Writing good reports is in my opinion one of the most import tasks for people who work in security, no matter if pentesting, forensics or other topics. The report is the final product of your work, it is leaving an impression even after some time and it represents your company, your department and yourself. Unfortunately some people underestimate this topic.
Course Syllabus: * Module 1: Telling a Story * Module 2: Writing Penetration Testing Reports * Module 3: Forensic Writing * Module 4: Most Common Writing Mistakes
The price is pretty fair, 97$ at the time of this writing. Even folks who don’t like to write reports gave me great feedback, and for myself I can highly recommend it. It takes about 6-8h for going through, you have access to forums and in the end you get a certificate of completion. Although writing lot’s of reports over the past years I got some great new ideas for imrovement.
Hello All, this is a review of Pentest Academy and AttackDefense Labs. The content is really huge:
So it is not possible to review all of it, this post is just meant to give a rough overview and some examples.
Currently I started the course Traffic Analysis: Tshark unleashed, so this is the short example for this post.
What comes really handy is that you can just start the labs in the AttackDefense labs, so you don’t need to setup own VMs only for following the courses:
What is also great, you can download the videos, so you can also watch them later.
As far as I can say, all the videos are suitable more or less for beginners.
The labs include a huge amount of topics, including: Webapps, MSF, Pivilege Escalation, Eploiting, Wi-Fi, Forensincs, Reversing, Cracking, Python and so on. Some labs include a small task, but others include for example full blown webapps like juiceshop.
In this case there was a small issue (for me), the labs are timing out after some time, which might be a bit annoying when having a full web app. For the smaller labs I never had problems.
As advanced labs there are also some CTF style labs available.
With verifiable badges it is possible to verfiy your knowlege to an external source, as I did here:
As far as I could see all badges have three small challenges where you have to find flags (like a small CTF), badges are available for lot’s of topics (19 badges are available at the time of this writing) and most of them can be done after you viewed and worked through the courses.
Yes, the machine itself is called writeup. My first step was running nmap:
# nmap 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 21:54 CEST
Nmap scan report for 10.10.10.138
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
# nmap -A -p 22,80 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 22:06 CEST
Nmap scan report for 10.10.10.138
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 20.28 ms 10.10.12.1
2 20.47 ms 10.10.10.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
Login to cms is protected with a .htaccess file, creds are not valid here. Good that there is a thing called password re-use.
But ssh worked with the creds:
# ssh firstname.lastname@example.org
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 4 14:51:59 2019 from 10.10.12.57
jkr@writeup:~$ cat user.txt
So user flag was done…
For escalating to root I first used exploit suggester and tried the exploits, but without success.
So I did some research and came across a tool called pyspy. For transfering the file I used apache and wget.
So here is just a very short one. Always when I have to set up a new pentest machine, I have to look it up again, so here is a small list of browser addons that are usefull for webapp pentesting (using Firefox):
One of the good things about Defcon is that there is a No Starch Press store at the vendors area.
So I bought it for the flight, but it took a bit longer until I was through the book.
The book has 20 chapters, starting with Bug Bounty Basics. The next 17 chapters go through different classes of vulnerabitlites like XSS, SQLi, memory corruption, CSRF and so on.
After an explanation of the vulnerabilty itself, real reports are also included with further hints. At the end of each chapter the reader can find useful takeaways.
The last two chapters are not about bugs, one is about finding bugs in general, including some descriptions for tactics and tools. The last chapter is about writing a good report, communication to the companies and how to deal with the different programmes, which seems very useful to me.
Real-World Bug Hunting is helping to maximaize payouts and finding more bugs. It shows up lots of attack vectors and creative way for exploing them.
Real-World Bug Hunting: A Field Guide to Web Hacking Author: Peter Yaworski Content: A very practical guide to bug hunting and bug bounties Career: Penetration Tester, Bug Bounty Level: Beginner, Intermediate
End of August I travelled from Germany to far away Kathmandu in Nepal for visiting threatcon and the browser security workshop by Mario Heiderich and the beautiful country. Here is a short review.
Browser Security Workshop
With the conference I booked the 2 days workshop Offensive HTML, SVG, CSS & Other Browser-Evil. The covered topics:
History of browser security and the browser market
Unicode, character sets
Breaking Filters (WAF)
IE/Edge compatibility modes
The presentation includes 255 slides, so in 2 days it was not possible to cover everything, also there was no time for the hands-on parts. XSS is not the big topic anymore, but I was happy I can fresh up my knowlege and also learned some new stuff.
The conference was one day with a single track, so contrary to Blackhat & Defcon everything was clearly arranged. On the speaker list were Mario Heiderich, Jim Manico, Georgia Weidman, Vignesh, Yogesh Ojha, Aniruddha Dolas and Prashant Tilekar, you may see some familiar names here.
Between the presentations there was lot of time for networking and discussions, with the business pass I also joint the evening event which came with great drinks & food.
For me the best at conferences, of course, is the networking part. It was a great pleasure to meet and connect with new people and friends.
When you are new to IT security I highly recommend to visit smaller and local conferences if possible, it is much easier to connect and to visit.
Thanks to the organizers of threatcon for a great event.
After the conference I took four days for traveling and sightseeing, this is just a very small impression (I made >1000 shots). I travel a lot, and this was one of the most impressive experiences I’ve had.
A short interview with Christoph Haas with some advise for career starters.
What brought you to IT security? How did you get into penetration testing? I started with an apprenticeship as a developer. After that I made my Bachelor in Business Informatics. During this I worked three days a week in the security department of a bigger company in the technology sector. However, during this phase I found out that my part is more in the “offensive” field 😉 . So I met the company I started working as a penetration tester at a small German conference (Backtrack-Day).
You are the owner of Securai, a penetration testing company that is specialized in application security. Why did you specialize? I believe that specialization is the key success factor. IT security is a complex topic, but if you really want to be good at it, you have to focus on one thing.
Do you also look for newbies in the field? Sure, always 🙂 !
What do you expect from applicants? What do you think makes a good penetration tester? They really have to want it. If someone is getting frustrated easily, I would recommend another career. They also should be happy about communicating with other people. Penetration testing is a consulting business, so you have to deal with people a lot. They should have fun learning new things, because this is what you have to do all the time, even after years in pentesting. From a technical perspective we are looking for people with a development background, as I think they can communicate better with devs and as we focus on appsec, we mostly have those types of customers.
What has been the best or worst moment in your penetration testing career? The best moment is, when after hours or days of struggling you finally get an application to fall. This is the fun part about pentesting 🙂 .
What is your thought about certifications? I think they are necessary and sometimes even are fun to do. I personally like the OSCP and we basically use it as a test for new colleagues.
Christoph is Founder and Owner of Securai, a company focusing on application security.
Black Hat is a pretty commercial conference, tickets for two days cost more than 2000$, if you want to attend the briefings. There are also trainings, costs vary and are much higher. The content qualitiy is usually very high, the attendees vary from consultants, CISOs, developers, and all kind of IT security professionals. There is a big crowd with about 17000 attendees in 2017.
The briefings are picked by a review board in a call for papers process. Researchers present their top work, often campaigned weeks before the conference. In the business halls all kind of vendors are present and giving away loads of swag for attendees and also throwing parties.
Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi
I am mainly at the Black Hat for the Arsenal. It is a great opportunity for developers to present their work at booths that are also located at the business hall. For the last three years I could thankfully present AVET (AntiVirus Evasion Tool), which is giving presenters a briefings pass. The tools are also picked by a review board.
Defcon is the “real” hacker event in Vegas and is completly different as Black Hat (although both have the same founder). Black Hat and Defcon overlap one day, Defcon is four days. Costs for 2019 were 300$, qualitiy of the talks is also high and more fun might be included (like talks about phreaking). More offensive security stuff seems to be included here.
This year the event was spread over four hotels including four presentation tracks, several villages (areas with talks and hands-on for several topics), parties, CTFs, movies and so on. It was said that about 30000 people attended defcon in 2019, so everything was pretty crowded and also a bit confusing. Walking between the different spots can take between 10-20 minutes.
Defcon is meant to be a hacker con, which is true. Also, there is a strong drinking culture present, fist time speakers must drink a shot (and attendees demand it loudly).
If you have the chance to attend Black Hat/Defcon you should give it a try. It is great to connect and develop your skills and I have met some great people and made new friends. For people who want to advance their career it is definetly great, but if it is your first conference you might consider to go to a smaller event. The atmosphere in Las Vegas is somewhat special, with the hotels, the casinos and the tourists around.
Security Researchers work in the field of bug bounties and exploitation, often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people starting this as a side job and then go independent. If you don’t know some basics look here and here.
The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics, you can’t just start hacking and hope to find something.
When you want to participate in bug bounties normally you are using platforms like hackerone or bugcrowd, but lot’s of companies have their own bounty programs. Since most of these programs are public this makes starting easy.
On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty, is networking with other researchers and companies. One way is to go at conferences and trainings, have a look at the links section of this article.
Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.
Hands-On Bug Hunting for Penetration Testers Author: Joseph Marshall Content: Go through common bugs in Webapps and introduction to bug bounties Career: Penetration Tester, Bug Bounty Level: Beginner
The Shellcoder’s Handbook Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading. Career: Penetration Tester, Exploiter Level: Intermediate, Experts
Hacking: The Art of Exploitation Author: Jon Erickson Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux. Career: Penetration Tester, Exploit Developer Level: Beginner, Intermediate, Expert