
I'm Andy Gill and I'm going to do a talk about something. I haven't just written these slides, honestly; they've been written for about ten minutes, so we'll get there, I'll be fine. So if you read the brief you might have thought it was about pen testing and learning about [ __ ] and winging it and stuff like that, and you might be sort of right. Okay, pen testing, but anyway.

Who am I? I'm ZephrFish, or Andy Gill. You might know me for several reasons. I wrote a book and some people seem to enjoy it; if you've not read it, it's called [ __ ], buy it, it's great. You also might know me because I go to a lot of security conferences and I talk at people, but nobody asks me to do talks, so this is the first time in about three years I've done a talk at a security conference, so it may be okay. FC and Jessica Barker were joking at the start about what's the worst that could happen on stage; I'll probably [ __ ] myself, hopefully that doesn't happen, so we'll go for it. The other reason you might know me: a couple of years ago I found quite a few bugs in a quite well-known website, some of you might have heard of it, it has videos for people, and if you don't know, Google my name and you'll find out. This is a safe-for-work talk, guys.

I also work, so my day job: I work for a company called Pen Test Partners as a security consultant, so I break [ __ ] for a living and I get paid for it; it's creative fun. In my evenings I spend my time kicking things, breaking things, hacking things, good films and driving places, sometimes in that order, because it's quite good fun. Come on guys, I've only just started, I've not even got into the interesting stuff yet, I'm just talking about myself. So that's me. I am not dead, although some of you might have been led to
believe last night on Twitter that I was dead. That's red wine. I saw an opportunity and I took it, as you should do in pen testing, always. Apart from being a techie and all that [ __ ], I'm also a black belt, so I'm not only a keyboard warrior, I can break your legs if I want to, so there's that.

So, the talk for today: we're going to understand pen testing, I'm going to give you a few tips and tricks, what I've learned through my time in pen testing, which is about four years, some lessons that I wish I'd known before I got into pen testing, and the different traits that a tester can have, so it's not all about hacking, there are other aspects of things, and how to be a better person and see stuff as a pen tester slash hacker. Because it's not all popping shells, it's not all sunshine and rainbows as they'd like you to see it, but it's good fun.

So, okay, Google "penetration testing": if you've not heard of it before, it's the art of finding holes in certain websites, or in the real world, hacking things. It's a good conversation starter, certainly when you're chatting to a bunch of muggles who have no idea what you're talking about. They ask you what you do, you go "I'm a penetration tester", and they're like "right, what's that?" Well, it's not what you think: I find holes in computers and break things and fix bits and pieces. But it's also good for a laugh when you follow up with "I find holes in Pornhub" and they go "there's a lot of holes on that website, don't you know it".

So really, what is pen testing? The expectation, as I've already said, is popping shells all day, hacking all the things, and yes, there is quite a lot of that, but the reality is you're working as a consultant, and for our clients there's a massive human aspect of things. Once you break something you need to explain to the client: well, yes, I broke your thing, but this is how you fix it and this is why it's a problem. I was recently on site with a client and they had MS08-067, which I'm sure most of you know about; if you don't, it's probably one of the most famous remote code execution vulnerabilities. It was like, "yep, this is a problem". "No, no, no, it's fine, they're not internet-facing machines." "Yes, but your staff still get to them at some point, and these things are still sensitive." They're like, "nah, that'll never happen", and like a month later, "somebody's run off with our customer database". I did tell you this. And once it's gone, it's gone. So that's what happens in pen testing: you tell people that their stuff's broken and you try to help them. A little lesson there.
Yeah, so what are you going to do? Anyway, you also need to be the king or queen of analogies when you're explaining things to the business, because you can't just go "well, I found XSS, CSRF, SSRF and all that stuff" and the business guy goes "what?" So anyway, I'm rattling through this talk.

So, tips and tricks: the good, the bad, the downright ugly. These are the do's of pen testing. When you're hacking away, read the [ __ ] manual, always, if you have time, because sometimes you can pull up the framework or the app and it's always worth doing. So if you've got something like an Oracle product, you look at it and you go "ah well, some guy called David Litchfield found a bunch of vulnerabilities in it", and you can go and use them straight away: you've got XSS with it, SQL injection or something else. So those are quick wins, looking at little bits and pieces that might fall over under stress in certain environments.

You've also got to not be afraid of Googling things like a ninja. In pen testing it's inevitable you're going to come across something on site, you're going to find an application you've never seen before; you may have seen something like it, but maybe you don't know how to, so go and ask Google how to do this. A lot of people will say "I don't do that". You do, you do. If you think about it, you go "well, I've seen XSS before, but I'm lost in this environment". XSS, for those who don't know, is cross-site scripting: executing JavaScript in our victim's browser. So you might see that one tag is filtered out, you might try something else, and Googling it, you find out what stopped you. It's good.

As well as that, on an application, actually use it before you start hacking stuff, because some functionality can also be a bug. You have the common phrase "it's not a bug, it's a feature", but a lot of the time that stuff can lead to more serious issues, so use it before you go breaking it. The other aspect of that is, if you start hacking things before you actually use it, and you break it to an extent that it's no longer usable, how are you going to work out what the risk is to the business? Do you go "oh yeah, XSS, the app doesn't work anymore"? And they're like "well, yeah, that's great, but can you elaborate on why it's a problem, or what users are impacted?" If you break it and can't use it, you won't find the interesting stuff; do that on day one and
you're screwed, basically. The other tips I have are: if you can't use Google, if you're on site, always ask a colleague. You'll be surprised how much people know more than you, and the little things you forget; you can use them and it's really, really useful. Also, being on site on your own can be quite lonely, so maybe don't ask the client how this works, or maybe do; it just depends. Always gauge your situation and what you're doing.

So Google like a ninja, and when it comes to [ __ ], try HTTP and HTTPS on kind of random ports. You'd be surprised what runs on HTTP. I've found things running on like port 10,000 or 11,000, and it's an admin interface for like a back-end database, or the intranet, and people go "they wouldn't ever find that, it's on a high port, no one scans high ports". It's true, some people don't, but the people who do find the golden treasure troves, so it's worth doing. There are other random things where you find really high ports, so always do a full port scan if you can, because you can find things running. You can use netcat to connect to it and find out what it is; use FTP, use telnet, things that are very old but are still vulnerable, and people still run telnet on port 10,000 because "it'll be fine, it's safe". So people like admins, they do weird things. So that's the do's of pen testing.

The don'ts: don't do these things, bad things happen. Okay, so when you're testing away, and I know someone who's done this, don't run spider. Just don't. Just flicking spider on and going for lunch; really bad things happen. I had a colleague in a previous company who ran spider on a WordPress site, and it came across, he had automatically submit forms on, so when it finds a function, it's done. And it had a function that was delete table, no, that's not right, drop tables. So it's in the spider, drop tables. That's fine if you catch it, but he wiped the
entire client production database, their dev database and their pre-prod database, in the space of an hour. I was like, "how are you doing?" "Yeah, it's a great test, having fun, and the app's down." "What? Okay, why is the app down?" "So the app's down, and yeah, everything's down." "Okay, care to elaborate?" "There's no data." "Where's the data gone?" So they go to the logs and say "oh yeah, we found the function that dropped tables", and you can go and find the kid who thought that was a good idea. So anyway, don't spider things straight away.

Also, if you're using Burp Suite, don't just right-click on the root of the web root and run active scan, because that can also cause problems. I was on site recently and there was a web interface for a virtual desktop environment that had a shutdown function, which is fine for admins because you obviously need to shut down boxes, and you'd think maybe there's authentication or something, but no, who needs authentication on an internal network? So if you were to active scan that (we didn't do it, but we asked the client) we could just shut down their boxes: just pick a box and go "going to shut that one down, that one down and that one down", because why not. There was disaster recovery, but I don't know who thought that was a good idea, but alas.

Always make sure as well, when you're given a target range by a client to scan, check it's the right range, because if you're testing externally, the worst thing that can happen is the client goes "yeah, so my range is 192.168.1.x" and you're like "is it? Is it really? And where am I going to be located to reach that? Have you given me a VPN?" "Oh no, you don't need a VPN, we can access it fine from our systems." It's like, yeah. The other problem is, as a human, you will sometimes make mistakes, so always be careful what you type into the web browser. If you mistype the domain by a single character, stuff can go wrong. It hasn't happened to me personally, but one of my colleagues, not from the company I'm at now, entered the URL wrong and was hacking it for five days, no problem, until the client goes "yeah, that's not ours". So don't be that guy.

As well, the other don't is always be careful what kind of bandwidth you've got, network-wise. In my personal time I do like research, and I have a 10 gig dedicated server, and normally that's great for testing and everything else, but when you go to test applications
just be careful you're not battering someone with 10 gigs when they've only got a fraction of that. It happens, I've seen it. I was doing research and the site went down; I was like "[ __ ], the site's down, what did I do?" Then I did it from my lesser VPS, nothing massive, and oh, it's the bandwidth. You need to be careful how much bandwidth you're throwing at it, so it's worth looking into and being careful. So they're the do's and don'ts of testing.

So the lessons that I want to teach you as a potential pen tester. On-site 101: always pack everything, be prepared for anything. If you're rocking up to a data centre, pack warm clothes; it's cold in there. Pack cold food, have a long Ethernet cable, have a switch, have an extension lead; basically go in like you're ready for war. Have a camping chair, because the floor is comfy for a day, but if you're on site for five days it's not fun, believe me, I have done it. Have a USB Ethernet adapter, multiples of them, because one can fail. You can be convinced the night before that it was working, rock up at the client, and it's like "yep, it's definitely your fault, your infrastructure is broken", then find out your Ethernet adapter has died. Always have multiples. Always have a USB stick on you if you need to transfer things to the client; make sure it's encrypted and only has on it what needs to be there. Don't be silly.

Also, be prepared for things not to work. Anyone who's been on site as a pen tester, or as an IR consultant, or anything: day one is normally a write-off. Normally. Sometimes it's fine; sometimes something goes wrong. "Yeah, we knew you were coming, we've known this for three months, but we're not ready." "Okay, cool, that's fine, we'll just wait for you." You get there for one, and "yep, we're still waiting for the change order to go through" and all that stuff. It happens. Anyone who's a pen tester, half the room will have experienced it at some point; if you haven't, you've got fantastic clients and I feel
really bad for you that you're missing today because you're on site. Alas, anyway.

So let's talk winging it. Most folks are winging it, and if they tell you they're not, they're lying, or they've probably been in the business for a while and do everything up here. But not winging it in the sense of "I have no idea what I'm doing"; it's more that every opportunity is a learning opportunity. A colleague of mine described it as experimenting: so you're not necessarily learning a new technology and then going "I'm just going to hack it"; you're learning a new technology, experimenting with it, and then trying to find stuff. It usually ends up being you find a technology one week that you've never dealt with before, but you've found something somewhere else and you can apply the same methodology, the same motions, to that, to go and hack this somewhere new. It's really good from that perspective, and it works fifty percent of the time, every time. So there's that.

The other hats of a tester: a pen tester can have many hats, not in this case black hat, white hat and grey hat, which if you've not heard of them are the good guys, the bad guys and the guys who are not quite sure if they're good, but alas. You have the range of traits that I deal with as a tester on a day-to-day basis. You know, hacker: yes, you're finding holes, you find problems. Consultant: you're helping the business fix things. You're also helping the blue team in some aspects of things, so if you break something, you're working with the recovery, the response, the forensics, everything. You're learning on the go. And this is a quote, it's not really related to this slide, but I found it quite funny anyway; one of my colleagues, this is his motto for testing: "something something root". So you rock up, you go "let's try this", root, no bother. So it usually works.

So yeah, you've got the different traits. The trait of being a hacker, you don't really get taught that at university; what you don't get taught, of course, is the business aspect of things. So, being a business hacker, you get all these amazing acronyms, and you've got XSS, CSRF, SSRF, BEAST, POODLE, ROBOT, SSL; you could put pretty much anything in there. Being in a boardroom and seeing this, or if you're in a boardroom you end up seeing this, and you've got a lot of people that will just look at you blankly, just not understanding. So you need to be king or queen of what you're going to say; you need to be able to articulate to both the technical wizards and the C-level
executives. My old boss used to say, imagine you're teaching your granny; imagine, in your executive summary, you're explaining it to an old person. What the phrase used to be is "imagine you're teaching a toddler", but a lot of toddlers these days are smarter than C-level execs. So you've got that. I'm thankful you guys laughed; I was like, [ __ ], is that going to make you laugh or not? But yes, you've got that: imagine you're teaching your granny, any time. So any pen tester, anything with a business risk summary, executive summary, imagine you're teaching your granny, imagine you're explaining it to her. So your granny doesn't know what XSS is, you know, or SSRF; they don't know what SSL is, or they might know SSL as "you see the padlock"; some people describe it as "the handbag in my browser". Not so fresh, but yes, it's fair. So you need to articulate what these things are and try to break them down. If you're looking at something like SSL, you're like, well, that's encryption and it's keeping your data safe, and it's making sure that bad guys can't see that you're on Amazon buying your shopping, or bad guys can't see what you're browsing on YouTube and stuff like that. Or you've got things like XSS: so a bad guy, or a good guy, or whoever, it doesn't matter, gender-inclusive and all that stuff, can execute malicious code in your browser and therefore steal your session, and steal your shopping potentially. So it's thinking about it like that.

As well as being a business hacker, you also need to be a people person. Being a hacker, well, a lot of hackers are introverts; I'm quite a social guy, so I find myself a people person. But you need to be able to manage your situation, so it's a case of advising the clients when things go wrong. You need to be able to communicate that to the client; you need to be able to articulate things in a way that you then become a consultant more than a hacker, so you're able to advise when things are happening. So if you report something to clients; one example: they called the client and said "yes, something's gone wrong", but they didn't follow up with an email, so at the end of it the client went "oh no, that wasn't reported, that's been here all along". "But I told you on the phone." "No, no, no, there's nothing on paper." So always, always keep a note of everything; always try and keep notes. It's the same as anyone who's looked at the forensic process: you keep everything in a repeatable state. Your report is going to be readable by someone, so
anything that goes into your report should be communicated with the client, and also anything you say should be reported, and vice versa. So that's that.

I have rattled through that; I've talked for about 15 minutes, I apologize, but you can find me on the internet: that's my Twitter, my blog, my book, which is currently free, so anyone who's interested in getting into pen testing and security, check it out, it's pretty good. And also from my work for Pen Test Partners: we do blogs about hacking IoT things and bits and pieces, and my head of research does pretty good stuff. So I'll give you a minute to take a few pictures of that, or come and find me afterwards. And finally, do we get any questions? You've got questions, right? Are we ten minutes in, do we get any questions? I don't want to be the guy waiting about afterwards. Yeah.
So the question was, is pen testing going more towards compliance? Yes and no. You get clients who do a tick-box exercise, but a lot of clients that I work with, and that Pen Test Partners work with, want an actual pen test; they want their apps tested to be secure, or to be at an acceptable risk standard. You've got the same thing with hardware: you want your hardware to have its holes found before the bad guys do. There is a certain degree of things like Cyber Essentials, which are check-box exercises, but it means that you get a badge that you can go and work with the Ministry of Defence, which is fair enough if you're Jamie's corner shop or Jimmy's IT that wants to go and work with the MoD; you need to be Cyber Essentials certified, so it's a tick-box. I would say the majority of pen testing is probably 70/30, 70% being actual pen testing, 30% a tick-box exercise. You'll probably have things like GDPR, which people want pen tests for: "[ __ ], GDPR's coming and we need pen tested, we need to find our holes and all this stuff", but I'd say it's probably 70/30. There are some firms out there that just do check-box tests, over and over and over again, just easy ground. Easy, easy, easy, which is fine, because you're making a lot of money, but if you're a pen tester in that environment, you'd be expecting to be stretching yourself, and you'd be waiting 12 months to find something interesting. So does that answer your question? Yeah? Yep.

So, trends-wise: certainly at Pen Test Partners we've done quite a lot of work with hardware, so we've got quite a lot of Internet of Things, evil things, testing cars, we've got a lot of vehicle hacking and bits and pieces, and the trend is more towards hardware nowadays. There's a lot of people interested in things like phishing; phishing has always been interesting, it's now becoming more and more interesting because people are going "oh, GDPR's going to do everything", which is just a bunch of layers really. But the trend is more towards hardware. Other places will probably find that a lot of stuff is moving towards web, because everyone and their dog can write an app and go "oh, I'm a developer now", and that tends to be the trend in the app-testing side of things, but I'd say probably hardware. So if you're wanting to get into pen testing and hardware, the previous speakers were talking about that sort of stuff too.

So when I
said transferable methodology, it's not like "by the book, I found XSS here so I'm going to try it here"; it's more looking at the technology. So if you come across an application that, say, uses WebSockets; I came across one recently that uses WebSockets and is using that as the transport for everything, so you look at similar techniques you've used against apps previously. So I'd found previously that an application has object references, references by one, two, three, so I iterated through them; using the WebSocket, the same things apply that way. It's not just going "yes, from this, this is directly transferable"; it's thinking, being more fluid with it. So no, it's not like waiting for... Knowing when to Google things is more like: you've heard of it, you sort of understand it, go and read about it, the documentation, that sort of thing. That's what I'm saying. Also, Google's really helpful for the random flags in tools, so if you're using a really old tool, you've not used it in ages, or you've never used it, you're like "[ __ ], what's the flag for this?" It can be really useful to go and read the man page; man pages are really useful. I hope that answers it.
It depends on the job, and it depends on the knowledge as well. Some applications will be brand new technology that you've never seen before, and you end up finding bugs by accident; you end up going "well, I've found SQL injection here, and it's blind", but it's not like it's trivial: you'd only get the app sleeping for like one, two, three seconds, that type of thing, and you want to dig into it and find more. So it really depends on the length of the job. If you've got, say, a one or two day test with one day reporting, you're not going to have enough time to write an exploit; or if you do, you know... it just varies. Sometimes you'll get like a 20 day test, which is fantastic, you've got enough time to look at like a whole framework or something and go in really deep, but it just depends. But also, the kind of person that I am, I do like bug bounties and stuff in my free time, and I find myself doing a lot of research with that, which helps with the day job. So I'll find something on a bug bounty, which earns a bit of cash, whatever, but then I'll see it on a customer job a couple of weeks later and go "I've seen that before, I can go and apply that". It's so empirical; it depends on the length of the job, it depends on how interesting it is, it depends on the technology, if you've seen it before; there's lots of factors, but that's a really vague answer. Yeah.

I don't think that, to be honest. I don't think that'll ever happen. I think the human aspect of things is always going to be valuable. You'll get clients, I mean, there are already automated solutions out there; there's AV that is maybe next-generation, amazing, but it still gets bypassed. The computer is only as smart as the person who created it. I mean, you have "artificial intelligence" businesses with it in their name, you know, and all that, but you still need the human aspect of things, because you make mistakes as humans, but if you take
everything by the book from AI and go "oh, this said that we're vulnerable to this", and it ends up being a false positive, it might be able to correct itself, but if you want a human to step in and go "that's absolutely a false positive", you take that as gospel and it'll be wrong. But that's my opinion. I don't think there will ever be a time for pen testers to be replaced; I think pen testers will evolve over time and maybe incorporate it.

I think it will be... well, that is a problem. I mean, that falls into the check-box side; that is a problem over there. A lot of check-box test people will just click and run Nessus. There are some consultancies out there, I'm not going to name them, but they will send a graduate and they'll drop Nessus on an internal network, just run it, export the Nessus report and go "there's your report". There's no value there: the tester isn't learning, the client's not getting anything they couldn't get themselves from Nessus. No problem using this as an example; there are many tools like that that do it, but Nessus is one of the most popular. So there's no value in that side of things, but the client's like "I've got my check box, I'm happy". So it's up to the professional, and I'd say from a client perspective, nobody's getting any value out of that; you get a gold star with a little star next to it, and you can [ __ ] off. I said I wasn't going to swear. Anyone else?

Thanks for coming along to my first talk in three years at a security conference. I'll be speaking at BSides Glasgow on the Internet of Death, so if you fancy seeing that, come up to Glasgow; it's not far on the train from here, and it'll be a great conference, being run by... that's fun. So yeah. [Applause]
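Editor's addition after the talk: the two scoping slips the speaker describes in the do's and don'ts (a client offering 192.168.1.x as the target of an external test, and a colleague spending five days on a mistyped domain) can both be caught before the first packet goes out. The Python below is an added example and is not code from the talk or from Pen Test Partners; the Scope structure, the check_scope and check_target functions, and every range and hostname in it are constructed for illustration.

```python
# Pre-scan scope check for a pen-test target list. Added example; this is
# not code from the talk or from Pen Test Partners. It catches the two
# scoping mistakes described above before any packet is sent: an "external"
# range that is really RFC 1918 space, and a target mistyped by a keystroke
# or two. All ranges and hostnames below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Address space an internet-based tester cannot reach without a VPN.
# Listed explicitly rather than via is_private, which in Python also treats
# documentation ranges such as 203.0.113.0/24 as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


@dataclass(frozen=True)
class Scope:
    networks: tuple   # ipaddress networks copied from the signed scope document
    hostnames: tuple  # exact hostnames, or "*.example.com" for a whole domain
    external: bool    # True when testing from the internet rather than over a client VPN


def make_scope(cidrs, hostnames, external):
    """Build a Scope from strings, e.g. make_scope(("203.0.113.0/24",), ("*.example.com",), True)."""
    nets = tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return Scope(nets, tuple(h.lower().rstrip(".") for h in hostnames), external)


def levenshtein(a, b):
    """Edit distance; used to spot a target one or two keystrokes from an in-scope name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_matches(host, pattern):
    """'*.example.com' matches example.com and anything beneath it; otherwise exact match."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def check_target(target, scope):
    """Classify one target as ('ok' | 'unreachable_externally' | 'possible_typo'
    | 'out_of_scope', reason)."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None

    if addr is not None:
        if scope.external and any(addr in net for net in NON_ROUTABLE):
            return ("unreachable_externally",
                    f"{addr} is private or link-local space; ask the client how you are meant to reach it")
        if any(addr in net for net in scope.networks):
            return ("ok", f"{addr} is inside an agreed range")
        return ("out_of_scope", f"{addr} is not inside any agreed range")

    if any(host_matches(target, p) for p in scope.hostnames):
        return ("ok", f"{target} matches the agreed hostnames")

    # Compare the tail of the target with each in-scope domain, so that
    # www.exmaple.com is reported as a typo of example.com, not ignored.
    labels = target.split(".")
    for pattern in scope.hostnames:
        base = pattern[2:] if pattern.startswith("*.") else pattern
        tail = ".".join(labels[-len(base.split(".")):])
        distance = levenshtein(tail, base)
        if 0 < distance <= 2:
            return ("possible_typo", f"{target} is {distance} edit(s) from in-scope {base}")
    return ("out_of_scope", f"{target} is not an agreed hostname")


def check_scope(targets, scope):
    """Check every target. Returns (safe_to_scan, {target: (status, reason)});
    only start the scanner when safe_to_scan is True."""
    results = {t: check_target(t, scope) for t in targets}
    return all(status == "ok" for status, _ in results.values()), results


# Constructed scope document: one documentation range plus one domain, external test.
EXAMPLE_SCOPE = make_scope(("203.0.113.0/24",), ("*.example.com",), external=True)

if __name__ == "__main__":
    targets = ["203.0.113.10", "www.example.com", "192.168.1.20",
               "www.exmaple.com", "198.51.100.7"]
    safe, results = check_scope(targets, EXAMPLE_SCOPE)
    for status, reason in results.values():
        print(f"{status:22} {reason}")
    print("safe to scan" if safe else "STOP: go back to the client before scanning")
```

Run as a script it classifies the constructed target list. The habit worth keeping is the one the talk describes: refuse to start the scanner until every target comes back as ok, and take an unreachable_externally or possible_typo result straight back to the client rather than guessing what they meant.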