The Pentester Blueprint: A Guide to Becoming a Pentester | Phillip Wylie | BSides Delhi 2020

i'd like to bring on to stage please uh philip wiley philip hello sir how are you great how are you very good thank you and uh where did you just fly in from uh carrollton texas which is just north of dallas texas fantastic fantastic i just love the fact that this is such an international conference uh and not only that i see you've got the um the regulation information security haircut um which which means that uh we make the perfect pair uh on our viewers screens at the moment so um philip you're talking about the pentester blueprint a guide to becoming a pen tester i'm hoping that you are also a pen tester and and therefore what is it about pen

testing that makes you want to get more people in is it purely you know too much work or or something else well it's kind of uh i before i i also teach pen testing at a community college and prior to doing that i did a lot of mentoring helping people that wanted to get in the field and when i wrote this talk there wasn't anything that i was aware of at the time i've been given this for two years now but there was all sorts of books on how to be you know in pen testing pen testing skills but no one was really sharing the prerequisite knowledge that you needed to become a pen tester

so this was kind of really lacking in the community and i started this talk and actually have a book coming out on the subject that that comes out on december 3rd fantastic we always love a good plug of a commercial product on this conference so what is the name of the book it's the pentester blueprint uh the title the subtitle's a little different the subtitle starting a career as an ethical hacker okay so available in all good bookstores from december 3rd yes fantastic folks you heard it here first you know what to buy yourselves for christmas uh so um should you celebrate it or not i'm just saying uh so without further ado philip why don't

you bring up your slides we will get those onto the screen and then i will hand over to you

there we go fantastic philip you have the floor and i will see you on the flip side okay thank you

so welcome everyone i hope you've enjoyed the conference one of the things i really loved about one of the good things of uh social isolation through the coronavirus pandemic has been all the opportunity for the global content all the conferences before that were only available in person and now you know open globally so this is great a great way to share information and one of the things i really hope going forward is that the virtual aspect still you know still uh is part of of things going forward look forward to being in person again but definitely look forward to you know hopefully this is uh something that's uh also available remotely to the to the world so for

those of you that don't know me i'm philip wiley i am the lead curriculum developer at point three federal uh just recently went to to a uh you know my full-time job as an educator i create educational content for the us government and so prior to that i spent eight and a half years in pen testing i am also the founder of the pone school project which is an educational meetup we stream live and we have a youtube channel so feel free to check us out i've been in iit and infosec for over 23 years most of my career has been in security spent the last eight and a half years as a pen tester and one of my last

or most recent roles in offensive security was uh working as a red team lead i was in the tribal hackers red team book and as i mentioned i have a book coming out the pentester blueprint based on this talk in december i am the co-host of the uncommon journey podcast with chloe mustaghi and alissa miller i'm an innocent lies foundation ambassador and also a hacking is not a crime advocate and board member so my uncommon journey to offensive security kind of started out way back out of high school i didn't know what i wanted to do for a living so my friends told me i should be a professional wrestler so i wrestled professionally for a while and during

that time i actually wrestled a bear and you know i got married in 88 and i needed to get a more stable career i stuck with the wrestling thing for like another another year and then i worked various jobs retail sales construction different types of manual labor but none of that really paid well and was anything i was interested in so i went to a trade school to learn autocad drafting and became an autocad draftsman i did that for a few years and during that time you know prior to being a drafter i really have exposure to computers so i learned how to use computers and a lot of the places i worked at as a draftsman we didn't have it staff

so i figured out how to fix things and found out that i had more of a natural ability for the iet side of things so i taught myself how to build computers took a novell netware network operating system course and became a sysadmin so i did that for a little over six years and i moved into infosec started out as a network security analyst and then after a while we we hired in our company hired in a cso and he came in and kind of divided our group up into different sections everyone on the team was doing network security and risk assessments so everything did everyone did the same thing but when this new cso came in

he divided us up into different specializations unfortunately i got put in appsec and appsec is where i learned about pen testing so i got laid off in 2012 and i went to work consulting as a penetration tester so i shared this journey to just kind of get you know the pro wrestling part is really not relevant to becoming a pen tester or the the drafting piece but i the stuff to keep in mind here is the sysadmin experience the network security experience the app set those things played a big role in me becoming a pen tester so i share this this slide each semester with my students because this event actually came out for my lectures

for the first day of class each semester i would uh you know do a first day introduction to pen testing to tell my students about pen testing and it's eventually turned into a conference presentation which i gave for the first time in b-sides dfw which is the the local b-sides conference to my area which is the dallas-fort worth area and so i share this slide each semester my students because i love this quote that i first learned from spider-man with great power comes great responsibility so only hack or perform pen test if you have permission even better written permission hacking without permission is illegal and so up at the top you see this little sticker up there hacking is not a crime

uh i'm a advocate for hacking is not a crime and a board member and what we're trying to do is to let people know that hacking is not a criminal activity unless you're using it as such just like locksmiths uh unlocking your door that's not illegal unless they don't have permission or they're trying to get in for nefarious reasons so we're trying to get the message out hacking is important your security researchers are finding vulnerabilities that allow people to create remediations for and fixes so it prevents uh you know we're just trying to take back the name that it's not just a negative that is it's a positive thing and what is pen testing pen testing is

assessing security from an adversarial perspective attempting to exploit vulnerabilities to gain unauthorized access to systems and sensitive data also not as hacking security posture from an adversarial perspective gives you a better understanding of the security risk severity exploitable vulnerabilities are higher risk and higher priority for remediation as well as justification for budging sometimes remediation can be very expensive and if you prove that that vulnerability is exploitable then there's more of a need to remediate that finding so that's a lot easier for companies to justify the cost of remediation my pen testing regulatory compliance is a big reason for pen testing when i got started in 2012 most pen testers were consultants or contractors as payment card industry data security

standard became regulatory compliance requirement for companies processing credit cards then the need for pen testing became more more well known and became a more of a priority a lot of companies were still using consultants at that time but as uh the need for testing you know was was proven then companies started hiring their own internal pen testers and so pen testing it's a fun job every time i hack into a system it's still just as much fun as it was the first time and although it's not really a new role it's relatively new as an overall concept in security programs so there's a lot of good opportunities out there in this area testing jobs so pen testing is the the

the short term of penetration tester and these roles can fall and normally be categorized as security consultants analysts or engineers because not all hr departments can give a single title to every job within a company they to make things easier to to manage you know your security personnel whether they're defenders uh pen testers sock analysts a lot of times have similar titles the job descriptions are what varies so when you're looking for a job you want to look through the job descriptions and so some different terms synonymous for pen testing is ethical hackers this is the one that's most common think of the ethical hacking certification the certified ethical hacker it was one of the first certifications

of his kind but to make it easier to understand they use the term ethical hacker so this makes a lot easier for non-technical people to understand what you're talking about and even some technical people offensive security adversarial security are some of the newer more new newer terms that you hear pin testing refer to as and threaten vulnerability management is a a department that sometimes pin testing falls under threat vulnerability management is typically your vulnerability scanning and your remediation part of a of a program and so sometimes pin test groups fall in that same group pin testing skills in other areas so not only are these skills important for pen testers it's helpful for sock analyst and network analysts and

engineers being able to identify malicious traffic makes them better at their job makes them you know help the defense of the company so your your digital forensics and instant response be able to investigate a incident and understand the attacks makes it easier for your investigation if you're not familiar with those different type of attacks it's going to take a little more to investigate so understanding pin testing is helpful in those areas purple teams this is kind of a newer concept this is where the defense and offense security works together to improve the defenses so instead of just performing a pen test you're able to go in and work with these teams to execute scripts to see if scripts can be

executed on the endpoint seeing if it's being detected and working together as a team with the defensive team to be able to block and detect these these type of activities in application security be able to test the security of the application through the software development life cycle makes it easier to remediate these bindings if you find something earlier on it's easier to fix than you've been through several iterations of updates on your code so this is an important area in action this is kind of where i found out about pen testing myself was working on appsec team types of targets that you're going to test so there's different type of targets that you're going to test as a pen

tester so network you want to test internally externally from the internet and wireless you know attacker can have a high-powered antenna and usb uh network adapter and you know attack your facility a mile down the road or so so you really need to make sure that that's the the external facing as well as internal is tested application this is a popularity a lot of companies are using web-based applications they can be accessed anywhere if allowed they can be accessed outside the company thick client your traditional binary executable type files mobile and cloud as well as api and iot apis are used a lot but due to like iot and that sort of thing but this is a really important area to

test web applications have really become popular because at one time we wrote thick client applications to work on different operating systems and one time you know it's mainly just windows but with you know linux in your environment mac os environment mobile devices then web application made it easier to to deliver an application across multiple platforms in hardware hardware is a popular area that needs to be tested your network hardware your companies that build routers and switches are going to test their their products to make sure they're secure and your medical devices need to be tested as well i've performed wi-fi pen tests for hospitals during my consulting career and you know it's kind of scary when you see these

medical devices connected to a wi-fi network so a malicious actor got access to that network they could compromise us those devices as well as some of these devices like pacemakers and insulin pumps are are connected by bluetooth so you can manage the systems and monitor those devices so these need to be tested they can be weaponized for bad so we want to make sure that those devices are secure transportation any type of transportation different types of vehicles cars buses trains airplanes we need to make sure those are secure especially with the autonomous driving self-driving vehicles coming out we need to make sure that they're secure that they can't be used to weaponize someone takes control of that they could

cause harm so that's one area that has become popular a lot of different people in different companies automotive industry have you know added pen testers to their team to make sure that they're that their products are secure you need that need to make sure that your people and your buildings are secure to you because you can have the best security in the world but if someone let someone in the building and they get in the server room or get access to a computer they're more than likely to be able to exploit that system if not the whole network and same thing with your building your building security and your in your physical security all needs to be secure

so types of knowledge so when you're performing a pen test these are kind of the three main categories black box sometimes referred to as blind pen test white box also known as crystal box and gray box black box or blind pen test is going to be more limited to the ip addresses or a url or some cases you know i've done a full scope pen test or red team engagements where i only knew the physical address of the company so we could test the physical security and it was up to me to find all the ip addresses that the company owned through open source intelligence and using tools like shodan to be able to test the external facing

targets like their their networks and applications so this takes a little more time because you're having to research and find this information now if you go to like a white box test this is where you got detailed system information including applica accounts for application tests uh even like source code you know you need to make sure that the source code is secure so between these two you know the white box is more thoroughly testing whereas black box emulates more of an attacker these are all based on time too if you have a lot of time then you can perform a black box test if you're more limited on time then you'll want to go with a white box

test that way nothing gets missed you know you may be able to maybe your authentication is really strong and it's hard to initially hack into the system but once you have access what's possible we need to test that administrators don't need to be able to see account information and pii as well as lower level users don't need to be able to do admin functions so we need to make sure that there's some segregation of duties there so we need to test on all levels in a gray box test this is kind of a combination of the two and this is what you see most the time as a as a pen tester you know you you're going to get more

detail ips because they really don't want you to miss anything so they're going to give you you know either ip ranges subnets or individual ips to test so this is typically what you're going to see in types of pen testing depth or different steps in a pen test vulnerability scanning and vulnerability assessments you'll see noted here not a penta so these are not a pen test there are some companies that will run a vulnerability scan put it in a pen test report and give it to a customer either so either they don't understand pin testing or they're depending on the person they're doing the test for doesn't understand pen testing and they're kind of taking

advantage of them vulnerability scanning is an important part it should be part of your vulnerability management program you should be scanning on a regular basis and working with the it groups to remediate those and then your vulnerability assessment this is where you're basically doing vulnerability scan plus you're validating the vulnerabilities your vulnerability scanning can find false positives so you know make sure they're not false positives and in this stage you go a step further you're also running other tools to look for vulnerabilities that may not be detected by the vulnerability scanner so these are important steps to do during a pen test and then once you have validated your vulnerabilities and it found anything else with your manual testing and other

tools that you use during the vulnerability assessment then now you're going to exploit or hack those vulnerabilities that you found so we need to know how severe they are how much further you can get so you know some vulnerability may not look that risky from first glance but once you get a system what's what's available there what level of user are you able to access that system if you're able to access this nt system authority uh root domain admin then you can do a lot more things so this is a way to to further test your security passed like a vulnerability scan and then you have your red team in adversarial testing red teaming a good quote

from a good friend of mine and founder dallas hackers association he describes penta red teaming as testing the blue team so not only are you testing the security and the technology for vulnerabilities you're also testing the humans you're testing the different endpoint protection making sure that it's able to detect the different malicious activities and this is less restrictive scope sometimes referred to as an open scope pen test and a lot of times people confuse red team with pin testing in general it's you know a different type of pen test so it's not exactly the same thing so specializations which this first one really nodded a specialization this is just typically where someone starts out as a pen tester

is what most pen testers do as a generalist you're testing network wi-fi networks in some light web application these generals are not typically experts in web app pin testing but you need to know a little bit of web app pen testing because a lot of administrators tools to administer like print servers different it functions use like a web front end so as a pen test you may get in maybe the end point protection is good they've got all their patches in place everything's configured securely sometimes the web layer is the the only way to get in so you need to understand some light web app pin testing then the next specialization is your your application your web app

mobile cloud api and fit clients this is an important area and a lot of people come over from here as developers maybe you work as a developer you're interested in pen testing then you understand that that technology so it's easier for you to you know secure or break into that that technology so there's social engineering physical uh building assessments security assessments so these kind of go hand in hand these two the social engineering physical are usually part of the same type of assessments then transportation as we mentioned earlier and red teams so how do i become a pentester this is where this this talk has really become popular people you know hear pen testing they see it it

looks like something interesting something like to do but where do they start you know you there's a lot of books out there that show you how to perform pen tests the different tools but nothing really guides you tells you okay this is what you need before you become a pen tester so that was the whole goal of this talk so you need the technology knowledge so you need to understand networking operating systems especially windows and linux from like a sys admin level understand security and depending on what you're going to do application wise understanding uh hardware and applications can be very important so you really need to understand the security before you can secure it and

before you can break into it so understanding how to build a server if you install apache web server then you're gonna have more of an idea of what it needs to be to secure it and then you need to go know what to exploit by be able to set that up so hacking knowledge this is where i was at when i got my first pen testing job i had used vulnerability scanners and but i didn't know how to hack so i had to take a hacking class so i took the oscp and so the oscp is where i learned how to hack so you can get this hacking knowledge from classes conferences such as your b-sides

conferences different meetings and meet-ups your different user groups there's groups that are you know focused on security and some of them cover offensive security topics and then self-study no matter where if you're going to school if you're taking college courses or you know doing all the self-taught you do need some level of self-study to [Music] enhance your learning abilities so home labs videos there's a lot of good videos on youtube some decent udemy courses out there are some very good udemy courses tutorials blogs and articles and twitter more specifically referred to as infosec twitter is a good way to find people in the industry that are writing tools that are professionals that you can learn

from and find out about their talks at conferences and workshops so the hacker mindset so once you even knowing how to hack you've got to develop this mindset and this is kind of similar to learning how to troubleshoot something when you install like windows server for the first time and you have no problems with it then it's easy to install but if something goes wrong then it's hard to troubleshoot until you've run into some issues and successfully resolve those issues then you really don't truly understand that operating system so the hacker mindset's kind of similar you know you learn that for instance apache tomcat if you have a unrestricted upload or you got default credentials

you can upload a malicious file the malicious file can give you a shell to that system once you have shell access then you know that you need to try to get a better more stable connection to that server uh you know if that service account's running as root or nt system authority then you can do a lot more things so you kind of learn through practice you know through ctfs home labs and bug bounties what to do next step you chain those activities together to learn how to breach a system how to exploit the system and gain access to it so this mindset takes time and repetition to develop and is best developed with hands-on hacking

experience so just like anything else you can take a class and if it doesn't have any hands-on uh portions to it then when you get out there in the real world you're working with it's gonna be a little difficult so you have to get the hands-on lab piece to the learning so the pen tester blueprint formula is the technology knowledge plus security knowledge plus the hacker mindset so we kind of described what you need to know but where do you start so you need to develop a plan so what you're going to do is you're going to do a gap analysis based on the skills you have and the skills you need so if you have

no i.t experience then you're going to start with the basics like operating systems hardware and networking if you have it experience you know you could be on the help desk maybe you don't work with linux linux is a good place to start learning security and networking if you're in security then kind of learn the areas that you haven't worked in maybe you're a network security analyst you're going to understand the networking you've got to learn how to hack so doing uh learning taking you know pic pac uh hacking and pen testing courses participating in ctfs and bug bounties those are great ways to learn and also build a lab so here's kind of three high level

descriptions of some lab options my favorite is the minimalist lab and this is like your the computer you use for your everyday maybe you have a laptop laptops is what i prefer because it's portable if you're home studying you get bored you can move to other areas of your home you could go to a coffee shop or you know just or if you're traveling for work or you're going to see friends or in-laws or something you can carry this with you and you can get some studying in so the portability is really what i like of the minimalist lab so you have no restrictions on where you're at you know and with the minimalist lab

where you have your your vulnerable vms and your attack vm that you know you don't even have to have internet connection once you have this set up so if you you're somewhere where there's no internet then no problem and then a dedicated lab this is having like a dedicated system with all your vulnerable vms on there and uh so that way you know you can take your your laptop or whatever and attack those systems so you're going across the network so it more emulates a network-based attack so this is actually what i have i have the minimalist and a dedicated lab i have a server that i built just specifically for running vulnerable vms and so uh attack platforms so you need

something to hack with and i'm sure most everyone on here has heard of kali linux so this is like one of the first uh pin testing distributions out there while very good perot os is another option a really you know really good solid option to alternative to kali linux i got to use paired os over the summer because i was performing some wi-fi pen test for my past employer and i was having some problems getting some tools installed on kali linux triperidos and it worked great so i'm really a big fan of paired os now and then ubuntu you can take ubuntu linux and install the pentester framework which is a utility or python script

written by trustedsec that installs all the pen testing tools so you have a little more control over what you're installing and uh that way if you like ubuntu linux then it's more familiar environment to work in and then windows you need a system if you're a pentester you need a windows system and a linux system because there's a lot of great administrative tools for you know doing network administration active directory and these are these are native to to windows so these are very helpful you can use the command ovm scripts by fireeye and that's a set of scripts that installs all the hacking tools on there for your for your pen test so you need you need

your linux platform and a windows platform you need to be used to using both of those for the longest time everyone use was using mainly linux but as active directory became a target then more people started using linux windows as an attack platform so your home lab so you need some vulnerable vms so you can download targets from volunhub.com let us pointable two and three are great resources for vulnerable vms they have a lot of vulnerabilities they were created by rapid seven for people to learn how to use metasploit and it gives you targets to test uh metasploit against oas web goat as well as juice shop and some other vulnerable vms are great for

web app pen testing and then create your own vm targets with vulnerable software from exploitdb exploitdb is a website that is a repository of exploits and not only does it have exploits it has links to the vulnerable versions of the software so if you want to test a certain exploit out on that vulnerable software then you can go download the software and build that in your lab and test it out and another good reason to have a lab even is you're an experienced pen tester sometimes it's good to test exploits in your lab before you go to a production environment if you're not careful you can break something in production environment and sometimes you know you get one shot

to run these exploits and once it's run if it doesn't work then that system's got to be rebooted to be able to run that exploit so testing it ahead of time is a great option and be able to get the exploits and vulnerable software from exploit db is a great way to test it so recommended reading so this first book penetration testing a hands-on introduction to hacking by georgia weedman this was the textbook i used for my first year teaching we went to pentest plus after that because pentest plus came out in 2018 and i want to give my students a certification to prepare for so we switched to the comptia pentest plus material but i still recommend this book because

it takes you through building your own home lab and teaches you how to do pen testing georgia is actually oscp so i remember when this book came out or i had my oscp and i actually got the book from the publisher to to review and i just thought once i read that book it's like man if this only been out when i was getting my oscp it would have made things a lot easier then the hackers playbook took him two and three uh this is what i would follow up after penetration testing so this gets into some really good real world scenarios and skills to build for a pen tester version three is the red team edition so i wouldn't

skip out on version two you know if you're interested in red team stuff read version three after you complete version two and the web application hackers handbook discovering exploit security flaws this is created by one of the creators of burp suite and it's a great resource for learning web application pen testing then i have a couple resources over here on the right hand side of the screen the red team field manual and operator handbook these have different command line syntax for linux windows with the operator handbook they get into some cloud technologies they both cover some hacking tools the red team field manual came out in 2013 but the operator handbook came out spring of this year or actually uh like

around january of this year they have a printed book and an ebook which i like the portability ebooks i actually have both of those but it's uh it covers like some kubernetes stuff and docker so a lot of different cloud technologies so that's a really great reference to have good for red teamers blue teamers oset so learning resources so i've got a list of resources here the top section here there's a little space in between the top section are paid resources going from the most expensive sands all the way down to the least expensive pintester practical pintester labs and then below this we've got some free resources here bug crowd university and hacker one they're trying to teach people web app

pen testing to join their bug bounty programs so they offer some good learning content sans has a good pen testing blog out there hacking tutorials as well both these resources show you how to use different techniques and have cheat sheets and web security academy by portswigger instead of updating the web application hackers handbook they decided to put the material online which you know it's easier to you know when you're going through a publisher it could take a year six months to a year to get the updates put up there so with them offering the content online they're able to continue to add stuff to it and they have online labs which is free is a

great resource if you're wanting to learn web app pin testing then owasp is a great resource hack the box and try hack me or good vulnerable vms to practice your hacking skills over the wire ctf and under the wire ctf over the wire is more linux based if you want to learn linux and unix security and how to hack those operating systems that's a great resource and under the wire there's more windows focused and it also covers some power shell so certifications your entry level certifications are going to be the ceh by ec council this one was one of the first certifications so it's recognized by hr in in management and if you're doing business with the us

government or you're a consult or you work for the us government then ceh is one of the dod uh certifications as well as the cissp so companies that do business with the government like those certifications pentest plus is a good one for beginners i like this pentest plus because it really gets a lot into the methodology of pen testing then your intermediate and advanced certifications from sans and offensive security these are the certifications will help you get you get your foot in the door at least get you an interview the offensive security certifications you actually have to perform hands-on hacking and pen tests to get certified whereas the sans certifications while not easy certifications they're open book

but they're still uh widely regarded and looked for by hiring managers if you look at a lot of job descriptions they'll have like oscp or g-pin or any of these other sans and offensive security certs job tips you know professional networking you know my last four jobs have been i've got referrals from people that i knew in the industry people i knew of local meetups or knew from conferences and this really helped my job search you know needed to change jobs a while back it took me two months and so based on all the work that i've done in the community and the networking i was able to find a job in like two weeks

so you know get out there and network you know your friends or people you know in these different groups a job comes open they can share you know it with you if they know that you're wanting to be a pen tester then they can keep that in mind i've made referrals to people that i knew that want to get started pin testing people come to me a lot because i teach pen testing looking for entry-level pen testers and i always keep in mind other people i know in the industry and community that are interested in the same kind of job so talking to people letting them know what your interests are interests are is a great way to get

referred to jobs so interview tips uh you know make sure your linkedin profile is professional and up to date with all your latest information that's your own online resume and that's what's going to pull recruiters towards you to get uh possible job opportunities prepare for your interviews know the os top ten if you're you know all pen testing interviews usually cover something no watch top ten and some of the most well-known vulnerabilities and so make sure to know those be able to explain basics like the three-way tcp handshake and osi model you'll still get answers ask questions on that i ran across some of those questions in my recent job change as well and so here's my contact

information before i started teaching and presenting at conferences i did a lot of mentoring and i still do and i'm happy to answer anyone's questions so contact me on linkedin email or through twitter and my hack my uh website is the hackermaker.com and also check out pwnschool.com this is for my meetup i have some youtube videos on there of some past talks we record and stream our talks so they're live two talks each month they're live as well as recorded and put on youtube so this is a great resource we've had all sorts of topics on there from you know people wanting to become stock analysts you know digital forensics and all sorts of stuff so

you know these are some great uh opportunities so if you're interested in connecting with me uh reach out to me on on social media and if we have any time for questions and i'm happy to answer any questions now great thank you so much phillip thank you that's some excellent advice and insider information on getting into the pentester game we don't have any questions on the youtube link although uh it looks like somebody has already pre-ordered a copy of your book on our say-so so if we go halves on the profit that'll be absolutely um uh that was really good i think one of the points that you made quite early on was the the ability or

you certainly hinted at the ability of a good pen tester to work with other teams and i think that's that's so very true because we often the uh traditional view of a pen tester is somebody who's just sort of by themselves focused single screen single person when actually it's a huge team effort um i think the previous um uh the previous speaker daniel spoke about the a team and how everybody brought a different skill to the game uh and that couldn't be truer for pen testing yeah and and that you mentioned that that's been one of the successes of your bug bounties your crowd source pen test because you've got you know you may have one application

where traditional pen testing you've got one person working on it but if you've got like 100 different people or 20 different people pen testing they've all got their specialties there's things that they'll find and they can help teach each other in the process as well yeah absolutely absolutely um excellent thank you for closing out our presentations of b-sides delhi 2020 uh very very good thank you so much for flying all the way from texas to to delhi for this much much appreciated i hope the the airline food has improved and and you get a chance to see some of the sites while you're here um so thank you indeed uh phillip thank you it's my pleasure