's some of the tools that you might look to understand. So one of the things I used to love to do is: it's day one, I'm on a pentest, and the first thing I do is just fire open Wireshark and just listen to what's happening on the network. And just by listening to broadcasts you can determine, okay, how is routing set up, how tight is the network, is there 802.1X, what's being broadcast, is there HSRP? And you can make fairly good determinations about how a network's configured just by listening, without transmitting a single packet.

So another app that's great to look at is Maltego. So Maltego takes one piece of information, you plot it on a map, and it allows you to pivot off that information to other pieces, and it helps you build almost a mind map of either IP addresses or people or social information. Maltego is a semi-paid app; there's paid versions and free versions. But there's open source solutions too, like SpiderFoot, which basically does similar things. You check the boxes of how many engines you want to query, you provide a domain name, and it's basically going to provide a ton of information in CSV format that you have to mine. Things like the Discover scripts from Lee Baird are fantastic, but they're just a starting place. While Lee Baird's script is a great resource, you don't want to just run that script and say, "okay, here's my recon section of this report." You want to take that information, gather the result, and then pivot off that to build on it and improve it. And then of course Shodan is a great resource for just looking at what's exposed externally in an environment.

And these are different screenshots of these various tools. So this is Maltego, so you get an idea of what that looks like. So you have one device here and you can see how it has a relationship with something else. Taking screenshots of this, once you have this and once you build this information, is going to be helpful to explain this back to the client when you're conducting the test. So this is a screenshot of SpiderFoot, and you can see it's very different. It's basically going to run a number of checks, and then it's basically going to dump all that data into CSV, and then from there you need to do your own magic and either pull that into a database or find a way to query that and pull that into your report. This is Lee Baird's Discover script, which is actually an amazing tool, and he's gotten this to the point now where you can feed it just an IP range and it will go and nmap and then feed the nmap results back into Metasploit and try and run known Metasploit modules against what it's collected. But again, this is very much script and automation, so while this may find low-hanging fruit, you want to verify anything that any sort of automation finds.

And lastly, there's actually a great book by Frank Ahearn, How to Disappear. So the title of the book would lead you to believe that it's supposed to be something that you need to learn, how to disappear, but really if you look at all the advice and reverse it, it's an excellent guide in how to track people and how to pivot on different pieces of information to figure out how someone works, where they're going to be, and what their routines are. So this is one of the best resources out there, believe it or not.

So you get past those sort of passive recon sections and now you want to go into more, I guess you'd say, active recon. So here's some standard tools that you might use on an internal pentest. So this is nmap, which is a port scanner, which basically is going to give you some detail of what's out there and what services are exposed and what versions of software, which is the sort of information that you want to be able to research back. So basically you're executing these tools, you're pulling banners and trying to determine what systems are up, what's exposed, what software versions are available, and you want to take that and figure out, okay, given these things, how can I exploit these? And so given that information, then you would take that back and go into an exploit phase and try and exploit those.

But depending on the security maturity of the organization, there's certain, I would say, shortcuts that you can use for an organization that hasn't gone through a pentest before that work extremely well. So first and foremost, no one thinks they have them, but most organizations have open file shares with confidential information on them. It's just a fact of life: if you've conducted business for a while, it just happens. And so finding those shares, figuring out what's on them and what's usable. I know in my experience I've found scripts with passwords; I've pulled domain admin creds off open file shares before. Finding devices that have default credentials, things like UPSes, cameras, NAS devices, are incredibly common. And then a lot of organizations have devices that they swear that they can't patch, and so identifying those devices quickly can find you a quick and easy path to basically completely own a network. Trustwave SpiderLabs released a tool called Responder, which is fantastic, and what Responder does is it sits on a network and responds to any NetBIOS name broadcast with a spoofed response. It'll do that for NetBIOS, it'll do that for LLMNR, and it'll do that for WPAD requests. So that means that you can get in the middle of a user and web traffic without using things like ARP. It also means that this is a very quick and easy way to gather hashes. So using a tool like Responder on a network that has never seen the tool before is a very quick and easy way to gather a ton of hashes, and then once you take those hashes and crack them, you can pivot around the network fairly easily if they've never gone through the exercise before. And if they have, the tool is great to verify that the controls they have in place are actually working.

And lastly I'd say, on baseboard management controllers for servers, there's a protocol called, I think, well, any sort of out-of-band management has a protocol called IPMI, and IPMI works in such a way, at least version 2 does, where if you send the device a username, it'll respond back with the hash of the username's password. And that's by design, which means that if you have that hash then you could potentially crack that password. And so Rapid7 did an excellent write-up, and I'll include this in the slides; that's the researcher that initially discovered the vulnerability. So these are shortcuts, for an organization that has already gone through and tightened up a lot of this information, you know. And so there's lots of ways to discover open file shares; the Metasploit module is probably the best, rather than using nmap or any other tool, just because it'll gather that information quickly and dump it to a text file.

So now you're in the exploit phase. You've found all the devices, you want to exploit them. So I would say, first and foremost (I probably should have switched up the order), searching for specific attacks against certain applications is probably going to be your first and foremost. Attacking web apps, you need to know how to do that, and there's lots of different methods to attack. OWASP is a great resource. A commonly overlooked method of exploitation is all the layer 2 protocols, so things like ARP and HSRP. These are all things that are typically unauthenticated that can be used to get in between a device and another device on a network and manipulate that traffic or gather hashes. So I would strongly encourage you to test these tools ahead of time; test them on your home lab or in the work lab if you haven't. And then phishing exercises: so if you've never conducted a phishing exercise and don't know where to start, Chris Hadnagy's social-engineer site is an excellent resource to start; he's written a number of books about the subject. Dave Kennedy has the Social-Engineer Toolkit, but there are a number of open source tools that will allow you to craft a message, send it to users, have the users connect back to a landing page, and then if you combine these with other attacks you can get a good foothold into a network, which for a pentest is the goal: to basically demonstrate exploitation. And so if you're building a malware package, there's even tools that will help with that, so things like Veil. And I listed SprayWMI, which isn't used specifically for building an attack package; it's used more on an internal test for exploiting systems quickly, but that was probably the go-to tool right now. One of the issues I ran into is that what you think might be undetectable often is detectable, so testing these things ahead of time; they say don't, but everyone does: running a sample through VirusTotal is probably a good idea ahead of time to understand, because if you spend all this time crafting a social engineering campaign only to have your sample flagged by whatever the spam solution is, then you kind of wasted your time. So you want to know that the sample is mostly undetectable before you even really get started.

And then once you exploit all the systems, so now you want to exfiltrate the data, which, you get so involved in the recon and the exploiting that you get to this part and you're like, "okay, now what? I got domain admin, great." So doing things like granting yourself access to mailboxes that you shouldn't have access to, finding confidential information, and finding it quickly. If this is a big organization, you need to have scripts, or you need to have a method, to identify this information rather fast. And so these are just examples of database dumps, Meterpreter sessions showing that you've got access to the system. Screenshots are awesome, especially if you have a screenshot of someone's desktop with their apps open, but I think you guys get the idea.

So you've gone through, you've walked away with all the data, now what? So now you need to report on this information, and this is a pain for many pentesters, but really your report needs to have three different parts. So you need to have an executive summary so someone can quickly understand what it is that you found and how important or critical it is. You need to have a detailed narrative with finding information to show what information you have or what information you found, why it's important, why it's critical; this is where you should have things like your screenshots. And then you need to have remediation guidance. So you need to have things like, "I found that it was possible to ARP spoof and get in between this traffic, so you need to implement controls against that, so you need to implement Dynamic ARP Inspection or 802.1X," or whatever your guidance is. And this can take extra time and extra research, so that's something that you want to basically save time for yourself to write, or have time to focus on, to remediate. And the next few slides are just breakdowns of all these different parts. So the executive summary: what you did, who you did it to, what methods, and what conclusions. The narrative, so that's basically the meat of the test; don't forget to include screenshots. And then for every finding you have, you need to include that on how to fix it. It doesn't mean that you're going to be the one responsible for fixing it, but these are people who may not understand what it is you found or why it's important, let alone how to fix it. So you need to provide people, or your client, guidance on how to get started and what direction to take. And that's it. Does anyone have any questions? Go ahead.

[Audience question, only partly transcribed] So in one of your earlier slides... you also... simulating?

So when you're conducting a pentest, you're testing production systems, but when you're developing your methods of attack you don't want to figure it out on the fly. So a great example is there's an attack tool called Yersinia, and something that Yersinia does is it will modify or spoof HSRP packets, which are used for switch failover. So if you don't understand what the tool does or what HSRP is, you could cause a failover in the client's network and you could basically down their whole network without ever realizing it. So that's really what I mean by "don't test in production": don't develop your attacks while you're in the midst of a pentest; you want to do that in the lab if you can. Any other questions? Go ahead.

[Audience question] You mentioned early on that one of the ways to get started in pentesting is to volunteer with a conference. Do you know any BSides that are coming up soon?

I do. So BSides Connecticut is going to be starting on, what, July 16th? Yeah, so BSides Connecticut's July 16th. There are lots of other BSides besides Boston. These guys really have their things together now; BSides Connecticut is not as big as this. We are jealous; you guys really do a great job. All right, thank you very much.

Thank you.
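The talk recommends setting every tool up to log its output with a time and date stamp (spooling Metasploit output, piping Nikto output to a text file) so that a test can be paused, resumed weeks later, and handed over as a forensic record. The following is an added example, not code from the talk or the speaker: a small POSIX shell wrapper that runs any command and appends a timestamped record of the command line, every output line, and the exit status to a per-engagement log. The `logrun` name, the `LOGDIR` layout, and the log line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): run a tool and keep a timestamped,
# append-only record of what was executed, its output and its exit status.
# LOGDIR and the log file naming are assumptions; adjust per engagement.

LOGDIR="${LOGDIR:-./engagement-logs}"

# UTC timestamp so logs from different machines and time zones line up.
now() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# logrun <label> <command> [args...]
# Appends to $LOGDIR/<label>.log:
#   <ts> START cmd=<command line>
#   <ts> <each line of stdout and stderr, in order>
#   <ts> END status=<exit status>
# Returns the wrapped command's exit status so callers can still react to it.
logrun() {
    lr_label="$1"; shift
    mkdir -p "$LOGDIR"
    lr_log="$LOGDIR/$lr_label.log"
    lr_status_file="$LOGDIR/.$lr_label.status"

    printf '%s START cmd=%s\n' "$(now)" "$*" >> "$lr_log"

    # The command runs in a group on the left of the pipe; its exit status is
    # written to a small file because a pipeline only reports the status of
    # its last stage (PIPESTATUS is bash-only). The &&/|| form also survives
    # a caller's "set -e". stderr is merged into stdout so error messages are
    # logged in sequence with normal output, and the "|| [ -n "$line" ]"
    # keeps a final output line that lacks a trailing newline.
    { "$@" 2>&1 && echo 0 > "$lr_status_file" || echo "$?" > "$lr_status_file"; } |
        while IFS= read -r line || [ -n "$line" ]; do
            printf '%s %s\n' "$(now)" "$line"
        done >> "$lr_log"

    lr_status=$(cat "$lr_status_file")
    rm -f "$lr_status_file"
    printf '%s END status=%s\n' "$(now)" "$lr_status" >> "$lr_log"
    return "$lr_status"
}

# Example usage (commented out so sourcing this file has no side effects):
#   logrun dns-recon dig +short example.com
#   logrun webscan nikto -h <host-from-the-signed-scope>
```

Each engagement gets its own `LOGDIR`, and because the wrapper only ever appends, re-running a tool after a pause leaves the earlier attempt and its timestamps intact.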