Web Application Scanning Automation

Some functions within penetration testing can be mundane and repetitive. To feed some life into these parts of the test, it can be fun and challenging to develop an automation script for these elements of an assessment. Furthermore, automating parts of a penetration test can help the output to be more consistent, reproducible, rigorous, and introduce some quality control as suggested by the OWASP Testing Methodology[1]. This article will introduce a few features of nmap and Nikto that support script automation, and walk through building a simple starter automation script.

Ready, Aim, FIRE!

To feed your automation, you will need a way to document your target information. Frequently a flat-text file with one target per line is sufficient. Other formats, such as XML, may be helpful depending on the tools you intend to use within your automated scripts.

Most command-line tools have features, such as reading target information from files, that facilitate automation nicely.

NMAP

The popular port scanning tool, nmap[2], can read a list of targets from a file through the “-iL” switch. For nmap, the file can specify targets in the same format that they can be listed on the command line, and multiple target designations can be placed on separate lines.

The following sample shows the flexibility nmap offers in the formatting of files it can read through the “-iL” switch:

192.168.17.34
10.23-25.0.0/24
172.16.1.1-10

Table 1: Sample nmap “targets.txt” File

The nmap tool also permits the results to be saved into several different formats:

  • Normal: The same output as nmap sends to STDOUTXML:
  • The results in XML data structure
  • Greppable: Output with scan results for each host on a single line
  • Script Kiddie: Results are in “L33T” speak

Using the “-oA” switch, nmap will output the results into three (3) separate files associated with the first three (3) output options listed above.

These file outputs will become the inputs for other tools to select targets.

Putting the input and output options together, the following nmap command will read in targets from the “targets.txt” file and output results to the three (3) useful file formats.

 nmap -iL targets.txt -oA $(date +%Y%m%d)_nmap_tcp

Table 2: Example nmap Command

The “$(date +%Y%m%d)” portion of the filename in the previous command causes the current date to be prepended to the file names nmap creates.

Nikto

A tool commonly used to perform initial web application scans is Nikto[3]. Nikto looks for common web application vulnerabilities associated with outdated software, misconfigurations and dangerous files.

Nikto’s ability to read an nmap greppable format file, a flat-text file with targets listed within, and the specification of a target on the command line makes target selection versatile. Each of these ways to target hosts can be specified by using the “-h” switch.

There are several conditions in which Nikto may prompt for further input, pausing the scan process until a response is received. To prevent a situation where Nikto is waiting for feedback, rather than scanning targets, the following switches can be used to disable prompts.

  • -ask no: disables the prompt that asks if you want to submit new banners for software identified while scanning.
  • -nointeractive: disables all other prompts.

Like nmap, Nikto has the ability to save results to multiple file formats by using the “-Format” switch. Some of the formats available include those in the following list:

  • -Format HTM: Saves an HTML formatted report.
  • -Format CSV: Saves Nikto’s results in comma separated value format.
  • -Format XML: Results are stored in XML format.

Multiple file types can be specified after the “-Format” switch by separating them with a comma.

Additionally, Nikto can save a replay file associated with each finding it reports, making it easy to jump in and verify findings or exploit the vulnerability.

The following example Nikto command reads the “nmap_output.gnmap” file for hosts for which the HTTP/HTTPS protocol was discovered, disables all interactive prompts, and saves a report in the “nikto_nmap-scans.html” file using HTML format.

 nikto -host nmap_output.gnmap -ask no –nointeractive -Format htm -output   nikto_nmap-scans.html

Table 3: Example Nikto Command

Automation: Bash Script Magic

Armed with script specific features of nmap and Nikto, it is time to build a basic automation script. This script can be used to begin the automation process, and expanded to include more tools.

Script Setup

To start the script out, it is best to define the path to the command interpreter you want the script to use, in this case we will point to bash. Afterwards, the definition of a couple variables, “ports” and “date”, will be useful for this script.

  • ports: Stores the list of ports Nikto will scan. For this starter script the focus will be on 80/tcp and 443/tcp.
  • date: Stores the date to use as a timestamp in filenames.

The beginning of the script will look like this:

#!/bin/bash
ports="80 443"
curdate=$(date +%Y%m%d)

Table 4: Start of Automation Script

The $(date +%Y%m%d)is used to execute the date command with parameters to specify the format YYYYMMDD and its output will be stored in the $curdate variable.

Grab Those IPs

The tools run by the script will need the IP addresses of the targets to run. There are many tactics to provide the targeting details, some of which are dependent upon the tool’s capabilities. Though Nikto can read a greppable nmap output file, for demonstration purposes let’s look at how the addresses can be pulled from nmap’s output.

Grep is a tool that searches through a file and returns the line that matches a specified query.

  • The following grep command could return the results shown below:
grep '80/open' $curdate\_nmap_tcp.gnmap
Host: 10.10.10.10 () Ports: 80/open/tcp//http///

Table 5: Grep Command to Find Lines with Port 80/tcp

The cut command can extract a section of text using a delimiter.

  • In the following example, a will be used as the delimiter, and the second “field” will be extracted. Based on the previous output from the grep command, this should isolate the IP address of the host with port 80/tcp available.
$grep '80/open' $curdate\_nmap_tcp.gnmap | cut –d ' ' -f2
10.10.10.10

Table 6: Grep + Cut to Return Only the IP Address for Systems Listening on Port 80/tcp

Another way to extract the IP address uses the tool awk.

  • This command searches for instances where port 80/tcp are reported open, and then prints the second field within each of the search results. By default awk will use whitespace (tabs and spaces) as the field delimiter.
$awk '/80\/open/{print $2}' $curdate\_nmap_tcp.gnmap
10.10.10.10

Table 7: Another Way to Extract the IP Address using Awk

Note that in the previous commands the “$curdate” variable was used as part of the file name. The “\_” in the filename uses the backslash to tell bash that the “_” is a literal underscore character and not part of the “$curdate” variable. Otherwise bash would look for the variable “$curdate_nmap_tcp.gnmap”, which does not exist.

Throw Us for a Loop

Bash includes the ability to iterate through a set of items using the for loop. A simple example of the for loop is:

$for a in hello there; do echo $a; done;
hello
there

Table 8: Simple for Loop Example

The above loop iterated through the two items hello and there, then wrote each item to stdout using the echo command.

There are a few features of for loops that are useful in scripts.

  • The loops can be nested inside of each other to iterate through multiple sets of data. As can be seen in the code snippet below, the script will loop through each of the ports specified in the $ports variable, as well as all the IP addresses inside the nmap output.
  • The semicolon (“;”) can be replaced with a carriage return to make the loop easier to read in a script.
  • The set of items the for loop will iterate through can be returned by a command.
    • As an example, the following command will loop through each of the results in the ls command, and print them to the screen.
 for a in $(ls -1); do echo $a; done;

Table 9: FOR Loop Using a Command’s Results as the Iterable Data

At this point, the details about pulling the IP addresses and the for loops can be combined.

for testport in $ports
do for targetip in $(awk '/'$testport'\/open/{print $2}' $curdate\_nmap_tcp.gnmap)
do nikto -host $targetip -ask no –nointeractive
done
done

Table 10: FOR Loop to Iterate through Ports and IP Addresses

NOTE: To expand the $testport variable in the search string, the string delimited by the single quotes must be terminated before the variable is referenced, and then resumed afterwards.

The Initial Automation Script

All the pieces necessary to build the initial automation script have been presented. The following code block puts everything together.

#!/bin/bash
ports="80 443"
curdate=$(date +%Y%m%d)
nmap –n -Pn -iL targets.txt -oA $curdate\_nmap_tcp –-reason
for testport in $ports
do for targetip in $(awk '/'$testport'\/open/{print $2}' $curdate\_nmap_tcp.gnmap)
do nikto -host $targetip:$testport -ask no –nointeractive -useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" -Format htm -output
     $curdate\_nikto_$targetip\_$testport.html
done
done

Table 11: The Initial Automation Script

If a targets.txt file contains the target hack.me in the same folder as the automation script (test.sh in this case), the following files will be present in the directory from which the script is run.

Files created by the Initial Automation Script

Screenshot 1: Files Created by the Initial Automation Script

An Alternative Path

Leveraging Nikto’s ability to read target details from nmap’s greppable formatted output, another way the script could be written is provided below.

#!/bin/bash
curdate=$(date +%Y%m%d)
nmap –n -Pn -iL targets.txt -oA $curdate\_nmap_tcp –reason
nikto -host $curdate\_nmap_tcp.gnmap -ask no –nointeractive -useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" -Format htm –output  .

Table 12: An Alternative Initial Automation Script

The alternative version of the script differs from the first script in the following ways:

All of Nikto’s results for every target will be stored in the same file.
Nikto identifies other ports that nmap reports as using http/https protocols, and scans those systems as well.A small amount of flexibility is lost, as the tools are making decisions about what to scan; but, the script is easier to read.

Homework

This article focuses on starting an initial script. Be like the crew members of the Enterprise and go where no hacker has gone before… Change the script, add in your favorite tools, and enjoy the productivity gains from introducing automation to improve your pen test methodology.

More Information

Webcast

Web Application Scanning Automation

Abstract:  Many functions within a penetration test are routine, and using a script to automate portions of the process can provide a consistent, repeatable and auditable process.  This presentation will begin with a walk through the command-line switches of a couple well-know tools that aid automation.  By the end of the hour, attendees will have an automation script that they can use to run their own tests, and grow to incorporate more of their own tools and methodology.

Course

SEC542: Web App Penetration Testing and Ethical Hacking

Upcoming classroom opportunities with instructor Tim McKenzie include

  • Tysons Corner, VA – Feb 11
  • Singapore – Mar 18

For the course syllabus, additional classroom opportunities, and online training options, visit the SEC542: Web App Pen Testing and Ethical Hacking course description. 

 

[1] https://www.owasp.org/index.php/Testing:_Introduction_and_objectives

[2] https://nmap.org/

[3] https://github.com/sullo/nikto

Secrets to Successful Cybersecurity Writing: Hack the Reader

My new writing course for cybersecurity professionals, SEC402, teaches how you can write better reports, emails, and other content you regularly create. It captures my experience of writing in the field for over two decades and incorporates insights from other community members.  (This is Lenny Zeltser writing, by the way, the author of SEC402.)

It’s a course I wish I could’ve attended when I needed to improve my own writing skills. And it’s especially useful for penetration testers, because of the critical role that the final report plays as part of the security assessment project.

I titled the course The Secrets to Successful Cybersecurity Writing: Hack the Reader. Why “hack”? Because strong writers know how to find an opening to their readers’ hearts and minds. SEC402 explains how you can break down your readers’ defenses, and capture their attention to deliver your message—even if they’re too busy or indifferent to others’ writing.

Here are several examples of such “hacking” techniques from course sections that focus on the structure and look of successful security writing:

  • Headings: Use them to sneak in the gist of your message, so your can persuade your readers even if they don’t read the rest of your text.
  • Lists: Rely on them to capture your readers’ attention when they skim your message for key ideas.
  • Figure Captions: Include them to influence the conclusion your readers reach even if they only glance at the graphic.

This is an unusual opportunity to improve your writing skills without sitting through tedious lectures or writing irrelevant essays. Instead, as you learn how to avoid common pitfalls, you’ll make your writing remarkable.

For instance, this slide opens the discussion about expressing ideas clearly, concisely, and correctly:

How would you improve this excerpt from a status report

SEC402 is grounded in the idea that you can become a better writer by learning how to spot common problems in others’ writing. This is why the many examples are filled with delightful errors that are as much fun to find as they are to correct.

One of the practical takeaways from the course is a set of checklists you can use to eliminate issues related to your structure, look, words, tone, and information.

For example:

Rating Sheet for the Right Look

SEC402 will help you stand out from other cybersecurity professionals with similar technical skills. It will help you get your executives, clients, and colleagues to notice your contribution, accept your advice, and appreciate your input.

You’ll benefit whether you are:

  • A manager or an individual team member
  • A consultant or an internally-focused employee
  • A defender or an attacker
  • An earthling or an alien

You have a limited opportunity to attend a beta version of SEC402. You will not only get an early adopter discount and bragging rights, but also shape the course for future participants. I’ll teach the 1st beta in Orlando in April 2019–registration is now open.

I’ll present the 2nd beta in New York City in June 2019. Starting around September 2019 you’ll be able to take the course almost exclusively through the SANS OnDemand platform.

Reach out to me if you have any questions about the course. I’m easy to find online.

Lenny Zeltser

Using gdb to Call Random Functions!

By Ron Bowes

Sometimes reverse engineering is graceful and purposeful, where you thread the needle just right to figure out some obscure, undocumented function and how it can be used to the best of your ability. This article isn’t about that.

In this post, we’ll look at how we can find hidden functionality by jumping to random functions in-memory! This is normally a good way to crash the program, but who knows? You might find a gem!

This technique is useful for finding hidden functionality, but it’s somewhat limited: it’ll only work for applications that you’re capable of debugging. With few exceptions (I’ve used a technique like this to break out of an improperly implemented sandbox before), this technique is primarily for analysis, not for exploitation or privilege escalation.

Creating a Test Binary

Let’s start by writing a simple toy program. You can download this program as a 32- and 64-bit Linux binary, as well as the source code and Makefile, here

Here’s the full code:


#include <stdio.h>

void random_function() {
  printf("You called me!\n");
}

int main(int argc, char *argv[]) {
  printf("Can you call random_function()?\n");
  printf("Press <enter> to continue\n");
  getchar();

  printf("Good bye!\n");
}

Put that in a file called jumpdemo.c and compile with the following command:

gcc -g -O0 -o jumpdemo jumpdemo.c

We add -O0 to the command line to prevent the compiler from performing optimizations such as deleting unused functions under the guise of “helping”. If you grabbed our source code, you can simply run make after extracting it.

Finding Interesting Functions

Let’s assume for the purposes of this post that the binaries are compiled with symbols. That means that you can see the function names! My favorite tool for analyzing binaries is IDA, but for our purposes, the nm command is more than sufficient:


$ nm ./jumpdemo
0000000000601040 B __bss_start
0000000000601030 D __data_start
0000000000601030 W data_start
0000000000601038 D __dso_handle
0000000000601040 D _edata
0000000000601048 B _end
0000000000400624 T _fini
                 U getchar@@GLIBC_2.2.5
                 w __gmon_start__
0000000000400400 T _init
0000000000400630 R _IO_stdin_used
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
                 w _Jv_RegisterClasses
0000000000400620 T __libc_csu_fini
00000000004005b0 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
0000000000400577 T main
                 U puts@@GLIBC_2.2.5
0000000000400566 T random_function
0000000000400470 T _start
0000000000601040 D __TMC_END__

Everything you see here is a symbol, and the ones with T in front are ones that we can actually call, but the ones that start with an underscore (‘_’) are built-in stuff that we can just ignore (in a “real” situation, you shouldn’t discount something simply because the name starts with an underscore, of course).

The two functions that might be interesting are “main” and “random_function”, so that’s what we’re going to target!

Load in gdb

Before we can call one of these functions, we need to run the project in gdb — the GNU Project Debugger. On the command line (from the directory containing the compiled jumpdemo binary), run ./jumpdemo in gdb:


$ gdb -q ./jumpdemo
Reading symbols from ./jumpdemo...(no debugging symbols found)...done.
(gdb)

The -q flag is simply to disable unnecessary output. After you get to the (gdb) prompt, the jumpdemo application is loaded and ready to run, but it hasn’t actually been started yet. You can verify that by trying to run a command such as continue:


(gdb) continue
The program is not being run.

gdb is an extremely powerful tool, with a ton of different commands. You can enter help into the prompt to learn more, and you can also use help <command> on any of the commands we use (such as help break) to get more details. Give it a try!

Simple Case: Just Call It!

Now that the program is ready to go in gdb, we can run it with the run command (don’t forget to try help run!). You’ll see the same output as you would if you’d run it directly until it ends, at which point we’re back in gdb. You can run it over and over if you desire, but that’s not really going to get you anywhere.

In order to modify the application at runtime, it is necessary to run the program and then stop it again before it finishes cleanly. The most common way is to use a breakpoint (help break) on main:


$ gdb -q ./jumpdemo
Reading symbols from ./jumpdemo...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x40057b
(gdb) 

Then run the binary and watch what happens:


(gdb) run
Starting program: /home/ron/blogs/jumpdemo

Breakpoint 1, 0x000000000040057b in main ()
(gdb) 

Now we have control of the application in the running (but paused) state! We can view/edit memory, modify registers, continue execution, jump to another part of the code, and much much more!

In our case, as I’m sure you’ve guessed by now, we’re going to move the program’s execution to another part of the program. Specifically, we’re just going to use gdb‘s jump command (help jump!) to resume execution at the start of random_function():


$ gdb -q ./jumpdemo
Reading symbols from ./jumpdemo...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x40057b
(gdb) run
Starting program: /home/ron/blogs/jumpdemo 

Breakpoint 1, 0x000000000040057b in main ()
(gdb) help jump
Continue program being debugged at specified line or address.
Usage: jump <location>
Give as argument either LINENUM or *ADDR, where ADDR is an expression
for an address to start at.
(gdb) jump random_function
Continuing at 0x40056a.
You called me!
[Inferior 1 (process 11391) exited with code 017]

We did it! The program printed, “You called me!”, which means we successfully ran random_function()! Exit code 017 means the process didn’t exit cleanly, but that is to be expected. We just ran an unexpected function with absolutely no context!

If for some reason you can’t get breakpoints to work (maybe the program was compiled without symbols and you don’t actually know where main is), you can do the same thing without breakpoints by pressing ctrl-c while the binary is running:


(gdb) run
Starting program: /home/ron/blogs/jumpdemo 
Can you call random_function()?
Press <enter> to continue
^C
Program received signal SIGINT, Interrupt.
0x00007ffff7b04260 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) jump random_function
Continuing at 0x40056a.
You called me!
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()

Don’t worry about the segmentation fault, like the 017 exit code above, it’s happening because the program has no idea what to do after it’s finished running random_function.

Another mildly interesting thing that you can do is jump back to main() to make the program think it’s starting over:


(gdb) run
Starting program: /home/ron/blogs/jumpdemo 
Can you call random_function()?
Press <enter> to continue
^C
Program received signal SIGINT, Interrupt.
0x00007ffff7b04260 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) jump main
Continuing at 0x40057b.
Can you call random_function()?
Press <enter> to continue

I use jump-back-to-main a lot while doing actual exploit development to check whether or not I actually have code execution without trying to develop working shellcode. If the program appears to start over, you’ve changed the current instruction!

Real-world Example

For a quick example of this technique doing something visible against a “real” application, I took a look through my tools/ folder for a simple command line Linux application, and found THC-Hydra. I compiled it the standard way — ./configure && make — and ran nm against it:


$ nm ./hydra
0000000000657abc b A
0000000000657cb4 B accntFlag
                 U alarm@@GLIBC_2.2.5
000000000043baf0 T alarming
0000000000657ae4 B alarm_went_off
00000000004266f0 T analyze_server_response
0000000000654200 B apop_challenge
                 U ASN1_OBJECT_free@@OPENSSL_1.0.0
                 U __assert_fail@@GLIBC_2.2.5
0000000000655c00 B auth_flag
0000000000657ab8 b B
0000000000408b60 T bail
000000000044b760 r base64digits
000000000044b6e0 r base64val
0000000000433450 T bf_get_pcount
…

Turns out, there are over 700 exported symbols. Wow! We can narrow it down by grepping for T, which refers to a symbol in the code section, but there are still a lot of those. I manually looked over the list to find ones that might work (ie, functions that might print output without having any valid context / parameters).

I started by running the application with a “normal” set of arguments to make note of the “normal” output:


$ gdb -q --args ./hydra -l john -p doe localhost http-head
Reading symbols from ./hydra...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/ron/tools/hydra-7.1-src/hydra -l john -p doe localhost http-head
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2018-10-15 14:47:12
Error: You must supply the web page as an additional option or via -m
[Inferior 1 (process 3619) exited with code 0377]
(gdb)

The only new thing here is --args which is simply a signal to gdb that there are going to be command line arguments to the binary.

After I determined what the output is supposed to look like, I set a breakpoint on main, like before, and jumped to help() after breaking:

$ gdb -q --args ./hydra -l john -p doe localhost http-head 
Reading symbols from ./hydra...(no debugging symbols found)...done. 
(gdb) break main 
Breakpoint 1 at 0x403bf0 
(gdb) run
Starting program: /home/ron/tools/hydra-7.1-src/hydra -l john -p doe localhost http-head [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x0000000000403bf0 in main () 
(gdb) jump help 
Continuing at 0x408420. Syntax: (null) [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]]|[service://server[:PORT][/OPT]]

Options: -R restore a previous aborted/crashed session -S perform an SSL connect ..

I tried help_bfg as well:


(gdb) jump help_bfg
Continuing at 0x408580.
Hydra bruteforce password generation option usage:

  -x MIN:MAX:CHARSET

     MIN     is the minimum number of characters in the password
     MAX     is the maximum number of characters in the password
     CHARSET is a specification of the characters to use in the generation
             valid CHARSET values are: 'a' for lowercase letters,
             'A' for uppercase letters, '1' for numbers, and for all others,
             just add their real representation.

Examples:
   -x 3:5:a  generate passwords from length 3 to 5 with all lowercase letters
   -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
   -x 1:3:/  generate passwords from length 1 to 3 containing only slashes
   -x 5:5:/%,.-  generate passwords with length 5 which consists only of /%,.-

The bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/
[Inferior 1 (process 9980) exited with code 0377]

Neat! Another help output! Although these are easy to get to legitimately, it’s really neat to see them called when they aren’t expected to be called! Stuff “just works”, kinda.

Speaking of kinda working, I also jumped to hydra_debug(), which had slightly more interesting results:


(gdb) jump hydra_debug
Continuing at 0x408b40.
[DEBUG] Code: ����   Time: 1539640228
[DEBUG] Options: mode 0  ssl 0  restore 0  showAttempt 0  tasks 0  max_use 0 tnp 0  tpsal 0  tprl 0  exit_found 0  miscptr (null)  service (null)
[DEBUG] Brains: active 0  targets 0  finished 0  todo_all 0  todo 0  sent 0  found 0  countlogin 0  sizelogin 0  countpass 0  sizepass 0
[Inferior 1 (process 7761) exited normally]

It does its best to print out the statistics, but because it didn’t expect that function to be called, it just prints nonsense.

Every other function I tried either does nothing or simply crashes the application. When you call a function that expects certain parameters without any such parameters, it normally tries to access invalid memory, so it’s pretty unsurprising. It’s actually surprising that it works at all! It’s pure luck that the string it tried to print is an invalid string rather than invalid memory (which would crash).

Conclusion

This may not seem like much, but it’s actually a very simple and straightforward reverse engineering technique that sometimes works shockingly well. Grab some open source applications, run nm on them, and try calling some functions. You never know what you’ll figure out!

–Ron Bowes
@iagox86

SANS Pen Test Poster: Pivots Payloads Boardgame

 

We are excited to introduce to you the new SANS Penetration Testing Educational Poster, “Pivots & Payloads Board Game”! It is a poster and a board game. How is it a board game? You can lay it down on a table, cut out the game pieces and game modifiers, use a dice to move your piece around the board…and play with your friends, colleagues, and/or family.

The board game takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what pen testers do and how they do it.

We have made the poster/board game available to download, with additional downloads of the cheat sheets, game pieces, and game modifiers. We will add additional content to this blog page as we continue to evolve the board game and improve on it in future versions.

Download PDF of Pivots & Payloads:

http://blogs.sans.org/pen-testing/files/2018/11/PEN-PR-BGP_v1_1018_WEB_11052018.pdf

PEN-PR-BGP_v1_1018_WEB_FINAL_11052018_web_front

PEN-PR-BGP_v1_1018_WEB_FINAL_11052018_web_back

Additional Pivots & Payloads:

Desktop Wallpaper

PEN-PR-BGP_v1_1018_wallaperV1

PEN-PR-BGP_v1_1018_wallaperV2

Game Pieces – Print PDF

Pieces

Cheat Sheets – Print PDF

HashCat

Recon

NetCat

Pen Test Cheat Sheets:

SANS Pen Test Training:

SANS Pen Test Posters:

Build your Skills (Free):

SANS Penetration Testing Webcasts (YouTube):

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

The Secrets in URL Shortening Services

The secrets in URL shortening services

 

Authors: Chris Dale (@ChrisADale) and Vegar Linge Haaland (@vegarlh) created this post to bring awareness to the dangers of using URL shortening services. They both work at Netsecurity, a company which serves a multitude of customers, internationally, with services within networking, security operations, IR and Penetration Testing.

 

URL shortening services are common use for many today. They allow you to create convenient short URL’s that serves as a redirect to otherwise long and complex URLs. Such a shortened URL can look like this: https://bit.ly/2vmdGv8 . Once clicked, you will be immediately redirect to whichever URL bit.ly has stored behind the magic value of 2vmdGv8. A team from archiveteam.org, called URLTeam, has taken on the task of discovering what secrets these magic values hold.

 

URLTeam’s mission is to take these shortening services, i.e. https://bit.ly, https://tinyurl.com, and bruteforce the possible values they can hold for their magic values. Currently the team is working across a bunch of shortening services, all of which can be found here: https://www.archiveteam.org/index.php?title=URLTeam#URL_shorteners, currently about a 130 different services supported. Their efforts effectively reveal the destination redirect of the magic values, and we can very quickly find juicy information!

 

Some of the information one can find are e.g. URLs pointing to file shares otherwise un-discoverable, links to testing and staging systems and even some “attack-in-progress” URL’s where we can see attacks against target systems. For penetration testers, searching through the bruteforced results might be a helpful addition to the reconnaissance process, as it might reveal endpoints and systems which would have previously gone undiscovered..

This blog post describes how to set yourself up with a setup for easy searching through this amazing set of data. That’s what we got for you in this post. First, some analysis of the data available, and then some quick and dirty setup descriptions to make this amazing data-set available for yourself.

image3

 

Revealing secrets

Let’s take a look at what type of sensitive, funny and otherwise interesting information we can find  in URL shortener data. Below are some examples of the things we found by just casually searching, and utilizing Google Hacking Database (https://www.exploit-db.com/google-hacking-database/) type of searches. We have tried to redac the domain names in question in order to protect the companies vulnerable.

 

Hack in-progress

First out is the “Hack In-Progress” type of URLs. I am guessing black-hats, and perhaps others too, are using these to share their work in progress with their peers. Some of the identified URLs seem to be simple Proof-Of-Concepts, while others are designed for data exfiltration.

 

Below we see attacks trying to exploit a Local File Inclusion (LFI) by including the Linux file /proc/self/environ. This file is commonly abused to try get a shell from having found a LFI vulnerability.

Search term Example data
 {“wildcard”: {“uri_param.keyword”: “*/proc/self/environ”}}  image9

Then we can see some further expansions on the LFI vulnerabilities, using a Nullbyte (%00) to abuse string terminations, a common vulnerability on e.g. older PHP installations.

Search term Example data
{“wildcard”:{“uri_param.keyword”:”*%00″}}  image15

We also see attacks containing carriage-return (%0D) and line-feeds (%0A). In this example we see an attempted command injection, trying to ping the localhost 5 times. The attacker will measure the time taken from a normal request, i.e. without attack payload in it, vs. the request below. If the time taken for the request to complete is approximately 5 seconds higher using the attack, it confirms the attack vector and a command injection is very likely to be possible.

Search term Example data
{“wildcard”:{“uri_param.keyword”:”*%0a”}}  image19

And finally, of course, SQL Injection queries.

 

Search term Example data
“Union all”  image20

 

Backup data

Next up in line of examples is backed up data. Many developers and IT-operators make temporary backups available online. While sharing these, it is evident that some of them have used URL shorteners to make life more convenient. This vulnerability classifies as a information leak.

 

Search term Example data
{“wildcard”: {“uri_path.keyword”: “*.bak”}}

 

 image6
{“wildcard”:{“uri_path.keyword”:”*.sql”}}  image18

File sharing

Another common finding is people sharing files with no password protection, assuming that the random identifiers (magic values) will keep the documents safe. But when they use URL shortener they effectively share the URL with the world. In this case we’re looking for Google Documents, and honestly there is so many sensitive documents leaked here, across a plethora of different file sharing services.

 

Search term Example data
uri_domain:docs.google.com

 

 image14
uri_main_domain.keyword:mega.nz  image16
uri_main_domain.keyword:1drv.ms  image1

 

 

Booking reservations and similar

Cloud storage links are not the only passwordless links that are being shared online. Hotel and travel ticket systems also commonly send you emails with passwordless links for easy access to your booking details, as handily provided below:

 

Search term Example data
uri_domain:click.mail.hotels.com  image8

 

 

 

Test, Staging and Development environments

There are also a lot of test systems being deployed, and links are often shared between developers. Searching for test, beta, development etc. often reveal some interesting results as well.

 

Search term Example data
uri_lastsub_domain:test  image13
uri_lastsub_domain.keyword:staging  image11

 

Login tokens and passwords

Session tokens in URL’s have for years been considered as a bad practice, primarily because proxies and shoulder surfing attacks could potentially compromise your current session. In the dataset there were many examples of URL’s containing sensitive info, e.g tokens and passwords.

Search parameter Example data
{“wildcard”:{“uri_param.keyword”:”*password=*”}}  image10
{“wildcard”:{“uri_param.keyword”:”*jsessionid=*”}}  image5

Conclusions

By looking at the archiveteam.org’s data it is very evident that sensitive data is being shortened unscrupulously. It is definite that these services are being used without properly thinking through who else can gain access to the URLs, a classic example of security through obscurity. Obviously, someone with bad intentions could abuse this to their advantage, but it is also clear that organizations could utilize these same services to look for their own data being leaked, and possibly compromised. Furthermore, penetration testers could use these techniques to look for their customer data, providing potential valuable intelligence into attack surface they could work on.

 

What type of vulnerabilities and information leaks can you find? Please share in the comments below. In the next section we share how to get this setup running on your own server, so you can start analyzing and protecting yourself.

 

Setup and Installation

A detailed description of the configuration in use would probably require it’s own article so to avoid making this one too long we will not go deep into the configuration in details but we will give a brief description of the components in use.

Our current setup involves two servers. One OpenBSD server which is used for fetching files and sending them to the database server, relaying https requests, and another running an ELK (Elasticsearch / Logstash / Kibana) stack. The ELK stack is running on FreeBSD with ZFS. It is  composed of the following components:

  • Elasticsearch: The database.
  • Logstash: Log and data-parser. Parses the data to a common format and feeds it into Elasticsearch.
  • Kibana: A web server and frontend for Elasticsearch.

 

Setting up these services are a common practice today, and there exists a multitude of tutorials on how to accomplish this today.

 

On the OpenBSD server we have a script for downloading archives from archive.org. Files are decompressed and content is appended to a file which is monitored by Filebeat. Filebeat then sends the data to Logstash on the server which is running on the Elasticsearch server. Logstash is set up with some custom grok filters which splits up the URLs into separate fields. We created some handy fields to use for filtering and graphs. Logstash then sends the processed data to elasticsearch. The data is stored in indices based on their top domain (.com .org .no etc). This is done to speed up searches for specific top level domains. Below you can see the fields we have extracted from the URLs.

image4

 

As an example, uri_lastsub_domain contains the bottom level domain name. This is handy for when you want to filter on any sub-domains starting with “api” or “dev” etc.

 

After feeding the data to the database we can start searching and looking through the data.

We can use the Discovery page in Kibana to discover interesting data. We can also use the Dev tools page to make more advanced queries, e.g. regex searches for hashes.

 

Example of use:

Searching through archives from the last 60 days, including only .com domains using the string “(union AND select) OR (select AND concat)” yields an amazing 6,995 results as per the following screenshot:

image17

The Kibana Dashboard allows us to present some colorful and useful graphs:

image2

 

Performance and Speed

Currently, the DB server with the ELK stack runs on a low end VPS. Searching for “test” through all 83,927,323 .com records currently in Elasticsearch, via Kibana, takes 3-5 seconds. Speed will depend on the type of search though, so if we want to search through a specific field for a non-analyzed string through the same index it takes about 23 seconds. Still not too bad. This is particular useful when a search term includes special characters.

 

Search Options

In Kibana the main search options are the search bar in Discover and custom queries using dev tools. The former is good for quick searches, and provides a nice list of the results. The listing can be easily modified to include the fields you need and you can modify as you go. When working with results in the discover page you can also easily filter on specific field data, allowing you to very easily to filter out uninteresting data as you browse though the results. This is shown in the screenshot below:

image12

 

The console UI in the dev tools page is a great place to build up specific queries. It let’s us query elasticsearch directly:

image7

Searching and processing data from the terminal

ElasticSearch results are returned in JSON format. This makes it easy to write tools to interact with the data, and also to process the data on e.g. a UNIX terminal. Let’s say we want to get all results containing the string “../” and see how many different domains we get hits on. To do this we can simply query the elasticsearch server with a curl and pipe the output to a file. For example:

curl -s -X POST -H "Content-Type: application/json" 'http://localhost:9200/logstash-shorturls-.com/_search?scroll=10m&size=5000' -d '

{

"query": {

"wildcard":{

"uri_param.keyword":"*../*"

}

}

}' > res

 

This normally results in a huge block of json text, so we pipe it to jq and extract just the information we need:

cat res | jq .hits.hits[]._source.uri_domain > res.dom

Finally we summon the power of standard Unix tools to process the data:

cat res.dom | cut -d"\"" -f2 | sort | uniq | wc -l

873

This could obviously be done all in a single command, without storing any files, however it is just a trivial example to show you that we can easily process the data in whichever manner we want. Now that we have the domains we can do more fun stuff like:

grep -f res.dom bug-bounty-domains.txt

 

Happy hunting!

 

SANS Note:

Chris Dale has four upcoming SANS Pen Test Webcasts scheduled –

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

SANS Pen Test Challenge Coin: SEC460

 

SEC460Coin

With every SANS Pen Test Challenge Coin comes a story. In addition to symbolizing achievement and knowledge, a Pen Test Challenge Coin is a physical manifestation of the keyboard skills demonstrated by the winners of our course’s Capture-the-Flag exercise.

The front of the SEC460: Enterprise Threat and Vulnerability Assessment challenge coin carries the SEC460 logo and title.  Great Vulnerability Assessors require an unwavering, burning passion to overcome the endless river of vulnerability data that major corporate networks are inundated with. The SEC460 logo represents this enthusiastic perseverance and attention to detail, the hallmarks of any excellent vulnerability team.

Hands-on labs and challenges are all conducted on a cyber range featuring the components of a large corporate environment. To represent this leap into the deep, dark, and unknown corners of large-scale network environments, the rear of the coin is adorned with an image of the HMS Enterprise – a vessel whose very name attests to daring military engagements.

The reverse side of the coin carries the SEC460 slogan: We cannot direct the wind, but we can adjust the sails. A defining and shared experience of all Vulnerability Assessors is the constantly shifting corporate environments we are charged to protect. While we may not be able to define the direction our organizations take, we are endowed with the opportunity to observe and think opportunistically in protecting them.
Like all other Pen Test coins before it, the SEC460: Enterprise Threat and Vulnerability Assessment challenge coin is its own challenge. The cipher itself connects to the nautical history of the image of the vessel above it. Who will be the first to crack it?

460FRONT

SEC460: Enterprise Threat and Vulnerability Assessment

How do you protect an organization with 1,000+ nodes from the crippling damage of wide-spread malware like WannaCry and NotPetya? Our brand-new 400-level course is designed to help you and your organization detect, prioritize, and mitigate enterprise-scale vulnerabilities.

Syllabus & Training Schedule: https://www.sans.org/course/enterprise-threat-vulnerability-assessment

Register for this brand-new course today!

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

SANS Cheat Sheet: Python 3

 

by: Mark Baggett

Python 2 – The end of the world as we know it.

It will happen. In the year 2020 an event will occur that will alter the course of information security forever. What is this apocalyptic event? The end of life for Python 2. Is it that big of a deal? Meh. I’m just being dramatic. As of 2020 they will stop releasing updates and patches to Python 2. But Python 2 isn’t going anywhere. If history has taught us lessons about what happens to unsupported software then we will continue to see it running critical infrastructure and hospital equipment for many years to come. Those programs that run in Python 2 interpreters today will continue to run in Python 2 interpreters well after 2020. Sadly today some organizations are still running old Python 2.5 interpreters despite the fact that it is now 13 years old and has serious security issues. It’s pretty safe to say that we will continue to see Python 2 for the foreseeable future.

That said, I think it is a little short sighted to continue to develop new tools and automation in Python 2 today. Today you should definitely be developing new code that works in Python 3. Any new tools you purchase and plan to use for more than a year should run in Python 3. You should also evaluate the risk associated with running that old Python 2 interpreter that may have security vulnerabilities once it is no longer supported vs updating your code to work with a supported interpreter. As you look to the future you should do that with Python 3 in your sights.

SANS SEC573: Automating information Security with Python course and the associated GPYC certification rides the Python2/Python3 fence along with the rest of the Industry. The course teaches you to build new tools for automation of common defensive, forensics and offensive task in Python 3. Developing new tools in Python 3 will set you up for success moving forward. We also covers what you need to know to convert your existing Python 2 code to Python 3. If you need to continue to use Python 2 we will teach you how to write code that is forward compatible to Python 3 so you are ready to switch when you are eventually forced to. In my opinion it isn’t really a choice between Python 2 and Python 3. The answer is both. We will supporting both versions for a while. In celebration of that fact here are the SEC573 Python2 and Python3 cheat sheets available for you to download and print! Enjoy!

 

DOWNLOAD – Python 2.7 Cheat Sheet

Python2_7

DOWNLOAD – Python 3 Cheat Sheet

Python3

 

Pen Test Cheat Sheets:

 

SANS Pen Test Training:

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

SANS Cheat Sheet: Netcat

 

by SANS Pen Test Team

We are adding another SANS Cheat Sheet to our arsenal of information security/penetration testing cheat sheets available here at the SANS Pen Test Blog. If you would like additional cheat sheets, click on the “cheatsheet” category or see below to find them all.

This cheat sheet is from our SANS SEC560: Network Penetration Testing and Ethical Hacking course, authored by SANS Fellow, Ed Skoudis. To learn Netcat in-depth along with many other tools, methods, and techniques of penetration testing, please consider taking our core pen testing course, SEC560.

What is Netcat… from the wiki:

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

Download PDF: netcat-cheat-sheet

Netcat1

 

Other Netcat Resources:

Bash’s Built-in Netcat Client

Netcat without -e? No problem!

 

Pen Test Cheat Sheets:

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

SANS Poster – White Board of Awesome Command Line Kung Fu (PDF Download)

 

by: SANS Pen Test Team

Imagine you are sitting at your desk and come across a great command line tip that will assist you in your career as an information security professional, so you jot the tip down on a note, post-it, or scrap sheet of paper and tape it to your white board… now imagine you do this all the time until your white board is completely full of useful tips you’ve found and can use daily.

That is the concept behind the SANS Pen Test Poster: White Board of Awesome Command Line Kung-Fu created by the SANS Pen Test Instructors. Each tip was submitted by the Pen Test Instructors and curated by SANS Fellow, Ed Skoudis.

We are giving you a complete white board full of tips you can use to become a better InfoSec professional.

Now it is available for you to download.

Download PDF – PENT-PSTR-WHITEBOARD-V3-0118_web.pdf

PENT-PSTR-WHITEBOARD-V3-0118_web_small

PENT-PSTR-WHITEBOARD-V3-0118_web_small_back

 

Additional Educational Posts based on the Poster:

Python:

“White Board” – Python – Python Debugger
“White Board” – Python – Python Reverse Shell!
“White Board” – Python – Pythonic Web Server
“White Board” – Python – Raw Shell -> Terminal
“White Board” – Python – Pythonic Web Client

Bash:

“White Board” – Bash – Useful IPv6 Pivot
“White Board” – Bash – Encrypted Exfil Channel!
“White Board” – Bash – What’s My Public IP Address?
“White Board” – Bash – Bash’s Built-In Netcat Client
“White Board” – Bash – Check Service Every Second
“White Board” – Bash – Make Output Easier to Read
“White Board” – Bash – Website Cloner
“White Board” – Bash – Sudo… Make Me a Sandwich
“White Board” – Bash – Find Juicy Stuff in File System

CMD.exe:

“White Board” – CMD.exe – C:\> netsh interface
“White Board” – CMD.exe – C:\> wmic process

PowerShell:

“White Board” – PowerShell – Add a Firewall Rule
“White Board” – PowerShell – Built-in Port Scanner!
“White Board” – PowerShell – Get Firewall Rules
“White Board” – PowerShell – One-Line Web Client
“White Board” – PowerShell – Ping Sweeper!
“White Board” – PowerShell – Find Juicy Stuff in the File System

 

Desktop Wallpapers based on Poster:

Bash, PowerShell, Python…

Python_1280x1024(example)

 

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

So You Wanna Be a Pen Tester? 3 Paths To Consider (Updated)

Tips for Entering the Penetration Testing Field

By Ed Skoudis

It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I’m frequently asked about how someone can land their first job in the field after they’ve acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I’ve counseled a lot of my friends and acquaintances as they’ve moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let’s zoom into three of the most promising. It’s worth noting that these three paths aren’t mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Path A: General Enterprise Security Practitioner Moving to Penetration Testing

First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your “regular” job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you’ll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.

Path B: Working for a Company or Division that Focuses on Penetration Testing

There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.

Path C: Going Out on Your Own

If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you’ve built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.

Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you’ve created. You see, to excel in pen testing, you can’t think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.

Additional SANS Penetration Testing Resources

Watch: WEBCAST – So, You Wanna Be a Pen Tester?

EdSkoudis_SoYouWannaBeAPenTester_06192018

Available Now!
Recorded: 6/19/2108
https://www.sans.org/webcasts/so-wanna-pen-tester-3-paths-106920

 

Upcoming SANS Pen Test Webcasts:

Pen Test Cheat Sheets:

SANS Pen Test Posters:

Build your Skills (Free):

SANS Penetration Testing Webcasts (YouTube):

SANS Pen Test Training:

–Ed.

https://twitter.com/edskoudis

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02