
Your First Pentest


Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Wed Jul 27, 2011 10:29 pm

Your First Pentest

I know there are a lot of Professional Pentesters here so I wanted to ask if anyone would share their story of their first pentest? Without breaking their NDA of course.  Was it a piece of cake or a train-wreck? What would you have done differently knowing what you know now? Did your customer's restrictions kind of ruin the fun for you or make it more challenging? Would you have added more tools to your arsenal or just focused more on the tools you already had? Meh, just thought I would ask. 
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Wed Jul 27, 2011 10:30 pm

Re: Your First Pentest

Yep, I would like to read about that
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Jul 27, 2011 10:31 pm

Re: Your First Pentest

Great question! *grabs some popcorn* (I'll come back here and reply after I secure a pentest position and do my first pentest)
GSEC, eCPPT, Sec+

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jul 27, 2011 11:02 pm

Re: Your First Pentest

lorddicranius wrote: Great question! *grabs some popcorn* (I'll come back here and reply after I secure a pentest position and do my first pentest)


:P Too funny!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Jul 28, 2011 9:54 am

Re: Your First Pentest

I will bite on this although it will not be the first pentest but one of the funniest. It is also summarized as I'm swamped with work, studies, etc

Client - contractor in the defense sector. SOW - Attempt to pierce a tunnel between a moving vehicle and their connection to a five sided building in DC. Caveat according to the douchebag contractor: "There are M16s on each side of the tunnel"

Technology - Sprint EVDO private connection, moving GMC Tahoe with connections made via RSA tokens, etc.

We first thought about the parameters:

1) Hacking while driving, not an easy task, rent a truck, car, someone else driving? Too complex besides, we'd be so filled with false positive connections throughout the airways, we'd have a better chance at winning the powerball than finding a right connection. Even if we did, would be hellish to MITM 1) Sprint 2) anything in the truck. Even if we did, RSA keyfobs would be a hurdle

2) Social engineering was off the table. Besides, we didn't know who would be driving the vehicle, etc

3) Clusterfuck - we can't walk into the other endpoint nor SE anyone there

Solution:

Visitor client side attack

Won't get too technical nor give away too much info. One of the contractors accidentally decided to check their e-mail from a network with a loaded NAC (Packet Fence) with iFrames injected to compromise their machine.

They were owned before they got into the truck

Game time:

They get in the van, we drive maybe 100 feet, pull over, hazard lights on, explain, game over

Lessons learned:

Use your own darn connections. It doesn't matter if there are 50 cal sniper rifles behind any tunnel when you have no attacker to aim at. We explained to the client the difficulties associated with attacking them head on. We explained that "Hollywood" attacks are so unlikely that it would be an expensive task to pull off not to mention that driving while doing so would not be worth the effort. We explained why client sides are far more dangerous in the long run. They needed to understand this in order to understand the nature of defense via offense.

This was now 3 1/2 years ago ;) I miss those days. Nowadays things have sort of slowed down for me

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Jul 28, 2011 10:40 am

Re: Your First Pentest

Not my first pentest, but one of the early ones where I compromised the network from an empty office with an IP phone (not even on a separate voice vlan so no vlan-hopping tricks needed), found a server with an extremely weak local administrator account that I bruteforced via RDP, grabbed the hashes and started having some serious fun on the rest of the network. The funny thing was when I started scanning the internal network I found a server full of really disgusting porn. (I can never un-see some of those images *shudder*) In addition to the porn, but likely as a result of it, after further inspection I realized the server had been compromised and had a persistent outbound connection to a server in South America. I immediately reported it to my contact and was told it was the CEO's private stash and to please please not mention it in the report and they would clean up the infection.

Here is where I reached a moral and professional dilemma. I stand by the contents of my report. I sign off on the validity of it. How could I with a good conscience neglect to mention such an egregious security issue? I went back to my rules of engagement to see if I could find anything contained within that would give me some leeway to honor the customer's request. I'm being paid for a service and want to honor that request but I have to draw a line at compromising my own professional integrity. Nothing in the rules of engagement gave me what I was looking for so I opted to include the discovered connection but omit any mention of the images or what caused the issue other than what I described as "indiscriminate internet usage." When I met the CEO later at the exit meeting he was introduced to me by my contact as "a man of discriminating tastes" ostensibly referring to his rather high priced Mercedes and love of expensive wines. When my contact walked away I could see him holding two crossed fingers behind his back as he winked at me. Funniest.Pentest.EVAR!

I also want to point out that we should include policy violations in our reports as they are indicative of a systemic security issue. Unenforceable policies or inconsistently applied policies are actually worse than no policy at all in my opinion. Good pentests will identify those meta-issues that have far greater impact on the security of an organization than any single SQLi flaw or single missing patch. I had to make a call and to this day I'm still not sure if it was the right one but sometimes we do what we have to to satisfy the customer. Luckily I was able to identify other policy violations so I could still identify that meta-issue without embarrassing the CEO but if I had not, I'm not sure how I would have handled it. These are the kinds of situations that no certification program on the planet will prepare you for.
Last edited by tturner on Thu Jul 28, 2011 10:44 am, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Jul 28, 2011 2:13 pm

Re: Your First Pentest

Probably doesn't count:

Last job, PM walked in to my office and handed me a sticky note. The note contained an IP address, a user name and a password. She told me to tell her everything I could about the box. And wouldn't give me any other information on it.

What had happened, we had a contract with a business partner, they created a box for us to use, but we were getting performance issues. The software we were running was known to have issues in virtual servers. What the partner had done was charged us for a physical box, and then gave us a VPS on one of their systems.

Literally 30 seconds after I got my CYA email from her, I asked her if it was supposed to be a virtual. I had to repeat the procedure when they actually gave us the physical box.

My list contained that it was a virtual, what virtual software they were using, what OS, mem allocated, cpu allocated, software installed, and list of missing patches.

:) I would love to do something like that again.
OSWP, Sec+
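The first two items on that list, "is it virtual, and under what hypervisor?", are the ones a guest can answer for itself. The following is an added example, not rattis's own procedure, of how to do that from inside a Linux guest: it reads the DMI vendor and product strings and the synthetic `hypervisor` CPU flag that the kernel exposes, and it reports the CPU and memory allocation alongside. The vendor table and the sample strings in the test are constructed for the example; the classifier is kept separate from the file reads so it can be checked offline.

```python
"""Added example (not from the original post): tell a virtual machine from a
physical host from inside a Linux guest, and name the hypervisor family.

Sources used:
  /sys/class/dmi/id/sys_vendor and product_name  (SMBIOS strings)
  /proc/cpuinfo 'flags'  (the kernel adds 'hypervisor' when CPUID.1:ECX[31]
                          is set, which every mainstream hypervisor does)
The signature table below is an assumption based on the common strings these
products report; extend it for your environment."""

import os

# (sys_vendor substring, product_name substring, family). Every non-empty
# field must match, so "Microsoft Corporation" alone (a Surface laptop)
# does not count as Hyper-V.
_DMI_SIGNATURES = [
    ("vmware", "", "VMware"),
    ("innotek", "", "VirtualBox"),
    ("", "virtualbox", "VirtualBox"),
    ("qemu", "", "QEMU/KVM"),
    ("", "kvm", "QEMU/KVM"),
    ("xen", "", "Xen"),
    ("", "hvm domu", "Xen"),
    ("microsoft corporation", "virtual machine", "Hyper-V"),
    ("parallels", "", "Parallels"),
    ("amazon ec2", "", "Amazon EC2"),
]


def classify_host(sys_vendor, product_name, cpu_flags):
    """Pure classifier over the three strings; returns a small dict."""
    vendor = (sys_vendor or "").lower()
    product = (product_name or "").lower()
    flags = set((cpu_flags or "").split())

    family = None
    for v_sub, p_sub, name in _DMI_SIGNATURES:
        checks = [(v_sub, vendor), (p_sub, product)]
        if all(sub in text for sub, text in checks if sub):
            family = name
            break

    hyp_flag = "hypervisor" in flags
    return {
        "virtual": family is not None or hyp_flag,
        # DMI names the product; the CPU flag only proves *some* hypervisor.
        "hypervisor": family or ("unknown hypervisor" if hyp_flag else None),
        "hypervisor_cpu_flag": hyp_flag,
    }


def _read(path):
    """Read a sysfs/procfs file, returning '' if it is absent (non-Linux, container)."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def detect_local():
    """Run the classifier against this host and add the resource allocation."""
    flags = ""
    for line in _read("/proc/cpuinfo").splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1]
            break
    result = classify_host(_read("/sys/class/dmi/id/sys_vendor"),
                           _read("/sys/class/dmi/id/product_name"),
                           flags)
    result["cpus"] = os.cpu_count()
    mem_kb = None
    for line in _read("/proc/meminfo").splitlines():
        if line.startswith("MemTotal:"):
            mem_kb = int(line.split()[1])
            break
    result["mem_total_kb"] = mem_kb
    return result


if __name__ == "__main__":
    for key, value in detect_local().items():
        print(f"{key}: {value}")
```

Reading the DMI strings needs no privileges on most distributions, but a provider can rewrite them; the CPU flag is harder to hide from a guest, which is why the two are reported separately rather than folded into one answer.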

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Jul 29, 2011 2:54 am

Re: Your First Pentest

Not my first (which was a complete fiasco because I was into security for about two weeks, firing random exploits and such) but a funny one:

I was doing a pentest on a web application that offered e-commerce functionality. It was possible to view the service after you purchased it. After providing your credentials it did around 2 or 3 authentication checks, but then you were redirected to a URL that had the ordernr as a URL parameter. Changing this provided you with the order information of other customers. Now the funny part was that all the information was provided in form fields, but they were not editable. In the code there was a parameter like: CanModify=false. Setting this to true lets you change the order and contact details of the person...
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
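The two bugs in that post are the classic pair: an insecure direct object reference (the server authenticates you, then lets the `ordernr` in the URL decide whose order you see) and an authorization decision delegated to the client (a `CanModify` field that the browser posts back). The following is an added example, not j0rDy's code or the application he tested, that models both handlers and sets the hardened version beside each. The parameter names `ordernr` and `CanModify` come from the post; the sessions, orders and the "not editable once shipped" rule are constructed for the example.

```python
"""Added example (not from the original post): IDOR on an ordernr parameter
and a client-controlled CanModify flag, each beside its fix.

Handlers take (db, cookie, params) and return (status, order) so the
behaviour can be checked without a web framework."""


def make_db():
    """Constructed sample data: two logged-in customers with one order each."""
    return {
        "sessions": {"sess-alice": "alice", "sess-bob": "bob"},
        "orders": {
            "1001": {"owner": "alice", "item": "widget", "address": "1 Main St", "shipped": True},
            "1002": {"owner": "bob", "item": "gadget", "address": "9 Elm St", "shipped": False},
        },
    }


def _user(db, cookie):
    return db["sessions"].get(cookie)


# --- Vulnerable handlers ---------------------------------------------------

def vuln_view_order(db, cookie, params):
    """Authentication passes, then authorization is decided by ordernr alone."""
    if _user(db, cookie) is None:
        return 401, None
    order = db["orders"].get(params.get("ordernr"))
    if order is None:
        return 404, None
    return 200, order            # any logged-in user can read any order


def vuln_update_order(db, cookie, params):
    """Whether the form may be edited is read back from the client's request."""
    if _user(db, cookie) is None:
        return 401, None
    order = db["orders"].get(params.get("ordernr"))
    if order is None:
        return 404, None
    if params.get("CanModify", "false").lower() != "true":
        return 403, None         # "read-only" until the client says otherwise
    order["address"] = params.get("address", order["address"])
    return 200, order


# --- Hardened handlers -----------------------------------------------------

def _owned_order(db, cookie, params):
    """Resolve ordernr only within the authenticated user's own orders."""
    user = _user(db, cookie)
    if user is None:
        return 401, None
    order = db["orders"].get(params.get("ordernr"))
    # Same 404 for "no such order" and "not your order", so ordernr values
    # cannot be enumerated by watching for a different status code.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def safe_view_order(db, cookie, params):
    return _owned_order(db, cookie, params)


def safe_update_order(db, cookie, params):
    status, order = _owned_order(db, cookie, params)
    if status != 200:
        return status, None
    # Editability is a server-side property of the order (here: not yet
    # shipped). Any CanModify field in the request is simply never read.
    if order["shipped"]:
        return 403, None
    order["address"] = params.get("address", order["address"])
    return 200, order


if __name__ == "__main__":
    # Alice, logged in, walks the ordernr and flips CanModify on Bob's order.
    attack = {"ordernr": "1002", "CanModify": "true", "address": "attacker"}
    db = make_db()
    print("vulnerable view:  ", vuln_view_order(db, "sess-alice", {"ordernr": "1002"}))
    print("vulnerable update:", vuln_update_order(db, "sess-alice", attack))
    db = make_db()
    print("hardened view:    ", safe_view_order(db, "sess-alice", {"ordernr": "1002"}))
    print("hardened update:  ", safe_update_order(db, "sess-alice", attack))
```

The point of `_owned_order` is that the ownership check happens in one place and both the read and the write go through it; the fix for the `CanModify` bug is not to validate the field better but to stop reading it at all.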

millwalll

Post Fri Jul 29, 2011 1:41 pm

Re: Your First Pentest

I just landed my first job but it's a junior role so I guess I'll be training for the first 6 months trying to get up to speed on stuff.

lorddicranius are you based in the UK ?

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Fri Jul 29, 2011 1:44 pm

Re: Your First Pentest

Jamie.R wrote: lorddicranius are you based in the UK ?


Nope, west coast U.S.
GSEC, eCPPT, Sec+

Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Aug 04, 2011 7:10 am

Re: Your First Pentest

First, thanks for all the replies.  I was curious about the "lessons learned" during everyone's pentests.  I have watched some of Joe McCray's videos and he always has some crazy stories. I guess I should have asked not only for first pentests, but craziest/funniest also. From the stories, it seems like the customers make the situation more unusual than it has to be. I have never heard of a pentest with those kind of parameters. A moving target in a van.  Ouch. And tturner brings up a good point. "These are the kinds of situations that no certification program on the planet will prepare you for". Anyone would have to agree with that. I guess that is why Sil made the point about paper certificates. Experience with knowledge helps with most obstacles especially with the unusual scenarios. I guess that is what brought up the question. I definitely learned a thing or two just by reading these stories.

Client side and web app attacks seem to crack any perimeter for one. Thanks again for all the replies.  Oh yeah, I did want to say, CONGRATS on the new job Jamie.R! Time to update the 'ol SET to v2....
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com

Return to Network Pen Testing
