
BSides DC 2016 - Beyond Automated Testing

BSides DC · 2016 · 43:49 · 429 views · Published 2016-10
Category: Technical
Style: Talk
About this talk
Have you ever run a vulnerability scan and thought “Okay… now what?” This talk is all about how to go beyond automated testing to find vulnerabilities that scanners miss. The goal of the talk is to help inspire others to reach beyond Nessus and Burp Suite scans to help their organization identify vulnerabilities that expose high-impact risk.

Zachary Meyers (Offensive Security Engineer at BreakPoint Labs)
Zack Meyers is a business-oriented guy who became a motivated InfoSec geek after getting started as a continuous-monitoring vulnerability analyst. Shortly after, he took an interest in the offensive side of security work and currently works as an Offensive Security Engineer at BreakPoint Labs. Today he is always looking to learn about new techniques and tools that can help him identify his next big vulnerability finding. He is currently a member of Primal Security Blog | Podcast and holds several security certifications including OSCP, CISSP, GWAPT, GPEN, GCIH, etc.

Andrew McNicol (CTO at BreakPoint Labs)
Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary does. He is currently the CTO at BreakPoint Labs specializing in offensive security services, a mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he led a penetration testing team and worked on an incident response team focusing on malware analysis and network forensics for DoD, Law Enforcement, and Commercial companies. Andrew holds an M.S. in Information Assurance and a variety of InfoSec qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.).

Thanks to our video sponsors:
Antietam Technologies http://antietamtechnologies.com
ClearedJobs.Net http://www.clearedjobs.net
CyberSecJobs.Com http://www.cybersecjobs.com
Transcript [en]

The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis and mitigation.

All right, so for those of you who attended the talk prior to us with Sean, you got free puppies, and unfortunately today with BreakPoint Labs, no free puppies to report. So the least I can give you is a thank you, and thank you very much for coming, as well as everyone who put this event together. This is our first BSides DC event we've ever done, so we're really glad to be here. So on behalf of BreakPoint Labs, I'm Zack Meyers, this is Andrew McNicol, and today we're gonna talk to you about how to go beyond automated testing. And when we say automated testing, we're talking about your big-gun vulnerability scanners and things of that nature, from an external assessment perspective. So let's jump into this.

So here's an agenda, a high-level overview of what we're gonna cover today. I'm not going to bore you and go dot by dot, but essentially we're gonna talk about the methodology and practice that we use in any external assessment. We also will kind of hone in on the manual testing aspect and why it's really important, so when you run these automated vulnerability scanners you don't just stop there and then hand the report to your customer, or just reduce false positives from the automated scanner. You actually do some manual testing, and we're going to go into some really good examples of how you do that and how you go above and beyond and give them that actual great report that they're looking for.

So who am I? Like I said, I'm Zack, this is Andrew. You can find us on Twitter at the following Twitter handles, bear munch, primal sec. Essentially we're security geeks by nature. We're red teamers at BreakPoint Labs; there's our handle there for BreakPoint. We're bloggers and podcasters and contributors to the Primal Security blog and podcast, so feel free to check that out. We just recently released a new blog the other day on SMB relay with Nessus and how that's a fun attack vector. We're certification junkies, in a way that we have a lot of different certifications from Offensive Security and SANS; we respect them all very, very much. Our go-to scripting language is mostly Python. We love capture-the-flag events, we love to mess with vulnerable VMs, so anything on VulnHub we'll try and test it and try and figure it out, create our own little walkthroughs personally and collaborate with our team members. We also love to constantly learn, so anyone who's in this industry, you understand we're always at an uphill battle, we're always learning and evolving and always trying to get bigger and better. So that's why we love this industry. I'm learning something new every day and I'm always getting something from other people, so I don't know everything and I will never claim to know everything. Andrew's famous line is "what I don't know could fill books", so we live by that motto.

Yeah, and we also like long walks on the beach, and if you do too, or by the pier, come join us at knapsack. It's a recent group that me and another guy from Lars started. Essentially we just meet up; it's a happy hour, meets once a month, usually the third Tuesday of every month in downtown Annapolis. It's just a networking event, we talk about different things. You know, if it was recent, you know, as anyone knows here, Dirty COW just came out, so that kind of kept some people up at night, Linux admins and the like, so we probably would've talked about something like that. But it's just a good way to get to know people and network and just have a beer too.

So, overview. So we want to share our experiences with external security assessments. Essentially the motivation behind this talk was pretty much frustration, to be honest with you. The higher powers that be always asking us, "When is the scan done? Have you completed the scan? How often is the scan occurring?" You know, we hear this all the time as people working in InfoSec, where everyone just thinks everything's a scan, but it's not. There's much more to it, and we're gonna kind of cover that. Whether you're a red teamer or a blue teamer, I hope that you walk away with something from this talk.

Automated testing: when I say automated testing throughout this thing, and Andrew does too, think of running a vulnerability scanner, because you kind of have to add a definition, whatever term you want to call it. Manual testing is everything else that you're going to do beyond the scope of, and going beyond, that automated vulnerability scanner, and we're gonna pick up on that definitely throughout. But I always think it's a cool little note: the Department of Homeland Security reported that 67% of high-impact vulnerabilities actually were found through manual testing and not signatures and vulnerability scanners. So I like to land that point, especially with customers.

So how do you go beyond a scan? First of all, you have to have the right mindset, and that's basically you're gonna fail a lot more times than you're ever going to succeed as a pen tester. You need to perform recon and mapping. You need to find your footprint, you need to know what you're up against, and you need to find out all the content that's available to you on the Internet. You will need to run these automated tests. We are not going to bash automated vulnerability scanners; every single person in this industry runs them, and we run them too,

but you need to run the right tool for the right job, and then you need to really go in and go in-depth with your manual testing. And this is where we really want to understand and identify and fuzz all areas of user input that are being passed to the applications and the like on the internet. We want to research the technologies and the versioning associated with these technologies. Sometimes it's just a simple, you know, "Joomla version" Exploit-DB search, and you find out a lot more things and a lot more vulnerabilities than you ever would if you just didn't do that. And we need to combine findings. So a lot of times with our vulnerability scanners, and we'll get into this with a good example later, they'll report several low findings, but if you kind of piece them together you can create the perfect storm into a critical, really big bad finding that an automated vulnerability scanner wouldn't find, what you could do with manual testing. We also need to remove the false positives and abuse all the features that we find with these things on the Internet. And then we need to take all this fun stuff we just did and put it into a report. It's our favorite part as being a pen tester. In any assessment we always love to convey everything we found, because that's what everyone pays for, you know, it's the final report essentially, but we need to make sure that we convey it to the business impact as well and know what keeps these firms up at night.

So with every method to a madness, you know, you need to have a methodology. A solid methodology is not only good from a business perspective but from that technical perspective as well, and you don't need to marry the methodology. And what I mean by that is you don't need to go in sequential order when you do these security assessments. A lot of times you'll find something maybe in your manual testing and then you go back to recon, so you don't need to, like, just always do recon, then automated testing, then manual testing. You can jump back and forth between these things, and especially if you're collaborating with a team you'll always learn new things, so it's really important that you do that. There's several great methodologies out there that exist; these are just three examples, some checklists, some guidelines, things of that nature. Feel free to check those out. And we believe honestly that every methodology should not only include the automated testing but the manual testing as well, especially when you label it, you know, as an in-depth security assessment or a pen test.

So here's our methodology from a high level. It's probably just like every other generic methodology, but, you know, we're gonna cover these steps: planning and scoping, reconnaissance, automated testing, manual testing, reporting, and then the icing on the cake, the remediation support. But before we jump into the planning, I would like to just say I think today in our industry we've become a hybrid of not only having the hard skills, but we have to have the soft skills, because we have to convey our findings and our security assessments not only at a detailed level but a high level, that the high level will understand, the developer will understand. So I really just want to say I think that soft skills are very important in this industry, so definitely hone in on those and make sure that you convey them. And just know that every time you go into an assessment you have to have that mindset that you're gonna fail a lot more than you're gonna succeed, and it's like hitting your head against a brick wall half the time.

So, planning. This is where we want to know what our customer's goals are, right? So we want to establish the scope, which is the what. We want to establish the rules of engagement, which is the how. We want to set up communication channels, and we want to set up the appropriate time frame, being the who and the when. If you don't set up communication channels properly you're gonna have a bad time; it's just gonna be a whole nightmare with emails going back and forth and confusion of who to speak to. You don't want to get caught up in the terms. We've seen this a lot with our industry, is sometimes people will define things as a pen test or an in-depth vulnerability assessment, and it completely means something... it's in the eye of the beholder. So you really need to define that and understand that in the planning phase, because sometimes a pen test means exploit the systems if you find the vulnerability, and sometimes it means just stop when you find the vulnerability, don't exploit it. So you really need to define that so you don't go, you know, and make somebody pissed off or go beyond the scope. And you also want to figure out what's the most important thing, what keeps them up at night. Is it the confidentiality, the availability or the integrity of the data? If they say it's all the things, then, you know, I guess I'll just kind of go about that with grading the impact. But if they say, "Oh man, if I lose availability I can't make sales," if we find something that deals with denial of service we'll probably rate that as a higher vulnerability in the report.

Before we jump in the recon, I always like to convey this, and I think it's a really cool idea. A lot of times we'll just type things in Excel spreadsheets, Word docs. Try and create a mind map next time when you're collaborating with a team or you're just working on things. It's a great visual free tool that basically you can say here's my target organization, here's the things I'm finding on the internet, of their systems or the vulnerabilities, whatever you want to rank it, and just go from there, and it kind of spiders out. You can get a nice visual representation, and I always like to land that point; I'm a visual kind of person.

So, reconnaissance. This is where we get to play detective, and it's fun. Essentially reconnaissance, the goal is: I'll give you a company's name, go find all the things. Now, okay, now a lot of times they usually say, besides the company name, they'll give you usually a whitelist, or they'll maybe give you a CIDR range and say this is our IP space, you know, and you go from there. And you essentially want to footprint everything and try to find all their things that belong to them. You want to do IP and domain research with WHOIS utilities, with search engines. You want to do system enumeration, whether it's passive or active. You want to do subdomain enumeration, and you can do that through search engines, you can do it through certificate searches; you know, Fierce is a great tool as well. You want to do that tech stack enumeration with applications; there's tons of technologies that are always in use and collaborating together. You want to try and see if you can get the versioning information as well, and there are some good things you can use right there. And you want to do your open source intelligence gathering, and that's when you really are playing detective. You're trying to see, the target organization you're doing the assessment for, if they've acquired other companies recently that they maybe forgot to address in the planning. You know, you try to figure out their email naming scheme, the domain scheme. You're trying to figure out all the ways, that maybe they do first initial last name for their logins, and all the like. So you're really trying to play detective there.

So, system enumeration. How many of you have heard of Shodan or Censys? Raise your hand. Okay, good, that's actually a lot better than I thought. What, okay, so it's not going to... not many people here I'm going to change your life, but Shodan and Censys are basically passive third parties that do these port scans and the service enumeration for you, and really give you that great database of information when you're going up against a domain or an organization or IP space, and you can just query it and look it up. Censys is free; Shodan is free, but it also is paid for if you really want to leverage it for heavy searches and its API. If you're gonna do active scanning, we all pretty much use Nmap here I imagine, which is a great port scanner, service enumeration tool. You can use it for many other different things, it also has its scripting language. Great tool. But let's say for example you're in a jam and you're running a /16; you've run against the /16 CIDR range, and that may take several hours to get you back data. Well, try masscan on your next assessment. It may take you only a minute and get you results that are pretty comparable, and the thing that's nice about that is when you are in a jam and you're going against a big range it'll pull that information for you, and

there's not too much of a variance in the results. Another thing here, we created just a simple Shodan searcher, where essentially we gave it the domain, the top-level domain, and it pulled out the CIDR ranges here. So this is like, it's just a way you can use Python to do a quick and dirty with the Shodan API, pull information and do this system enumeration.

Subdomain enumeration: you can use Google, use Shodan, use the search engines to try and find subdomains off the main domain of the organization. You can use crt.sh and look at certificates, you know, for different various applications. You can use recon-ng as a framework; it's great at doing all types of things, and Jason Haddix actually wrote a script called enumall.sh for recon-ng, so feel free to use that in your next assessment. And you can use Fierce. It's a golden tool that basically, you know, tries to do DNS zone transfer, it tries to do brute forcing and enumerate subdomains, so it's a really good golden tool to use.

Tech stack enumeration: this is really important as well when we're going against applications. There's various ways we can go about this. If we want to just go across a list or just do a simple request, we could use a tool like WhatWeb. It's a command-line tool; you're basically going to, you know, use WhatWeb to do a banner grab of the site and it's going to basically tell you the tech and versioning, if it can, right in the command line. Wappalyzer is really cool. If you use Chrome or Firefox as your main browser, install Wappalyzer. It's just a plugin; as soon as you type something into the URL bar, on the far right there'll be a button you can click, and it essentially gives you a drop-down list of all the technologies that are powering the site you're visiting right now in your browser, and any versioning information if it can pull it. EyeWitness is a great thing too, when you're going against a big organization or a list of IPs or a list of domains. You can basically create this report where it's gonna try and get that service technology information from doing a banner grab and then show you a screenshot of the landing page it gets. So you can kind of go, okay, well, you know what, this is their OWA server here, and that's their main site here, and it's a SharePoint site and it has a login, I see. Okay, I'm gonna go after these two things out of these 30 things when I just see default IIS pages. So you kind of get an idea of what should be your key priorities of targets at first.

And then OSINT. This is where a lot of times, by me, not a lot of times, a few times, we've seen it where we'll get an organization, right, and when we do a little bit of searching and digging we find that there's stuff posted out on the Internet, creds, you know, different things. They've been popped and they have no idea. They just have absolutely no idea and no one has ever told them, and it's a scary thing. So you always need to do your detective work there. You want to try to figure out the username scheme and the handles of different users and developers that work for these organizations, and then you get really kind of creepy and you look them up on YouTube and social media platforms. But really what you're doing is you're doing your due diligence as an attacker, and you're looking at, you know, if they use this handle, you know, "happy panda", and they use it across YouTube and all their social media, and, you know, there's Stack Overflow and their GitHub and their Pastebin, you can start to look and see if they actually post any code from the organization that probably shouldn't be out there. Are they asking troubleshooting questions that they should not be, that go against your policy for your organization? And also, can you find source code online? So if we go against open source technologies, we like to pull down those different things and try to basically make a lab environment and see where we can find different holes and different things in that server-side code, if it's actually available to you online, and not if we don't have it. All right, and then Andrew's gonna jump into mapping now.

Hey guys. So carrying on from what Zack talked about with reconnaissance, we've built our list of systems, right? So we start out with that company name, whoever it might be, and we've got a list of systems, and you go to a lot of the pages, you see default IIS stuff because you're going by IP, not by domain, and the next step is to figure out what's actually all there, because there can be a lot. So because we're talking about external assessments, we do a lot of... it's a lot of web application stuff, so mapping is kind of specific to that, but you can look at it as just learning more about the technology and defining what's there regardless of the service or protocol. But with regards to web applications it's kinda broken down to two main ways. You have spidering, which is, you know, crawling the links in the site, all those hrefs, what it wants you to see, and you have unlinked content, which is a land of treasure for us as pen testers, and that relies on brute force techniques, you know, requesting the resource to see if it's there and looking at the status code or the response length and checking it out. The other important thing to do is, we just see a lot of, like, junior pen testers do this a lot: you don't judge a system by its IP. You know, when we talk about, you know, you can put your IP in the browser, it shows you back very little. You might need to actually know where the content's living, that unlinked directory, or you may need to reference it by the domain name, like virtual hosting. So some important things to keep in mind when we switch from the port scanning option, which is more IP based, to the application mapping, which is more, a lot of times, domain based.

This is just a quick look at spidering. Burp's our bread and butter tool for a lot of the stuff we do with external assessments. Pretty easy to do: right click, spider. Not gonna spend a lot of time there. Sitemap's pretty nice. We will, however, talk about some of Burp's additional features which go into, like, the Pro version, but Burp's pretty cheap, so if you're a pen tester you should probably have Burp's Pro version anyway. Intruder's really nice. Intruder can be used for fuzzing, we'll talk about later, but also for unlinked content enumeration, because all it does is basically rapid-fire requests for you based on what you set up. Sniper, I like it because it's really good for the unlinked content enumeration. Burp also has a Discover Content feature which tries to dynamically find this content. You also want to make sure you check out web services, the ?wsdl; there's other tools out there, SoapUI, for that specifically. With all these techniques though, you rely on the brute force method I mentioned, and it's heavily dependent upon your word list. I really like RobotsDisallowed, which is the top entries from the Alexa 100K sites, and then there's also SecLists, which has a bunch of good stuff including the RAFT lists, which is like an older project that did the top Alexa 1,000 robots.txt, but there's a lot of good word lists in there. And if you run these things against your applications, your enterprise, even if you're a security guy doing vuln scans, you will find cool stuff. I found resumes with hundreds of thousands of Social Security numbers just because it was unlinked, hanging off a web directory that nobody knew about. So, you know, little things like that, unlinked content can be a goldmine.

Now for automated testing, we're not gonna spend a lot of time here with this. We're gonna assume you can do the scan button, click the Scan button. What I will say is that it's important to run the right tool for the job. I think Zack mentioned that

earlier that's really key because what I see a lot of times is people will rely on one or two sets of tools to do their big guns alone ability scans when I say that is I have organizations that just use nessus meses is a great tool for a network vulnerability scanning but it doesn't address web apps very well at all or they'll just use web inspect and they just you know if it passes the web inspect scan and the web inspect isn't any red stuff then we're good but what if you're running if it's a wordpress site you don't configure maybe you want to run like WP scan which is just a script that it's gonna find you a lot

better data so just understand the technology you're running against and making sure you're running the appropriate tool because there's a lot of times there's these CMS scanners out there that are a lot better to identifying these specific vulnerabilities but a few things to keep in mind you know can miss stuff fit can break stuff I don't know if you've ever you know run a scan and getting some 503 service unavailable or it can take a long time have you pulled up a web inspect scan it says it's gonna take 53 days I don't have that long time in the to wait for it sometimes automated testing isn't going to be the solution for you and you have to fall back to

your manual testing which is the next portion of the talk we're actually gonna run into a quick overview of manual testing and dive into some examples that kind of illustrate what we're talking about we have five examples so but for us manual testing is about these four main things kind of broken down on a high level we've kind of talked about them a little bit already but the big thing is you know identify all the areas of user input these are we call injection points and we want to fuzzum you know we like to use burps intruder for that and you want to also identify any features and abuse them like an attacker I'm a bit

advocate of like feature abuse when we talk about pen testing and hacking what I mean by that as I mean we've got a login page how can I've use that feature well maybe there's a password reset and I can get user name enumeration we have a file upload for an avatar maybe I can upload a shell it's essentially trying to figure out what does this technology let you do and then what could an attacker do with that feature and you can use your mind map to kind of map that out for you you also want to find the systems and content that others have missed because you can't test what you don't know about we get a lot of wins on

our pen test not because they're like super cool O'Day's crazy stuff but a lot of times just because you know oh I didn't know that that directory had stuff from 1999 PHP code from 1999 last pen test I got code execution across the enterprise because a PHP code was living in some weird directory from 1999 I got really excited copyright 1900 so it doesn't have to be some crazy just have to find what's there that was on the internet you know it's just you just have to look for it and then continue to ask yourself what happens if I try this you have to be creative I think like we go back to the whole thing we're gonna fail thousand

times you have to keep asking yourself because it's very easy to say something's not vulnerable and go back to Facebook or YouTube and as a tester we need to like isolate ourselves and get in the zone and do that John wick you know mode and keep asking yourself these questions here's another example of how you might identify how your inputs being leveraged to fuzz appropriately this does not cover all vulnerabilities but to cover some some pretty pretty pretty high ones pretty common one so is your input landing on the screen right that that's something I'm gonna look at that and see if my inputs on the screen I'm a test for XSS you know script alert script of it and

work maybe a jobs weird event handler and didn't work alright then I'll throw it to perp and I'll use like a custom Jetix it's got some XSS fuzz lists which are really nice and I'll go through some custom fuzzing is a calling on store data I'm doing that a search it's a little harder to know from a blackbox perspective but you can text for C test for sequel injection there's a lot of ones here we're gonna go through a couple of these a file inclusion example really cool but this is exactly start to think about how your inputs being used so you can fuzz appropriately you're not just like throwing random lists at stuff you're

trying to actually figure out okay how can I misuse it as I mentioned burps our go-to bread-and-butter tool for fuzzing this is a screenshot of burp intruder if you've never used it you basically define injection points inside the request and then you can later set your word list for those ejection points as I mentioned fuzz DB cyclists have got some good options for ubirr pets and built-in ones as well but the big thing is just understanding you know how how the inputs being used so you can you know misuse appropriately and if you're not using Pro and throughs gonna run really slow and drive you nuts and you're probably not gonna want to use it but

your pro is expensive so going now this is the moment where we're gonna get really into what we're gonna talk about Andrew might like break a sweat II might go crazy but we're gonna really go over five cool manual testing techniques of how you can go above and beyond automated testing so this is when we're going in our record Ralph's mode alright so example one feature abuse alright applications a lot of times developers and just people in general content management systems they try to get crazy they try to go all right well you know I I really want to handle I want to make some form based contact us page and have my application send an email on behalf

of these people and not just do a simple mailto. Write well; that happens a lot. So contact-us fields, feedback forms, look for all these different things. Capture that POST request it's making when you submit these different form fields in the UI, and sometimes you're gonna see some hidden parameters or different things that are client-side being passed as well that you wouldn't see in the UI. A lot of times people overlook that because they're gonna think, you know, no one's ever gonna capture my stuff in a proxy, but attackers will, so you need to look at that. It sounds very simple, and it is. Essentially we're gonna do SMTP injection. So how excited would I be if I told you I found a site where I can send an email on behalf of that site and I can control it? Say I can control the To line; you know, in the UI I can send to anybody I want, but I can control the From line and I can send it from probably the CEO of that company. I'm pretty excited, right? Okay, so I find that there's a site admin and a subject parameter being passed in the POST request client-side, but it's not in the UI. It's trapped in our proxy, and I can essentially send it from anyone I want and change the subject line to anything I want on behalf of your web server. So thank you very much, you didn't do a simple mailto, you tried to go above and beyond.

Example two. Essentially, here, this is where we're going to combine our several findings, right? So we're gonna say, alright, our vulnerability scanner said we can get username enumeration from the login; there's no anti-automation control, so there's no lockout in place for the login; and maybe the password complexity was low. We found that out from crawling the site, and we saw that only 8 characters and 2 numbers are required for the complexity. We piece all these three things together. They're all low findings, or separate findings, in maybe an automated vulnerability scanner, but when we piece them together and do our manual testing we can actually create the perfect storm of an account compromise, and this is where it gets fun.

So, ways to identify these things. As you know, password reset features: basically saying, you know, I want to reset this admin, I'm gonna try admin as the username, and in the password reset it says "email address not found". Well, if I try Bob and it says "email sent", I know Bob's a user now; add him to my list. Login error messages: rather than being generic, sometimes applications are very specific, and they shouldn't be, they should be more generic whether you fail or pass the test. Contact-us features: I've had it once where it said "which admin?" and gave me a drop-down list of all the admins for the site, "do you want to send this to?" Thank you very much, contact-us page, you just told me all your admins; adding them to the list. Time for login attempts: so this is when you look at your Burp, you know, your Intruder, the things that you're running when you're doing these brute-force attempts, and you're gonna see if there's a variance of time. Sometimes the status code won't change, but there's other ways to identify it: we can look at our Intruder session and see if maybe a valid login actually has a smaller variance of time than an invalid login for the response. User registration: "that username already exists". A lot of applications have this; there's just no way around it unless you want to make generic error messaging. But, you know, let's say for example I say I want to be Zack on this site. Well, you can't be Zack. Alright, why? Oh, there's actually a user now. I guess I gotta be Zack1. So, various error messages. Look at the HTML source code; sometimes developers forget what they put in there in comments, just different things. With Google hacking, you know, you can find a lot of username structure and things of that nature on these different forums, whether it's Pastebin, Stack Overflow, YouTube. Sometimes people will make YouTube videos of "hey, this is how you use my application", log in and show you that Bob's logged in, and okay, you know, it's just different things like that, and they're just doing it out of good nature, but, you know, attackers have no good nature. Sometimes the application just flat-out tells you. WordPress is guilty of this, phpBB is guilty of this: it'll tell you who's the last person that made a comment or logged in. So, fun stuff, right? So we got our username enumeration, we're building that list. We now find out that the login has no anti-automation controls in place. Basically, "I don't want to deal with unlocking users,

I don't want to deal with account lockouts or having some automated process, so yeah, people can just log in as many times as they want." Well, that's bad; that's a very bad practice. If there's no sign of anti-automation controls, brute force is on the table, and it's gonna happen until you're successful, if you're that determined. But no account lockout... If there's no CAPTCHA in place, this is another way to thwart the issue. Even like "I'm not a robot" with Google, that's a simple thing where you just click a couple images and it goes "hey, is this a railroad? is this a railroad? okay, you pass the test." Those kinds of things can really help, and having account lockouts, maybe after five bad tries, really can help thwart the enemy. But sometimes developers will say, alright, my main login is locked down, alright, but they forget about their API, and they also forget about their mobile interfaces, and they don't have the same controls in place. So always look at all these different login vectors. And finally, we're just bad... everyone here's bad, I mean, it's not everyone, most people are just bad at passwords, you know what I mean? It's sad, it's very true. You know, you look every year they post the top ten passwords, and they don't change very much; they're always just, you know, "password" or some variation of it, or maybe the year and the season, the company's name and the year, keyboard walks. People think they're getting tricky, but no they're not; there's password lists out there with keyboard walks. Always keep in mind that there's tons of password lists out there, like FuzzDB and SecLists, that are pre-built, that you can use in your Intruder brute-force sessions. And you also want to just kind of maybe research different people that you're going after. Like maybe you do find out that Bob Seymour is a valid user; well, look in Bob's social media platforms and start to figure out, is he a Washington Redskins fan, and then start building different variations of word lists of interests, that maybe that's his password. That's when you get really creepy, I guess. Yeah, exactly right. You can also use cool tools like CeWL, where they're gonna crawl the site's content and try and extract keywords of interest and try and build word variation lists. There's tons of tools out there, but feel free to look at all those. And those are the three things that can really build that perfect storm and get you those account compromises that are just truly high-impact, especially when you get someone with higher privileges.

So example 3. I was going against a map application, and I did an unlinked content enumeration and I came across this proxy.ashx. So essentially what this resource is for is, if you don't have a CORS policy in place with this map application, you can then make connections to other domains and have their content load and see if a good connection works. So I basically appended a question mark at the end and then, you know, I put Google as an example, just trying to reach out to another external internet-facing site, and lo and behold, Google's HTML content is loaded, wow, in the sense of that proxy, and then relayed back into the page while I'm still there at that resource, and it loads Google within the page and I'm still at the map site. And I'm like, okay, this is interesting, maybe I have an open redirect on my hands. And from there you could do two different things. The first thing, you know, simple phishing: you could basically put a malicious link, you can obfuscate the link and then try and use that in your campaign and distribute malware or distribute whatever you're trying to do through this resource, because you're trusting that map application, but really you're putting bad boys at the end of it. Other cool things: so now I requested Google, right? Well, what if I start requesting internal IP space? What if I can bypass the firewall and make some TCP connections to internal systems? Well, we tried it and made an automated Python script to try this, and lo and behold, it worked. Very cool, right? This is, out on the Internet, some resource, and essentially if I just append some internal common web ports I'm starting to basically map out your internal infrastructure and starting to get an idea of what is going on behind the scenes. And if I'm doing an external and internal pen test I'm, you know, basically starting to map you out a little bit before we jump into the internal portion. But here you can see there's a Cisco email security appliance; I got the versioning information on the login page. And it's just kind of cool how you can convey that, and that's a real attack scenario that we came across, and it's just definitely interesting.

So Andrew's going to jump into example four here because he did this. Yeah, so file inclusion to shell. This is always a good one. If you've never done it, I'm gonna walk you through step by step on how you would massage file inclusion to shell, which, if you are interested, is the best way to pick up chicks at a bar. It works, trust me. So this is how I actually broke into an organization, a highly secured organization. We spent a while on a lot of their main apps, a lot of their main infrastructure, and we're bashing our heads, failing a thousand times, right? And I finally stumbled upon a resource that got me code execution. I'm gonna walk you through it, but a little background on file inclusion for those who aren't familiar. File inclusion vulns can lead to code execution, or maybe they can't. An example of code execution would be like a PHP include; it really depends upon the function that's being called. An example of a file inclusion that's just gonna, like, cat files to the screen is a PHP echo. You also have local file inclusion and remote file inclusion. So local file inclusion is exactly that: you're including local files, and with that particular type of vulnerability it takes a little more work and magic to get your code execution, because you'll have to get your input into, like, a log file or somewhere else on disk and then include that file, and that input's code. Log poisoning is a common term for that. Remote file inclusions are a whole lot easier, because you can just point it back to you, say "grab my code, run it", and it runs it, and it's awesome. So we're gonna go through an example of this here. Now, this is an example I like, especially for this talk, because a vulnerability scanner is not going to find this, even big-guns vulnerability scanners: WebInspect, Acunetix, you name it. The reason being is that debug.php was living out on the web server, wasn't linked. So first off, unlinked content; we talked about that. If you don't actually map your app and find these cool, interesting resources, you're not gonna find it, you're not gonna fuzz it. Now the second reason is I go to debug.php, and I think I actually did this and then I went to lunch: blank screen. You're always like, yeah, blank screen, nothing here, what's going on. I came back, I was like, alright, you know what I'm gonna do next, I'm gonna try to figure out my inputs. Now commonly, you know, you're gonna find inputs by a parameter, whether it be a GET parameter or a POST parameter. I just started with GET, and so we put a question mark, equals, parameter name, and I started to flood it with Burp's Intruder, right? So I set up the sniper and I said, okay, let me go through common parameter names, which you can't see; they're probably in the URL bar. "?page=test" gave back a different response. So I started to thumb through, and you can sort by length in Burp's Intruder results. I got 193 on everything else; page=test gave back 633. Oh my, cool, let me go check it out. So I go over, I'm getting a PHP warning, and I'm getting very excited right now because it says function include. If you remember, we talked about the slide before: include is code execution, so we're getting it, it's awesome, and we see "test" is there. Now if you fed this parameter to a vulnerability scanner and it knew about the parameter, it might land you with the vulnerability, but you'd have to really get to that point, and the vulnerability scanner is not just gonna get you there all the way. There's a lot of manual features of testing to get to this point. But from here I can get code execution, and the way being is this is an RFI. You could test for a local file inclusion, you know, directory traversal up to /etc/passwd, cool, and the next thing is to test for remote file inclusion. So I just pointed it back to myself, my attacker box; set up a little Python SimpleHTTPServer. If you're pen testers, it's a great way to get a quick web server up. So the first one there, number one, is the request I'm making to the server; number two is it fetching my code from me; and number three is it running it and telling me the result. The code I was just running was a quick system ID command, and I'm getting code execution, which is really awesome. In real life this was actually running as SYSTEM on a Windows box, so it's like Mimikatz and spray everywhere at that point. It's awesome, because that was on a web server for like a really long time, and it had gone through many pen tests, many security assessments, many vuln scans, and never been found. But these are the kind of things that your manual testing and your kind of hunting mentality and your not giving up can find you: these gems that just, you know, aren't that hard necessarily when you look at them on the slides there, but it just doesn't get pieced together without the human interaction.

The next and last example is email spoofing. I bring this up because I find this a lot, actually, believe it or not, and vuln scanners don't do this testing very well, because you need to have an email server set up to interpret it. So you need to be able to basically see, if I'm sending in some input, can I get an email back, and how many vuln scanners have an email to see if they're receiving email in the inbox? Not a whole lot; I don't know of any. Could be there's something out there. But the first step to do email spoofing, this is a quick slide. Step one, I'll find the mail server, so I'll run a host command, get the mail servers, and I'm actually hitting myself here with the Primal Security blog. I think it's actually still vulnerable. You can tell that the mail service is Google, and I'm here setting up the SMTP commands: MAIL FROM, RCPT TO. This is what your mail servers are gonna actually parse, and not what the Outlook client is necessarily going to show you unless you view the headers. But that's what your mail server is going to parse. So here I'm just putting in ridiculously fake data at primalsecurity.net, and then I type DATA, and I'm gonna actually put the email together, which is what's gonna get parsed by the Outlook client, and I'm putting in additional headers: the From header, the To header, the stuff your users are gonna see, the subject line "demo for con talk". Take a look, I spoof the email. This is how... I find this a lot, and what I'll do is I'll play around with it. Sometimes I can't spoof the step 3 headers; if I can spoof the step 4 headers and the user still clicks stuff, so it's cool. And the slides are online already, so the steps there, you don't have to memorize. Here's what it would look like in my inbox: "demo for con talk"; you could see it came right through. This is Google Apps for Work, works just fine. To a user, this is actually sent by Gmail. So in my actual testing I found, okay, I can't spoof the actual SMTP headers that I sent in for the mail server, but I could control the stuff that the Outlook client's gonna parse, and I wanted to model legitimate communications and make sure that everybody has to change their password, click my link; a highly successful phish. I'm sure it goes without saying it's from helpdesk, but you can see it just says "helpdesk support", looks legitimate. Really cool stuff. The scary thing here is this actually works. If you are using Google Apps for Work right now and you have not set up DNS TXT records for SPF, DKIM, DMARC, you are vulnerable. I can actually use your organization and spoof to a lot of other places right now through you, because it doesn't have to be... oh man, I could do like @whitehouse.gov and Google will send it to you, and people trust Google's mail servers when it comes to their infrastructure, their stuff. So I can misuse Google Apps for Work in a dirty way. So my finding is that Google doesn't really tell you to do this. You go to Google Apps for Work, you get your five-dollar email per month, it's awesome, really good service, but you have to set these DNS TXT records correctly to prevent spoofing attacks, and they don't, like, tell you out of the box, though if you call them they'll walk you through it; it's pretty easy. But when I come across an organization that's using Google Apps for Work, nine times out of ten they are vulnerable to spoofing attacks, not just to themselves but also as a proxy to others.

And now the final stage: reporting. Like Zack said, this is our favorite part. Who cares about shells and spoofing emails and stuff when we can get in Word and get in PowerPoint? I mean, that's why I got in this industry, right? We like to leverage Markdown. If you've never used Markdown, it's like HTML shorthand. If you want to go to GitHub you can; it looks really clean like that. Mubix has a Common Findings Database project on GitHub, which is basically Markdown templates for vulnerabilities, so you can grab them to build your reports up really nice. Make sure you talk to your customers. You can spend a lot of time making a pretty Markdown report, which is in HTML, it looks okay in PDF, and they come back and they say they want a Word doc, and you're like, oh shoot, I made it in Markdown. So make sure you talk to them about the formatting, what they expect and what they need. They may need a spreadsheet, they may need this Word doc, PDF, what have you, so just make sure you land that before you start using Markdown reporting. Another piece that we talked about: we talked about how a pen test means different things to different people. We get this a lot where it's like, "it's a pen test, but don't hack anything." Okay, I gotcha, alright, I'll do that. So if you can exploit it, cool, write it up. If you can't exploit it, what could you have done? Include an attacker narrative; we like to do that. So if we cannot exploit it, they say no, no, no, not in the rules of engagement, I'll say okay, talk about the impact with the customer. I will replicate the environment in a lab, take some screenshots and show what I could have done, and a lot of times they may come back and say, alright, you really can't do that, and I say okay, well let me try, and that can be helpful: explain the impact and get things fixed. Ultimately that's what we're here for. Also highlight business impact. I've had, like Zack said, I've had customers that will... if you know what keeps them up at night and what gets them afraid, you can really find the right vulnerabilities for them. Like, let's say access availability is key, you know, and you find vulnerabilities that are gonna take their point-of-sale systems down; that might be critical to them even if it's coming up a medium on the vuln scanner, you know, so keep that in mind. And also include a detailed write-up on what you did. I think that's getting more and more important as you talk more about red teams and you talk about pen tests and other types of security assessments, but it's important to talk about what you did as a tester, because that can be leveraged further by the defenders. They can go back and say, okay, what did I see, what didn't I see, what tools did you run, when, what time were they run at, and I can go back and look at my SIEM, my event logs, and you can work with them after the fact, say okay, you know, as you can see I ran this on Wednesday and we popped that LFI on Wednesday night, and you can go back and help them and see. So you gotta keep... that involves keeping detailed notes as you test, which is not fun, but it can be very helpful. And then finally include that high-level summary, you know, tool and hone those metrics, find out whatever metrics they need. What I like to do is find out, take the industry they're in and compare them to other like industries, so if it's a school, to other schools, kind of thing, see where they land in their market. Offer remediation testing. This is very important because, you know, especially when we talk about... vulns can be complex to fix, it's not often just a... Yeah, sorry.

We don't usually put the links directly there; we'll break the link, though, so they can go there themselves. Yeah, but it's not like hyperlinked in the report or anything, but they break the link with, like, brackets. With the mindset, we always break links, but we will include... I'll give them code. Alright, I'll write a little Python script if it's applicable, give them code to retest. But it kind of bounces into remediation testing. We definitely provide as much detail as I can to the customer on what vulnerabilities were found and how it could be exploited, kind of thing, and then offer remediation testing. So if they fix it, you know, that script block, script's blacklisted, but a JavaScript event handler, is it? You know, just reevaluate the finding, so you're making sure they're not fixing an instance of the problem, they're actually fixing the entire problem. So you often have to go back on all your key findings and retest them like you would from scratch, and it can lead to additional testing, obviously; that's a stronger relationship with the customer. I've actually had a situation where they fixed a file upload. Example: I popped a shell through file upload, a trivial MIME type bypass, just changed the MIME type in the POST request, and it was fileupload.php or whatever it was, I forget the language, and then they fixed it with fileupload1.php, and I just went back and just touched the old file upload; they didn't take it off. So little things like that, you gotta be creative and thinking like that. They said, why would anybody go back to the old file? They don't know what's there. Like, yeah, but you can look; it's not that bad.

Here's some useful links. Like Zack said, we started out this with: we love learning. In our day jobs we like to learn; in our night jobs we do Primal Security, so it's all about learning and sharing knowledge. There's a lot of links here to do that: free training on Cybrary, which is really great; CTFs, VulnHub, Pat; there's a bunch of good links here, not gonna go into all of them; Offsec training and SANS training, really like a lot of good books and talks there, including one by Michael Hoffman, who's speaking next. A lot of good stuff there, so feel free to check them out. These links are on our website, and that's it. We really enjoyed the opportunity to speak here. We are hiring right now; we're interested in talking to anybody in here that's doing security testing and that kind of stuff. Feel free to reach out to us after the talk, or reach out to us here: email, Twitter, website. Shot in the dark, if anyone's going to these somehow, BSides Jackson in Mississippi in two weeks, we'll be there too with a different talk. Complete shot in the dark, though; I read that, Jackson, Mississippi, man, yeah, exactly. So yeah, but we'll be giving an internal pentesting talk there. So thank you all very much. Got a second if you have any questions?
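The email spoofing example above turns on the gap between what the mail server parses (the SMTP envelope) and what the user sees (the From: header). The following is an added defender-side example, not the speakers' code: a simplified DMARC alignment check that shows why a forged From: header sails through when no DMARC record is published, and why an aligned SPF or DKIM pass is required once one is. All domains and records are constructed placeholders, and the organisational-domain logic is deliberately simplified (no public suffix list).

```python
"""DMARC alignment evaluation, simplified from RFC 7489.

Added example (not the speakers' code): the SMTP envelope (MAIL FROM) is
what SPF checks, while the From: header is what the mail client shows.
DMARC closes that gap by requiring the domain that passed SPF or DKIM to
align with the From: header domain. All values below are constructed.
"""
import re

_TAG = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_dmarc(record):
    """Parse a _dmarc TXT record into a tag dict; None if absent or invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        m = _TAG.fullmatch(part)
        if m:
            tags[m.group(1)] = m.group(2).strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (no public
    suffix list, so two-level TLDs such as .co.uk are not handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(envelope_from, header_from, spf_result, dkim_result, dkim_domain,
             dmarc_record):
    """Return the DMARC result and the receiver's disposition for one message.

    envelope_from: SMTP MAIL FROM address (what the mail server parses)
    header_from:   RFC 5322 From: address (what the user sees)
    spf_result:    'pass' or 'fail' for the envelope_from domain
    dkim_result:   'pass' or 'fail'; dkim_domain is the signature's d= value
    dmarc_record:  TXT at _dmarc.<From domain>, or None if not published
    """
    from_domain = header_from.rsplit("@", 1)[-1]
    env_domain = envelope_from.rsplit("@", 1)[-1]
    policy = parse_dmarc(dmarc_record)
    if policy is None:
        # No policy published: the receiver has nothing to enforce, so a
        # forged From: header with a passing but unaligned envelope gets in.
        return {"dmarc": "none", "disposition": "accept"}
    spf_ok = spf_result == "pass" and aligned(
        env_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "accept"}
    # p=none means monitor only: the message is still accepted.
    disposition = policy["p"] if policy["p"] in ("quarantine", "reject") else "accept"
    return {"dmarc": "fail", "disposition": disposition}


if __name__ == "__main__":
    # Constructed spoof: envelope from a third-party domain that passes its
    # own SPF, From: header forged as the target's helpdesk (the talk's case).
    for rec in (None, "v=DMARC1; p=reject; aspf=s; adkim=s"):
        print(rec, evaluate("bounce@sender.example.net", "helpdesk@corp.example.com",
                            "pass", "fail", None, rec))
```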