Good morning. Well, I know noon is DEF CON morning, so good morning. How many of you guys are hungover? Raise your hand. Seriously? Only one? Maybe two? You guys are doing DEF CON wrong. Alright, wait, wait, wait. Another drunk. Another question. How many of you are still drunk? Alright. Not me. I actually got like six hours of sleep last night, which is fucking fantastic. Alright, so welcome to So You Think You Want to Be a Penetration Tester. My name is Ansh. Long story, well, short story, but long story about my handle I'm not going to go into. There's some people that I want to introduce you to. You notice there's some logos on my slide. I'm a member of a fantastic organization called the Security Tribe. These guys are all smarter than I am, and I'm super, super happy to be surrounded by very smart people. I also have my wife in the audience, and she's a hacker like the rest of us, even though she doesn't admit it. She hacks kids' brains. She's a university professor, and she does a fantastic job. I have been a penetration tester for ten years. I've led red teams for five of those ten years, and so I'm going to talk a little bit about what the job actually is like, dispel some misconceptions, let you guys know a little bit about what the realities are, and such and such. Now, I have a little thing on the bottom of this slide that says "the leprechaun, question mark." Now, I requested in my CFP submittal that there would be a leprechaun dancing on stage while I was giving my talk, and that didn't happen, and I'm severely disappointed. Just kidding. All right. You'll notice my slides have a little bit of humor in them, and I do that intentionally, so feel free to laugh, and, you know, it's designed to try to keep you awake. So let's talk a little bit about the wonderful world of penetration testing. You know, this job is a tough one. And I'm going to do a quick survey. How many in here are already penetration testers? Raise your hands. Okay.
How many in here want a job in penetration testing? Raise your hands. Cool. All right. Now, stand up if you think penetration testing has to do with porn. Nobody standing up? That's, you know, you get into this job just for the title, because it's fantastic at parties. People ask you, what do you do? Well, I'm a penetration tester, and they give you this look of, what the fuck is that? Yeah. I've had various answers, like serious answers. Let me guess. You're the guy that tests the lighting in pornography, right? No. No. It's a fantastic title. It's fun. It's really cool to explain, because people always ask you questions about it. And I apologize. I'm getting over pneumonia, so I'm going to cough a little bit. So let's talk a little bit about what my family thinks I do. My mom and dad seriously think that I'm some kind of super spy. I'm not kidding. They're like, yeah, you travel all over the country and you break into shit, and you're like James Bond. I'm like, no, I'm not. It's actually really fucking boring. So I want to talk through some of the misconceptions and realities to kind of dispel some myths. And some of you out here that are already penetration testers will laugh at these, because they're pretty funny, I think. You know, I think I'm funny. Apparently there's a lot of people in here that need to get laid. So, you know. Misconception number one: there will always be somebody more elite than you. We all have something to learn. There is nobody on this planet that is an expert at everything. And I talked a little bit earlier about surrounding yourself with people that are smarter than you. And my team is super smart. All of these guys are just fucking geniuses, and it baffles me sometimes that they let me hang out with them. And this fucker down here, stand up, Jeremy. He is the leprechaun that is supposed to be dancing. Catch my lucky charm. Blow your ass to pieces. Now, can I sit? Yeah, you can sit. He is a member of my team.
I'm pretty sure that there's more in here. I just can't see you. If you work with me, stand up. Really? I guess they don't. I guess they don't really want me to hang out with them. That kind of sucks. Assholes. Seriously. There's always going to be somebody that is more, that is better than you at something else. And your job, as a part of this job, is to learn from them. You learn all you can, because you're going to run into shit that you have no idea what it is. And if you can learn it the first time, the next time you run into it, you'll know how to deal with it. So, misconception number one: you will never be the most elite guy in the room. Reality number two: if somebody told you this job is easy money, they're a fucking liar. We work. Well, when we're on site, when we're actually doing an assessment, we work probably between eight to ten hours a day. And that's pretty easy. We travel 25% of the time, and we have a good time while we're working. When we're not traveling, we're doing research. We're honing our skills. We're doing things that, excuse me, I'm sorry, we're doing things that make us better at our job. And that can take, oh, I don't know, it can take 15-hour days. It can take 10-hour days. You know, my wife puts up with me so well, because she'll come home, I'm like, I'm still working, and she's like, but I thought we were going to have dinner. Yeah, we can eat at nine. So it's not an easy job. It's not something you can sit and do, you know, nothing. Oh, what do you do? I surf the internet all day. Oh, yeah, I can do that. This is funny. Hold on just a second. My mom bought me this shirt. And we were out here on Friday, last Friday, from Friday, because we do Inhuman Reg, and so we help prep the con. And she panicked because she saw me check in in Vegas, and she's like, but I had a shirt for you to wear at DEF CON. Okay. It says "penetration" on the front, if you can't read it. The back has a definition of penetration. Penetration.
And when your mother gives you a shirt that says penetration on it, it's kind of awkward. Not really. My wife just asked, do you want me to read the back? No. It's kind of, it's awkward. All right. There's no bullshit in this job. And if you can't read the slide, it says, "Just because I appear to believe your bullshit doesn't mean I'm as stupid as you think I am. I'm just laughing inside and waiting to see what you come up with." You can't fake it until you make it in this job. It doesn't work. You will crash and burn miserably. And unfortunately, there's a lot of people that are trying to do that in this industry. And so I would encourage you, if you really want to get in this job, have a passion for it. And we'll talk a little bit about what that passion entails here in a little bit. I have seen a lot of bullshit in my time. I've seen a lot of people stand up and say, oh yeah, and when you ask them to prove it, they're like, oh, wait. Hacking into something is more than just pressing start on a Nessus scan. Yeah, it is. So there's no bullshit in this job. This is my favorite comment. Yes, you have to have experience to get experience. And I'm not telling you that you have to be a penetration tester to be a penetration tester. I hire, I prefer that we hire, sysadmins. It's easy for me to turn a sysadmin into a penetration tester. And that's because a sysadmin knows how to build something. You can generally take it apart. And that's what we do. We take things apart. We try not to have missing pieces at the end. Where the fuck did this screw come from? But, yeah, we take things apart. We analyze it. We look at it. And it's easy for me to take a sysadmin who knows how to put something together and teach them the skills that they need to be able to take things apart. I also look for an attitude. How many in here would consider themselves a hacker? Raise your hands. Every fucking one of you should be raising your hand right now. Let's try that again.
How many people in here would consider themselves a hacker? Alright, that was better. We'll give you a pass on that and give it about a D. 60%. I'm totally going to give you the D later. Just a tip. Just to see how it feels. The mentality of a hacker is one that questions things, that's curious. And if you're not curious about something, I mean, I'm not talking about a computer hacker, I'm talking about a hacker. If you're not curious about something, you're dead, and you need to be revived. And so I challenge everybody in this room that didn't raise their hand, like I said, there was about 40% of you, to wake up. Get curious about something. I don't care what it is. It can be knitting. It can be underwater basket weaving. It can be computers. Just be curious about something. Learn something. That's how you get experience. If you come to me and say, hey, I've been a sysadmin for five years, and this is what I did, and I really want to be a penetration tester, I'm going to look at you and say, cool, let's talk about your mindset. What are you curious about? What do you like to do? I like computers. Actually, I love computers. I spend a lot of my time on computers. I do electronics too. I build stuff. I build planter boxes for my wife. I do carpentry. I do all kinds of stuff, because I want to learn. I want to exercise my brain. I want to keep things elastic and not get stale. You guys want to do some penetration testing? They don't pay you to sit around and do nothing. This is work. It's a job. People forget that sometimes, I think. They get going with a, hey, I'm going to be a hacker, and I'm going to get to hack into things. Which is true. But it's also a job. You don't get to just show up and hack into shit and go away. It's work. And I tucked my shirt in because I had that. So I'm going to untuck it because it's hot. Is it hot in here? Yeah. I'm not going to take off all my clothes. So remember, they're not paying you to do nothing.
They're paying you to actually do work. And we're going to talk a little bit about what that work is, and what your clients are going to expect from you, and what you're going to have to be able to do in order to be a penetration tester. I love the Kim Jong Il memes. They're so funny. So how many of you in here think you know what a red team is? Raise your hand. Okay. I know you do. I know you do. Keep your hands raised. I'm going to call on somebody. Stand up. Shout loud. Go ahead. "A team is a group of individuals that work with, trying to break into a company." That's pretty good. Okay. He said a red team is a group of individuals that try to break into a company, either physical security or information security. Pretty close. I'm going to tell you, the definitions differ vastly between organizations. In my line of work, in my organization, a red team is simply an unannounced assessment. Now there's more to it than that, but it just means that we're not going to tell IT we're coming when we come to penetrate them, over and over and over again. A red team activity is very different than a penetration test. And I kind of want to cover, walk through some definitions here, as we, you know, just to kind of level set what we're talking about. Okay. I'm going to start out with a vulnerability assessment. A lot of people, a lot of companies out there, big companies, and I'm not going to name any names, sorry, call a penetration test, call a vulnerability assessment a penetration test. You're not actually doing a penetration test. Okay. If you walk in with Nessus, Nmap, old ones, SAINT, SATAN. Who here knows what SATAN is? Raise your hand. Yes. I love SATAN. Best tool ever. I wish it still existed. Well, it does, but they don't call it SATAN anymore. If you walk in with one of those tools, spit out a report, and hand it to your client, you did not perform a penetration test. You performed a vulnerability assessment. And, you know, there's more.
You could add more to it than that. You could do a threat assessment on top of that. But if you did not try to exploit the vulnerabilities that you found and try to dig deeper, you did not perform a penetration test. A penetration test, like I said, is something where you take your vulnerability assessment and you try to take it one step further. You're gonna try to actually exploit the vulnerabilities. Now, when you exploit those, you're gonna take and see how far the rabbit hole goes. The rabbit hole typically goes pretty damn far. That's the fun part of this job. The boring part is sitting there waiting for the vulnerability assessments to come back. Now, red teams. Red teams are the most fun, in my opinion. They're the thing that everybody wants to do, but not everybody can do it. A red team differs largely in the aspect of a penetration test in that you are trying not to get caught. Penetration tests are loud. You're gonna get caught all over the place. You're gonna sit down with your clients. They're gonna know you're there. They're gonna treat you like auditors, by the way. Do we have any auditors in the room? We have one. I'm sorry. We're gonna, we're going to, they're gonna treat you like an auditor. They're gonna hide things from you. They're gonna do all kinds of shit. And we'll talk about that in a little bit. But you really, you know, you're gonna do that same digging. You're gonna do it from outside. You're gonna do it as sneaky as possible. Whether you're breaking into something, you know, physically you're jumping a fence, you're planting a device, you're doing social engineering, you know, those are the kinds of concepts that differ between a red team and a penetration test. Okay. At least where I'm at right now. Let's talk a little bit about adaptation. How many of you guys like to plan? Let's just say, plan your day. Put two hands up. I know. You really want to throw a monkey wrench in Crypt's life.
Toss him something that's not gonna fit in his day, 'cause he will try to make it fit, and it'll be funny. No. You're gonna have to adapt. You're gonna have to think on your feet. How many of you guys were up here for Lost's talk when he talked on Thursday? I know I was. You know, he talked a little bit about, he gave this whole speech about thinking outside the box, right? I like to talk about non-linear thinking. You can't think in a straight line. If you think this leads to this, leads to this, you're never going to find everything you need to find. Oh, he's getting trash. Nice. Okay, well, I'm not gonna wait for him. Okay. So yeah, we're gonna talk about adaptation. You're rolling. Oh, hi, ladies and gentlemen. I know, I know that there's a very good reason that you're late, but I do that to everybody that comes in late to my talk. So, yeah. So, one plus one might equal five. And the reason why is because you think it equals two, but there's three more things out here that the client hasn't told you about. So really, it's not one plus one, it's one plus four. So you have to learn to adapt. You have to learn to sit down and be like, oh, well, so I didn't think about that. So I'm gonna take a step here, and then I'm gonna shift. A lot of people call that a pivot. So, learn to adapt. Be flexible. Starting to run out of time. So, we all like to win. How many of you guys like to win? Raise your hand. Again. Jesus. We're gonna try that one more time. I'm trying to get people to wake up and get active, because I realize it's early on a Sunday. Or late Saturday. Is it late Saturday for you? I'm sorry. You know, I'll let you sleep. There's a nice comfortable spot up here. You can lay down behind the table and take a nap. No. We all like to win. My team especially likes to win. We like to break into things and say, yes, we win. But I want to take the concept of winning out of this. Everybody needs to win. Your client
needs to be as secure as possible. Your job is to come in and tell them where they're not secure. Not to come in and embarrass their sysadmins. That's a bonus. I'm gonna get water poisoning, by the way. Lost. No, I've got about half of that left. It's great. So, your job isn't to embarrass the sysadmins. Your job is to tell your client where they're weak and what they can do to improve. And so take winning out of the equation. You know, you don't get to win. You get to help. You're not there to conquer the network. You're there to assess it. You're there to assist. Who you're there, you're there to assist your client in making themselves as secure as possible. Yeah. Thank you. Oh my God, the report. How many of you like to write? How many of you are technical writers in this room? Good. Thank you. I'm a, thank you right now. I actually, I hate to write. I hate it. It's not my job. It's my least favorite thing, but I do it, and I've been told I'm quite good at it. Yeah, it's a damn good thing I married an English teacher. Oh my God, my boss told me, you shouldn't tweet without letting her look at it first, and he wasn't kidding. Seriously, she helps me a lot. She corrects my grammar a lot. She has a large red pen, and I love it. Learn to write. Learn to write well. You're gonna have to do it. My last report was, I can, you can tell who I worked on it with, Crypt. Crypt and I wrote this report. It took us, what, what, three weeks? Three and a half weeks to write. It was PTSD. Yeah, it was long, and it's detailed, because again, you have a job to do. Your job is to make sure your client knows where they're weak, and so you want to outline all that. You also want to make sure that you're telling them how they can make themselves better. So the report is important. And the client. So let's talk a little bit about how you interface with your client. First thing you're going to do when you get on site is you're going to sit
down and you're going to say, hey, plug me into the network, and they're going to look at you and go, are you fucking nuts? And you're going to go, no, seriously, plug me into your network. And they're going to give you this ream of paper that's about 500 pages long, because I guess that's technically a ream, and they're going to say, this is the exclusion list. And it's going to have an IP address on each line for 500 pages, and you're going to look at this and go, okay, do you have this in electronic form? And they're going to go, no. Seriously, no. Remember how I said that they're treating you like an auditor? They don't want you to get started. So your job as a penetration tester, when you come into a client, is to make them feel comfortable. Shh, does this smell like chloroform? You make them feel comfortable, and then you do what you're going to do. You're going to find their weaknesses. And then when you find their weaknesses, you're going to show them how to fix them. And the more you do that, the more your client will trust you. And the less that exclusion list will become a factor. Your job is to convince the client that you need to look at every single IP address on that exclusion list. And it's not because, again, you want to embarrass the sysadmins. That's a blessing. A bonus, remember. Oh, teleprompter went out. I didn't even bring my besotomizer. Oh, that's a bummer. I like messing with that. I like watching my words. Oh, well. I'm going to be like Romer. Hopefully they'll catch up to me. Fuck, fuck, fuck, fuck, fuck. Anyway. So, yeah, your job is to make the client feel comfortable. And they're going to try to change things. You know, they don't like the report. You said you hacked into this. Did you really do that? Can we say that you almost got in? We have a plan to mitigate that vulnerability. Can we just not write that in the report? What was the last one, the favorite one? Oh, yeah.
Can we, if I provide you email evidence that we're working on that, can we say that vulnerability didn't actually exist? Yeah, no. Yeah, no. That's not how, yeah, that's not how this works. I unfriend you. At least I got some laughs. Okay. We'll test you. The point is you need to be able to deal with people. You need to be able to answer questions in a diplomatic way instead of saying, no, you're a fucking idiot. Stop that. Just don't use the word fuck. You can say, hey, you're an idiot. Stop that. Okay. I realize that was kind of a rambling talk. And I appreciate you guys listening to me. But I'm going to give some time for some questions. And I will answer anything if you guys have questions. Just stand up and say, yeah. Do you have clients that you want to see, one-off clients, or do you have recurring clients that you want to back at the time of the client? Right now I work for one large client. And we do all of the penetration tests for that one client. Next. Yeah. So you mentioned that you like to hire sysadmins. I'm wondering, are we looking at the sysadmin that you have, networking guys? What would you recommend for that? Yeah, yeah. So the question was that I said that I hire sysadmins. He's like, well, what about network guys? Those two. I'm just looking for somebody with experience that can build. All right. So we're going to, yeah, it's about time. So I'm like four minutes early, but that's okay. Okay. Fine. Leave me. Yeah. What do I think about pen testing certifications? They're all shit. No, seriously. Certification letters after your name, that's an HR filter. Okay. You have to get past HR at some point. So you're going to need them. Yeah. So I don't generally look at them. I will actually give you a test if you come to work for me. I have a test that I give. And if you can, you know, I'm not looking for if you can pass the test. I'm looking for how you approach the test. All right. Any others? Just stand up and start shouting. Yeah. Yeah.
So what happens on a pen test if you come across an existing compromised... What happens on a pen test if I come across an existing compromise? That's what we call an all-stop moment. Everything stops at that point. And then we help the client troubleshoot it and do their incident response. Yeah. That's, we don't mess around with that shit. Anything else? Anybody want to? Yeah. Specific vulnerabilities in OpenStack. Come grab me at the bar and we'll talk. Yeah. Yeah, I get your question. I'm going to rephrase it if it's okay. Okay. So the question was what am I, you know, basically what am I actually looking for in somebody that builds systems, right? If I'm looking for a potential employee. I'm looking for somebody that has the background in building systems, whether it be operating systems, networks, switching and routing, stuff like that. Because that stuff, that level of experience is hard to teach a penetration tester. Because if you don't have that background, you're not, you're not going to get it, penetration testing. You're not going to have that depth of something, you know, when you walk in and see, oh, that switch is configured wrong, right? There are a lot of penetration testers out there that can't tell that. But I'm not going to hire just network guys, not going to hire just sysadmins. I'm going to hire a breadth across the team so that we have, you know, nobody, no one, there's no one wealth of knowledge and we're not lacking someplace else. Does that make sense? I'm sorry? I didn't mean to interrupt you. You're not going to hire people? We're not going to hire one group. So there's no one wealth of knowledge, and we're not lacking somewhere else. Does that make sense? Yeah, that makes sense. Yeah. We've developed a lot of... Oh, wait, stop. This is my brother-in-law. I'm not shitting you. He's a ginger. But he does have a soul. Go ahead.
Alright, so other than your own mind, what is your most useful tool? My useful tool, other than my own mind. Well, we won't go into that because you're my brother-in-law. We won't talk about that. You know, I have a huge lab at home that I use a lot. And I use it to learn. I actually have a gigantic lab. And that lab is used for me. Yeah, yeah. Thoughtful pause. Yeah, that lab is useful for me to do my education. Alright, a couple more and then we'll be done. When you're on a team, what sort of communication do you use when you're inside the lab? Do you have a certain structure that you bring in or do you kind of... Yeah, yeah. What kind of infrastructure do we bring in to an announced assessment? We actually have a server and a switch we bring in. We use IRC to communicate between each other locally. We don't communicate outside with IRC. No Google Docs. Lost has a question. I know you need a lot of scripting ability. I am a level 5 script kiddie. No, you do. You need to learn to program in something. Python, Ruby. Ruby's a good one because you can write Metasploit modules. Those are always fun. Yeah, that's important. That's a tough one. Come here. Talk to people. Seriously. He asked me how do you find pen testing job opportunities. You come here. You talk to people. You sit at the bar and you'd be outgoing enough to be able to sit down and talk with somebody. You'd be able to talk to somebody about what you're doing and what you'd like to do. What's that? DEF CON groups. That's another good one. Local meetups. What's that? Local meetups. Yeah. Use the Exchange. Yeah. Your local meetups too are great. Those are awesome answers. Anything else? Yeah. I'm a global author. And so, I know like when there's a financial investigation and it's a suspected fraud, The question was what kind of language do we use to describe ourselves in our reviews to the site. And yeah, we do very similar things. We make softer claims. This is an assessment, for instance. It's a review. 
We do a cyber security review. We don't generally do incident response. So we're coming in to actually do an assessment of the network itself. But yeah, we use, we do soften things. I'm not coming in, I'm not going to say I'm coming to fuck your shit up, although sometimes I'd like to. All right. That's Crypt. Okay. Fantastic question. What's a good starting point if you've never touched a computer, but we want to get here? Fundamentals. It's a tough question. Learn how the computer works. Learn how it works. Take it apart, put it back together again. It's hard to do with, you know, the computers these days, but do it. Build one from scratch. Take Lost's How to Build a Processor in 10 Minutes. Watch that. That was fucking phenomenal. Seriously, it was. And the secret is, he did that all off the cuff. That's how smart he is. All right, last question. How do you prepare your reports so that it doesn't sound like an indictment against the staff? Very carefully. I'm going to repeat the question. How do I prepare my report so it doesn't sound like an indictment against the staff? What do you mean by that? Yeah. No shit. I call my wife. We actually have a set of people that look at the reports. And so we'll write our report, and it will go through a review board, and they will tell us if we're being too harsh or not. But we just carefully select our language, you know. I'm trying to get us, as an industry, I'm trying to get us to make sure that we don't get our industry away from softening things too much. Because I think we are too soft on our clients. You know, you can't sit here and say, well, that's a really, it's a critical vulnerability, but maybe you should take care of that, you know. You're not going to go in and say, well, this is a huge fuck up and you fucked up and you need to be fired. But you're going to go in and say, this is a critical vulnerability.
You need to prioritize this in your break-fix system. And so, you know, you just, I think we're too soft, to be honest. And so I'm trying to get us not to soften the language as much as we soften it now. All right, guys. That's all the time I have. I will be downstairs at the end of the elevator for about a minute. I'm going to go into the escalator at the bar for about 30 minutes if you guys want to come catch up with me. Oh, yeah. I need a drink.