The 99c Heart Surgeon Dilemma (BruCON 2011)

Let's assume you need heart surgery. I hope you don't, but let's just stick with it for a minute. How much would you be willing to pay someone to fix it, and who would you hire to do it? If you are a suicidal emo kid, please do not answer; you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again, and they are willing to pay good money for it. Here are two things you don't want to do:

1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims he can fix your heart for 100 bucks.

2) You don't want to hire the same guy for 100'000 bucks when he's wearing a white coat and has shiny high-tech tools because the last guy paid in advance...

What does this have to do with penetration testing? More than we would like, unfortunately. I have met companies that invested thousands of dollars expecting a pentest and got a spiced-up Nessus report as a result. More subtle variants of the "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.

This talk will explore the common mistakes made when performing pentests, covering the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike.

Presentation Transcript

  • THE 99¢ HEART SURGEON DILEMMA. Stefan Friedli 1
  • THE 99¢... WHAT? 2
  • COMPARE. 3
  • THIS IS ABOUT BAD EXAMPLES. 4
  • WHO NEEDS A PENTEST? 5
  • HOWTO: FIGURE OUT IF A PAINTER SCREWED YOU OVER... (EVEN IF YOU NEVER TOUCHED PAINT.) Good / Bad 7
  • HOWTO: IDENTIFY A GOOD PENTESTER. (... EVEN IF YOU WEAR A SUIT AND THINK “COMPUTER PEOPLE” SMELL FUNNY.) Good / Bad 8
  • Overall Quality: ELIMINATE 10
  • PTES phases diagram: Pre-Engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting 11
  • 5173 PAGES 12
  • «Due to copyright reasons, all of our documents are print-only by default. If you would like to purchase an electronic version at additional cost, please contact our sales staff.»* 14
  • WAIT... BOMBS? «Due to the incorrect input validation of the parameter ‘s’, arbitrary script code can be executed.» 15
  • IMPACT METRICS? Magic happens here. 16
  • YOU’RE ALL WRONG. «The amount of bombs depends on the danger the vulnerability causes. (...) There is no upper limit.»** (Translated from German) 17
  • MS08-067: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability 18
  • MAKING IMPORTANT THINGS INVISIBLE. 19
  • VISUALIZATION IS COOL IF YOU DO IT RIGHT. Google this: Wim Remes @ Blackhat EU 20
  • MISE EN PLACE 21
  • PTES phases diagram (as on slide 11) 22
  • SO YOU DIDN’T DO YOUR HOMEWORK? 23
  • SO YOU DIDN’T DO YOUR HOMEWORK? XXX.213.XX.1/24 XXX.231.XX.1/24 24
  • IF THINGS DON’T ADD UP: TALK TO PEOPLE. But... but... the bad guys don’t talk to you either! 25
  • BAD GUYS DON’T NEED TO WRITE REPORTS FOR YOU. 27
  • COOPERATE. Confrontation / Cooperation 28
  • TALK TO PEOPLE. ALL OF THEM. 29
  • SAY WHAT? Management Summary: «(...) While it was not possible to use a reverse tcp shell to get an outbound connection, we were able to tunnel traffic through ICMP in order to get a shell on the system. (...)» 30
  • “OH, A DOS BOX!” 31
  • WHAT DO PEOPLE CARE ABOUT? STUFF THAT MATTERS TO THEM. 32
  • SCOPE! 33
  • PTES phases diagram (as on slide 11) 34
  • THINGS THAT DON’T EXIST: Unicorns; Imaginary childhood friends (most of them); A decent Metallica album after 1991; «No Scope, just look at everything.» 35
  • SCOPING MAKES SENSE BECAUSE... Scope / Time/Effort / Money 36
  • WHAT DO PEOPLE CARE ABOUT? STUFF THAT MATTERS TO THEM. 37
  • KEEP IT REAL. We have a pretty cool job. Don’t let anyone change that. 38
  • DON’T BE THAT GUY. Management Summary: «(...) We were unable to complete the task because it [the website] was too big. (...)» Thank you Ben Jackson. http://code.google.com/p/weblabyrinth/ 39
  • HOW DO WE FIX IT? 40
  • Just exploit stuff. 41
  • PTES phases diagram (as on slide 11) 42
  • LIKE IT? MAKE IT BETTER! Help kill bad pentesting. http://www.pentest-standard.org Check out the PTES-G! DONE. IT’S OVER. Thanks for being here, feel free to ask questions and have a great night! 43