
So to begin things off, this is actually a first for me: I actually have my boss and my boss's boss in the back. Hey, please heckle all day long. So, just some of the things that Dan already said: a lot of people know me as metacortex, others know me as Danny. Call me either, I don't care. I'm a senior security consultant at Secure Ideas. I'm also an 801 Labs founder and a board member, if I could spell that correctly. Apparently, oh, I think it ran into the image, oops. Hello. 801 Labs is the local hackerspace out here in Salt Lake City. DC801 is the local DEF CON group; I do a lot of stuff with them, and this is my third time speaking at BSides Salt Lake.

Now, to kick it off as a quick survey: who in this room has ever thought about, or currently wants to be, a pentester? A lot of people. Why? It's open for discussion, yell stuff out. It is sexy. You get to break into things. Fantastic jobs. Security. Yes, it pays a decent amount of money. Reports? They're my favorite, that's very true.

So, just some of the answers that I've heard from other people, and it looks like you guys answered most of them: it's fun, it's sexy, you get paid to own companies, or some kind of "your mom" joke, which I'm disappointed in all of you for. But I can relate, because for years I set my career goal as starting pen testing, eight or nine years ago, and I'm only just getting to the point where I'm able to do it professionally. Most of my experience before getting this job was tons of VMs. I would load up VMs for everything I could; I didn't care if they were backdoored ISOs that I downloaded off some shady tracker, I was going to own them myself. Tons of Metasploit materials: anything that said Metasploit on it, I was reading or watching. Tons of mailing lists; the SecurityFocus stuff sometimes makes a lot of noise. Various different podcasts, mailing lists, Twitter. Monitor Twitter a lot; it's a very active medium in our community and our industry. I would hop into every CTF I possibly could, compete to the best of my ability, and take a lot away at the end of it. And most importantly, I would listen to everybody else: everybody else's experiences penetrating networks, getting paid to do it, everything. I didn't care how boring it was, I was going to listen to the story.

But while I was doing all that, most of my time was spent on the blue team side of things: doing network engineering, firewall deployments, firewall configurations, support for those firewalls. So yeah, I can understand where a lot of people are coming from in wanting to get into this field.

But real quick, we can go over, I threw this together real quick, but it's my idea of security testing and the different levels of testing in it. Everything in my experience has been building upon the lower levels. So you get good audits going if you're a fairly immature program as far as security goes; you start auditing a lot of stuff and start fixing it depending on what the audit says. From there you can move into vulnerability scanning, things like Nessus, OpenVAS; there are tons and tons of vulnerability scanners out there. They'll go out, scan the whole network, tell you what's there and what's not, and let you look at what some of the higher-severity things are and fix accordingly, to try and just build the security in your company. From there, on top, we have penetration testing and red team, which, I don't know why I'm going through all of that, I do have slides for those, so let's go on.

Security audit: yeah, I mean, a lot of checkboxes, a lot of compliance. PCI, yay, that's the big one. You get to evaluate tons of systems and configurations; you just look at them and try to identify issues with them and keep going. Like I said, vulnerability scanning is mainly automated. You can put scanners at various different points of the network to catch certain things, and a lot of times you can put credentials into those systems so it'll log in and tell you vulnerable software versions, all that. Like I said, there's a ton of vulnerability scanners; there's a good list there.

And then what we get into is penetration testing, which is the focus of this talk. Basically, you let people come in, find those vulnerabilities, and exploit them to see what they can gain access to as far as critical business systems, and how you can leverage one exploit, move it over to another vulnerability, and keep moving through the network to find the most critical things in the business. The thing that penetration tests are limited on is generally scope and length of the engagement, which gets me into red team, which I see more as a penetration test with less scope and fewer time constraints. That's really all it is, for the most part.

All right, so we want to start penetration testing. You get tons of awesome tools everywhere: Metasploit can enable anything, anything in Kali, tons of all these sexy exploits that you can run and do a lot of really cool stuff with. So great, you can grab all your stuff, all your tools, get them all ready, and just let loose. I had to put a pony in here somewhere; there it is. So we pwn all the things. Great, fantastic. But hold on a minute, because it's not all like that, so let's dispel some myths real quick. I made this slide; it may make Kevin in the back squirm a little bit, but it's funny nonetheless. Take a sec to read over it.

So in a penetration test, like I said, we are limited on scope and on the time that we're able to actually run this assessment. Most of the time we're limited to five days, business hours, and we have to cover a lot of ground in those five days. Sometimes I've seen networks where I've had upwards of 50 /16s that we've needed to scan; that's going to take a long time. So we rely on a lot of automation. Nessus is great, I love it. You basically set up a scan, tell it to not do anything crazy that might knock over devices, say go, and it's going to map the entire network and give you a list of the vulnerabilities it was able to find. It helps a lot. It's really noisy; we're not running in trying to be a ninja right off the bat, just because of that time constraint. So a lot of people I've heard have said a lot of negative things about pentesters going in and running vulnerability scans, which I think is unfair, just because of that time constraint.

So we'll get into some of the tools that I use the most. As you'll see up here, it's not Metasploit. I've used it, I've used it a decent amount, but it's not my go-to right out of the box. I do a lot of Nessus scans and parsing through those; a lot of Burp for web app stuff. That's de facto; Burp is amazing if you're looking at web apps. And honestly, sometimes I've spent a couple of hours just browsing around open network shares, because there's a lot of good information in those. I have seen several times that passwords are stored in text files on an open share that anyone with domain credentials can get to, as well as personally identifiable information such as identity cards for Canada, and a lot of scary stuff that you wouldn't want everybody to have.

So another misconception that I've heard: I've heard a lot of stories, people are like, "I fired up Metasploit, set my RHOSTS to this whole gigantic subnet range, typed in exploit, and go, and all of a sudden I'm getting back tons of shells, I'm owning the network every way possible." That doesn't happen a whole lot. It just doesn't. Honestly, it took me several engagements to find something vulnerable enough to actually get a shell. Why? Because a lot of our customers are really good at security. They hire us, and they know a lot about what they're doing to begin with. But I don't want to put you off; I don't want to say it's boring or anything. There are times that you feel like Luigi. To get this reference, go back and play Mario Party 2 for the Nintendo 64: if you're playing single player and you put all four other characters on easy mode, you can set the controller down and walk away, and you will win every single minigame that game will throw at you. And if I can find my mouse on here, I will show some proof of that. This is long; there are a lot of videos. I'm going to skip ahead to another one; I think this is the other good one.

So I feel like Luigi when I find Microsoft SQL running as system administrator with a password of nothing, or the one on the very next IP next to it: sa, password "password". It makes it really easy; you just have to show up and you basically own a network. That doesn't happen very often, though.

So let's go into, real quick, some things that I do not like about pen testing. My boss's boss is one of them. Fully external penetration tests with no social engineering: that's the classic example of destroying a scope, like it won't let you do a whole lot, because, you know, firewalls work. What do you want? Which leads into my other one: scope. Scope will kill you and limit you in what you can do. There have been a couple of times I've seen, hey, this system over here is vulnerable, just basically using the application, let's say a web application, and it's relying on another component that I can tell is vulnerable, but it's not part of the scope. I can't touch that system actively or do anything like that, so that's going to hinder the test a little bit. Which is fine, if that's what the customer is looking for, or if they're looking to test one specific application, that's fine, but it can't go unmentioned. So I like to mention that to them, and how we mention it to them is the next part that I don't like about pentesting, which is the reporting. Reporting sucks. There have been times where my boss and my boss's boss in the back have asked me to bang out a 45-page report in two or three days. It sucks. It's not a lot of fun. It ends up with me sitting in my apartment for eight or ten hours compiling a bunch of content in a Word document, and that's my day, and that sometimes tends to be my night. Not fantastic.

But all the negatives are offset by the things that I love about it. It's fantastic. I get to do things that I wouldn't legally be able to do. How fun is that? I don't want to go to jail; I wouldn't fare very well. I'm not a fighter. I will not dignify that with a response. I love getting passwords for admins who are logged into the systems; it's incredible. I've seen passwords that you probably shouldn't be using as passwords in your corporate environment, and I have had to ping a coworker before and be like, "They asked us to publish all the passwords we found. That might get him fired. What do we do?" So we ended up redacting most of it, just to be nice guys, but I know that admin saw that report, and I know he knows that we saw that password, which just makes me smile.

Another thing I like: I've gotten into a company's phone systems because they were recording every call in and out of every phone and storing it on a central server for the past six years. That's fun, being able to listen to conference calls about promotions that they're going to give out to their customers coming up pretty soon. Handy things to know. Gaining access to personally identifiable information, that's always fun. Again, like I said, passwords in clear text, or clear-text passwords stored on open shares; that's one of my favorites. But most importantly, the best thing that I really love about this job and everything I'm able to do is being the baseball bat. Companies hire us sometimes knowing they're vulnerable to a lot of things, and they want the report to prove it to upper management. We get to come in and be that weapon for change in that company. It's an incredible feeling to hear the guys say, "This is going to give me so much ammunition to get everything changed in our environment." Can't get much better than that, because you are the catalyst for that change to make people more secure. So that's pretty much the biggest takeaway that I have from this job.

What about you guys? Everybody that wants to get into this industry, wants to start doing this professionally: you have to commit to it. I was hanging around the industry, monitoring, participating, for eight or nine years before I even felt I was ready to do this. It's a big commitment. You have to know what you're doing before you can let loose all these hacker tools in somebody's environment, because it'll knock a lot of stuff over and cause outages if you're not careful. It's a way of life. You need to stay up to date; if you're not monitoring feeds and everything, you're going to be left way behind and you're going to start getting worse at what you're doing. It's a lifelong commitment; you have to keep doing it for as long as you want a job doing it. And then one of my biggest ones is the community. This local community has done leaps and bounds more for me personally than I would have ever imagined. It has made some of the most key connections for me to learn the things that I need, to ping the people that are incredible at said subject, and they're way open about it and teach me everything that they know. Just that collaboration is incredible and invaluable, in my opinion. I know many people that have gotten jobs through coming to the hackerspace and hanging out and talking to people. That's the way you want to do it.

So I'm ending really quick. I got through those slides a lot quicker than I thought I would, but that'll give everybody a break to go see some of the other stuff that's going on. Here's my contact information. I'm on Twitter; I'm somewhat active on it. My email, for non-work stuff: feel free to ping me about anything you want, anytime. I will respond. Or if you want to talk work stuff, Danny at sec ideas.com. Other than that, I think I'm done.