Let's assume you need heart surgery. I hope you don't, but let's stick with it for a minute. How much would you be willing to pay for someone to fix it, and whom would you hire to do it? If you are a suicidal emo kid, please do not answer; you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again, and they are willing to pay good money for it. Here are two things you don't want to do:
1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims to fix your heart for 100 bucks.
2) You don't want to hire the same guy for 100,000 bucks just because he's wearing a white coat and has shiny high-tech tools, paid for by the last guy who paid in advance...
What does this have to do with penetration testing? More than we would like, unfortunately. I have met companies that invested thousands of dollars expecting a pentest and got a spiced-up Nessus report as a result. Subtler forms of the "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.
This talk explores the common mistakes made when performing pentests, covering the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike.
14. «Due to copyright reasons, all of our documents are print-only by default. If you would like to purchase an electronic version at additional cost, please contact our sales staff.»*
15. WAIT... BOMBS?
«Due to the incorrect input validation of the parameter ‘s’, arbitrary script code can be executed.»
17. YOU’RE ALL WRONG.
«The number of bombs depends on the danger the vulnerability causes. (...) There is no upper limit.»*
* Translated from German
18. MS08-067: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
30. SAY WHAT?
Management Summary:
«(...) While it was not possible to use a reverse TCP shell to get an outbound connection, we were able to tunnel traffic through ICMP in order to get a shell on the system. (...)»
35. THINGS THAT DON’T EXIST.
• Unicorns
• Imaginary childhood friends (most of them)
• A decent Metallica album after 1991
• «No Scope, just look at everything.»
37. WHAT DO PEOPLE CARE ABOUT?
STUFF THAT MATTERS TO THEM.
38. KEEP IT REAL.
We have a pretty cool job.
Don’t let anyone change that.
39. DON’T BE THAT GUY.
Management Summary:
«(...) We were unable to complete the task because it [the website] was too big. (...)»
Thank you Ben Jackson.
http://code.google.com/p/weblabyrinth/
(WebLabyrinth is a web-scanner tarpit: it serves crawlers an endless maze of generated links.)
43. LIKE IT? MAKE IT BETTER!
Help kill bad pentesting.
http://www.pentest-standard.org
Check out the PTES-G!
DONE. IT’S OVER.
Thanks for being here, feel free to ask questions and have a great night!