
We're going to talk about pen testing, and pen testing from a different perspective. A lot of the pen testing that's happening today is really "for dummies"; in fact there are books, "pen testing for dummies," I think. But we'll make it more complex, more interesting, and we'll demystify a couple of things throughout the presentation. I'm going to give you actual practical hints: what to try, and what things you can do in 2023 to do pen testing successfully, with actionable results.

I'm going to introduce myself a little bit and tell you who I am. This is what I look like if I'm wearing a tie, but I consider myself an IT professional. Yes, I have an accent, and my native language is Russian, but I'm not from Russia. I was born in Ukraine a great many years ago, and I've been in the United States since 1989, so this is my home. I've never been a hacker; I've been an IT professional, and that was my initial calling. I began to try to understand how things work because of curiosity, natural curiosity, and as I progressed I became a cyber security professional. It was actually a great time to be growing up in technology in the early 2000s. I started questioning even commercial software: is it written correctly, is it bug free, how do things really work, and how to get further. In the past decade and a half I really started watching how hackers work, how their minds work, and started hunting cyber criminals. If you Google my name there are quite a few hits about the successes of me and my company achieving really big victories against cyber criminals. One of the last things we did that hit Forbes Magazine was taking a Bitcoin and a half from Russian drug lords and moving it into a Ukrainian charity. So we try to do good things and really use cyber security for the good stuff, but stopping cyber crime is very, very important. And my not only guilty pleasure but the oldest cyber security skill that I have is penetration testing, pen testing, and that's what I'm going to be talking about today.

I'm talking about a lot of history: literally more than ten thousand pen tests behind me and my team, on companies of all sizes, from very small companies to million-plus device pen tests. So this is all from experience and really good hints for us.

I'm going to tell you a story about my first pen test. It happened in 1997. Some of us maybe weren't born then; definitely not many have been doing pen testing since 1997. This was also the year nmap was invented, by the way, so I didn't use nmap for the first pen test. I was very, very young, in my early 20s. I was hired by a relatively small company to do a security test, and they had this new cool thing called firewalls. I was hired to do it over the weekend so as not to impact the stability of computers that were rebooting by themselves anyway. So I did the pen test. I remember I got paid $500 for roughly four hours of work; that was normal labor at the time. But it was the first pen test that I'd done, and it was so much fun and exciting. On Monday I called the guy who hired me, the IT manager, told him about the results and said, "Hey, you know, as far as I can tell you guys don't have a firewall." The guy got really upset; he yelled at me on the phone and pretty much fired me. So that was my first pen test. But I got into the internet router: I saw the number of hops, I didn't see an extra hop, I didn't see any traffic filtering, I didn't see any other entries. You know, I was relatively smart at the time; didn't get better afterwards. Two weeks later the manager called me and said, "Hey, we want to meet for lunch," and I'm like, okay, well, if you want to yell at me in person, go ahead. So I came out; I didn't have a car at the time, so it took me a while to get to the place. He went for lunch, sat down with me and said, "I found the firewall."

So this is the story of what happened to the firewall. The company, which had spent quite a bit of budget at the time to buy a firewall appliance, sent two guys in IT to get trained on the firewall. One of them got certified; one guy left within a month, another guy left within three months. Before the second guy was leaving, and nobody really had any certification or really a clue how to use that firewall, he was asked to put an "any any" rule on the firewall so as to make things easier to support. But the first time they had a network problem, the brilliant network guys actually routed all the traffic around the firewall. A couple of weeks later somebody needed a network cable, and the switch was full, so they took the network cables from the firewall and disconnected the firewall from the network. And then at some point somebody needed rack space, and they removed that big black box that was taking 4U at a time and put it in a storage room. That's where the manager found the firewall. So he said that technically they have a firewall, it's just not in the right place. So I got paid.

But pen testing is not an easy science, if you understand, if you've ever done this, and I'm going to usher you through some challenges, some interesting things that are out there to consider: what pen testing should be and really is.

Penetration testing is not like compliance. Compliance to me is best practices, because if we don't have best practices we're not going to do the right thing. If we don't have the rules for how to drive, we're all going to drive crazy; we need to follow the driving signs and stuff like that, or speed limits. We know where to bend the rules; compliance is to keep us within those lines. Vulnerability testing is also not pen testing, because vulnerability testing shows you classical vulnerabilities, CVEs and stuff like that, but you're not going to discover things. Vulnerability testing is another type of assessment; it's a valid assessment, but it's not a pen test. And red teaming, which is also a good way to do this, but red teaming is more about capture the flag for me. A red team would go through the tools available to them, but they are not always going to test everything. Pen testing to me is about thoroughness: if you found one way in, good, you document it, you keep going to the next vulnerability. Red teaming is more capture the flag: they use one vulnerability to get in and go further, further, further to show the impact. Pen testers, only if they want to show off, want to use that access to get much further, but the goal of a pen tester is to test all the ways in. Because I often say that hackers, cyber criminals, when they attack your infrastructure, they are like pen testers; they just don't share the pen test results with you, they keep it to themselves. And also on the defenders', the blue team, side we need to be 100% right, because the bad guy is only looking for one way in, and pen testers, we have a job to do this 100%: find as many vulnerabilities as possible.

From that perspective I want to talk about the ideal pen tester. Who is a pen tester? I hire a lot of pen testers; we are hiring. And we definitely look for certain things. I'm not only going to look at the technical capabilities of a person. They can be brilliant, they can win a lot of capture the flag exercises and stuff like that, but the question is: okay, do you know how things work? Do you have natural curiosity, or are you going to follow step one, step two, step three of a fantastic manual which doesn't exist, in my head? So curiosity is extremely important. If you're curious about how things work and then you have basic technical capabilities, you're going to be a potentially good pen tester. You need to understand technologies. I think technologies are the key: if you understand how technology works you can take things apart. We have a different type of job from developers, who don't really like pen testers because we really figure out things that they screwed up, but we need to be partners for these guys, because if we understand technology we can find weaknesses in technology. If you have no clue about technology, about the protocol, about infrastructure, we're not going to be effective finding every single thing that's out there. Experience with system administration, how the network infrastructure works, how interactions work: a lot of pen testers come in and say, "Hey, I can break any web application." What about not a web application? What about the client? What about AD? What about Linux infrastructure? We want a pen tester to be versatile. I mean, there are folks who specialize in certain technologies; by all means, you're going to end up doing that, but you also need to be very good at everything. You need to specialize in something, but if you don't understand how the infrastructure works you don't have much of a chance to be versatile. And then today, more and more, pen testing is about a developer skill set, or about basic scripting. You don't have to be a full-scale developer, but you need to know how to do automation, not being driven by tools, and we're going to talk about that more. But you want to actually have a developer skill set so you can automate everything that you're doing. I end up in a pen test writing two or three of my own tools because I need to automate certain functions. Some of it is very simple, some of it may get more complex. But even if you're not a developer, if you're not good at scripting, you need to have a friend who is, and that way the team is going to be much more worthwhile. If you have system admin experience, then your friend can be a developer and both of you can do really, really cool pen tests.

The different types of pen tests: we'll get into details just shortly, but there are different types of pen tests, and sometimes you're getting to do one or the other. I want to explain the difference and why each one of them is important. Sometimes a black box pen test, when you are given almost zero knowledge, I mean, besides what your target is, is a good thing, but it's not always an easy thing. It's probably imitating real life the most, because the bad guys walk around the internet, they find your website, now they're going to be attacking it. That's pretty much the idea of the black box: without any additional knowledge, without any additional information. But there are some caveats and some weaknesses, especially in today's infrastructure. The gray box component, which is probably the most common type of pen test today, is when there is basic knowledge shared, not only about what you're testing, but you're given some kind of user access. For the most part, most applications, most interfaces today require some kind of authentication, and that authentication may be open to a small group of people, like employees; some of these components may be open to anybody who wants to register. So if you can register, if you want to test certain functionality, you need to be doing it as a user, as a user on a deeper level, because the bad guys know how to register for things. Look at some of the vulnerabilities, some of the breaches that are coming out today: somebody goes ahead and fills out information, "Hey, I want to register for access on that website," and somebody in the help desk says, "Oh yeah, I approve it." Great, now the bad guy is inside of your infrastructure and they may have access as a basic user. Can that basic user own the system? We don't know, but a pen tester can tell you. So make sure that when you talk about a pen test you're not only doing a complete black box, but you have the ability to look inside of the application; it's extremely critical to understand how things work there. The other type, probably more thorough but different, is the white box, where you are given access not only to the front end but to the back end, and you're going to do an assessment based on what you see on both sides. This is not realistic: the bad guys, if they have access to the back end, they're already in, so they got all the data. But here's what you can do as a pen tester, as a good, experienced professional: you can look at what happens when an attack actually ensues; you can identify the root cause of a problem. We deal with SQL injections still, so many years later, because of this vulnerability being out there for a number of decades and still leaving certain things vulnerable. Well, to write a SQL injection sequence is not easy, and even some tools are not smart enough to do this. But what if you can put a sniffer or a logging agent on your SQL server, and during your pen test, during your SQL injection attempts, you can see how many of your sequences are actually getting to the SQL database? Maybe it's not in the right format, maybe you're not escaping every single sequence, maybe the number of columns that you're trying to put in is wrong, or whatever. But if the sequence is getting across, it means it's possible, and the bad guy, with a different approach but with slightly different tools, can be successful. The same thing works on certain 500 errors: sometimes you don't see other components that are out there. And my favorite is that when you see certain vulnerabilities you may not react to them appropriately, but behind them may be much, much more information. It starts with a single file that may be exposed, and that may give the bad guy a naming convention that you would not guess otherwise. So if you see the file infrastructure you will be much further in. So white box has its own uses, but the level of sophistication of that is obviously different.

Scoping: to scope a pen test also takes a special skill. If you're ever scoping your own pen test, if you're setting it up, make sure that you are mentioning certain things. You can have internal and external pen tests, which are different pen tests, and make sure that you do the external pen test first, not internal, because with internal, if the same guys are doing it, they're coming up with so much about your internal infrastructure that they may have an unfair advantage over the standard outsiders. So outside pen tests first, but inside should also be a consideration. Third party: now we are within the third-party space, whether it's cloud, whether you have a hosted application; make sure that you test these things thoroughly, but you also need to make sure that you're obtaining proper permissions, just because it's sitting in Azure. Azure has its own set of rules versus Google Cloud versus AWS and stuff like that, so you need to follow their rules, and breaking into those environments is different and sometimes not easy. If it's a third-party hosted application, you still can pen test; there may still be additional limitations, but you can actually request these tests to be on a different level. And then looking at the infrastructure: what are the components of the infrastructure that you need to test, if it's going to be all or some specific components or applications? Because at the end of the day, most requests coming in today for a pen test are "pen test this application." Here are the common mistakes that are made: letting the pen tester figure it out. You know, we just got the request from a client saying, "Hey, here are five IPs, you figure out the rest." Great, thank you. Well, at least you get that list, because we would not start a pen test without knowing the limitations. It's very simple to assume that everything on the subnet or within this domain belongs to a client; sometimes it does not, and you definitely don't want to be breaking into somebody who is not related to the client. It's very easy to make that mistake and attack the wrong infrastructure. Plus pen testers may not know every single component; they may not have an understanding of all the different components that are out there.

One of my least favorite things is a very, very narrow test scope, saying, "Hey, here's an environment, here's a test environment that you can do all your work in, and don't do anything else," and also not making sure that you're not doing tests with an empty system. Too many times our pen test scope is within a test or QA system. Here's what happens, here's an issue with this. In 2006 the company I was working for decided to acquire McAfee's ePO, ePolicy Orchestrator, and this product was relatively new for McAfee. And we said, "Hey, can we do a pen test against your infrastructure?" and they said, "Well, of course, we already did the pen test, go ahead, see what you find." So we found over 100 critical vulnerabilities. McAfee ePO is a really cool botnet if you think about it: if you take it over, you've got agents on every computer that completely, 100%, trust you. You can run viruses on antivirus software because you can just exclude your signature on there, so why not. And it would do any command; it's impossible to shut down remotely. So it's really, really cool about that. So we showed that, and they said, "Well, no, you must be running the old version." No, it's the latest one that you gave us. They came back, and later the product manager from McAfee called and said, "Hey, in our pen testing we made a slight mistake there. When we tested ePO, it has a whole bunch of modules, like firewall, antivirus, stuff like that. When we tested it, we didn't enable any modules; it was completely just the framework." Okay, fine: testing the framework, they found no vulnerabilities; the framework is good. But within the environment, when you are enabling features and functions, you need to be testing something realistic. If you're looking at a lot of movements from user A to user B, make sure that user A and user B actually have data. If these are just empty accounts, it's impossible for you to see user B's data, because there is no data, and if there is no data in the system at all there is no way to actually get into the system and retrieve the data, because it's absolutely empty. So the more you look, the more you find that certain pen testers are always set up for failure. I've been doing a pen test on the system, but I'm the only user. Well, can I become another user? I don't know; there's nobody else to become. I can create a user. So make sure that when you test, you test in the right place, on the right side.

Excluding environments is also a bad idea, because certain environments are similar. So if you can get into one environment, you can transfer knowledge from one environment to another. Sometimes a QA environment is less protected, or a dev or test environment is less protected than prod. Why can't you apply knowledge that you get from a less protected environment against the production environment? The bad guys are doing it; why can't we? So it's really common sense that we as humans learn: if I see the structures and the naming conventions that were on the dev site, I can translate it across everything; instead of "dev" it's going to be "PRD" or "prod" or whatever, and it's going to work. So don't exclude environments, but be careful about breaking the production environment, and also be careful because even a dev environment sometimes, if you ask the owners, really has connections to production; it's just called dev. Also, when we do pen testing sometimes there's a blacklist or whitelist: only go to these IP addresses, don't go to these IP addresses. My question is: is your black and white list also published on your website? So when the bad guy comes in and it's like, "I'm going to hack the system," "No, no, this is a bad IP address, you can't go there." No. At some point you need to test everything. If you have problems with the stability of certain IP addresses or certain devices, make sure you fix it instead of just excluding them from the pen test.
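The white-box idea from earlier in the talk, a logging agent on the database server that shows which of the tester's inputs actually reach the SQL engine and in what form, can be turned into a small correlation script. The following Python is an added example written for this page, not the speaker's tooling. It assumes a constructed log format (one line per statement, with bound parameters recorded after `params=`) and tags each probe with a `PT-n` canary so it can be found in the log however the application rewrote it; the only metacharacter used is a single quote, which is enough to tell raw concatenation from escaping or parameterization.

```python
"""Correlate pen-test probes with what a DB-side query log recorded.

Constructed example: the log format, the PT-n canary tags and the
classification labels are assumptions for illustration, not a real
product's output.
"""
import re

CANARY_RE = re.compile(r"PT-\d+")

# Constructed log, as a logging agent on the SQL server might capture it.
# Line layout: <timestamp> <statement text> [params=<bound values>]
SAMPLE_DB_LOG = """\
2023-05-01T10:00:01 SELECT id FROM users WHERE name = 'O'Brien PT-1'
2023-05-01T10:00:02 SELECT id FROM users WHERE name = 'O''Brien PT-2'
2023-05-01T10:00:03 SELECT id FROM users WHERE name = ? params=["O'Brien PT-3"]
2023-05-01T10:00:05 SELECT id FROM users WHERE name = 'OBrien PT-5'
"""

# Constructed probes sent through the application's front end. Every probe
# carries a quote plus a unique canary tag; PT-4 never shows up in the log
# (e.g. rejected by input validation before any query was built).
PROBES = [
    "O'Brien PT-1",
    "O'Brien PT-2",
    "O'Brien PT-3",
    "O'Brien PT-4",
    "O'Brien PT-5",
]


def parse_log(text):
    """Split each log line into (statement, params); params is '' when the
    statement carried no bound values."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _, _, rest = line.partition(" ")          # drop the timestamp token
        stmt, sep, params = rest.partition(" params=")
        entries.append((stmt, params if sep else ""))
    return entries


def classify_probe(probe, entries):
    """Decide how one probe arrived at the database.

    raw           quote reached the SQL text unmodified (the finding the
                  talk describes: the path is injectable even if this
                  particular attempt did not produce a result)
    escaped       quote was doubled, i.e. the app escaped it
    parameterized value travelled as a bound parameter, not in SQL text
    rewritten     reached the DB but altered in some other way
    not reached   canary never appeared in the log
    """
    tag = CANARY_RE.search(probe).group(0)
    hits = [(s, p) for s, p in entries if tag in s or tag in p]
    if not hits:
        return "not reached"
    escaped = probe.replace("'", "''")
    for stmt, params in hits:
        if tag in params and tag not in stmt:
            return "parameterized"
        if escaped in stmt:
            return "escaped"
        if probe in stmt:
            return "raw"
    return "rewritten"


def correlate(probes, log_text):
    """Map every probe to its classification."""
    entries = parse_log(log_text)
    return {p: classify_probe(p, entries) for p in probes}


def findings(results):
    """Probes whose quote reached SQL text unmodified: report these as the
    root-cause finding rather than as 'injection attempt failed'."""
    return [p for p, status in results.items() if status == "raw"]


if __name__ == "__main__":
    results = correlate(PROBES, SAMPLE_DB_LOG)
    for probe, status in results.items():
        print(f"{probe:16} -> {status}")
    print("report as injectable:", findings(results))
```

In a real engagement the log text would come from the database's own statement logging or a capture on the database host, and the probe list from the tester's request log; the point of the classification is that a probe marked `raw` is a finding even when the query itself errored out, which is exactly the root-cause view the white-box access buys you.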
And then, let's talk abou