
Adam Compton - Hillbilly Storytime - Pentest Fails

BSides Knoxville · 45:42 · 184 views · Published 2017-06
About this talk
Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to take a load off for a bit, come and join in as a hillbilly spins a yarn about a group of unfortunate pentesters and their misadventures. All stories and events are true (but the names have been changed to prevent embarrassment).
Transcript (en)

All right, welcome back. So our next talk up, Adam and I were just talking about this. Adam's had the distinct pleasure of being here every year we've been doing BSides, so he's been a speaker every single year. So, round of applause for Adam for that. Yeah, that low enthusiasm, I'm disappointed. Yeah, there you go, thank you, raise it up a level. All right, so this should be a really fun talk. Adam's here to tell us some pen test fail stories, so take it away, Adam.

So welcome to BSides Knoxville, the live edition of Hillbilly Story Time: Pen Test Fails, with me, Adam Compton. If you've seen me online or at another con, thank you for attending. For this time, I'm going to be up here talking about some pen test fails, some issues that maybe I or people I've worked with have had over the years with pen testing, maybe some lessons learned that we've learned from it over the years. In general, just hoping to have a good time in here and share a few stories. Maybe at the end, if there's time, one of y'all, if you want to share a story of

your own, I'd be happy to give you the stage and let you share a story if you want to. But anyway, let's jump into this. So, me. Nothing much about me. I've been doing InfoSec for around 18-plus years now, probably closer to 20, honestly. In that time I've done a little bit of everything: pen testing, social engineering, research, code development, you name it, I've probably done it at some point. Currently I'm a pen tester for Rapid7. Love the company, it's been fun for me so far, so hoping to stay there for a while. But on top of everything else, more importantly than that, I am a

father, husband, son and brother. Love my family. If it wasn't for them, I wouldn't get to come out and do these kind of fun little presentations, and I love them, they give me a chance to get out and do stuff. So yes, yes, absolutely. I think I'm missing grandfather in there as well, or maybe cousin, I'm not sure. But no, no, no, I'm not from West Virginia. Apologies to anyone from West Virginia out there that's watching this, especially because you're from West Virginia, but no, no issues there. I have lots of friends from West Virginia. I buy them shoes every once in a while.

So honestly, as I was talking about... whoa, come on. So what are we going to be talking about today? As the slide said, or the cover page said, as your schedule probably says, I'm here to talk about pen test fails, issues, things of that nature. Well, I'm not going to be talking about some new exploit or some new data leak or some awesome new tool, not this time. Why? Because we already get a lot of that in the media, on social media, on the news, in conference talks and all that. Everybody's all keyed up about talking about this new awesome stuff that they're doing, awesome new things that they found, things of that

nature, and that's great, we all love hearing about that. Problem is that no one ever talks about the amount of effort, the amount of work, the failures, all that that go into those discoveries. Well, that's fine, you know, we all at some level understand that that happens. But at the same time, a lot of us (you may or may not feel this, I do) sit back and you're trying to do your own research, or maybe just starting out in the field, and you're looking around and going, why can't I come up with these discoveries? Why can't I do all this awesome stuff that these other people do? It seems like these people are just

cranking out new exploits, cranking out new discoveries all the time, because that's all we ever see. We only see the awesome stuff that people are presenting out there. We're not seeing the hours, or the hundreds of hours, of work that they're putting into trial and error, getting these things to work, getting these exploits working, writing their tools. At the same time, we're not even seeing the years of experience that goes behind them being at the point where they are, in order to be able to create those. And that's what I'm hoping to do here, with both Pen Test Fails as well as the presentation today, is get the word out that people do make

mistakes. It is an ongoing road of trial and error to get to a place where you can do these great discoveries, and hopefully share out a little bit that it is okay to make mistakes. We all do it, and if you're gonna laugh about the mistakes, or share them, have other people laugh and learn a little bit, even better. Acknowledge that it's there and let's just move on. So I got started in InfoSec, like I said, about 20 years ago. When I first got started in pen testing, I knew nothing of pen testing. I started out applying for the job, got the job, show up to work the first day. Keep in mind, I didn't even know what

nmap was at this time. Straight out of college, I'd done programming, I knew C++, I knew all this stuff, I'd taken my system administration classes, so I knew how to do some Unix stuff and all that. But when it came to breaking into systems, all that, yeah, I was completely new to that. So I show up the first day, they sat me down at a desk, say, this is going to be your desk. You see that stack of equipment over there in the corner? Yeah. Build yourself a lab. That was my first day on the job: build a lab. Okay, what am I going to do with this lab? That lab is going to be your world

for the next however long you're going to live here and work here. That's going to be your test environment. That's where you're going to test new exploits, where you're going to try out new tools, where you're trying out new fixes and patches, things of that nature. Anything you want to learn, you learn with that, and you share with us and we share with you. Like-minded. Well, that's great. So I got started with this, I started building up my network, it's going good. Second week of work comes around: you're going on an engagement. Okay. I've been doing this all of five days now, I'm totally qualified to do a pen test. This is great.

Needless to say, I didn't do so well on that. I didn't, like, burn down the place, but I didn't really make a good showing of myself. No one expected me to, honestly. But that was the way I got started. I got thrown in feet first into the fire and told, just go with it. It took me many, many years in order to get to a point where I felt really comfortable that, look, I know how to do pen testing. Do I know how to do all of it? No. And do I make mistakes? Absolutely, probably on at least a weekly basis, if not more often. But I've learned from those mistakes, and hopefully my mistakes

now are less than they used to be, or at least smaller ones. But I still make them. But enough about me, let's jump into... actually, one more of me. Oh yeah, if you haven't noticed, most of my slides are just going to be quotes about failure and learning from them, so go ahead and read up, no issue there. But so, I will share one experience of mine that I will attribute to myself. The other ones may or may not have been me. I'm just not going to attribute it to myself, for whatever reason. Maybe it was some people in the audience, maybe it was some people I know, but I'm just leaving those open-ended. But for this first one, I was

still fairly new in pen testing. I went out and we were told to do an external engagement. That's fine. Another co-worker of mine, both of us were fairly new to the industry, we were told you're going to do this external engagement on this long list of external IPs. It was for a very large entity that gave us several IPs and /24s and what have you across the board, which is fine and all. The problem was, at that time we were running on Solaris or something of that nature, and well, we didn't know some of the limitations of the operating system, particularly of the Bourne shell and of nmap. I don't know if these scenarios would

still exist or if it still could happen, but at the time they did. The Bourne shell used to have this scenario that if you put a very long string on the command line, it would truncate it at a certain point. Well, why does that come into play? Well, us being fairly new to it all, we kicked off nmap. We're going to kick off nmap on a Friday before the engagement, we got authorization to do this, just so we can get the port scanning done before we start. Well, we typed it on in there, and we didn't do the -iL to do an input file, we just typed it all out on the command line. We typed it out, went way

out. So then we hit enter, like, we're good to go, we're going home. Saturday morning we get a phone call from our boss, who got a call from his boss, who got a call from some random company saying, why are you scanning us? We're like, uh, I don't know. But come to find out, not only did the Bourne shell truncate the command line for us, as you can see, it would go through and it just truncated about right there, so you get octet.octet.some number. Well, nmap was very happy to go ahead and take that and append... well, it's just three parts of a dotted octet, so it went

ahead and put a .0/24 at the end, assuming that's what you wanted. Well, that is a customer. That was some random customer out there on the internet. Turns out it was a motor, I mean, it was an automotive company, and they were okay with it after we tried to explain what was going on. The end of the story was that we scanned the wrong company. The company was okay. All they asked from it, to make everything right, was for us to tell them if we found anything. We're happy to do that, like, yeah, we found you had a few web servers and whatnot out there. And they're like, okay, nope, just don't do it again.

Of course, all the more senior people on the team had a great laugh about this, and they didn't realize too much about it. We were up there and they were just talking about it and saying, look, you've made a mistake, we all do it, learn from it and move on. And that, sort of early on in my career, that was a great thing to hear, just to move on, learn from it and move on, because that sort of guided the rest of my career, knowing that if I do make a mistake, I probably won't get fired because of it immediately, unless it was something really bad, and that's a totally different talk. But for the more,

less critical issues, even some of those you can work it off, you can figure it out and move on and learn from those mistakes so you don't make them again. Now this time, really, enough about me. Let's jump into some of the more entertaining stories that I've collected over the years from co-workers and what have you. Get a drink here. So if you've followed any of my online videos, I'll be reusing some of the names and everything from that. If not, welcome to the Story Time. So to keep things anonymous, to keep things political, I mean, to protect the egos of the guilty, so I say, we're going to be going with

some random company out there, let's call them Cheap Pen Test R Us. They were contracted to perform, in this case, an external pen test of two different locations. There's two different stories in general, but still, they were contracted to do an external engagement. So the first thing they did is they went and they started doing the external scanning, and they're working away on it. The guys are pen testing away, and well, they're finding a few things, nothing great, and then they come across a website. They're like, oh, this looks really interesting, this is a web-based internet camera. I wonder what we can do with this? So they're banging away at it, not finding anything. They do a Google search: oh, it

has default creds, let's log in. They log in with default creds, they're like, oh, got in. And they're seeing a video screen of, like, outside somebody's window. It's like, oh, okay. Oh, it has pan and tilt and zoom buttons here, that's great, let's pan around. They're panning around and they see a whiteboard, a desk and stuff like that. Well, there appears to be, like, documents on the desk and writing on the whiteboard that might be IPs, might be user credentials, might be other sensitive information. So they're trying to zoom in on it, and the camera zooms back to the default position. Hmm, that's kind of weird. So they try to do it again. About a minute or two

into it, it zooms, it pans back to the default position. Oh, that's kind of weird. So they do a little bit of Google searching again, or search engine of your choice, and they come across the model number and all that. They're going to look it up. Okay, well, it turns out that this isn't something like a little bitty tiny camera, this is like a big security camera, but like, you can see it when it moves, and it apparently makes some sort of noise when it moves, like, whatever, and it makes a lot of noise as it moves around. They're like, but I don't see anything that has, like, a default reset after X amount of time.

Well, so be it. They go back and they start messing with it again, panning it around. This time it resets, but there's somebody staring into it this time. They're like, oh, let's go. So they close out, they cut it out and walk away. At the end of the engagement, they're talking to the point of contact for the customer. They're like, what was going on here? They're like, oh, that's our camera that we use to do our weather feed for our internet website for the university. They're like, oh, so when we were panning around and looking at those things on the whiteboard and the passwords and stuff, that was being streamed to the internet? Yeah.

Sorry. So, but the customer did learn that they need to change the default password, stuff like that. But it's one of those things that if you're attacking a web camera or something like that, you might want to look at what that's being used for, and maybe verify some of that stuff. Another scenario with a webcam, or webcams in this case, sticking to the theme: they were engaged to do another external, this time for a legal office, attorney's office, something of that nature. So they're doing the engagement, same sort of thing. They find a website, they do X number of standard things, phishing campaigns, stuff like that, but they also come across a couple webcams. Again,

a Google search later, they come back with default creds. They log in, they're looking around, they're like, wait a second, we got in with these webcams, we're seeing a lot of stuff. What are we targeting? Oh, it's a legal office. Why am I seeing a hallway, a cafeteria, oh, and a playground and a classroom? Wait a second, let's look this up. They go and search it up. Oh, and those IP ranges actually belong to some elementary school in the area. They're like, okay, does this legal office run a school? No. They call the customer. Customer's like, oh yeah, sorry about that, we used to own that IP range, but we got rid of that

a couple years ago. Okay, and you still gave that to us as the target? Yeah, sorry, my bad. So luckily the powers that be, the upper management, whatever, went out to the school system and they just brushed it off, what have you, no issue there. But the problem here was that you can't always trust what the customer gives you. You need to double check what they give you. And many times you have to double check what you're putting in yourself, in your own commands, like is it being truncated or not, as in before. But this time you can't even trust what the customer gives you. You have to learn from that, and now

myself, I always double check everything if I can help it. Even if I have somebody else on the team, I try to double check what they do. But it's just one of those things you just learn over time and what have you. Jumping on to the next one here, another set of stories here. So it's time to get a little more into the physical realm of pen testing here. So continuing the thing with Cheap Pen Test R Us, Cheap Pen Test R Us was contracted to do a couple physical engagements, well, one in particular that I'm going to be telling the story about. So you had one of the guys from the company, they were told, go to this

location. It's somewhere in Manhattan, mind you, the first location was. So they go up to Manhattan and they're told, this is your company building, they're going to be on floor 13 or something like that of the building. So, okay, that's fine. So they go up there, they get there a little early. It's going to be a physical, trying to find a way in. They're walking around the outside of the building, they're like, okay, this is good. I see the guard's desk is there, I see the elevator bank is over there, no turnstiles, okay, this is good, we can do this. They walk around, they find the loading dock. All this time they're not noticing that the security guard inside

is keeping an eye on them. So they walk around the other side of the building, they keep finding stuff, they walk by the other set of doors, security guards are standing at the door staring at them. They're like, oh, that's kind of creepy, but okay, being aware of that. So they're walking around, they come back later in the day after everything's calmed down, they try to break into the building. They get in the front, they get to the elevator, they push 13, they get up to the floor, they get off and they're looking around. They're like, what company are we attacking? It's company ABC. And they're looking around, they're like, oh, this is for Acme Corp. Wait a second.

They go back down, they go outside the building, they're like, oh, that's the building we're supposed to be attacking. Oops. So luckily they didn't break into anything really, they just went to the floor, so no harm, no foul there. But there again, double check everything, even if you're trying to break into a building, especially if you're trying to break into a building. Make sure you have legal authorization to go into that building. So no wonder the guard was kind of suspicious. He had no idea what was going on, but probably wouldn't have anyway. So they move on to the real location, they do that engagement, that's fine. This particular customer had another location, it was out in the boroughs a little bit.

So they make their way out there. They're going through this building, they get in with some pretext, they're there to do it or what have you. They get into the building, they're walking around, they set their stuff down on one of the desks. They find a little room that they can work out of, they set down their stuff, they connect into the network, check a few things, that's all great and all. So then they try to make their way and see if they can find other ways in, maybe back doors or whatever. They go over to the front, or to the side door there, they're checking the door, they open it up, look outside. Oh yeah,

this is pretty good. The door closes. Wait, did my... the door is locked. Oh no, this ain't good. Why didn't you grab the door? I thought you would grab the door. Either way, no one grabbed the door, the door's shut, they're stuck outside, and all their fake credentials and everything was in their bag, which is in that office, which is inside the building. So now they have the fun time of trying to break back into the building without any of their stuff that they used to break into the building the first time. But they eventually do it. It takes much longer than they expected, they have to go back after hours, go through doors and all. But it's another one of those where

no one was communicating, no one knew what was going on. They were both just goofing around, trying to do it. Oh, look, we got in, this is great. Oh crap, we're just locked out. Okay. But it's just a little funny anecdote there. Now this is one that happened to us... that happened to people I know, I should say. I may have been involved, I don't know, I'm not admitting to it. That happened a good number of years ago, probably, I don't know, 10 years ago or so. Trying to do a pen test for a company, doing an external, hitting up their website, doing all kinds of stuff trying to get in, spent many, many hours on this,

getting nowhere. Possibly come across a SQL injection on a website. Finally working at it, way into the wee hours of the morning, or late hours of night I should say, and finally get in. Tired, not feeling good, finally getting like, yes, we got in. We got a very remedial remote shell into the system. We're trying to do something else with it, trying to type other commands, see what's going on. Some of, most of, our commands aren't working, they're not connecting back out, or other remote shells or more persistent stuff isn't working. We're not figuring out what's going on, can't figure it out. There was an intern with us who sat there and said, oh, I have an idea. We'd already run

through all of our ideas, we couldn't figure out what was going on. He's like, you know, that target is a Windows box, okay. Windows Firewall has great logging on it. When it's enabled, it will tell you everything that it's blocking and all that. Oh yeah, that's great. He goes, why don't we enable that, and so we can figure out what's blocking. Like, okay, it makes sense to me, I'm tired, I don't feel like messing with it. Oh crap, we lost our connection. The one way that we'd worked out, and this is a short engagement, mind you, we worked all day for this to get that one connection, and then we closed that port,

like, locked ourselves out. The customer didn't lock us out, we locked us out. Oh. So if there's anything to learn from that, it is: one, don't work when you're tired, and two, don't blindly enter any command that the intern tells you when you're tired. In general, don't trust the interns, it's a bad idea. No, interns can be great, just not when you're tired and they're tired. So, oh, what was this one? So on a different engagement here, this one happened to be a phishing engagement. I'm trying to cover the gamut here of different kinds of stories, just to give everybody a good variety here. This is one that the guys at Cheap Pen Test R Us had a little bit of an issue with a few

years ago. Well, what happened is some company, let's call them Acme, said, hey guys at Cheap Pen Test R Us, we need you to do a... I mean, do a phishing campaign against us, and here's a big long list of targets we want you to try to phish. Okay, that's fine. Well, in order to set up the campaign, that was a little grunt work, so they handed it off to the more junior guy. He's like, okay, I'll do it. He goes out there and he starts setting up stuff, and in the process he's like, wait a second, didn't we just set one of these up not too long ago? Oh yeah, we did. So I'm gonna go, I'm

gonna reuse that, copy and paste everything over, put it on the new server. It's like, okay, I've got it all set up. Everyone's like, good, good, let's go ahead and kick off the phishing. You got it all set up, right? Yeah, it's all set up. All right, so they kick off the first round of phishing emails. They wait and wait, no response, not getting any bites off the phish, nothing. Okay, even on a really bad one you expect to get something off of it. Nothing, nothing's coming back. Well, why not? So they try to do the troubleshooting now. They go through and check it out. Oh yeah, the website that the phishing email sends you to wasn't turned on.

Oops. Mr. Junior Guy, why didn't you turn on the website? I don't know, web server, I don't know, I forgot. Okay, good excuse. So this time, well, now they've burnt that first part of the list of the phishing email, they've already sent emails and it did nothing. So I guess you probably could resend to them, but your likelihood of getting successes dropped. So they choose to go into another part of the list. This time they double check that the web server is up, the mail server is up, everything's ready to go. They hit send, all the emails go off. They're waiting. Oh good, we got one hit back, so it's working this time.

They wait a little while later, another successful attempt comes back, but it's just trickling in. Not like a flood of them coming in like they used to, it's just onesie-twosies here, not a lot of them coming back. Why is this? Well, they just let it go, like, it's working, let's not jinx it, let's just let it go. Well, okay, fine, it finally finished. Well, they let it run for, I don't know, six to eight hours, and they're like, okay, that's enough, we haven't seen any success, any attempts coming in over the past hour or so, so we'll just call it. They stop it, they build their notes out, their stats.

So they're like, okay, why didn't this work, though? Why were we getting so little? So they go and look at the emails that were sent this time. Well, first, web server is up, all that's working. Then you look at the email. Wait a second, who is their customer? Acme. Why does the email say, it's talking about some company, I don't know, let's call it Jim Bob Company. Oh yeah, that's the company I copied this phishing email from. So you didn't edit the emails before you sent them out? No, was I supposed to? Yes, of course you were. They didn't change the logo image that was in the email, or the junior guy

didn't, he didn't change the verbiage in the email. It was sort of a templated one, but still, it had the other company's names, like at the bottom it was signed, IT Department of Jim Bob Security Company or something like that, instead of Acme Corporation. So, okay, how can we turn this to our advantage? So trying to turn lemons into lemonade here, the team finally says, okay, look, customer, we did a phishing engagement against you, and we wanted to test how bad your people were, because even with an obvious phishing email here that was even talking about the wrong company, two percent of your people still fell victim to it. He was just trying to make some

benefit out of it, fully knowing that he screwed up in the process, or him and his team did. So there again, don't be lazy. I mean, it's okay to reuse stuff, just double check everything if you can, because if you don't, things like that will come back to bite you. I've had that happen, or seen that happen, many times with even reports. People are like, oh yeah, I've written this up before, let me copy and paste that over, and don't change the name in there, or don't change some reference or some IP, and the customer notices or what have you. I see that more times than I want to admit on reviewing other people's reports, or seeing over the years things

that have happened. Just make sure you sanitize anything that you copy and paste over. So what kind of lessons can you glean from all these stories? Sorry, I'm going a little faster than I expected here. But so, first thing: always double check everything. It doesn't matter if it's something you did, something the customer gave you, something that you've done a hundred times, double check it. You never know when you're gonna make a mistake, you never know when you fat finger something, especially external IPs. I always double check external IPs. I don't know how many times I just do a whois on it and it comes up with some random company name there. Sometimes it's valid, sometimes it's not.

In general, if something doesn't feel right, it probably isn't. If you're looking at a website and it says that it's for an elementary school and your customer isn't an elementary school, something probably happened there. You might want to double check that. Go see number one again. And finally, this is in relation to the, oh, never listen to an intern if you gain access, and also locking yourself out of the building, I would assume that would fall in there: never rely on just one access vector if you can help it. If you gain access one way, use that to gain another access vector as fast as you can, because you never

know when that one's going to go away, whether it's through some fault of the customer, in that they've detected you and blocked it, or, more likely, some fault of yourself, where you decide to delete your own access and prevent you from getting access to it again. Things happen, just saying. So those are just kind of the lessons learned. But more importantly, hold on a second.

But more importantly, don't let mistakes like that get you down. People who know me know that I make plenty of mistakes. I've been doing pen testing for 18-ish years. Over that time I've made more than my share of mistakes, I'm sure, and some of them have been pretty bad, some haven't been that bad at all. But in none of those cases have I ever let one stop me from doing pen testing. Every time, I sit back and try to figure out what went wrong. Was it a mistake of my own? Was it a mistake of the customer, and thus a mistake of my own for not double checking it or questioning it?

What happened there? How can I not let this happen again? Sure, occasionally something really bad happens and you're like, oh yeah, I'm probably gonna lose my job over that. But luckily, in my case, I've never actually lost a job over that. I'm sure I've come very close at times, but still, even in those cases, even if I had, you stop and reflect on it: what could I have done differently here? And you learn from that so that next time it doesn't happen. And if I get a chance, like I've been able to here today, as well as over the past year or whatever that I've been trying to talk about failures, share those with other people. Yeah,

sometimes they're not going to want to hear you if you're preaching or whatnot. But if you can twist it into a fun, like, oh, let me tell you about this one time that I whatever, people tend to listen to you, and they tend to get a good laugh out of it. And as long as you can keep it light-hearted, people are going to feel better about their own mistakes too. They're going to feel more apt to go out and share their own. So let's share a little bit of the knowledge out there that things don't just miraculously be perfect every time. You don't just start writing a new exploit and bat your eye and you have

the exploit. No, you're going to try and try to get that working. Well, you might actually get it working the first time, that's very rare though. You're going to try various iterations, it's going to fail and fail, and over time you're going to get it working right. And as you do this over time you're going to get better at it, sure, but you're still going to be making mistakes here and there. So it's just that, just learn that it's okay to make a mistake, and it's totally fine to laugh at those mistakes if at all possible. Okay, you might not want to laugh at somebody else's mistake if they're not laughing, but use it as a

learning experience. And finally, thank you. Questions, comments, thoughts? Anybody have a question for me, or, more importantly, does anybody have a story of their own they want to share? I got a surprise for you if you do. Come on up, anyone?

Nice surprise, come on, come on up. Yeah, okay, sure, go ahead.

yes the question is is what have what happens when you run into uh questions or issues with the soft Rules of Engagement things that aren't written down in the statement of work written down in the contract but it's things that were discussed on the phone or assumptions made by one party or the other it goes back to my other statement of always double check get it in writing if you can ask the customer in an email talk to them on the phone if need be send them an email saying I have a question about XYZ can you please give me more guidance on this and when they respond to you then it's in an email from them that might not be

like the most official response that you can get from them but at least you have something in writing from the customer stating that more appropriate is you would go to your um project manager if you're not the project manager to your opponent contact and say look we need to have further verification on this further validation [Music] information what have you so that we don't cross some line somewhere ideally those things would have been taken care of prior to an engagement sometimes they aren't it's fully acknowledged but the more that you can get an official response from the customer in writing the better you are because then at least you can go back to them later and say look you actually

told me to do this sort of thing. I'm not saying that you're doing it as sort of a CYA, but you are trying to at least get them to acknowledge that they did say something so that you have full authorization to do it. So did that answer your question? Awesome. Anybody else, any other kind of question? Yes sir. Caught on a pen... on a physical? Uh, well, most pen tests we're there with their acknowledgment; red team would be a little more appropriate for that, where they don't know we're there. Uh, the fastest we've been caught, or that I've been caught, on a physical engagement would have probably been about five minutes, and it was a very, very

small office where the receptionist, Ashley, had visual line of sight to every office. Trying to sneak by her was not easy. I actually did get by her at first and got into an office and plugged in a thumb drive, trying to launch a malicious, uh, what was it, a Word document or an Excel document. Getting ready to launch it: they use LibreOffice. Why, why does anybody use LibreOffice? I don't know. No offense to the people who develop LibreOffice, no offense to you, but our payloads don't work against that, uh, or at least my payload at that time didn't. But yeah, so that's how she caught us. We were in there going why isn't this

working, and she's looking at us. We're like oh crap, she's looking at us, hide, and she goes, can I help you? Like oh, we were just trying to... and things went bad from there. I had to pull out the get-out-of-jail-free card and all that kind of stuff. So yeah, that was us thinking we were prepared and not being prepared, because the customer was using some random software that we were not prepared for at all. So, anyone else? Oh, first, did that answer your question? Anyone else? I love telling stories, by the way, and if I can make myself look like a fool, I will. So yes, um, that would be a question for our sales

team. I am not involved in that. There's many engagements I would prefer they would have turned down, but I don't have final say in that, because some engagements just are, just, you know, like they want us to do what? Oh fine, that's what they're paying for, that's what I'll do. But nah, I haven't ever turned down an engagement myself, but I'm sure our sales team have, and I can't really speak to that, I apologize. But yeah, there's always going to be those ones that even if they didn't turn it down, you're going to be then, uh, the consultant or whatever doing it, and you're scratching your head like why are we even doing this? Like I had one

engagement where the customer, for whatever reason, there was probably a history to it, we were supposed to be doing an internal pen test. Instead we ended up doing an internal vulnerability assessment. No, we ended up doing internal ports, not even; we were scanning four ports internally and we couldn't even check one of them. Having to be like, anonymous FTP, we were not allowed to check if anonymous FTP was actually open on there. We had to ask them, get permission, and they would tell us oh, you can check on that one IP. There is an example, like why are we even doing this? I don't... you're not getting any benefit out of this, and those kind I

would prefer to turn down, but they're paying their price and we're there to do the job, so we work within that. It was officially scoped that way, so we're good. But yes, yes sir.

Uh, there might have been a scenario, there's been several scenarios where things have just went wrong. Um, one in particular was doing an engagement for a company that has a large warehouse with large, uh, label printers in it, like I'm talking sort of label printers that are like four feet wide sort of thing. Doing the internal pen test, scanning around, doing stuff. This was years and years ago when some vulnerability scanners might not have been, uh, as sensitive to printers and things of that nature as they are now. Scanning away, I'm just there for like six hours, I'm jumping side to side and I scan, and I'm almost done by the time I'm hearing

phone calls, yelling and all going on around, and they're walking around, and I just hear in the background, oh yeah, no, I'll stop printing, oh my goodness, turn it off, turn it off, enough. And then they walk in, they're like, are you about done in here? I'm like oh yeah, I'm packing up right now. They're like okay, yeah, we have an issue we're dealing with, and um, yeah, if you're fine, go ahead and we'll, we'll talk to you on, uh, a phone call or email later. All right. Most likely it was me. I can't attest that it actually was me, they didn't question me about it, but yeah, that's one scenario. Another one was

doing an internal pen test, a company that had multiple locations, command and control where the pen testers were, there's warehouses out that do, or manufacturing plants that are out, all communication went through a central processing system on the headquarters side. Start the pen test. First, up front: is there any systems that are very delicate, should not be scanned? No, we're good. 15 minutes into the scan everything goes down. Nmap took down... a port scan, not even the version scanning, just port scan, took down that messaging system. Site was down, I mean all sites were down, for an hour, costing them all manufacturing for an hour. Yelling, why did you do... the problem? You

told us everything was good. And finally one of the, uh, systems guys is like oh yeah, we told you that, to their own management, we told you that was a bad one and you never listened to us, so we told them go ahead and scan it. Thank you for making us the bad guy now. Well, luckily they were still mad at the upper management, still mad that we took it all down, but at least they had to acknowledge that it wasn't our fault, we were set up to fail on that one. But still, those are the kind of things that tend to happen. So was that a good enough story for you there?

Anyone else? Anyone else? Yes, way in the back.

Ah yes, and I'm gonna play, uh, safe on this one and go with an engagement that was years and years ago, I'm talking 15 years ago, working for a government research facility, I'll leave it at that. Uh, it was both government and civilian operated, but it was a research facility. Doing an internal scan, come across they had a bunch of, uh, Unix systems on there, SunOS, something like that, and they were exporting slash read-write to the world. Okay, that's great. Oh, I forgot to mention these are accessible from the internet. Um, why are you doing this? Oh, we have researchers around the world that need to access the system. Okay, why are you sharing out root, a

slash, to the world? Well, we don't know where they want to access, what data they want to write on there. You know you shouldn't do that, right? No, we need... they need access to anything. Well, we're telling you you shouldn't do that. Well, we're not going to listen to you, we're going to leave it like that anyway. Okay, it's your network, it's your data, you do with it as you wish. We could just give you all the recommendations we can. That was probably the worst one I've ever come across as far as that kind of environment, but we have come across several others where, especially on internal, you'll be scanning the network and you'll find some random web server

on some random port that just gives you a text box, or like a little text field with a button beside it that just says OK. You type in ls, you hit enter, you get output. Type id, hit enter: root. Oh, that's nice, you gave me a root shell. Why? Or, better yet, you do the same customer year after year, you go back to the same export that you put on there the previous year, they haven't cleaned it up even after you told them exactly how to, or you created an account and they said they would clean it up and they didn't, so you gain access immediately when you get back. Why this happens... it happens more... it only

happens enough that I can joke about it. So, and I'm sure if any of you are pen testers you probably have come across that same sort of scenario. So, so those are cases where we haven't really broke things, it's just we gained access really easy, or we just saw something that was just that horrendously unpatched or misconfigured sort of thing. Anyone? Yes.

on a new application

Conduct all batteries? Oh, that's nice. Yeah, you will occasionally come across things like that, or, I hate to say it, just the old joke of how do you check for a SQL injection: you put a tick in, hit enter. I've done that and it actually let me into a couple sites over the past couple years, and I'm like, have we not taught people enough on how to do input sanitization? Apparently not. But that, that actually worked. It's still kind of surprising. But for example, I still see MS08-067 on networks. Why? I still see NT 4.0 systems on networks. Well, I don't understand this, but they have to have their reasons, I'm sure, but

I am yet to figure out why. So let me see, I think I'm about up on time there, so if anybody has one more question or what have you. Yes, go ahead. As far as how to not make mistakes, or what to learn from, uh, from system to pen testing? Trial and error, honestly. I'll go back to what I was given when I started out: build a lab. It's a lot easier now with virtual machines and all that. Go grab, uh, what is it, um, I can't think of the name of the website now that has all the, um... VulnHub, that's the one I'm thinking of. Go out to VulnHub, set up ESXi or set

up, uh, I don't know, VirtualBox, whatever you want. Go out to VulnHub, they have tons of pre-built ISOs out there, VMs that have various levels of exploits on them, sort of like mini CTFs. Try them out. A lot of them, the older ones, have full step by step of how people have exploited them in the past. Try it yourself, go back and look at that and figure it out. Talks, stuff like that. It's really going to boil down to experience. The more you try something, the more you're going to learn it. You're gonna learn either how to do it or how not to do it, one of the... either way works great. So that's my best, uh,

suggestion on how to transition from like the system engineering or system admin to pen testing: you already know some of the basics in the background, just go ahead and grab these other vulnerable systems. If you're more of a Windows guy, stand up some Windows systems and older systems and just try to hack away at them. Try to build your own AD if you can, or, um, adtrina, then try to go at that. Just try to emulate a network and go after it. The more experience you get, whether you gain access or not, you're going to learn from it all. So, and thank you all, and I think that's about time for me, so thank you and have

a great day.
