The 99c Heart Surgeon Dilemma (BruCON 2011)

Let's assume you need heart surgery. I hope you don't, but let's just stick with it for a minute. How much would you be willing to pay for someone to fix it, and who would you hire to do it? If you are a suicidal emo kid, please do not answer; you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again, and they are willing to pay good money for it. Here are two things you don't want to do:

1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims he can fix your heart for 100 bucks.

2) You don't want to hire the same guy for 100'000 bucks when he's wearing a white coat and has shiny high-tech tools because the last guy paid in advance...

What does this have to do with penetration testing? More than we would like, unfortunately. I have met companies that invested thousands of dollars expecting a pentest and got a spiced-up Nessus report as a result. More subtle forms of a "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.

This talk will explore the common mistakes made when performing pentests, including the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike.

Published in: Technology, Health & Medicine

The 99c Heart Surgeon Dilemma (BruCON 2011)

  1. THE 99¢ HEART SURGEON DILEMMA. Stefan Friedli
  2. THE 99¢... WHAT?
  3. COMPARE.
  4. THIS IS ABOUT BAD EXAMPLES.
  5. WHO NEEDS A PENTEST?
  6. (image-only slide)
  7. HOWTO: FIGURE OUT IF A PAINTER SCREWED YOU OVER... (EVEN IF YOU NEVER TOUCHED PAINT.) Good / Bad
  8. HOWTO: IDENTIFY A GOOD PENTESTER. (... EVEN IF YOU WEAR A SUIT AND THINK “COMPUTER PEOPLE” SMELL FUNNY.) Good / Bad
  9. (image-only slide)
  10. Overall Quality: ELIMINATE
  11. Pre-Engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
  12. 5173 PAGES
  13. (image-only slide)
  14. «Due to copyright reasons, all of our documents are print-only by default. If you would like to purchase an electronic version at additional cost, please contact our sales staff.»*
  15. WAIT... BOMBS? «Due to the incorrect input validation of the parameter ‘s’, arbitrary script code can be executed.»
  16. IMPACT METRICS? Magic happens here.
  17. YOU’RE ALL WRONG. «The amount of bombs depends on the danger the vulnerability causes. (...) There is no upper limit.»* (* Translated from German)
  18. MS08-067: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
  19. MAKING IMPORTANT THINGS INVISIBLE.
  20. VISUALIZATION IS COOL IF YOU DO IT RIGHT. Google this: Wim Remes @ Blackhat EU
  21. MISE EN PLACE
  22. Pre-Engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
  23. SO YOU DIDN’T DO YOUR HOMEWORK?
  24. SO YOU DIDN’T DO YOUR HOMEWORK? XXX.213.XX.1/24 XXX.231.XX.1/24
  25. IF THINGS DON’T ADD UP: TALK TO PEOPLE. But... but... the bad guys don’t talk to you either!
  26. (image-only slide)
  27. BAD GUYS DON’T NEED TO WRITE REPORTS FOR YOU.
  28. COOPERATE. Confrontation → Cooperation
  29. TALK TO PEOPLE. ALL OF THEM.
  30. SAY WHAT? Management Summary: «(...) While it was not possible to use a reverse tcp shell to get an outbound connection, we were able to tunnel traffic through ICMP in order to get a shell on the system. (...)»
  31. “OH, A DOS BOX!”
  32. WHAT DO PEOPLE CARE ABOUT? STUFF THAT MATTERS TO THEM.
  33. SCOPE!
  34. Pre-Engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
  35. THINGS THAT DON’T EXIST. • Unicorns • Imaginary childhood friends (most of them) • A decent Metallica album after 1991 • «No Scope, just look at everything.»
  36. SCOPING MAKES SENSE BECAUSE... Scope, Time/Effort, Money
  37. WHAT DO PEOPLE CARE ABOUT? STUFF THAT MATTERS TO THEM.
  38. KEEP IT REAL. We have a pretty cool job. Don’t let anyone change that.
  39. DON’T BE THAT GUY. Management Summary: «(...) We were unable to complete the task because it [the website] was too big. (...)» Thank you Ben Jackson. http://code.google.com/p/weblabyrinth/
  40. HOW DO WE FIX IT?
  41. Just exploit stuff.
  42. Pre-Engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
  43. LIKE IT? MAKE IT BETTER! Help kill bad pentesting. http://www.pentest-standard.org Check out the PTES-G! DONE. IT’S OVER. Thanks for being here, feel free to ask questions and have a great night!
