Interview with Christoph Haas

A short interview with Christoph Haas with some advise for career starters.

What brought you to IT security? How did you get into penetration testing?
I started with an apprenticeship as a developer. After that I made my Bachelor in Business Informatics. During this I worked three days a week in the security department of a bigger company in the technology sector. However, during this phase I found out that my part is more in the “offensive” field 😉 . So I met the company I started working as a penetration tester at a small German conference (Backtrack-Day).

You are the owner of Securai, a penetration testing company that is specialized in application security. Why did you specialize?
I believe that specialization is the key success factor. IT security is a complex topic, but if you really want to be good at it, you have to focus on one thing.

Do you also look for newbies in the field?
Sure, always 🙂 !

What do you expect from applicants? What do you think makes a good penetration tester?
They really have to want it. If someone is getting frustrated easily, I would recommend another career. They also should be happy about communicating with other people. Penetration testing is a consulting business, so you have to deal with people a lot. They should have fun learning new things, because this is what you have to do all the time, even after years in pentesting.
From a technical perspective we are looking for people with a development background, as I think they can communicate better with devs and as we focus on appsec, we mostly have those types of customers.

What has been the best or worst moment in your penetration testing career?
The best moment is, when after hours or days of struggling you finally get an application to fall. This is the fun part about pentesting 🙂 .

What is your thought about certifications?
I think they are necessary and sometimes even are fun to do. I personally like the OSCP and we basically use it as a test for new colleagues.

Christoph is Founder and Owner of Securai, a company focusing on application security.

Review Black Hat & Defcon 2019

Black Hat

Black Hat is a pretty commercial conference, tickets for two days cost more than 2000$, if you want to attend the briefings. There are also trainings, costs vary and are much higher. The content qualitiy is usually very high, the attendees vary from consultants, CISOs, developers, and all kind of IT security professionals. There is a big crowd with about 17000 attendees in 2017.

The Black Hat is being held at the Mandalay Bay.

The briefings are picked by a review board in a call for papers process. Researchers present their top work, often campaigned weeks before the conference. 
In the business halls all kind of vendors are present and giving away loads of swag for attendees and also throwing parties. 

Keynote

Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi

Arsenal

I am mainly at the Black Hat for the Arsenal. It is a great opportunity for developers to present their work at booths that are also located at the business hall. For the last three years I could thankfully present AVET (AntiVirus Evasion Tool), which is giving presenters a briefings pass. The tools are also picked by a review board.

A short thread

Defcon

Defcon is the “real” hacker event in Vegas and is completly different as Black Hat (although both have the same founder). Black Hat and Defcon overlap one day, Defcon is four days. Costs for 2019 were 300$, qualitiy of the talks is also high and more fun might be included (like talks about phreaking). More offensive security stuff seems to be included here.

This year the event was spread over four hotels including four presentation tracks, several villages (areas with talks and hands-on for several topics), parties, CTFs, movies and so on. It was said that about 30000 people attended defcon in 2019, so everything was pretty crowded and also a bit confusing. Walking between the different spots can take between 10-20 minutes.

Defcon is meant to be a hacker con, which is true. Also, there is a strong drinking culture present, fist time speakers must drink a shot (and attendees demand it loudly).

There is also a media server which is worth a look.

Conclusion

If you have the chance to attend Black Hat/Defcon you should give it a try. It is great to connect and develop your skills and I have met some great people and made new friends.
For people who want to advance their career it is definetly great, but if it is your first conference you might consider to go to a smaller event. The atmosphere in Las Vegas is somewhat special, whith the hotels, the casinos and the tourists around.

More free Pentesting resources

While I wrote the articles about how to start a pentesting career I came accross more great resources that I did not mention before, so here they are. Most of it is hands-on :).

The Complete Beginner Network Penetration Testing Course for 2019

CTP/OSCE Prep – Wrapping Up Our Prep
Article with OSCE resources.
https://h0mbre.github.io/CTP_Summary/#

Web Application Exploits and Defenses
Online Webapp hacking.
https://google-gruyere.appspot.com/

XSS challenges
Online XSS challenges.
http://xss-quiz.int21h.jp/

XXE Lab
XXE Lab for downloading and hacking.
https://github.com/jbarone/xxelab

Root Me
Hacking challenges online.
https://www.root-me.org/

Cryptopals
Crypto hacking CTF.
https://cryptopals.com/

RingZer0 CTF
https://ringzer0ctf.com/challenges

Damn Vulnerable Web Application (DVWA)
Vulnerable weeb hacking VM (download).
http://www.dvwa.co.uk/

Pentesterlab
List of the free Webapp hacking excercises.
https://pentesterlab.com/exercises?dir=desc&only=free&sort=published_at

Link List with more CTFs and excercises
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/

Kali Training
https://kali.training/

Vulnhub
Loads of challenges and VMs (downloads).
https://www.vulnhub.com/

Career Path Security Researcher & Bug Bounty

Security Researchers work in the field of bug bounties and exploitation, often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people starting this as a side job and then go independent. If you don’t know some basics look here and here.

The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics, you can’t just start hacking and hope to find something.

When you want to participate in bug bounties normally you are using platforms like hackerone or bugcrowd, but lot’s of companies have their own bounty programs. Since most of these programs are public this makes starting easy.

On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty, is networking with other researchers and companies. One way is to go at conferences and trainings, have a look at the links section of this article.

Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.

Links

Bug Bounty

Blog Articles, programs

LevelUp 0x02 – Bug Bounty Hunter Methodology v3

Advanced Web Attacks and Exploitation (AWAE)

Probably interesting for both paths, but web hacking is more bug bounty for me…
https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/

Exploiting

35C3 – From Zero to Zero Day

The Exploit tutorials from corelan

https://www.corelan.be/index.php/articles/
That said, I can highly recommend the trainings that you can book at several conferences:
https://www.corelan-training.com/

OSCE- Cracking the Perimeter (CTP)

Also mentioned here before, the Offensive Security course and certification:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/

OSEE – Advanced Windows Exploitation (AWE)

I also heard great things about the AWE (OSEE) for more in depth exploitation, but I don’t have personal experience here.

Even more links:
https://www.zerodayinitiative.com/
https://zerodium.com/
https://googleprojectzero.blogspot.com/
and especially this article from project zero:
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html

Conferences

As said before, learning new things and networking is really important, so here are some conferences that seem good, you should also consider to take some trainings:

Books

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

The Shellcoder’s Handbook
Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte
Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading.
Career: Penetration Tester, Exploiter
Level: Intermediate, Experts
Buy at Amazon U.S.
Buy at Amazon Germany

Hacking: The Art of Exploitation
Author: Jon Erickson
Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux.
Career: Penetration Tester, Exploit Developer
Level: Beginner, Intermediate, Expert
Buy at Amazon U.S.
Buy at Amazon Germany

And here is a great free book:
Modern Windows Exploit Development
http://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf

Book review The Hacker Playbook 3

The Hacker Playbook 3
Authors: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert
Buy at Amazon U.S.
Buy at Amazon Germany

This week I did read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming, it makes sense to read also the first two books if you do not have prior knowledge to penetration testing.


Content:

  • Difference between pentesting and red teaming
  • MITRE ATT&CK framework
  • Tools setup
  • Reconnaissance phase
  • optional lab setup & exercises
  • about web attacks like node.js, nosql injections, deserializiation attacks and more
  • hacking the (windows) network for example with responder, password spraying
  • privilege escalation with misconfigured services, exploit suggester and more
  • mimikatz magic of course
  • attacks on macs with empire
  • bloodhound and sharphound
  • lateral movement using different techniques
  • pivoting
  • social engineering campaings & physical attacks
  • recompile meterpreter dlls for avoiding detection
  • password cracking
  • write your own droppers

I highly recommend this book, especially if you are into Red Teaming it is a good resource. Maybe a report about owing the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non trivial task.

Write-up hackthebox netmon

After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.

Portscan

Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.043s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
|02-25-19 11:49PM Windows | ftp-syst: | SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1
OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S
OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D
OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=
OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%
OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: mean: 11s, deviation: 0s, median: 10s | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported | message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-23 21:38:48
|_ start_date: 2019-05-23 21:34:54
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 54.00 ms 10.10.12.1
2 54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds

Connect via FTP

The user hash is easily found:

Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…

But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:

Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.

Also in c:\windows:

c:\ProgrammData is hidden but can be seen if you access it directly:

Get netmon prtgadmin credentials:

Something interesting in PRTG Configuration.old.bak:

After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453

Add a notification:

Leave defaults and choose “Execute Program” with the following settings:

Success, we can now get the hash from the test,txt file:

Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.

Book Review Hands-on Bug Hunting for Penetration Testers

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

The main audience of Bug Hunting for Penetration Testers are coders and penetration testers interested in bug bounties. The book goes through bug bounty programs, penetration testing and the usual web security vulnerabilites like XSS, SQL injections, XEE and so on.

As the title sais, the book was written for people with prior knowledge in penetration testing. So the vulnerabtilies are not explained in depth, but nevertheless it is suitable also for beginners if they are willing to go deeper later and using other sources, after each chapter there are some recommendations for it.

For me the perspective as a bug hunter is pretty interesting, and the book is going into automatisation of some tasks and which vulnerabilites are usually interesting for bug bounty programs and how to report them. For getting an impression about the coding have a look here, unfortunatelly the code base is for python 2.7 and not python 3. The books is also informing about information gathering and bug bounty strategies. What I also like are the end-to-end examples, from finding and exploiting a vulnerability to a short example report. Later reporting is explained into more detail.

If you are interested in Bug Bounty programs you should have a look into this book.