>> Good morning, well, I know noon is DefCon morning so good morning. How many of you guys are hungover? Raise your hand, one... seriously? Only one? Maybe two? [laughter] You guys are doing DefCon wroooong! [laughter] Okay, no, wait, wait, wait... Another drunk... Another question, how many of you are still drunk? [laughter] Alright, not me. I actually got like 6 hours of sleep last night which is f*king fantastic. [ahem]

Alright, so welcome to "So you think you wanna be a penetration tester". Uhm, my name is Anch, uh, long story, well short story, but, long story about my handle, I'm not gonna go into. Uhm, there's some, some people that, uh, that I want to introduce to you. If you've noticed there's some logos on my slide - I'm a member of a fantastic organization called the Security Tribe. Uhm, these guys are all smarter than I am and I am super, super happy to be surrounded by very smart people. Uhm, I also have my wife in the audience and, uh... [applause] She's, uh... [whistling] She's a hacker like the rest of us even though she doesn't admit it; she hacks kids' brains... [laughter] Uhm, she's a, a university professor and she does a fantastic job. Uhm, I have been a penetration tester for 10 years. Uhm, I've led red teams for 5 of those 10 years and so, uh, I'm gonna talk a little bit about what the job actually is like.
Uh, uh, dispel some misconceptions, let you guys know, know a little bit about what the realities are and, uh, such and such. Now, I have a, a little thing at the bottom of this slide that says "The leprechaun" question mark... Now I requested... [laughter] In my CFP, uh, submitted that there would be a leprechaun dancing on stage... while I was giving my talk. And that didn't happen and I am severely disappointed. [pause] Just kidding. [chuckle] Alright, you will notice my slides have a little bit of humor in them and I do that intentionally so feel free to laugh and... you know. [laughter] It's designed to try to keep you awake. [laughter]

So let's talk a little bit about the wonderful world of penetration testing. You know this job is a tough one and I'm gonna do a quick survey. How many in here are already penetration testers? Raise your hands. [pause] Okay, how many in here want a job in penetration testing? Raise your hands. [pause] [ahem] Cool, alright... Now, stand up [pause] if you think penetration testing has, has to do with porn. [laughter] What, nobody standing up? [laughter] That's the, you know, you you get into this job just for the title because it's fantastic at parties. [laughter] People ask you "What do you do?", "Well, I'm a penetration tester." And they give you this look of... [laughter] "What the f*ck is that?" [chuckle]
>> Exactly...
>> Yea, yea.
I've had various answers from "Oh..." like, like serious answers "Let me guess, you're the guy to test the lighting in pornography, right?" ... "No" [chuckle] [laughter]... "No". Uhm, it's a fantastic title, it's fun. Uhm, it's really cool to explain because people always ask you questions about it. [cough] And I apologize, I'm getting over pneumonia so I'm gonna cough a little bit.

Uhm, so let's talk a little bit about what my family thinks I do... My mom and dad seriously think that I'm some kind of super spy. [audience noise] I'm not kidding, like, they're like "Yeah, you travel all over the country and, and you break into sh*t, and you're like James Bond", and I'm like "No, I'm not..." [laughter] "That's actually really fucking boring". [chuckle] Uh, so I wanna talk through some of the, the misconceptions and realities, uh, to kinda dispel some myths. And, uh, uhm, some of you here who are already penetration testers will laugh at these cause they're pretty funny, I think, you know, I think I'm funny. [laughter] [pause] Uhu... [laughter] Apparently there are a lot of people in here that need to get laid. [laughter]

Uhm, misconception number one, there will always be somebody more elite than you. We all have something to learn. There is nobody on this planet that is an expert on everything.
And, uhm, I talked a little bit earlier about surrounding yourself with some people that are smarter than you... [coughing] And, uhm, my team that I work with is super smart. All of these guys are just fucking geniuses and it baffles me sometimes... [coughing] That they let me hang out with them. [pause] [audience noise] And this fucker down here, stand up, Jeremy. [laughter]
>> I'm the leprechaun that was supposed to be doing the dancing.
>> He is the leprechaun that is supposed to be dancing. [laughter] [applause] [cheering] Catch my lucky charms or I blow your a** to pieces. [laughter] [ahem] Now...
>> Can I sit?
>> Yea, you can sit.
>> Thank you.
>> Uhm, he is a member of my team. I'm pretty sure that there's more in here, I just can't see you. If, if you work with me stand up... [pause] Really? [laughter] I guess they don't... [laughter] I guess they don't really want me to hang out with them, that kinda sucks. [laughter] A**holes. [laughter]

Uhm. [ahem] There's always gonna be somebody that is more, that is better than you at something else and your job as a part, a part of, of, of this job is to learn from them. You learn all you can because you're gonna run into shit that you have no idea what it is and if you can learn it the first time, the next time you run into it, you'll know how to deal with it.
So, misconception number one - you will never be the most elite guy in the room. [pause] Reality number two... [laughter] If somebody told you this job is easy money... [laughter] They're a f*cking liar! [audience noise] We work, uhm, well, when we're on site, when we're actually doing an assessment we work probably, uhm, between 8 and 10 hours a day. That's pretty easy. We travel 25% of the time and, uhm, we have a good time while we're working. When we're not traveling we're doing research. Uhm, we're honing our skills, we're doing things that... [cough] [cough] Excuse me, I'm sorry. We're doing things that, uh, uhm, make us better at your job and that can take, oh, I dunno, it could take 15 hour days, it could take 10 hour days. You know, uhm, my wife puts up with me so well! Cause she'll... and I'm like "I'm still working", and she's like "Uuuh, but I thought we were gonna have dinner". I'm like "Yea, we can eat at 9..." [laughter] Uhm, so, it's not an easy job. It's not something you can sit and do... you know, nothing. I mean, you know, it's like "Oh, what do you do?", "I surf the internet all day... shhh." [laughter] Uhm [chuckle] Yeah, I can't do that, this is funny. Hold on just a second. [microphone noise] [pause] [laughter] My mom bought me this shirt... [laughter] And, uh, we were, we were out here.
[cough] We were out here on Friday, last Friday, a week from Friday cause we, uhm, we're doing human reg and so we helped prep 'con. And she panicked because she saw me check in in Vegas and was like "But I had a shirt for you to wear at DefCon!". [chuckle] Okay, it says "Penetration" on the front, if you can't read it. Uhm... [laughter] And the back has a definition of penetration, uhm... [laughter] And when your mother gives you a shirt that says "Penetration" on it... [laughing] It's kinda awkward. [laughing] [chuckle] [laughter] [cough] Not really... My wife just asked "Do you want me to read the back?"... No [chuckle]. It's kind of, it's awkward.... [laughter] Alright [pause]...

There's no bullshit in this job. If you can't read this slide it says "If I appear to believe your bullshit doesn't mean that I am as stupid as you think I am...". [pause] "I'm just laughing inside waiting to see what you came up with..." You can't fake it until you make it in this job, it doesn't work, you will crash and burn miserably. And, uhm, unfortunately there's a lot of people trying to do that in this industry and so I will encourage you, if you... you really gotta have a passion for it. Uhm, and we'll talk a little bit about what that passion entails in a little bit. Uhm, I have seen a lot of bullshit in my time. I've seen a lot of people stand up and say "Oh, yea, I can hack into anything".
When you ask them to prove it they're like "Oh, wait, hacking into something is more than just pressing start on a Nessus scan?", "Uhm, yea, it is". Uhm, so there's no bullshit in this job. [pause] [chuckle] [laughing] This is my favorite comment! [cough] Yes, you have to have experience to get experience. Yes, and I'm not telling you that you have to be a penetration tester to be a penetration tester, uhm... I hire, I prefer that we hire sysadmins, uhm, it's easy for me to turn a sysadmin into a penetration tester. And that's because a sysadmin knows how to build something and if you know how to build something you can generally take it apart. Uhm... [laughter] And that's what we do - we take things apart! Uh, we try not to have missing pieces at the end... [laughter] "Where's the.... where the f*ck did this screw come from?" Uhm... but yea, we, we take things apart. We analyze it, we look at it and it's easy for me to take a sysadmin who knows how to put something together and teach them the skills that they need to be able to take things apart. Uhm, I also look for an attitude. [laughter] Uhm, how many in here would consider themselves a hacker? Raise your hands. [pause] Every fucking one of you should be raising your hand right now! Let's try that again... [laughter] How many people in here would consider themselves a hacker? [pause] [laughter] Alright, that was better.
We give you a pass on that... I give it about a "D", 60%. I'm totally gonna give you the "D" later... [laughter] Just the tip... [laughter] Just to see how it feels... [laughter] [coughing] The mentality of a hacker is one that questions things. That's curious and if you're not curious about something, I mean, and I'm not... I'm not talking about a computer hacker. I'm talking of a hacker, if you're not curious about something you're dead.... and you need to be revived. [laughter] And so, I challenge everybody in this room who didn't raise their hand, like, I said, there was about 40% of you... To wake up. [audience noise] Get curious about something. I don't care about what it is, it could be knitting, it can be underwater basket-weaving... [pause] It can be computers, just be curious about something, learn... something. That's how you get experience! If you come to me and say "Hey, I've been a sysadmin for 5 years and... this is what I did and I really wanna be a penetration tester". I'm gonna look at you and say "Cool, let's talk about your mindset... what are you curious about? What do you like to do?". You know, I like computers, actually, I love computers, I spend a lot of my time with computers. I do electronics too. [cough] ...you know, I build stuff. Uhm... [coughing] I... build planter boxes for my wife - carpentry. Uhm, I do all kinds of stuff cause I want to learn.
I want to exercise my brain. I wanna keep things elastic and not get stale. [pause] [chuckle] You guys wanna do some penetration testing? [pause] [laughter] They don't pay you to sit around and do nothing. [cough] This is work! It's a job! Uhm, people forget that sometimes, I think... [cough] They get going with a, a "Hey, I'm gonna be a hacker! And I'm gonna hack into things..." Which is true but it's also a job. Uhm, you don't get to just show and hack into sh*t and go away. It's work... And I tucked my shirt in just to add that and I'm gonna tuck my shirt in cause it's hot. [pause] Is it hot in here? [pause] Yea, I'm not gonna take off all my clothes. [laughter] Uhm, so remember, they're not paying you to do nothing, they're paying you to actually do work and we're gonna talk a little bit about what that work is. And, uhm... [audience noise] What your clients are gonna expect from you, and what you're gonna have to be able to do in order to be a penetration tester. [pause] I love the Kim Jong Il memes, they're so funny! [audience noise]

So how many of you in here think they know what a "Red Team" is? Raise your hand... [pause] Okay, I know you do... [laughter] Uhm... I know you do. Keep your hands raised, I might call on somebody. [laughter] Uh... you stand up. Shout loud. [pause] You... good.
>> A red team is a group of individuals that work with, uhm, trying to break into a company, their security or, information security.
>> That's pretty good. Okay, he said "A red team is a group of individuals that work with, trying to break into a company, their physical security or, uh, information security." Pretty close, uhm... I'm gonna tell you the definitions differ vastly between organizations. [pause] In my line of work, in my organization the red team is simply an unannounced assessment. [pause] Now, there's more to it than that, it just means that we're not gonna tell IT we're coming when we come to penetrate them... [laughter] [coughing] Over and over and over again... [pause] [coughing]

A red team activity is very different to a penetration test and I kinda wanna walk through some definitions here, uh, as we, just kinda level set what we're talking about. So I'm gonna start out with vulnerability assessment. A lot of people, a lot of companies out there, big companies and I'm not gonna name any names... [cough] "Wallace"... Oh, sorry... [pause] Call, uhm, a penetration test of... call a vulnerability assessment a penetration test. You're not actually doing a penetration test unless you're trying to actively exploit vulnerabilities. If you walk in with Nessus and Nmap, old ones, SAINT... uhm, "SATAN". Who here knows what SATAN is? Raise, raise your hand. [pause] Yes!
[chuckle] I love SATAN, best tool ever. I wish it still existed, well it does but they don't call it SATAN anymore. Uhm... [pause] If you walk in with one of those tools. [coughing] Hit the button, spit out a report and hand it to your client - you did NOT perform a penetration test. You performed a vulnerability assessment. And, you know, there's more, you can add more to that. You could add a threat assessment on top of that. Uhm, but if you did not try to exploit the vulnerabilities that you found and tried to dig deeper - you did not perform a penetration test. [pause]

Penetration test like I said... [cough] Is something that you take your vulnerability assessment and you try to take it one step further. You're gonna try to actually exploit the vuln, the vulnerabilities. Now, when you exploit those [ahem] [cough] you're gonna take it and see how far the rabbit hole goes. [pause] A rabbit hole typically goes pretty damn far... Uhm... [laughter] That's the fun part! ...of this job. The boring part is waiting for the vulnerability assessments to come back.

Now... red teams. Red teams are the most fun, in my opinion. They're the thing that everybody wants to do but not everybody can do it. A red team differs largely in the aspect of a penetration test in that you're trying not to get caught. Penetration tests are loud!
You're gonna get caught all over the place, you're gonna sit down with your client, they're gonna know that you're there. They're going to treat you like auditors by the way. Uhm, do we have any auditors in the room? [laughing] We have one, I'm sorry. [laughing] Uhm, we're, we're going to, they're going to, they're gonna treat you like an auditor. They're gonna hide things from you, they're gonna do all kinds of sh*t. We will talk about that in a little bit. [cough] [ahem] You, you really, you know, you wanna take it to the next level and so you wanna keep digging until you can dig no more. And in the red team you're gonna do that same digging, you're gonna do it from outside, you're gonna do it from... [pause] As sneaky as possible, whether you're breaking into something, you know, physically you're jumping the fence; you planted a device; you're doing social engineering, you know... Those are the kinds of concepts that differ between a red team and a penetration test. At least where I'm at right now. [pause]

Let's talk a little bit about ada, adaptation. How many of you guys like to plan... let's just say, plan your day? [pause] [chatter] Alright... You put two hands up, I know. You really wanna throw a monkey wrench in an encryp's life? [chuckle] Toss him something that's not gonna fit in his day... [laughter] Cause he will try and make it fit and it'll be FUNNY!
[laughter] Uhm, no... you're gonna have to adapt. You're gonna have to think on your feet. Uhm, how many of you guys were up here for Lost's talk? Kuwait talk on Thursday? I know I was. You know, he talked a bit about, he gave this whole speech about thinking outside the box, right? I like to talk about non-linear thinking. You can't think in a straight line, if you think "this" leads to "this" leads to "this" you're never going to find everything you need to find. [chatter] Oh, he's getting trashed? Nice... well, okay, I'm not gonna wait for him cause I have a limited amount of time. [pause] [cough] Okay! So, yea, we're gonna talk about adaptation. Your role in, you know... [pause] Oh! Hi... [background noise] Ladies and gentlemen... Lost! [applause] I know... I know that there's a very good reason that you're late. But I do that to everybody who comes late to my talks, so... [laughter] Uhm, so, so yea. One plus one might equal five and the reason why is because you think it equals "two" but there's three more things out here that the client hasn't told you about. So, really it's not "one plus one" it's "one plus four". [pause] So you have to learn to adapt, you have to learn to sit down and be like "Oh, well so I didn't think about that so I'm gonna take a step here then I'm gonna shift..." A lot of people call that a "pivot". [background noise]
So, learn to adapt, be flexible, don't think linear and I'm gonna really spin things up a little, speed things up a little bit cause I'm gonna start running out of time. So... [pause] We all like to win. How many of you guys like to win? Raise your hand... [pause] Again? Geez... We're gonna try that one more time... I'm trying to get people up to wake up and get active because I realize it's early... on a Sunday.
>> Or late Saturday...
>> Or late Saturday... [laughter] Is it late Saturday for you? I'm sorry... [chuckle] [laughter] You know, I'll, I'll let you sleep. There's a nice and comfortable spot up here, you can lie down behind the table and take a nap. Uhm... No! We all like to win, uhm, my team especially likes to win, we like to break into things and say, "Yes, we win!". [laughter] But, I want to take the concept of winning out of this. Everybody needs to win. Your client needs to be as secure as possible, your job is to come in and tell them where they're not secure. Not come in and embarrass their sysadmins. [pause] That's a bonus! [laughter] [chuckle] [pause] I'm gonna get water-poisoning, by the way, Lost. No, I've got about half of that left, that's great, thanks. Uhm, so yea... so your job isn't to embarrass sysadmins, your job is to tell your client where they're weak and what they could do to improve.
And, so, take winning out of the equation, you know, you don't get to "win", you get to "help". You're not there to, to conquer the network, you're there to assess it, you're there to assist, who you're there... you're there to assist your client in making themselves as secure as possible. [pause]

Oh my G*d... the report... [pause] How many of you like to write? [pause] Ooh, a fair amount. How many of you are technical writers? ... In this room? [pause] Good! Thank you. I'm gonna thank you right now, uhm, I actually, I hate to write. I hate it. It's my least favorite thing... Uhm, but I do it. And I've been told that I'm quite good at it. [background noise] Uhm... It's a damn good thing I married an English teacher. [laughing] Oh my God... [pause] You shouldn't tweet without, her, without her looking at it first. [laughter] [chuckle] And he wasn't kidding! [laughter] [cough] Seriously, she helps me a lot. Uhm, she corrects my grammar a lot. Uh, she has a large red pen and I love it! [laughter] Uhm, learn to write, learn to write well. You're gonna have to do it. Uhm, my last report was... [pause] [chuckle] Can you tell... can you tell who I worked on it with? Crypt, Cryptonite wrote this report. It took us, what, th, three weeks? Was it three and a half weeks? Is that right? [pause] Why is... PTSD. Uhm, yea, it was long. [cough] And it's detailed, because again, you have a job to do.
Your job is to make sure your client knows where they're weak and you wanna, you also wanna make sure that you're telling them how they can make themselves better. So... the report is important. [pause]

And the client... [pause] Let's talk a little bit about how you interface with your client. First thing you're gonna do when you get on site is you're gonna sit down and you're gonna say "Hey, plug me into the network" And they're gonna look at you and go "Are you fucking nuts?". [laughter] And you're gonna go "Seriously, plug me into your network". So then they plug you in and they're gonna give you this ream of paper that's about... I dunno, ooh, 500 pages long, cause like it's, that's technically a ream, right? And they're gonna say "This is the exclusion list"... [laughter] And it's gonna have an IP address on each line for 500 pages. Now you're gonna look at this and go "Okay, do you have this in electronic form?" and they're gonna go "No...". [laughter] Remember how I said they're treating you like an auditor? They don't want you to get started... Uhm, so your job as penetration tester, when you come into a client is to make them feel comfortable. [pause] Shhhh... does this smell like chloroform?
[laughter] You make them feel comfortable and then you do what you're gonna do which is A: you're gonna find their weaknesses and then when you find their weaknesses you're gonna show them how to fix them. And the more you do that the more your client will trust you and the less that exclusion list will become a factor. Your job is to convince the client that you need to look at every single IP address on that exclusion list. [pause] And it's not because... again, you wanna embarrass the sysadmins, that's a bonus, remember? [background noise] Uhm... oh, teleprompter went out... I didn't even bring my mp [00:29:17] ... [pause] Oh... that's a bummer. I like messing with that. I like watching my words... oh well. [cough] [pause] I'm gonna be like Rommer, hopefully they will catch up to me... fuck, fuck, fuck, fuck, f*ck... [laughter] Anyway... so, yea. Your job is to, is to make the client feel comfortable and they're going to try and change things. You know, they don't like the report. Uh... "You said you hacked into this, did you really do that? Can we say that you almost got in?" [laughing] [background noise] "Uhm, we have a plan to mitigate that vulnerability. Can we just not write that in the report?". Uhm, that was my... that was my favorite one. "Can, can we... If I provide you email evidence that we're working on that...
[laughing] Uhm, can we 00:30:15.480,00:30:19.317 say that vulnerability didn't actually exist?". "Uh, no... no, 00:30:19.317,00:30:24.423 no, no." [chuckle] [laughter] "Yea, no. That's not how... 00:30:24.423,00:30:28.193 that's not how this works.". "I gotta friend you...". [laughter] 00:30:28.193,00:30:34.633 [pause] At least I got some laughs... Okay they will test 00:30:34.633,00:30:39.638 you, the point is. You need to be able to deal with people. 00:30:44.676,00:30:48.313 [pause] You need to be able to answer questions in a diplomatic 00:30:48.313,00:30:52.017 way instead of saying "No, you're a fucking idiot, stop 00:30:52.017,00:30:56.855 that!" [laughter] Just don't use the word "fuck", like you'll say 00:30:56.855,00:31:03.361 "You're an idiot, stop that!". [laughter] Kay? I realized that 00:31:03.361,00:31:07.299 was kind of a rambling talk and I appreciate you guys sitting 00:31:07.299,00:31:09.134 and listening to me... [laughter] Now I'm gonna give 00:31:09.134,00:31:13.538 time for some questions. And I will answer anything if you 00:31:13.538,00:31:18.009 guys have questions. Just stand up and say.. yea. >> Uhm, do you 00:31:18.009,00:31:21.980 have uh, clients or are they mostly one-off things? Or do you 00:31:21.980,00:31:25.250 have to bring, like, big companies? What exactly are your 00:31:25.250,00:31:29.921 clients like? >> Uh, right now I work for one large client and 00:31:29.921,00:31:35.494 uh, we do all of the, uh, the penetration tests for that one 00:31:35.494,00:31:41.333 client. Next? Yea. >> So, you mentioned that you like to hire 00:31:41.333,00:31:45.270 sysadmins. I was wondering, you know, sysadmins what about 00:31:45.270,00:31:49.674 networking? What would you recommend in terms of, you know, 00:31:49.674,00:31:51.977 sysadmins. >> Oh yea.. The question was that... [laughter] 00:31:51.977,00:31:55.614 That I, I, I hire sysadmins, he's like, "Well, what about 00:31:55.614,00:31:57.249 network guys?" Those two?
[laughter] >> Just two, just 00:31:57.249,00:31:58.984 finish that one. >> I'm just looking for somebody with 00:31:58.984,00:32:01.553 experience who can build... [laughter] [chatter] Alright, so 00:32:01.553,00:32:05.190 we're gonna uh... Yea, it's about time. Yea, I'm like 4 00:32:05.190,00:32:08.827 minutes early, but that's okay. [laughter] [background noise] 00:32:08.827,00:32:12.831 Fine, leave me, yea. [chatter] >> Uh, what do you think about 00:32:12.831,00:32:14.966 pen testing certifications? [laughter] >> What do I think 00:32:14.966,00:32:18.003 about... what do I think of pen testing certifications? 00:32:20.238,00:32:26.912 [chatter] [sigh] They're all sh*t! [laughter] Uhm, no, 00:32:26.912,00:32:29.614 seriously. [chatter] Certifications, letters after 00:32:29.614,00:32:35.053 your name, that's HR filter, okay? You have to get past HR 00:32:35.053,00:32:39.324 at some point so you're gonna need them. Uh, I don't generally 00:32:39.324,00:32:42.961 look at them. I will actually give you a test if you're gonna 00:32:42.961,00:32:47.465 come work for me... Uhm, I have a, I have a test that I give and 00:32:47.465,00:32:51.369 if you can... you know, I'm not looking for if you can pass the 00:32:51.369,00:32:56.141 test, I'm looking for how you approach the test, alright? 00:32:56.141,00:32:58.443 [background noise] Any others? [pause] Just stand up and start 00:32:58.443,00:33:02.814 shouting. >> Yea, so what happens on a pentest if, if you 00:33:02.814,00:33:05.517 come across an existing compromise? >> What happens on a 00:33:05.517,00:33:08.186 pentest if I come across an existing compromise? >> Yea... 00:33:08.186,00:33:11.890 >> That's what we call, an, an "all-stop moment". Everything 00:33:11.890,00:33:16.528 stops at that moment, uhm, and then we help the client... uhm, 00:33:16.528,00:33:21.199 uh, troubleshoot it and do the incident response. Yea... 00:33:21.199,00:33:24.369 that's... we don't, we don't mess around with that shit.
00:33:24.369,00:33:28.874 [background] Anything else? Anybody want to...? Yip? >> Have 00:33:28.874,00:33:33.945 you dealt with openstack and existing vulnerabilities on open 00:33:33.945,00:33:36.848 stack? >> Specific vulnerabilities in open stack? 00:33:36.848,00:33:41.519 Uhm, come grab me at the bar, we'll talk. [coughing] Kay.. 00:33:41.519,00:33:46.524 Yea? >> So, you were mentioning about working for uhm... 00:33:54.766,00:33:56.101 [coughing] [indistinct] >> Yea, I get your question, I'm just 00:33:56.101,00:34:00.171 gonna rephrase it a bit. Uhm, so the question was, uh, what am I, 00:34:00.171,00:34:03.174 basically, what am I actually looking for in somebody's built 00:34:03.174,00:34:07.012 systems, right? So what if I'm a potential employee, I'm looking 00:34:07.012,00:34:10.282 for somebody that has the background in building systems, 00:34:10.282,00:34:13.785 whether it be operating systems, networks, switching and routing, 00:34:13.785,00:34:17.122 stuff like that. Cause that stuff, that, that level of 00:34:17.122,00:34:21.559 experience is hard to teach a penetration tester because if 00:34:21.559,00:34:26.031 you don't have that background you're not, you're not gonna get 00:34:26.031,00:34:30.101 it - penetration testing. Uhm, you're not, you're not gonna 00:34:30.101,00:34:33.071 have that depth of something, you know, when you walk in and 00:34:33.071,00:34:36.541 see "Oh, that switch is configured wrong", right? There are 00:34:36.541,00:34:40.545 a lot of penetration testers out there that can tell that but I'm 00:34:40.545,00:34:43.648 not gonna hire network guys, I'm not just gonna hire just 00:34:43.648,00:34:47.552 sysadmins - I'm gonna try and hire a breadth across the team so 00:34:47.552,00:34:52.824 that we have, you know, no one, compart, there's no one wealth 00:34:52.824,00:34:58.263 of knowledge and we're lacking somewhere else. That make sense? 00:34:58.263,00:35:00.899 [pause] You? Oh, wait! Stop...
[pause] This is my 00:35:00.899,00:35:05.937 brother-in-law. [laughter] I'm not shitting you. He's a ginger, 00:35:05.937,00:35:10.442 but he does have a soul... [laughter] All right, so other 00:35:10.442,00:35:17.115 than Satan, what is your most useful tool? >> My useful tool.. 00:35:17.115,00:35:20.785 my own mind. But we go into that because you're my brother in 00:35:20.785,00:35:25.790 law... [laughter] [chuckle] Different context.. Yea, we 00:35:29.627,00:35:35.667 won't go into that. Uhm, [ahem] You know I have a huge lab at 00:35:35.667,00:35:41.439 home that I use a lot and I use it to learn. I actually have a 00:35:41.439,00:35:46.745 gigantic lab and that lab is used for me... [pause] Yea, 00:35:46.745,00:35:52.550 yea... he's a... "Thoughtful pause". Uhm, yea that lab is 00:35:52.550,00:35:57.022 use, useful for me to, to, to do my educational things. Right, a 00:35:57.022,00:36:00.392 couple more.... and then we'll be done. >> Uh, when you're on a 00:36:00.392,00:36:04.396 team, uh, what sort of mitigation do you use, uh, when 00:36:04.396,00:36:08.066 working inside the networks? Do you use structures that you 00:36:08.066,00:36:12.437 bring in or do you... >> Yea, yea, what, what kind of 00:36:12.437,00:36:16.074 infrastructure do we bring into, into an analyses exploit? 00:36:16.074,00:36:19.978 [cough] We actually have a server and a switch, we use IRSP 00:36:19.978,00:36:24.716 to communicate which we use, uh, locally, uhm, we don't wanna, 00:36:24.716,00:36:28.753 uh, communicate outside with IRC. [background noise] No 00:36:28.753,00:36:31.990 GoogleDocs... [laughter] Lost has a question... >> I know you 00:36:31.990,00:36:35.260 require a lot of script building when you're pentesting, I'd just 00:36:35.260,00:36:38.730 like to know if level 5 script kitty is necessary? >> I am a 00:36:38.730,00:36:44.235 level 5 script kitty. [chuckle] Uhm, no, you need to learn to 00:36:44.235,00:36:50.408 program in something.
Uhm, Python, Ruby - Ruby's a good one 00:36:50.408,00:36:53.278 because you can write exploit modules, those are always fun. 00:36:53.278,00:36:58.283 Uhm, yea... that, that's important too. Yea. >> How do 00:37:00.785,00:37:05.790 you find job opportunity, it never seems unjust... >> That's 00:37:08.359,00:37:15.166 a tough one... Come here, talk to people, seriously, uhm, uh, 00:37:15.166,00:37:18.069 he's asking how you get pentesting job opportunities? 00:37:18.069,00:37:21.406 You come here and you talk to people; you sit at the bar and 00:37:21.406,00:37:26.845 you, you, you be outgoing enough to sit down and talk to somebody 00:37:26.845,00:37:30.882 about what you do and what you would like to do. Uhm... 00:37:30.882,00:37:33.485 [background noise] What was that? [audience noise] DefCon 00:37:33.485,00:37:40.058 groups, that's another good one. [audience noise] What was that? 00:37:40.058,00:37:43.161 >> Local meetups! >> Yea... your local meetups too are great. 00:37:43.161,00:37:48.933 Uhm, those are awesome answers. Alright, anything else? 00:37:48.933,00:37:54.172 [background noise] >> Yea... >> I am an auditor so I know like 00:37:54.172,00:37:59.410 when there's an investigation the auditors simply don't say that 00:37:59.410,00:38:03.548 there's an investigation. They'll say like, they'll use 00:38:03.548,00:38:09.821 other language and just like... >> Yea... >> So I was just 00:38:09.821,00:38:14.559 wondering what kind of language your team's using to 00:38:14.559,00:38:16.961 describe...? >> So, the, the question was what kind of 00:38:16.961,00:38:21.466 language we use to describe ourselves in our reviews to the, 00:38:21.466,00:38:25.170 uh, to the site. We, yes, we do very similar things, we make, 00:38:25.170,00:38:29.240 we make softer claims "This is an assessment..." for instance 00:38:29.240,00:38:34.245 "It's a review...", we, we do a "Cybersecurity review...". 00:38:36.548,00:38:39.884 [cough] We don't generally do incident response...
So, uh, we, 00:38:39.884,00:38:41.252 we, we're coming in to actually do an assessment of, of the 00:38:41.252,00:38:42.587 network itself. Uhm, yea, we use, we do soften things, you 00:38:42.587,00:38:47.592 know, I can come in and say "I'm coming to f*ck your sh*t up...". 00:38:55.900,00:38:59.771 All those fun times I'd like to... alright, that's Crypt. >> 00:38:59.771,00:39:04.709 What would you say is the best starting point for someone? What 00:39:07.612,00:39:13.551 are the most important fundamentals? [indistinct] 00:39:13.551,00:39:15.253 [background noise] >> Okay, fantastic question, what's a 00:39:15.253,00:39:17.422 good starting point if you've never touched a computer but 00:39:17.422,00:39:23.561 really wanna get here? The fundamentals... it's a tough 00:39:23.561,00:39:29.000 question. Learn how the computer works. Learn how it works - take 00:39:29.000,00:39:32.670 it apart, put it back together again, it's hard to do with, you 00:39:32.670,00:39:36.774 know, you know, the computers these days...but do it. Build 00:39:36.774,00:39:42.180 one from scratch. Take Lost's "How to build a processor in 10 00:39:42.180,00:39:46.651 minutes". [chuckle] Watch that! [background noise] That was 00:39:46.651,00:39:51.856 fucking phenomenal! [laughter] Seriously, it was! Uh, and, and 00:39:51.856,00:39:55.793 the secret is he did that all off the cuff. That shows you guys 00:39:55.793,00:39:59.230 how smart he is... Right, last question. >> Uhm, how do you 00:39:59.230,00:40:03.668 prepare your reports so that you don't sound like an indictment 00:40:03.668,00:40:06.804 against the staff? >> Very carefully. I'm going to repeat 00:40:06.804,00:40:11.342 the question: "How do I repair, how do I prepare my report so it 00:40:11.342,00:40:16.014 doesn't sound like an indictment against the staff..." The... 00:40:16.014,00:40:21.853 [laughter] Yea... No shit, I call my wife.
Uhm, we actually 00:40:21.853,00:40:27.191 have, uhm, a set of people that look at the reports and so we'll 00:40:27.191,00:40:30.828 write, we'll write the report and it'll go through a review 00:40:30.828,00:40:34.799 board and they will tell us if we're being too harsh or not... 00:40:34.799,00:40:38.503 Uhm, but we, we just carefully select our language, you know, 00:40:38.503,00:40:43.508 uhm, I'm trying to get us, as an industry, away from softening 00:40:48.579,00:40:52.617 things too much. I think we are too soft on our clients, you 00:40:52.617,00:40:58.656 know, you can't sit here and say "Weeeell... that's a really, 00:40:58.656,00:41:02.527 that's a critical vulnerability but, maybe, maybe you should 00:41:02.527,00:41:07.065 take care of that..." You know... [cough] You're not gonna 00:41:07.065,00:41:09.801 go in and say "This is a huge f*ckup and you f*cked up and you 00:41:09.801,00:41:14.672 need to be fired." But you're gonna go in and say uhm "This is 00:41:14.672,00:41:19.610 a critical vulnerability, you need to prioritize this in your, 00:41:19.610,00:41:24.816 in your break fix system." And so, you know, you just, I think 00:41:24.816,00:41:29.153 we're too soft to be honest and so I'm trying to get us not to soften the 00:41:29.153,00:41:34.158 language as much as we soften it now. Alright guys, this is all 00:41:38.329,00:41:43.901 the time I have... [applause] I will be downstairs at the end of 00:41:43.901,00:41:46.871 the elevator for about 30 minutes, alright, in the 00:41:46.871,00:41:49.507 escalator at the bar for about 30 minutes if you guys wanna 00:41:49.507,00:41:54.512 catch up with me. [background noise] Oh, yea... I need a 00:41:57.949,00:41:58.216 drink.