
Thank you for coming, and welcome to my talk with a very unsexy title [unclear]. If you see signs of nervousness, please bear with me, because I'm super nervous. I usually talk quickly when I'm nervous, so please tell me if I speak too quickly or if my English is going down.

I'm here to speak to you about penetration testing, the differences between penetration testing and CTF, and mindsets, and to give you tips, because when I started in this industry I didn't hear anything like that, and it could help you, especially if you're just getting into this field and learning to become a penetration tester. All of this talk is based on my own mistakes and what I've learned during that time, so hopefully it helps you become better at what you do.

Quickly about myself: you can find me on Twitter. I'm 27, I'm married, I have one dog, and you won't get his name. I'm a [unclear] penetration tester and security consultant. I started from networking and moved my way up to penetration testing. I've passed CPSA and CRT, and I've just lately completed my [unclear] certification, so I've done a lot of those. I've done bug bounties, CTFs and penetration testing, so let's start with that.

First, a caveat: I have nothing against OSCP or CTF. If you're doing them, amazing, go and do that, but you just need to understand the differences between them. We're also going to speak about Nessus and what you can find with Nessus. Again, nothing against it, I use it all the time, and you deal with it. How many of you do CTFs, bug bounties, VulnHub, stuff like that? Lovely. It's quite a common tool to get into penetration testing, into security, quite common, but you need to understand the differences, because the goal in CTF is the search for one exploit, and it can lead you the wrong way in penetration testing and what you need to achieve there.

That was my way to get into penetration testing: I started doing CTF, doing VulnHub, Hack The Box, stuff like that, moving to bug bounties, and didn't do very well with them, nothing came out of it, and now my job is penetration tester. I bet all of you have done it as part of your university or your job, so you know how it works.

I'll start by talking about my own engagement, how one of my engagements went just when I started. I was sent to a council here in the UK, sorry, a county council, to perform a three-day internal penetration test on site. I plugged in my computer after signing in and started with scanning, quite typical stuff: Nessus and Responder, all the basics, what you do in the beginning. Quite quickly I found MS17-010, so EternalBlue, you know, the SMB vulnerability to exploit, and I got access to a Vista machine. The guy who runs Vista is the IT guy, so quite quickly I gathered their credentials and dumped their passwords, and again, they are domain admin because they are IT. Quite quickly I got domain admin and dumped all the passwords of the whole company, not a company, a council, their organization. All this under 24 hours. I had three days on site. I was like, you know what, let's sign off, I don't need to be here anymore, I've done my engagement, I've completed it, I can go home now and start writing a report. Am I wrong?

Let's quickly speak about the differences between CTF and penetration testing. What is the purpose? In CTF you have one flag to find. Usually you don't need anything except that: just find one flag, or find the technical problem which leads you to the flag. There's one vulnerability at a time; usually the hacker who created that doesn't want to create more vulnerable machines or services. It's not like Metasploitable or something; usually there is one goal in your target and you just go straight through the technical issues. You have to be very technical to do that. Not very technical, sorry, there are CTFs that are easy, but usually it's kind of [unclear] in what you need to do, and you gain technical knowledge that is very useful in life.

But what's the problem? They are not realistic. CTFs are not day-to-day engagements; you won't find those problems, you won't find those vulnerable services in real life, most likely. If you focus on one machine, you got into a computer, got a shell, and then escalated your privileges, or whatever you've done, you found one problem. On their machine there could be another ten more you can find that you might miss in an engagement, and that's exactly what penetration testing is about, because you need to find quite a lot of them.

This is a quick overview of the differences between CTF and penetration testing. Your main focus in CTF is one vulnerability; you only need one to get to your flag, usually. In penetration testing, find as many as you can. Your goal there is to secure their network, which is insecure, and help them become better in their security posture, therefore what you need to do is find as many as you can. You don't need to exploit on the first day; you just need to get as many vulnerabilities and as much information as you can.

Scope: as you all know, in CTF you can go for any services you want, if it's a web app, if it's infrastructure, you can choose what to do. Penetration testing is all well defined: you can't go off your permission and test something else, and you really need to remember that you can't test stuff you're not authorized to, unless you're going to get into trouble.

Time frames: in CTF, if you've done Hack The Box or VulnHub, you're doing whatever you want for as long as you want. Penetration testing is usually under five days to do that, and that's it. There's also reporting. Sorry, what's on the other side? In CTF it's usually going to be a hacker, someone like you, someone who knows the system, knows what you're looking for, and then can guide you or help you to achieve your goal. In penetration testing you have a CISO and a sysadmin. Usually their goal will not be security; they don't know, they don't care, they don't focus on their security, so you need to think, you need to help them. You don't need to attack them; you need to help the CISO, the sysadmin, to understand what the problem is.

So finally, in the end, what's the end goal? In CTF it's the flag: achieve it, submit the flag over there, or give it to someone, or just keep it to yourself. Penetration testing: a full report you have to give, including an executive summary and the technical problems. It's basically a narrative of all the things you've done from the beginning to the end, what other people need to focus on, what are the possible consequences, sorry, [unclear], ah, never mind, what is the outcome of the penetration test you've done and how they can fix the problems you found.

Penetration testing is the business risk, basically. How do you get a CISO into that, in two words? Every time you speak to a client, every time you write the executive summary, speak to anybody in the business, you need to speak about the business risk. That's what they understand, and to become a better penetration tester you need to understand how you can pass this risk on to the client. If you tell the client "you've got a problem with this service, your SMB, and you have MS17-010, EternalBlue", it gives them nothing. They don't know, they don't understand. You need to go to their level and explain the business risk: this can impact your income, your reputation, speaking at their level, stuff they can understand and actually relate to.

So the mentality of finding one problem, if you run engagements like CTF and come, like I've done, with "I found MS17-010, I got into the domain, into the computer, I got into the DC, I got domain admin", that means nothing to the client, because you only found one problem. The purpose of penetration testing is to find as many problems as possible and help the customer achieve a better baseline, a better security posture, and then you need to explain the vulnerability and how it can affect the business: revenue, impact. That's where we're going with understanding.

What is very interesting if you're getting into security, or you're doing that: running automatic tools won't really achieve the goal. Everybody can do that, everybody can run Nessus, everybody can run Responder. You have to understand what the tool does and how it works to give more value to the customer and to become better, because a customer can install Nessus, it's a free seven-day trial, they can just install it and run it. It doesn't help them. I don't know how many of you have done that, I'm guilty of that: getting a Nessus report, exporting it, and then just making it into a report to give to the client. This is not good; this is not what you should do. You should research your stuff and understand how you can leverage it and help the client more.

Responder: you just poison all their network. What is helpful? You need to focus more on understanding what the tool does. Poisoning their network can break their network, so if you don't run it with the right settings you break stuff, and this could make stuff worse. Additionally, Nessus: does anybody know the disadvantages and advantages of Nessus? What you need to understand is what Nessus finds and what Nessus doesn't find. Nessus doesn't find passwords in LDAP. Nessus doesn't find bespoke web application problems. If it finds a shared drive, it doesn't know what is important to the client; you need to go in and research what files have been found and what is on them. If that has valuable information, then that's what you need, that's how you can contribute more to a client. I've been to a client, I found a share drive, Nessus found a share drive, I went into that and I found movies on it, and again that was the IT person leaving them there. So you need to know what they are. That time it wasn't very important, but I can show them what we look at and actually contribute something over the automated tools. That's what you need to do: understand the tool, what it does, what it doesn't, and by that contribute.

What's the other thing? Penetration testing is not about exploitation; it's all about misconfiguration. It's not about understanding how you can exploit, it's about understanding how you can make stuff more secure. Again, Nessus doesn't find segregation, VLAN hopping or stuff like that; it can't secure the network. You need to find the problems that the sysadmin has created by their misconfiguration. Even automated tools, again, like BloodHound: if you use them, does it really help the client? If we take BloodHound, sorry if anybody doesn't know, I'm sorry, I'm just throwing out the names of tools: BloodHound, you run it on your computer, and it goes and gives you domain admin; it does all the exploitation on its own. So does it really help? Did you find the path that BloodHound found? Can you do it yourself? Take those tools, learn what they do and what they don't do, and then you become a better penetration tester.

Again, figures and stuff: a lot of us think that there's a shortage, that there's not enough people in this field with the right skills. It's not; we have many people who learn CTF, who are learning computer science at university. That's not the problem; there's enough people. What companies want is people who understand what was done and can tell the business what the risk to the business is, and can relate it to the client. According to ISACA, the Information Systems Audit and Control Association, in 2016, 2015 sorry, the [unclear] said that the people they just bring into the company don't understand how to relate the business risk to the client, and this is the big problem we need to work on, as penetration testers: how we can relate our technical knowledge to the client.

I found this sentence on the Hack The Box forum while doing this research and I found it very useful; I'm going to be dumb and read it to you: "Hack The Box is basically the equivalent of the Sunday paper crossword puzzle to English teachers. It's awesome to learn new tricks and techniques and stuff in the field, but none of this is going to help you on a daily basis." What I want to say is: good job learning CTF, but doing them for real engagements is not going to be very helpful to you, and you're not going to learn it, so you need to make the separation between CTFs and penetration testing and what you can learn. CTF can be very useful, but you're not going to find those problems day to day; they're unique problems. Thank you, thank you everybody, and especially thank you JJ, sitting over there. Any questions?

[Audience question, inaudible]

I think for me the best way to learn, and I always like to have mentors, people who help me, help me to achieve those goals. So I'm saying: how to work better, understand the tools or the techniques they're using. So I like to find mentors that will help me, and I recommend everybody else reach out to someone that you think is good at what he's doing and just ask him, you know, just senior people in your job.

[Audience question, inaudible]

You ask me where I got the slides? Yeah, Google. Google Slides, and there's Google Sites. That's probably it. And I have tons of notes here, so I'm sorry if I look into the computer and type. Yes sir, [unclear]. Thank you for coming. [Recording ends]