
Penetration Testing: What They Don't Teach You In School

BSides Detroit | 57:32 | 2.1K views | Published 2013-06
About this talk
BSides Detroit 13, June 7-8, 2013

Abstract: Academia and the professional world have always seemed to have a willing cognitive dissonance. Academia can have a hard time obtaining willing talent to educate the up and coming youth within their environments, while the business world is either far too busy, or unable to provide the correct resources back into the pool of knowledge to help those students. The end result ends up being potentially misinformed students entering the work force with unrealistic expectations that end up crushing their souls and passion for the industry to which they dedicated 4 years and $30-$60k in loans. I would like to call out some of the things that slapped me in the face when I broke into the security space. I want to have an open discussion about what could be done to help bridge this gap, and fix some of these issues. I'd also like to discuss some of the programs that are being developed by infosec community members that are bridging that gap that you can get involved in, and help give back to the community.

Speaker: Alex Fernandez-Gatti (@alexgatti)

Cool. Hey, BSides Detroit, how's it going today? I'm Alex Fernandez-Gatti and I'll be here speaking about pen testing: what they do not teach you in school. So I've given this talk once before at Eastern Michigan, so for the students in the crowd it's maybe a little bit of a repeat, but hey. So how this is going to work is, you know, feel free to speak up and say something at any point in time. I realize I'm a professional but I'm not an expert; I'm a year into this. So if you guys hear or see something you don't agree with, I want you to speak up. So there is one exception to this rule: if

belt face comes into this count, this room today, he has to show some dance moves before he says something, so be sure to call them out in that he says something. So a little bit about me: I graduated from Eastern Michigan University in 2010 with the bachelor's in science of information assurance. My focus there was penetration testing, ethical hacking, network security. So I am currently a pen tester at Trustwave SpiderLabs, security analyst, entry level there, and in our statement of work it actually says we're contractually obligated to be world-renowned, so that's why I keep my head shaved. So I do have a background in IT and I have been heavily involved in various infosec groups since the age of 16, whether it be

Michigan 2600 or different IRC chats I've also been trying to get involved in the mentorship programs to be somebody who's mentored by somebody rather than be a mentor myself so during school went to class like we all did you know when it went there learned we had to learn from professors passed the tests but else went to conferences which not everybody did it was a kind of a failure in that kid the emek universe there are academic institutions to not encourage students to go out there and engage in other parts of what might be their career ya got go ahead to speak up right that's a problem right absolutely i completely agree with that concept

people should be getting involved if it's truly their passion so but that's that's kind what this goes into here a little bit so i also got directly involved in making things happen on campus whether we setting up a new network environment new lab a new testing scenario i I wanted my hands in there so i would go ahead and push forth and say hey i am going to be that [ __ ] says i'm going to do it so but during this process i still didn't really have an understanding of what penetration testing was even though I very much wanted to be involved in it I really thought pen testing was this I'm the guy in from the screen of the

glasses on being some lead [ __ ] so as I moved on i graduated so what the hell what do i do right crap so i put my resume out there and got it hid within a couple weeks ended up in kansas city missouri when you're 27 Kansas City's now where you want to be so there's really nothing to do but it was a great job and idle learned a lot no learn had a lot of fun boulevard brewery out there is pretty good if you haven't had a boulevard beer check it out so i moved on from there is rather ambitious and wanted to move up to something else i became the network engineer for the

Detroit Tigers on a five month contract from the contract jobs when you're new in the industry is after the contract what do you do well nothing so that sucked but I kept them putting myself out there getting involved in Twitter and infosec groups and conferences and ended up eventually talking to somebody at trustwave really like March thirteenth really kind of a it was far away from what actually got hired so I'm sitting there hoping I'm getting hired hoping hoping hoping and nothing happened and so I had to keep on going out there and put myself out there and kept them doing conferences like con ganas said hey there's no after party so I'm gonna organize one where I met other

people in pen testing and got a bit of a lesson in life when it comes to that and that lesson life actually led to a phone call which led to an interview and which I did my research and realized that pen testing such is more than hacking metasploit school but that's really about that much they come to pen testing so and same thing with system design analysis and major network deployments this is really not security this is only a fraction of it so but I was only just learning this stuff I I didn't really know and I said this in the interview process and said hey this is what I think it is correct me where I'm wrong

So I got hired, and there I am, little red circle, in the group of about a hundred different SpiderLabs people who are way smarter than I am. And I walked around my, what is that, DEF CON 20; they hired me, they flew me out, I walked into the training room, or the dinner, and said hey, I'm new. They said yeah right, God, get out, you don't belong here. Then Rob walked up, said no really, we just hired him, he's not trying to social engineer his way into free food and drinks for the night. So then I started going to the parties, met people, idols, people I looked up to, rock stars, and this is when it became a

little bit disillusioned infosec rock stars are just doing the job like anybody else here and I realized that they may know some things but technical skill is only part of it so if you try and apply technical skill in certain areas that doesn't work in you know you end up in situations like this so it may kind of apply but it's probably a square peg round hole kind of situation where you're going to have to force it and what I really learned is penetration testing is more of this you're more of a consultants you're more of a people person you're a business person you have to go in there and you have to listen and figure out what's your clients need

and nobody told me that in school nobody told me that going into the industry that was something I realized after my second kick off call where the client said you know what are you really trying to accomplish here and I said well I'm going to try and hack your stuff and give you a report that says how I hacked your stuff but the I kept on learning and growing and eventually I realized she almost have to really get to know your peers and your clients first name basis gets another you know who these people are what they want mutt motivates them not only are your peers going to help you out and lift you up when you fall down but your

clients are also your clients will also lead you on the path of what you have to do when you have to do it to make them happy and come back to the client next year which kind of brought me to you have to be prepared for anything and pen testing so generally my day to day when it comes to pen testing is you know I get an assignment email so this client has been assigned to you you have 40 hours it's an internal pen test you are to basically go in there and hack them they'll stay whether it's for PCI HIPAA or any other compliance standards or it will be just generalized pen tests and i

love the generalized pen test where the gloves are off. So I'll reach out to the client: hey, you know, Alex Fernandez-Gatti with Trustwave SpiderLabs, I'll be your pen tester, I will attempt to compromise your domain and I will do so in a professional way that will make you happy. And so we have the call, we talk scope, ranges, the blacklist (stuff they won't be touching), and requirements, if it's for PCI, if it's for HIPAA, if it's for some of the compliance standard which the my copy may not cover but they would like to have something to help them in that realm. And so the engagement begins and we'll start doing, I'll start with recon, passive listening, capture

hashes off the wire when they're trying to authenticate to machines via SMB or other authentication protocols. I'll then begin active scanning, actively engaging workstations or servers with open shares, see what they come back as, see what I can access without authentication, and then I try and figure out what those boxes do. So now I've got a ton of hashes and I crack them, then I log into those systems and dump more credentials from there, hopefully finding a local admin or a user which has access to other machines, which leads me further up the food chain within the environment. All along this process I'm gathering more documents and more information, bearing in mind what my

client has told me is important and what's important there is again the listening skills you have to figure out what they really want if they want me to look at health they're like health care data cool that's fine do they want me to find if their boss is unencrypted pen test reports and I found those do they want me to figure out if somebody's peddling porn from their workstation I can help out with that that sort of thing but it's all what the client wants I'm in their home turf and I have to respect that it's not my opinions or my desires it's theirs so part of that process is documenting everything because that eventually brings the end

results the deliverable which is the reports 10,000 yes

Haha, that's very true, you cannot document enough in any industry. Personally I use a lot of Notepad, to be honest, a lot of Notepad and screenshots. So for example, if I come across or I have found something that's led me to domain administrator or a workstation with a lot of sensitive information, I'll stop myself, even though I really want to continue going down the rabbit hole, and I'll figure out, I'll write down what I did to get to this point: the hostname, the IP address, whether or not Metasploit was used and, if so, what exploit; if not, what user account allowed me access to this and whether or not that

user account is really permissioned for, if they have permissions for it, or if it's probably just an open access group where it shouldn't be for the sensitive area. And so in regards to the report, though, all that information has to be there. You're not writing a 50-page list of vulnerabilities; that stuff, it's useless to a client. If you give them here's a narrative, here's how somebody could walk in here, here's how somebody could do this or that, that's more valuable, I feel. But not just the one path I took to successfully do it, but you have to stop yourself, you go back five steps and you start over. And in school I

was taught, you know, you start and you finish the job, move on to the next job. If I got DA by doing NBNS spoofing, capture the hash, crack the hash, gotten to the DC, created an administrator account, then that's cool, let's find another path to do it, because a pen test shouldn't be just here's your one path of escalation, it should be multiple paths; otherwise they paid 20k for one answer. So, and you really do, after, the reports are really where it comes into place, and coming from a technical background with a technical degree, nobody taught me how to write, so I had to learn a lot of grammar skills, a lot of what the hell is a semicolon used for

so I don't really know but if you deliver gibberish I mean it's useless doing so like this the slides some say the balls never actually thrown you walk into a client you hack them and then you're like yeah here oh wait pocket now you don't want to do that just speak up my way no you don't want to ask me I did find some online resources sorry that's a good idea yes

I can only agree sorry good practice but how would you actually practice if you don't know how to compare community colleges yeah so other in that that's it's it's a really important skill that I mean who in the professional world really knows that a rather than like a marketing person or with an English degree I'm seeing somebody getting called out in the crowd here but yeah that's that's that way I would love to have just a person dedicated to correcting my grammar but I would have to have time to do that so yes right I think it's a very valid point however the problem with pen testing is the last information is very confidential so if

you I go off in hand a pen test report for a major for a fortune 50 company to somebody who's not vetted who's not inside the pen testing world I don't know if they're going to do that that's a security problem that might occur

it's a valid end point so I do too which is that's my concern fit if I handoff pen test report to somebody that doesn't know added practice security when the pensioner comes to my company and compromises their box well there's ten pen testers reports right there for 50 clients and that's where the concern comes into play but they're not going to say something they might accidentally leaked information so do we have technical people consuming the problem queuing reports or do we have english majors people who know what I right people who have skills that we didn't bother with come in and do this I would prefer somebody to come in and do this but yeah I make my life easier but the

report really is just a combination of a bunch of me going in the network and touching things and figuring out what works. And so whether it be ARP spoofing attacks where I compromise, I get 15 hosts, start running the traffic through me; this is one of my normal everyday, I step into a network, day 1, I'm doing ARP spoofing, I'm looking for people to start filtering the traffic through me. If the client's using a proxy, for example, I'll get domain creds because they're authing to the proxy, and then the proxy's hooked up to the domain controller, Active Directory, and lo and behold, maybe I got the domain admin, maybe I got somebody in HR or

finance, pool in the water in the box and dump all the financial data. But I'll keep on capturing hashes and go through, and then I'll send them off to my crack box and I'll crack them, and by the end of the first day I'll have a long list of usernames and passwords, of which I have also a list of which workstations they came from. So that's part of the documentation process, and understanding where what came from, or what came from where, is rather important, so you're not just throwing creds against something that's not valid for it, locking accounts out, which makes things messy. And then the end result, hopefully, more than likely, you'll find a local administrator

in one of these boxes, and this local admin, stored in LAN Manager hashing, which is incredibly easy to decrypt, will end up being the local admin for every single workstation across the network, maybe even the domain controller, ending in complete compromise. And so that's generally the easiest process, I think, when I engage with a client. There's a number of attacks that I do use, including LLMNR, Link-Local Multicast Name Resolution protocol, which is built into Windows Vista, Windows 7 and Windows 2008, and what it does is it's another step in the whole "I'm going to find something for you". So you type out a domain, it goes to your hosts file, goes to DNS, and in Windows XP

it went to NetBIOS; Windows Vista, Windows 7, Windows 2008, it goes to LLMNR and then it goes from NetBIOS. So all these boxes come with LLMNR enabled, they're out of the box, the install is just, hey, we're going to use LLMNR before NetBIOS. So people turn off NetBIOS but neglect to turn off LLMNR, and what occurs is I get a crap ton of hashes from that, which makes my life very easy, and then of course go and crack them. ARP spoofing is also one of those really critical skills where you have to figure out the right time, the right place and how to use it correctly, so you have to build a filter out,

capture rolling traffic for the certain ports you're looking for, and then go through that too in very small doses on the network. So if you have 1500 hosts, you're going to do 10 hosts at a time; it might take forever, but you're making sure the network's not impacted in the process. That's really important for the client's sake, and, you know, back in school, ethical hacking, yeah absolutely, just, you know, let's Ettercap the entire subnet, that's cool, right? Now, that's how, you know, incidents occur, sev one incidents, especially at a hospital or a major financial institution where tutor and 4054 host just went down, so oh my god. So, but primarily I fall back in line

administrative skills that I did learn in school. So the exploitation, the knowing when to use it, becomes another tool set that my admin side knows, then takes over at some point. So I'll log into a box; if I didn't know how to use Windows command line or Windows PowerShell or shell scripting, I would be useless in those environments. And so basic administrative skills make for a good pen tester, in my humble opinion, and I would actually like, if somebody has a differing opinion at this point, I would love to hear it. So nobody disagrees on the administration skills? Okay, good deal, glad to hear that. But primarily I think something we all have to push for

in our peers and our subordinates, in ourselves, is truly getting involved, going to conferences. I know you guys, you're here, you're at BSides, right? We're all having fun, right? So, but other conferences like con, DEF CON, Notacon, and hopefully someday 313 con, we transition over to that. Just push yourself out there, push your name out there, learn people's names across the world, across the country, and you'll learn a lot of stuff in the process. You'll have resources anywhere in the world you can go and say, hey, you want to get coffee or a shot of Jameson? So cheers to that. And on that same token, like, getting involved as professionals, getting involved in CCDC, being a red teamer or

getting vonnegut hub hopping on the IRC channels or going out to meet ups in your local area I relays are not all from Detroit so there are DC groups all over the place going into your office and saying hey person in sitting next to me the cube watch come with me building that group up so we get a security mindset pushed out to a majority people instead of a minority so the more we put ourselves on people in regards to security the better off our entry will be and so on that same token you know asking questions teaching people how to listen and also acting as if we all know doesn't really work when it comes to

interpersonal communication it only works in social engineering engagements don't pretend you don't know you don't know so and further you know podcasts blogs books and truly the most important thing is mentorship so if you're involving yourself in in local schools in local meetups find that kid that's 16 year old boy or girl who doesn't know what they're doing doesn't know how to run shell scripts or even look at them and take them on your wing step up so some of us been doing this for 20 years and you can tell by the gray hair or lack of and you guys need to be taken out taking those kids on your weighing the high school kids the middle school kids who

don't understand you don't understand that hacking is going out and attacking China while it's cool might get you some trouble but loading up a lab or providing them with the equipment for the lab or providing them you know VPN over to your lab that would be incredible an incredible opportunity for them so and just for a printer oven so that's James Banfield's he was he was the leader of the facial surance group at Eastern mission university and he is whipping one of our interns into shape to get him the load up server rack so so this is my contact information but in all seriousness just let you know I'm not a troll here I really do want your

opinion and your feedback on this I want you to know what you think what we can do as a community to reach out everybody involved here to prevent people from walking to pen testing going what the hell is this crap I have to be a business guy so what are your thoughts what are your opinions speak up

being only a one year old in this industry I'm not entirely certain I I feel better researches researching would be advantageous understanding the research process that comes with writing it's a basis or it's a writing leads doing better research I also think more diversity in your skill set so if I'm going to school for administration cool to some networking or some shell scripting or send development and I'm not just talking like Java 1 and 2 i'm talking java one and two shell scripting and you know some archaic language which is just difficult get your mind working so I think those skills be useful and as we all know programming is just another language that we have to learn to speak

dt

is that Eastern they're like oh if this was on a Linux machine that total of you getting this well it's not you know I think that's an error of youth almost you're an era of experience they're not there yet to truly understand the value so they that become dedicated fan boys or girls that being said breaking them of this is kind of like you have to throw a minute of an environment so if you're an educator and the person is completely focused on windows won't make them boot into linux on their workstation so have a multiboot environment make them do their work in a lynx environment yes

absolutely clear that being Zoey I think the particular now I have no experience another University except for Community College in auburn hills so the way i think if you if you create an ethical hacker out of a university you're robbing them it's important to teach them skills outside of penetration testing or hacking you need to say go take this 2003-2008 2000 possibly 12 now server admin class learn how to be good server admin first but i do think that everybody in here at least that at this point ivan everybody saying anything otherwise so you've had your hand up again just speak up please open discussion hell if emily wants to come up here there's an extra mic so too

congratulations

you're not getting away from it and how many students are here can if your student please raise your hand and if you're also professional raise your other hand if you're pursuing and professional go like this so I see a lot more students and a small array of student and professionals in there if you the student professionals in the room are you attaining masters bachelor's pad so you're working the industry currently looking and obtaining your bachelor's degree how many just peer professionals do we have in the room out of those peer professionals how many of you guys do mentorship have somebody you directly work with right now so three people for people found I think all of us could actually do a lot

more than that either by blogs or stepping up to the community to send of itself I don't know we're just like a basics in business so you can speak the language I can take care of that that should be something students should be learning but that's all like can you can you as a professional can you step up and teach that to a kid though would you be willing to include that and discussion at APIs like meet up Bruce Schneier yeah well Bruce chris potter so did you guys know b-sides is not actually information security conference maybe actually if you did know that raise your hand no okay two people so besides is actually a

generalized conference it's a conference which allows for any how to talk any type of engagement you can be absolutely so absolutely conference is exactly what happens with penguicon we get weird talks about furries and that has happened so I'm not going to discuss my opinions and furries however if that's your thing then cheers to you sir sorry what was that do you have personal experience are you sure this is a security conference know it but legitimately the way BTW i just found it this is not a security conference this is an open conference that attracts security professionals and that's how it should be so if you have a talk on how to be consultants do it bring it out

there because there are students coming to this group that don't know how to be a consultant like myself two years ago that I would have loved to hear about so

as somebody's looked into going to the bunny ranch from Def Con as a hell of a long drive

I'm married so it's kind of so you can't go to the bunny ranch with me next year it's not Vegas you know it always seems like well that's not my scene right you know it's not as a professional and all this great stuff hoping up having bell face he's stumped next here hello you wanna pop him that's actually a really valid question because a lot of conference scenes there's a lot of drinking occurs and you know what I mean so it happened this is a lot of drunken debauchery that does happen however there are people who don't drink there and have the hallway con experience is I think really important you may not be interested in ninety two percent of the

talks but you're gonna meet somebody who knows something that you want to know that has some experience or some business connection or some what the [ __ ] were you talking about there buddy can we talk about this later cool yeah that thing that happens and you find out about how the open prison doors remotely using SCADA which is cool and they didn't talk on that in DC 19 I went there I attended a party I met a guy who was standing out by corner by himself because he was fantastically paranoid about anybody approached him so I just went up there is art smoking with his friend and started talking with them SE my way into the group and lo and behold

he's the guy who developed the methodology and how to do that, and the next thing I know his room's getting broken into and he needs bodyguards and is packing a gun. So I'm like, this guy's legit, it's craziness. But you know, you find people; a conference is not always about the talk but your fellow attendees, your speakers, your volunteers who have made this happen. And a place like DEF CON, 20,000 people, it's hard to go through a group of people; a lot more valuable going to a smaller conference like falcon or Notacon, you're going to have possibly a lot more success, I think, with getting to know different people. DerbyCon, fantastic, I'd like to bring that up. Yes?

there we consummate place but it's getting bigger unfortunately I think it's effing small cons are a lot more valuable

absolutely Niagara the hacker culture built this professional industry we work in agriculture is based upon freedom information sharing and an interaction participation and partnership professionally that's dying that's a problem we need to fix that

your skill set in your perspective i'm not sure your experience your knowledge your age but there's somebody out there who doesn't know a quarter of what you know and they want to talk to you and I'm not saying go out there present' yourself as an expert and everything but do go out there and say I know this stuff I can talk be confident in yourself with that

absolutely and mo e on the same token you yourself I have a wealth of knowledge that you share with the community and a regular basis journals people i would say people should look to to learn how to just develop in that so for those who don't know security maui actually helps organize is beset chicago and as very directly involved in the chicago security scene

absolutely so I wrote a blog post back in September about how slamming academia essentially and what it did that would have failed to produce her give me as a student and I got a number of emails Twitter's or tweets skype messages people for my sky panel is kind of creepy so the the thing is nobody dissented everybody agreed I call [ __ ] on that dissent with me disagree with me tell me what I'm doing wrong I'm not an expert on a professional none of us are experts we didn't write the books we didn't develop this so accept that take criticism we're with it and give criticism back please tell me how I'm an [ __ ] I appreciate

being told them an [ __ ]

that they're not afraid in their field and it takes all different types in all different areas of expertise to make this whole thing work and that's something I see a lot of people don't really know what not like no you know about what you know you may not know but that comes with we're technical p or engineers we're not social per se but some are forced to do with their jobs I guess having these meetups really does help to have us engaged and meet new people and get those contacts out there so the students in the crowd what would you guys like to be learning in school and how do you what do you think you

could not be not learn in school but learning these meetups resources would you like to see show these meetups share their information and before from that she demos more so with these meetups so more of a technical talk and this is how it happens okay it's just again hand up you're not you're not belt face you'll have to do dance just just talk I'm not gonna dance for yet i'm done white guy okay but how

and and having connections professionals allows them better job opportunities as well please we're at out of curiosity fantastic so here's i did teach at Eastern Michigan for about for a little while when i was there something i did is i made it not a requirement of the great but i made it extra credit so one of the first assignments week 2 of ethical hacking i would say to my students I want you to go out to a mall I want you to pick somebody and this could end poorly please get waivers I want you to pick somebody and convince them that you know them that they know you that you met him at a party jam in a

past or a bar in to place some event and it lets SE social sharing 101 you walk off and say hey dude it's been forever since I've seen you etc and I you know 6c seventy percent of my students did it it was fun the stories I wouldn't have them recorded I wouldn't have them I do anything creepy like audio video but I have them write about it and so they may have been bullshitting me but I got some really cool stories out of it from them and so I mean social engineering is a pretty critical skill I've real from being consultant now that you need to learn how to read people's body language their tone how they're using

certain words and inflections and so the more you push your students to do the social aspects of technical and information security the better off they are in the future I think

No, in fact I think Wired did an article, 2003-2004, where they stated that the future of technical is the information secure, the information people person, and that's when things did start to change. We as technical contacts and resources had to be able to talk to customers, because the sales guys (no offense to the sales guys here or sales engineers, I love you all, you make me happy because you keep me employed), the sales guys don't know what a pen test is most of the time, they don't know what ARP spoofing is, and you have to work with them, which is another conversation, where technical resources should be dealing with sales, but

oh yeah but the other part is the abuse of that you have to keep that line that you're not just doing some talking with people and I'm actually social engineering I'm like okay I just got this information that might have to change the conversation because unlike they don't understand that they're not giving me way too much information that's a beautiful thing in the process

well that's the class from the early 2000s variety is a cost set of a benefit and now security's facing the same problem and people much more experienced and better than I am have been talking about this James Arlen for example look him up if you haven't heard of a material has been talking about this since two thousand three dozen to where he said look security is not a cost but a benefit makes company money not costs it a breach costs tens if not hundreds if not millions of dollars believe me SpiderLabs charges quite a bit to send one of our IR guys out there and then there's the fines associated with it so

it's it's advantageous to invest in security but we all know this

the industry needs to change we're no longer purely engineers we're people we're people engaging with other people whether it be interesting business or same unit or other companies

our kind of absolutely

everybody should work in a restaurant at least once in their life so all right I saw your hand off a bit you didn't say anything go ahead just speak up but go ahead yell over the crowd it's okay okay

absolutely

so when I was in school there is a concept I was taught called cost compliance versus cost of non-compliance this is one of the good things in business at one of the few business classes caught because compliance we understand costs money however cost of non-compliance you get pwned I mean high tech required I mean I think it's ten thousand dollars per hour almost depending on the size of your organization if you compromise for health care environment PCI if you fail to comply you can't process credit cards [ __ ] like that into business so DT so just give curiosity did you stop using a bank because it got compromised I mean Bank of America's got compromised how

many times in the past five years they don't leave them customers don't leave guess that i understand that to us yes that's valuable I'm a little bit more cautious about where I use my credit card or my debit card I look for skimmers but date today I'm I value wise saying we're secure I find at the bottom of the web page at the top and yeah it's unfortunate yeah good call out on that one that was a local event too right yeah sorry did it

okay and that that's a good thing the companies are required to do now they have to lay ten years ago they didn't have to but ten years ago we had open Wi-Fi networks with cardholder data being processed across the same net and that was fun well not that I did that so the other just security to a customer is it important I'm not sure to a company absolutely because the fines they could fine them out of existence small businesses medium sized businesses could go away instantaneously DT you had a comment earlier did your hand up

I completely agree now my experience is different from a lot of different people going into consulting but I think the pen testing world is very different from other consultants I was hired in and what occurred is I was assigned my client on my third week and I was put into a kickoff call I was the one talking in the kickoff call not the senior consultant listening and then I was given notes afterwards nobody held my hand I had to figure it out as I went it was you know swim or die and I think consultants should if you're going to the pen testing world you should definitely be given a couple months lead a book cleaning class something shadow

somebody see our just thrown to the wolves and you know if your first client happens to be an [ __ ] well I mean you're kind of screwed because then you've got a bad taste in your mouth and no note to do but if you're lucky and your first client's awesome and he's willing to be like yes you totally hacked my [ __ ] that was awesome knocking the report so Zoe

I'm sorry could you repeat that in a louder voice I think what you said was valuable but I could barely hear it

agree so I just got the time sign any any comments from anybody else here please stop raising your hand say something just hey stand up come on up I'm gonna make You dad look Bell feasts in here nice dance

I think pushing those people who've been there for 10 years that aren't exactly like I'm sorry to call you out I don't even know you but you said you don't feel comfortable going to like em I choice Center def cons like that and speaking up and saying something but you know I don't know what you know but I probably could learn a lot so that's a perspective you should have and somebody who's new in the industry like myself look at somebody else say you know you're new let me help you

absolutely so I'm got him sorry panel time yes so thank you guys I first you