SlideShare a Scribd company logo
1 of 15
Download to read offline
The Hitchhiker’s Guide to Galactic
Pentest Fails: Step 1 - Don’t Panic.
• Who/What am I?
• Simple answer:
• Father/Husband/Son/Brother
• Programmer/Pentester/Researcher
• Hillbilly
Me Me Me…
“The only real mistake is the one
from which we learn nothing.”
- Henry Ford
• /bin/sh used to truncate commands at a certain point.
• AAA.BBB.237.0/24 != AAA.BBB.2
• Nmap used to auto appent implied CIDR notation
• AAA.BBB.2 =>AAA.BBB.2.0/24
• AAA.BBB.2.0/24 != AAA.BBB.237.0/24
Watch those octets….
“I have not failed. I've just found
10,000 ways that won't work.”
-Thomas Edison
“You build on failure.You use it as a stepping stone.
Close the door on the past.You don't try to forget
the mistakes, but you don't dwell on it.You don't let
it have any of your energy, or any of your time, or
any of your space.”
- Johnny Cash
“Success is not final, failure is not
fatal: it is the courage to continue
that counts.”
-Winston Churchill
“A person who never made a mistake never tried
anything new.”
- Albert Einstein
“It is fine to celebrate success, but it
is more important to heed the
lessons of failure.”
- Bill Gates
“I thank God for my failures. Maybe not at the time
but after some reflection. I never feel like a failure
just because something I tried has failed.”
- Dolly Parton
• Always Double Check Everything
• If Something Does Not Feel Right, It Probably Isn’t
• Never Rely On Just One AccessVector
• Understand/UpdateYourTools
Lessons Learned
“Our greatest glory is not in never
failing, but in rising every time we
fail.”
- Confucius
¿Questions? ¿Comments? ¿Requests?
Contact Info:
• adam.compton@trustedsec.com
• adam.compton@gmail.com
• @tatanus
• https://www.hillbillystorytime.com
• https://youtube.com/hillbillystorytime
THANK YOU
www.hackerhalted.com 15

More Related Content

More from Adam Compton

Becoming a Pentester
Becoming a PentesterBecoming a Pentester
Becoming a PentesterAdam Compton
 
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVA HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVAdam Compton
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatAdam Compton
 
Bsides Knoxville - OSINT
Bsides Knoxville - OSINTBsides Knoxville - OSINT
Bsides Knoxville - OSINTAdam Compton
 
Bsides Knoxville - APT2
Bsides Knoxville - APT2Bsides Knoxville - APT2
Bsides Knoxville - APT2Adam Compton
 

More from Adam Compton (9)

Becoming a Pentester
Becoming a PentesterBecoming a Pentester
Becoming a Pentester
 
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVA HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White Meat
 
SecureWV - APT2
SecureWV - APT2SecureWV - APT2
SecureWV - APT2
 
HackCon - SPF
HackCon - SPFHackCon - SPF
HackCon - SPF
 
DerbyCon - Legion
DerbyCon - LegionDerbyCon - Legion
DerbyCon - Legion
 
DerbyCon - APT2
DerbyCon - APT2DerbyCon - APT2
DerbyCon - APT2
 
Bsides Knoxville - OSINT
Bsides Knoxville - OSINTBsides Knoxville - OSINT
Bsides Knoxville - OSINT
 
Bsides Knoxville - APT2
Bsides Knoxville - APT2Bsides Knoxville - APT2
Bsides Knoxville - APT2
 

Recently uploaded

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
priority interrupt computer organization
priority interrupt computer organizationpriority interrupt computer organization
priority interrupt computer organizationchnrketan
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxLina Kadam
 
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdf
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdfErgodomus - LOD 400 Production Drawings Exampes - Copy.pdf
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdfgestioneergodomus
 
Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12cjchen22
 
input buffering in lexical analysis in CD
input buffering in lexical analysis in CDinput buffering in lexical analysis in CD
input buffering in lexical analysis in CDHeadOfDepartmentComp1
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewsandhya757531
 
Machine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfMachine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfadeyimikaipaye
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.elesangwon
 
Introduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxIntroduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxPavan Mohan Neelamraju
 
The Satellite applications in telecommunication
The Satellite applications in telecommunicationThe Satellite applications in telecommunication
The Satellite applications in telecommunicationnovrain7111
 
Substation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHSubstation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHbirinder2
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdfsahilsajad201
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProRay Yuan Liu
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Design and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesDesign and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesSreedhar Chowdam
 

Recently uploaded (20)

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
priority interrupt computer organization
priority interrupt computer organizationpriority interrupt computer organization
priority interrupt computer organization
 
Versatile Engineering Construction Firms
Versatile Engineering Construction FirmsVersatile Engineering Construction Firms
Versatile Engineering Construction Firms
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptx
 
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdf
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdfErgodomus - LOD 400 Production Drawings Exampes - Copy.pdf
Ergodomus - LOD 400 Production Drawings Exampes - Copy.pdf
 
Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12
 
input buffering in lexical analysis in CD
input buffering in lexical analysis in CDinput buffering in lexical analysis in CD
input buffering in lexical analysis in CD
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overview
 
Machine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfMachine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdf
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
 
Introduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxIntroduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptx
 
The Satellite applications in telecommunication
The Satellite applications in telecommunicationThe Satellite applications in telecommunication
The Satellite applications in telecommunication
 
Substation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHSubstation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRH
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdf
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision Pro
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Design and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesDesign and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture Notes
 

2018 HackerHalted - Hillbilly Storytime - Pentest Fails

  • 1. The Hitchhiker’s Guide to Galactic Pentest Fails: Step 1 - Don’t Panic.
  • 2. • Who/What am I? • Simple answer: • Father/Husband/Son/Brother • Programmer/Pentester/Researcher • Hillbilly Me Me Me…
  • 3. “The only real mistake is the one from which we learn nothing.” - Henry Ford
  • 4. • /bin/sh used to truncate commands at a certain point. • AAA.BBB.237.0/24 != AAA.BBB.2 • Nmap used to auto appent implied CIDR notation • AAA.BBB.2 =>AAA.BBB.2.0/24 • AAA.BBB.2.0/24 != AAA.BBB.237.0/24 Watch those octets….
  • 5. “I have not failed. I've just found 10,000 ways that won't work.” -Thomas Edison
  • 6. “You build on failure.You use it as a stepping stone. Close the door on the past.You don't try to forget the mistakes, but you don't dwell on it.You don't let it have any of your energy, or any of your time, or any of your space.” - Johnny Cash
  • 7. “Success is not final, failure is not fatal: it is the courage to continue that counts.” -Winston Churchill
  • 8. “A person who never made a mistake never tried anything new.” - Albert Einstein
  • 9. “It is fine to celebrate success, but it is more important to heed the lessons of failure.” - Bill Gates
  • 10. “I thank God for my failures. Maybe not at the time but after some reflection. I never feel like a failure just because something I tried has failed.” - Dolly Parton
  • 11. • Always Double Check Everything • If Something Does Not Feel Right, It Probably Isn’t • Never Rely On Just One AccessVector • Understand/UpdateYourTools Lessons Learned
  • 12. “Our greatest glory is not in never failing, but in rising every time we fail.” - Confucius
  • 14. Contact Info: • adam.compton@trustedsec.com • adam.compton@gmail.com • @tatanus • https://www.hillbillystorytime.com • https://youtube.com/hillbillystorytime THANK YOU

Editor's Notes

  1. Me? I have been around for a while… about 18 years or so in the InfoSec field. Over that time, I have been a programmer, researcher, and pentester (currently for TrustedSec). But most of all, I am a father, husband, son, and brother. As I am sure you know, especially as it is listed in your schedule and I placed it on the first slide, today I will be talking about mistakes, FAILS, and lessons learned.   What? I am not going to talk about some new exploit or some awesome new tool or something like that? Not this time.   In InfoSec, via social media, conference talks, colleagues, and the news, we hear a lot about new discoveries, new exploits, and new data leaks on a regular basis. But we typically do not hear about all the failed attempts and all the long hours that went into producing those awesome WINs.   Obviously, it is always fun to hear about those things, but at the same time it can be very discouraging, especially if you are one of the people who is not making the new discoveries or is simply prone to making lots of mistakes like I do.   My hope is that by bring stories of these difficulties and failures out into the open, it may help a few people learn that it is okay to make mistakes.
  2. When I first started in InfoSec, I had no idea of what I was doing.   1st day - build a lab 2nd week - go on an engagement (make mistakes) Usually paired with mentor took many months to feel competent   Over the years, I kept making mistakes and learning from them to become more proficient. Did I every stop making mistakes, of course not.
  3. ...  After it was all said and done, my boss and peers of course laughed about it a bit but no one tried to make me feel bad about it. The general response was that, we all make mistakes and it is fine. Just try to learn for them as to not make the same one again if possible. That stuck with me and has become a sort of life motto for me.   Enough of my life story, let’s laugh at and learn from some other people’s fails now shall we.
  4. Running a tool without understanding its issues Siet Cisco smart install exploit tool
  5. Talking about the customer in a restaurant.
  6. Let’s get Physical pen testing the wrong building locking ourselves out of the building on a physical Wrong door
  7. Pentesting when tired listening to the intern and closing out the only access we had
  8. On a different engagement, Cheap Pentests R Us was contracted to perform an electronic Social Engineering engagement consisting of just phishing emails.   copy-n-paste campaign scenario 1 - no success (servers not turned on) scenario 2 - limited success (wrong company name and logo) reports
  9. Network based web cameras…   I have some friends which work at another company,   One on particular internal engagement, they were targeting a university. --LEON On a different engagement, they were targeting a legal office’s Internet facing systems. --SCHOOL
  10. Always Double Check Everything If Something Does Not Feel Right, It Probably Isn’t Never Rely On Just One Access Vector Understand/Update your tools
  11. As anyone who knows me can attest to, I have made more mistakes than I can count.   Luckily I have slowly been learning from my mistakes and gradually I have been improving. I have made it a point to never let a mistake derail me.   Most mistakes I can shrug off and continue as normal. However, every once in a while, I will encounter a mistake/failure that it is so profound that it does stop me for me a bit. At those times, I stop, regroup, take it a step at a time and before I know it, I am back to fighting shape and on my way.   If you let them, fails and such will have a profoundly negative impact on you. Just remember that everyone makes mistakes. Just learn from them and try not to dwell to long on them.
  12. In closing, I would just like to repeat that mistakes do happen and that is ok.   It is a matter of how you deal with them and what you can learn from them that will determine how they affect you in the long run.   And if you are so inclined, please share your hard-earned lessons with others so that you can possibly help other to not make the same mistakes.   And Thank you.   Now, any questions?