
So, how do you become a seasoned IT security professional? This is one of the questions I get asked many times. When people ask me what my job is, I usually respond with something along the lines of "hey man, I hack banks for a living," "that's kinda cool," and the next step usually is "oh man, but how do you get started? So what are the first steps on the way of the samurai? How do I start? Okay, I have a general background in IT, so how do I start pursuing a career in IT security?" So in the next 40 minutes I will try to talk about the challenges presented in this regard, and I will tell you a whole bunch of things, but these things are basically my opinion, so please feel free to agree or disagree with me; I'm more than happy to discuss my views with anyone who comes to me. And the first thing here, the first lesson, is one a master said once: don't believe anyone, anything. So it also applies to these thoughts; please apply a grain of salt to whatever I say and whatever you'll be hearing or thinking.

Okay, so let me tell you a little story first. We are in 1834 in France, which is one of the most developed countries at the time. They have a whole bunch of big cities, they have a lively commercial life, and the capital is Paris, as we know it. The other place where the story takes place is the picturesque town of Bordeaux near the Atlantic Ocean. Bordeaux is a huge commercial crossroads at the time, so there are many ships coming and going, and there is a stock exchange which is used to transfer, sell and buy the goods which come with those ships. In order to communicate with the military and so on, there is a certain communication network between Paris and the major cities of France, such as Bordeaux. This communication network was like cutting-edge technology at the time; we are talking about the early 19th century. The way this communication network worked is what they call optical telegraph poles. As you can see, those are those things on the top of this tower. In the early 18th century this was the top of this technology in France; they started to deploy these devices all over France at the beginning of the 18th century, I mean the 19th century, and they had like 1500 of these all over France.

How did these work? If you look at the picture, you see that there are these rods on the top of this building, and these could be turned into various positions depending on the signal they wanted to transmit. This was like one single outpost, and there was a network of these. The way they worked: imagine that someone from Paris tries to transmit a signal to Bordeaux. They had the first outpost near Paris; they set up the control rods according to the signal, and the neighboring station, which was in eyesight of the previous one, just used a good pair of binoculars, and the next station manager just adjusts the rods on their outpost just like they saw on the previous one. So this went on all the way to Bordeaux, and this was quite cool at the time. According to the transcripts, in good conditions, like when there was good visibility, the signal could travel 500 kilometres an hour from Paris to Bordeaux. This means that it was possible to get a signal from one end of the country to the other in just one hour, which is kind of cool; we are talking about the 18th, 19th century, when the most widespread way of transporting information was using couriers and messengers. At the time this was quite cool.

How did the protocol work? In order to introduce some kind of error protection into the protocol implemented by these optical telegraph poles, there was a station in the town of Tours, around halfway between Paris and Bordeaux, and there was a guy in that control tower who had a code book which allowed him to actually decipher the message, the signal that was being transferred. This was a privileged thing, as normal telegraph operators did not have a clue about what kind of signals they were transmitting. So it was possible to introduce some kind of error protection there: this man, the station manager in Tours, checked whether the signal made sense, and if it did, he just continued the transmission to the other end of the country; otherwise he sent a message back down the line saying "please repeat the signal, because this makes no sense." This was kind of cool, and this was, as I said, cutting-edge technology at the time. A similar system was also used in Britain and also in the Russian Empire, which was kind of interesting.

Alright, so the signal chain used two kinds of signals. One signal was for normal information transfer; this meant that the control rods were adjusted to positions, and what that signal meant was deciphered based on a code book which was in Paris and also in the outpost in Bordeaux, and, as I said, the station manager of the Tours station also had that code book with him, but no one else did. Besides these normal signals there were also control signals, which were like meta characters in this protocol. Should there be an error in the transmission, should there be an operator error in the transmitted message, the control signals were used to signal "please repeat the transmission" or do something else according to what the problem was. This was, as we see, the nuclear weapon of telecommunications at the time. But, as we see, an operation of 1800 telegraph poles with officials and shifts and that kind of stuff was quite expensive; as a result, this telecommunications system was reserved for government and military use only, so civilians were not allowed to actually use this network, and they were still relying on messengers and couriers.

Alright, so we have this telecommunications network, we see the
protocol, we see the infrastructure, and this was the infrastructure which was affected by the first recorded attempt at a cyberattack, or, as I think we would call it, a signal chain piggybacking kind of thing; we'll see how this worked later on. So we have two people, two brothers, in the picturesque town of Bordeaux; they were called, in my lovely French, François and, maybe, Joseph Blanc. They were two stock clerks at the Bordeaux Stock Exchange and they wanted to make money, and they actually came up with a brilliant idea of how to abuse this optical telegraph system for their purpose. What they planned was this: they had a colleague in the Paris Stock Exchange, which was the center of all the stock exchanges all over France, so whatever happened in the Paris Stock Exchange had a significant effect everywhere else. The brothers asked this person to communicate the movements of the Paris Stock Exchange to a bribed telegraph operator of the Tours station. This meant that the colleague sent messengers to this telegraph operator literally after every significant move of the stock exchange, and this bribed telegraph operator introduced a false signal into the signal flow. He included a custom signal which had no meaning in its original context but had meaning for the brothers in Bordeaux, and of course this signal broke the original communication flow, so in order to correct his "mistake" he introduced an "oops, sorry, I screwed up, operator error, please ignore the last signal" signal after the introduced one. These two signals went all along the line to Bordeaux, and since only the fixed signals were recorded, this entire attack stayed out of the books, so no one really understood what was going on. But the inserted signal actually made sense to the people in Bordeaux who had keen eyes out for signals.

So what does this mean? We have the distance from Paris to Bordeaux, around 600 kilometers, and the distance from Paris to Tours, 230 kilometres; this meant that a good 400 kilometers was shortcut using this method. Due to this telegraph operator hack, the brothers were able to get notified about the Paris Stock Exchange movements days before everyone else, which is kind of cool, and they made a whole bunch of money using this thing. The plan worked, and they had been reusing the telegraph network for almost two years in the 1830s using this method, so they were quite successful. Of course, in the end they were caught, because the bribed telegraph operator called in sick and he tried to notify the other guy who substituted for him about this incorrect use of the signalling protocol, and that other person reported them. So the brothers were caught, but, interestingly, they were put on trial, and the law in France at the time did not make custom, proprietary use of the optical telegraph network illegal. So, as it turned out, they were condemned, but, there being no laws against this kind of activity, they were only asked to pay the costs of the trial, so they went home scot-free. And they were also the first hackers in recorded human history who abused a common telecommunications network for their own purposes, which is kind of cool, I think.

I love this story because it illustrates a very important point about hackers and the hacker mentality, and that's what the point of this talk is. Of course, I'm trying to ignore ethical concerns here for a moment and focus only on the mechanism and the underlying philosophy they followed. Firstly, we are talking about two dudes who had a general understanding of how the optical telegraph network worked, and they also knew about the signalling protocol. They realized how they could use the human element to abuse this protocol for their own good, and they actually did it quite well. The second thing which I find really appealing in this cyberattack, let's call it that, is that the whole thing went unnoticed because the log protocol ignored wrong signals. That's cool, because the log entries were free of their introduced signals; any backspaced message was absent from the logs.

So let's talk about mentality here. Being a hacker, I think, in my opinion, means a certain type of mental approach; it's a unique point of view. To me, hackers are the most curious species in the world. They try to understand how things work and how they can use things for something that the inventor of those things would never have dreamed about. They try to understand everything they can; as I think everyone shares this, everyone wants to understand the world around them. This might sound quite philosophical, but it will get very practical. How many of you have tried to
use desktop Linux at one point or another? Just raise your hand, show of hands. Whoa, I think almost half of the audience has tried that. So I've been using desktop Linux in one form or another for almost five years, and this meant that I had a whole bunch of problems all along the way, like unprecedented challenges, anytime, anywhere; there's no guarantee that anything will work at any point, which is really hard to explain to anyone, why this actually makes any sense, because what they see is that you are struggling with the computer all the time, and that damn thing doesn't work, and when it breaks down, it breaks down at the worst possible time. But I really enjoyed those times, because at some point I understood how the thing worked and I could fix it whenever it went wrong, and there's one thing I never had in association with my computer, and that is fear. I was never afraid of what the hell would go wrong with that thing, because if it went wrong, I knew how to fix it. If it went really wrong, you know, you've had that feeling when you're trying to install some new feature, a new kernel maybe, and at the end of the day, in a couple of hours, you will sit in front of a blinking GRUB rescue shell, in front of your computer, trying to make the thing work again. And I'm pretty sure anyone who has tried to use desktop Linux has that experience and knows how to kill his machine, or how to reinstall it for that matter, really quickly. And that's really cool because it brings a critical element into the picture, and that is understanding. If I understand how the computer works, I will stop being a mere consumer of that computer, a mere consumer of IT. What this means is that I understand how things work and I know how to fix them when they go wrong, and I think this was the ancient meaning of the word hacker before the whole cyber security, Kevin Mitnick thing came around: these are the dudes who take whatever they have in their garden sheds and build something out of those things. That's really nice, looking at the world as having a whole bunch of opportunities around us.

Alright, and the next question which comes to mind: how to become one, how to start this whole thing. First and foremost, I think to me being a hacker is having a unique point of view, a unique perspective of the world. It's really interesting to talk and walk around in the city, for instance, with a couple of penetration tester dudes. I did it many times, and we made fun of ourselves by talking about what we see when we look around. For instance, in one case we went to have lunch with a client, and we were walking from the office to the place where we had lunch; it was in Zurich, in Switzerland, and the place was near the main train station, and there were literally thousands of bicycles attached to the bicycle storage areas near that station. As we were all keen cyclists, we were looking at the bikes, and as it turned out, the client was looking at the bikes themselves and the pentesting team was looking at how those bikes were locked. We were looking at the locks, not the bikes themselves, which is really funny, because we were looking at the same thing but we were focusing on completely different aspects. This basically is the kind of curiosity about the world around me, and it's really interesting to see the world this way.

One of the first lessons I learned when trying to work as a penetration tester and walking around in different areas and different companies was that many times hackers don't have anything to do with IT. This means that even though most hacking-type activities are associated with IT security, and probably with financial gain and defacing websites and all this kind of stuff, many of these hackers are not working in IT security; they just work somewhere else. For instance, when I was working in London, I met a girl who was an investigative journalist from Denmark, and as it turned out, her thesis was to arrange a face-to-face interview with Denmark's most wanted drug lord at the time, who was on the run from the police when she arranged that interview with the guy. It was very interesting, because as she told me how she got there, how she got that person to [inaudible], it turned out that she was driven by the same motives as I was, even though she had nothing to do with IT security. She had this tendency of talking her way out of every tight situation, every tight corner. It was funny, because after we met she actually applied to a pentesting company and she became their social engineering expert, which is kind of cool, and, as I heard, she happens to be one of the best.

Alright, so the next step, the next lesson, is how to learn this kind of approach to the world. IT security and hacking is as huge as the rest of the world, as
everything can be hacked at some point, or will be at some point. Therefore it is impossible to say that anyone is an expert on anything. I talked to a lot of guys who were really cool in one field or another, but none of them called themselves an expert; even though they were really good at those things, they just didn't call themselves an expert. So in order to get started, I think there are a couple of fields which need to be learned when trying to pursue a career in IT security; I will talk about those, more on that later. And the gimmick is that, more often than not, by the end of the day we will have a better understanding of the technology, or of that particular system, than those guys who actually built that system. That is especially true for penetration testing and system testing assignments, where developers, operators and such guys have huge blind spots: there are areas which they don't know about and which we do, because we went there and tested the whole thing. This means that by the end of the day we will have a clearer picture of what they see than they actually do, and this might lead to really funny situations. For instance, on one occasion I had a job where I had to test an iOS application, and, well, it was a pile of crap from a crypto point of view. We sent the whole thing back to the developer guys and they did a quick fix on the problems, but it was buggy, and it was us who helped them debug their code, even though we didn't have their code; we could help them because we had the entire thing going on in IDA Pro. So what's going on? Okay.

And a note on learning, which cost me quite a bit of a headache when I got started: learning is not a theory thing; you have to do it in practice. Whatever you learn, try to do it in practice. There is a difference between theoretically having knowledge about something and struggling your way through that particular attack or building that particular environment. This means that in order to replicate any kind of attack you have to fight your way through the whole thing: you have to build up the environment, learn how that thing works, how to configure those things. More often than not you will have to dig into manuals and anything that allows you to build the environment which the attack will live in, and this will result in quite deep knowledge about that particular area. This can even be a piece of architecture, a piece of infrastructure, an operating system, a database manager or whatever; it doesn't really matter what it is. There are a couple of things which are essential, for instance how networks work and how networking works; that's one of the key areas which, no matter what you do and no matter what your field of interest is, you have to know. Also there's a really deep need for understanding how operating systems work, and this is the point where having a desktop Linux around gives a really significant advantage to anyone who has struggled their way through trying to live with desktop Linux.

Also, there's a question that pops to mind: where is all this learned, which school should I take? I think it's not the question of which school to take; I think it's the question of how to approach IT and IT security in general. So there are places where you can actually learn stuff, and there are certificates, certifications, which can be handy sometimes. In my opinion there are two kinds of certs. One gets you through HR, and that's it: they come with really thick books, you have to learn those books, tick some boxes on an exam, and if you have it, your CV will be put on the top of the pile by the HR people. Other certs, however, actually give you the opportunity to struggle, which is another way of saying they give you knowledge, but I prefer to say that you have to struggle your way through the exam and through the syllabus all the time. There is a common misconception about certifications, like many of my friends say "oh dude, these are really expensive things and my employer won't pay for them." Well, I think if you are interested and you want to pursue your career, you probably should purchase those certs for yourself, pay for them yourself. I, for my part, I think all my certificates were paid for by myself, so when I was between jobs I said okay, I will spare a month or two before my certification and spend most of my time trying to learn and fight my way through the exam, and that was kind of cool. I think this kind of works because I had time to digest the materials and to learn how to actually fight my way through the exam. But that's not a necessity. Something that is for free, but only costs some time, is watching conference talks. When I was at my first workplace I spent literally hours every week just watching security conferences and watching talks of much smarter people than me, and that gave me a whole bunch of ideas. For instance, I learned about many things, many fields that I never knew even existed, and I had the keywords to google them and the tools to start playing around later. But the other thing this gave me was a general understanding of what is interesting for me. I was really interested in everything that is invisible, so I was interested in hacking radio networks, playing around with Wi-Fi, Bluetooth, that kind of stuff, and I'm really grateful to those guys who did the hard work and the research for me, and I only needed to stand on their shoulders.

Okay, but this is all still theory. In order to get things into practice, there are CTF games, these
capture-the-flag competitions, which are one of the easiest and most popular ways of trying your claws on actual infrastructure and actual applications. These CTF games provide you with a safe environment to try, which is kind of cool. Many of these CTF games are associated with different security conferences, but many of them are available all year long, like there are aggregator sites for these; I think it's called [inaudible], that's just the name of the site, but there's a whole bunch of those, just google them. Many of these give you a VPN connection if you want to try to hack Windows boxes, Linux boxes; they always have a bunch of those lying around and you can try your favorite tools on them. Alternatively, you can go and create your own test labs, which will be a necessity at some point or another, but thankfully VMware, VirtualBox and all this virtualization software is for free, so there is no problem investing in some boxes and popping them. Should you be interested in mobile application hacking, hacking Android or iOS applications in general, there is a way: flashing a custom ROM on your phone, which I really enjoyed. If you're an Android user, this will also introduce you to a whole new level of challenges when it comes to struggling with your infrastructure. As I recall, I was running CyanogenMod on my Galaxy, and I think we had some vacation in the Canary Islands and we were cycling around a lot, and as I recall I was trying a new kernel on my Galaxy, but as it turned out it started overheating the phone. So when I was taking pictures and cycling around in Gran Canaria I had to touch my phone every 30, 35 seconds to see, is it hot, is it hot, no, no, no, and as it turned out, yes, this is the overheating problem with the kernel, so I had to do an Android backup restore while I was still cycling. I don't recommend anyone do that, because that obviously cuts your ability to use your phone, but it's a great way to learn how Android works and it's a great way to learn how to fix Android when it breaks, and that's kind of cool.

And there's this thing called, it's not my term, I'm pretty sure many of you have heard it, it's called "try harder," and this is an approach, the willingness to struggle, to try harder. I think there's a brilliant Hungarian word for this; it is called "szívás." I asked a couple of native English speakers how you translate this into English, and as it turned out there's hardly an equivalent for this word in English; the closest thing you can get is "struggling," which expresses the minuscule scale of results compared to the effort you have to put in. So a little story for this one. When I was tasked to gear up and train a mobile penetration testing team for one of the pentest companies here in Hungary, I was super excited and I said that I would make a whole bunch of really hard challenges for those guys, and I made a couple of dozen applications of varying difficulty, but the point was to hack them. I gave them to the guys, and as it turned out, they had problems; of course they had problems, because they didn't know anything. So I gave them books; they still came back to me, "hey, we can't do this, it's too hard." I started to give them more books, more talks, I showed them how to hack those applications, and it took time, it took a lot of time and effort, but eventually they got the hang of it, so they started to get better and better, and I think by the end of the training process they were really good. And I thought, well, maybe I could do a little shortcut on this process, so I started writing tutorials for the most crucial steps, and I thought that okay, these tutorials will make things much easier and much quicker to learn. But as it turned out, it didn't, because the new rookies, who were the juniors at the time, were following my tutorials but they were not able to replicate those steps in real applications when they had to tweak things around a bit. So I came to the conclusion that the struggling bit is inevitable: the more you struggle, the more it is possible for you to learn whatever it takes to hack an application, and this bit, I think, unfortunately, is inevitable; but I'm happy to discuss the question from a tutorial point of view. So the conclusion is that you have to try harder. When asked what the most important skill of a pentester or wannabe penetration tester is, it is this thing: the willingness to try harder and to struggle their way through the process.

Okay, so as I said, what kind of IT degree, or degree for that matter, you have is kind of irrelevant. The whole thing is that you have to be simply interested in what you want to do and have this mindset of being willing to struggle; that's the most important thing, not the school you went to. Also, it's a team effort, so hackers are
famous for the community approach; it's not a single-player game. Virtually every pentesting team I worked for had a very tight team, and we built a nice environment around us, and this made for pleasant and liveable working conditions, but it all boils down to being in a team. Also, a couple of quick pieces of advice: it's completely OK to fail; the willingness to struggle also means that you will fail a lot, many, many times you have to start over and over again. When I interviewed people who wanted to be on my team, the question I usually asked those guys was: okay, so how do you take struggling, what was the most difficult thing you tried and failed at? And depending on how they answered, or how they didn't answer, I could get a general view of how that person tackles struggling with problems and how to use those skills on the team.

Well, we're nearing the end, and it's necessary to talk about the topic of ethical hacking. In our case being ethical basically boils down to this statement: don't be an idiot. In many cases when someone tries to pursue an IT security career and just learns to hack, we see a pattern: okay, you know how to use sqlmap, you know how to use Burp, you know how to do a web application assessment on whatever application you want, and you start looking around on the internet, because it's so huge and so full of applications. The main advice here is: don't do this, because more often than not you will get caught, eventually you will get caught and you will face serious problems. As we are in Hungary now, I think I don't have to remind you of a couple of recent stories about wannabe hackers who wanted to get jobs with a major internet provider in Hungary but did it in a really, really stupid way. So don't. This is what I call the hobby freedom fighter type of thing: you're looking for vulnerable sites, you believe that you're trying to make the world a better place, and if you find something, you report those problems to the owners of the website and no one gives a damn; you get frustrated, you get angry, you send the vulnerability disclosure letter again to different email addresses; even if they respond, they write that they don't care; you get frustrated and you go, "screw you guys, I'll go full disclosure," and you post your findings on some blog post or wherever you want. Well, this is the single easiest way to go to jail, and I highly advise anyone against doing this type of thing.
If you want to try your claws, go and do CTF games; that gives you safe environments where you can try your luck and try your skills and improve them. Thank you very much, and that is all. So, any questions? Do we have some more time? Since we still have time for a couple of questions or arguments or anything that comes to your mind: does anybody have a question for Jumbo?

Hi, my name is Peter Andre and I am a network pentester, and I would like to ask you if you think, or can you agree with, a better translation and philosophy for "try harder"; in Hungarian it may be "don't fail," so it's very important not to give up after the first few, or more, hours of, you know, szívás.

Yeah, I totally agree. So the thing is, "don't give up": everyone who has faced challenges at one point or another gets to the point of "screw you guys, I'm going home, I'm leaving this, I don't care," but many of us will eventually come back when we don't give up. So yeah, I agree, that's a good solution.

Anybody else? Then, in that case, please say thank you to Jumbo for that presentation. Thank you.

[Applause] [Music]
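Added example (not part of the talk or its slides): a small Python simulation of the signal chain piggybacking the speaker describes in the Blanc brothers story. The code book, the symbol names (A1, A2, A3, X9), the two control signals (ERR for "ignore the last signal", RPT for "repeat"), the Tours check and the station logging rule are all constructed for illustration and are not the historical Chappe code. The point it demonstrates is the one the speaker singles out: a relay that logs only the corrected message lets an inserted-then-erased symbol reach Bordeaux while leaving no trace in the log, and the fix is to log the raw event stream, control signals included, and audit the erasures.

```python
"""Simulation of the Blanc brothers' piggybacking on the optical telegraph.

Added example; the code book, symbol names and station logic are constructed
for illustration and are not the historical Chappe code.
"""
from typing import Dict, List, Tuple

# Control signals, the "meta characters" of the protocol (constructed names).
ERASE = "ERR"   # "operator error, ignore the last signal"
REPEAT = "RPT"  # sent back down the line: "that made no sense, send it again"

# Constructed code book, held only in Paris, Tours and Bordeaux.
CODEBOOK: Dict[str, str] = {
    "A1": "COURIER DEPARTED",
    "A2": "GARRISON READY",
    "A3": "SHIPS SIGHTED",
}


def corrected_message(raw: List[str]) -> List[str]:
    """Apply the control signals the way the relay stations did.

    An ERASE drops the symbol before it; a REPEAT request carries no data.
    This is what ends up in the station log, so an inserted symbol that is
    immediately erased leaves no trace here.
    """
    out: List[str] = []
    for sym in raw:
        if sym == ERASE:
            if out:
                out.pop()
        elif sym != REPEAT:
            out.append(sym)
    return out


def tours_check(raw: List[str]) -> Tuple[bool, List[str]]:
    """The Tours station manager decodes the corrected message with the code book.

    Returns (accepted, log_entry). If any symbol is outside the code book the
    message is rejected and a REPEAT request goes back towards Paris.
    """
    msg = corrected_message(raw)
    if all(sym in CODEBOOK for sym in msg):
        return True, msg
    return False, [REPEAT]


def bribed_operator(raw: List[str], covert: str, position: int = 1) -> List[str]:
    """Insert the brothers' symbol, then erase it, so the official message is unchanged."""
    return raw[:position] + [covert, ERASE] + raw[position:]


def erased_symbols(raw: List[str]) -> List[str]:
    """Every symbol that was immediately followed by an ERASE.

    The accomplices in Bordeaux watched the rods, not the log, so this is
    exactly what they could read; it is also the raw event an auditor needs.
    """
    return [raw[i] for i in range(len(raw) - 1)
            if raw[i + 1] == ERASE and raw[i] != ERASE]


def erasure_audit(raw: List[str]) -> List[str]:
    """Hardened logging: keep the raw stream and flag erased symbols not in the code book.

    An honest operator error is usually a mis-set but valid symbol; a symbol
    that exists nowhere in the book and is erased at once is suspicious.
    Erasures of valid symbols would need a rate-based check instead.
    """
    return [sym for sym in erased_symbols(raw) if sym not in CODEBOOK]


def run_scenario(covert: str = "X9") -> Dict[str, object]:
    """Send one official message through a bribed Tours operator and show who sees what."""
    official = ["A1", "A2", "A3"]
    tampered = bribed_operator(official, covert)  # X9 means nothing in the book, everything in Bordeaux
    accepted, log_entry = tours_check(tampered)
    return {
        "wire": tampered,                      # what the rods actually showed
        "accepted": accepted,                  # Tours saw a sensible message
        "log": log_entry,                      # what got written down: the official text only
        "bordeaux": erased_symbols(tampered),  # what the brothers' watchers read
        "audit": erasure_audit(tampered),      # what raw-event logging would have flagged
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:9}: {value}")
```

Running it shows the two views side by side: the log holds only A1, A2, A3 and Tours accepts the message, while anyone watching the raw rods, brothers or auditor, sees X9 go by and get erased. The same lesson applies to modern relays and proxies: a log written after error correction, normalization or retries has already discarded the events an investigator needs, so record the raw stream and derive the clean one from it, not the other way round.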