Abstract image of a woman sitting on books and studying on a laptop

Breaking, Entering and Pentesting

Security BSides London, profile picture
Security BSides London

The document discusses the varying roles and classes of penetration testers (pentesters) within cybersecurity, highlighting their motivations, experience, and common pitfalls. It features anecdotes from the speaker's experiences and observations about the pentesting community, including examples of vulnerabilities found during tests. The presentation aims to educate on the essential skills and attitudes of different types of pentesters while addressing misconceptions from clients regarding their responsibilities.

TechnologyEntertainment & Humor
1 of 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Breaking, Entering and Pentesting - Steve Lord
The Things Customers Say To me, at least... From a leading SI: “ That's not a risk. It's internal.”
Who is this guy? And what does he know? Steve Lord Founder, Mandalorian
TigerScheme SST and TP member
Co-Founder, 44Con - http://www.44con.com/ 12 Year Pentesting V ictim eteran Big gov, small gov, financials, defence, NGOs, small countries, small continents
What Does A Pentester Do? Other than drinking, natch
What Does A Pentester Do? In practice
What Does A Pentester Do? Don't believe me? 3 months ago we tested a government system
During the test we found a ColdFusion System
Tried requesting the following: /CFIDE/administrator/settings/mappings.cfm?locale=..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts%00en
What Does A Pentester Do? Don't believe me?
Did You Spot The Gorilla? Really? Shall we try again?
What Does A Pentester Do? Don't believe me?
What Does A Pentester Do? Grading time It was vulnerable to CVE-2010-2861 1 point
What Does A Pentester Do? Grading time The /CFIDE/administrator/ path was accessible from the Internet 1 point
What Does A Pentester Do? Grading time That Adobe acquired Macromedia in 2005, and as such this thing's been open for how long since an upgrade? 2 points – report due by end of talk pls
What Does A Pentester Do? Keep it going harder Can we get admin passwords? ..\..\lib\password.properties Add Scheduled Task
What Does A Pentester Do? Keep it going harder Can we get admin passwords? ..\..\lib\password.properties Add Scheduled Task
Leading to...
The Things Customers Say To me, at least... From another leading SI: “ We have a duty of care to protect customer data”
Classes of Pentester You mean there's more than one? Pentesters can be grouped into several classes based on: Experience
Attitude
Motivation
Ability
Classes of Pentester The Nessus Monkey Often fresh out of Uni
Runs tools
Follows methodology
Good at filling in checklists
Can do an OPTIONS request in a single bound
Might even know how to drive Ubuntu
Classes of Pentester The Nessus Monkey
Classes of Pentester Common Nessus Monkey Mistakes Wandering off-scope
Not choosing company wisely
Thinking it's someone else's job to teach you
Classes of Pentester Even Nessus Monkeys get root Nessus reports Tomcat HTML interface
Nessus Monkey fires up metasploit
Nessus Monkey own system
Nessus Monkey happy
Nessus Monkey graduates
Classes of Pentester Experts in Training Has written a tool
Knows a programming language
Can use a Linux commandline
Has read an RFC
Hungry for root, hungry to learn
Classes of Pentester Experts in Training
Classes of Pentester Experts In Training Observations As skills increase Awareness of problem space (usually) increases

More Related Content

PDF
3M results 2014 - Analysts and investors
Ageas
 
PPTX
Hogy néz ki egy pentest meló a gyakorlatban?
hackersuli
 
PDF
The_Pentester_Blueprint.pdf
gcara4
 
PPTX
WTF is Penetration Testing v.2
Scott Sutherland
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
PDF
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
PDF
Web hacking
Prashant Vashisht
 
PDF
Puppet for SysAdmins
Puppet
 
3M results 2014 - Analysts and investors
Ageas
 
Hogy néz ki egy pentest meló a gyakorlatban?
hackersuli
 
The_Pentester_Blueprint.pdf
gcara4
 
WTF is Penetration Testing v.2
Scott Sutherland
 
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
Web hacking
Prashant Vashisht
 
Puppet for SysAdmins
Puppet
 

Similar to Breaking, Entering and Pentesting (15)

PDF
Bsides to 2016-penetration-testing
Haydn Johnson
 
PPTX
So, you wanna be a pen tester
Adrien de Beaupre
 
PPT
Penetration testing, What’s this?
Dmitry Evteev
 
PDF
CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) 1st Edition
ratishgephe76
 
PPTX
Web Application Penetration Testing Introduction
gbud7
 
PPTX
Btpro-Penetration Testing Service
Btpro BilgiTeknolojileri
 
PDF
Puppet Camp Berlin 2015: Nigel Kersten | Puppet Keynote
NETWAYS
 
PDF
Puppet Camp Berlin 2015: Puppet Keynote
Puppet
 
PDF
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
PDF
The Web Application Hackers Toolchain
jasonhaddix
 
PPTX
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
PPTX
Automated tests
Damian Sromek
 
PDF
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
PDF
Intrusion Techniques
Festival Software Livre
 
PDF
2011 and still bruteforcing - OWASP Spain
Christian Martorella
 
Bsides to 2016-penetration-testing
Haydn Johnson
 
So, you wanna be a pen tester
Adrien de Beaupre
 
Penetration testing, What’s this?
Dmitry Evteev
 
CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) 1st Edition
ratishgephe76
 
Web Application Penetration Testing Introduction
gbud7
 
Btpro-Penetration Testing Service
Btpro BilgiTeknolojileri
 
Puppet Camp Berlin 2015: Nigel Kersten | Puppet Keynote
NETWAYS
 
Puppet Camp Berlin 2015: Puppet Keynote
Puppet
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
The Web Application Hackers Toolchain
jasonhaddix
 
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
Automated tests
Damian Sromek
 
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Intrusion Techniques
Festival Software Livre
 
2011 and still bruteforcing - OWASP Spain
Christian Martorella
 
Ad

More from Security BSides London (12)

PDF
Security YMCA
Security BSides London
 
PDF
Penetration testing must die
Security BSides London
 
PDF
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Security BSides London
 
PPSX
You built a security castle and forgot the bridge…now users are climbing your...
Security BSides London
 
PPT
Agnitio: its static analysis, but not as we know it
Security BSides London
 
PPTX
The Funny Thing About Information Security
Security BSides London
 
PDF
Breaking out of restricted RDP
Security BSides London
 
PDF
All your logs are belong to you!
Security BSides London
 
PDF
Practical Crypto Attacks Against Web Applications
Security BSides London
 
PDF
Jedi mind tricks for building application security programs
Security BSides London
 
PDF
Dns tunnelling its all in the name
Security BSides London
 
PDF
Cloud computing due diligence WTF?
Security BSides London
 
Security YMCA
Security BSides London
 
Penetration testing must die
Security BSides London
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Security BSides London
 
You built a security castle and forgot the bridge…now users are climbing your...
Security BSides London
 
Agnitio: its static analysis, but not as we know it
Security BSides London
 
The Funny Thing About Information Security
Security BSides London
 
Breaking out of restricted RDP
Security BSides London
 
All your logs are belong to you!
Security BSides London
 
Practical Crypto Attacks Against Web Applications
Security BSides London
 
Jedi mind tricks for building application security programs
Security BSides London
 
Dns tunnelling its all in the name
Security BSides London
 
Cloud computing due diligence WTF?
Security BSides London
 
Ad

Recently uploaded (20)

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
PDF
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
NU_I_TODALAB
 
PDF
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
PDF
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
PDF
4 layer Arch & Reference Arch of IoT.pdf
sendilkumar66
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
PDF
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
PPTX
Microsoft User Copilot Training Slide Deck
zohoron1
 
PDF
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
yatharthjutt100311
 
PDF
LMS bot: enhanced learning management systems for improved student learning e...
IAESIJAI
 
PDF
Accessing-Finance-in-Jordan-MENA 2024 2025.pdf
Mustafa Kuğu
 
PDF
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
Electrocardiogram sequences data analytics and classification using unsupervi...
IAESIJAI
 
PDF
Co-training pseudo-labeling for text classification with support vector machi...
IAESIJAI
 
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PPTX
Training Program for knowledge in solar cell and solar industry
RabindranathKaibarty
 
PDF
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
PDF
Rapid Prototyping: A lecture on prototyping techniques for interface design
Mark Billinghurst
 
PDF
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Ravi Tamada
 
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
NU_I_TODALAB
 
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
4 layer Arch & Reference Arch of IoT.pdf
sendilkumar66
 
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
Microsoft User Copilot Training Slide Deck
zohoron1
 
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
yatharthjutt100311
 
LMS bot: enhanced learning management systems for improved student learning e...
IAESIJAI
 
Accessing-Finance-in-Jordan-MENA 2024 2025.pdf
Mustafa Kuğu
 
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf
Kalilur Rahman
 
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Electrocardiogram sequences data analytics and classification using unsupervi...
IAESIJAI
 
Co-training pseudo-labeling for text classification with support vector machi...
IAESIJAI
 
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Training Program for knowledge in solar cell and solar industry
RabindranathKaibarty
 
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
Rapid Prototyping: A lecture on prototyping techniques for interface design
Mark Billinghurst
 
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Ravi Tamada
 

Breaking, Entering and Pentesting

Editor's Notes

  • #3: I'm sure many of you will have come across this before, when I heard it I interpreted it as a sign of interesting things to come.
  • #5: How many pentesters does it take to change a light bulb? It's the customer's job to change it, we just break stuff. In theory the role of the pentester is to assist the information assurance process by providing a technical assessment of actual threats. In practice.
  • #7: The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
  • #16: Said to me during unlawful detention after 'impossible' route back to customer network from Indian Offshorer identified And after we'd found all manner of hideous stuff on the network proving that while they may have a duty, it wasn't being exercised
  • #17: I made this all up, but run with me
  • #20: Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
  • #21: Wandering off-scope See also, “Hey guys, I cracked this WEP network last night” Not choosing company wisely “ But those d00dz in #defacers really know their stuff” Thinking it's someone else's job to teach you “ I didn't know that'd down the server”
  • #22: Understands an RFC
  • #24: Experience increases Realisation of inability to effect change Depression Alcoholism Drugs Divorce Etc. As they transcend Able to take TigerScheme QSTM May pass first time Should pass second time
  • #25: The system was connected to the Internet, as well as to various HMG networks This was part of a mandated annual IT Health Check Can you spot what's wrong with this picture?
  • #27: I have a lot of respect for CLAS consultants, I was one for a year. Sadly this guy wasn't one of them. Yes he talked a bit like Hyperchicken too.
  • #28: The majority of team leaders fall into this Death by PCI/DII
  • #30: Putting up with management, followed by doing it
  • #31: “ But why would you want to leave?” There are many reasons, but pentesting is a strange job and if as with anywhere else they don't feel valued or that they're achieving they'll move on. “ You'll have to go into management to grow” Not only will you lose one of your best technical resources, but you'll gain someone probably unprepared for the horrors of management interaction. “ How do you feel about writing an RMADS?” Up until this point, the Jaded Cynic may have heard of IS1 but is unlikely to fully understand the fundamentals that drive the IAMM and SPF. Policy is mostly boring for pentesters.
  • #32: We found something on a pentest. Got all excited, wanted to call it Cross-Site Squirting then marketing looked up 'squirting' on google with safesearch off. Marketing doesn't click on links any more. Which was just as well, as we found out that it was an obscure issue, but documented on the interwebs. So we wrote a tool instead to automate it
  • #33: Subversion uses webdav to handle checkins and checkouts. Without webdav you can't just rock up and check out, which sucks because sometimes even with webdav you can't checkout as someone was clever with the permissions.
  • #34: Subversion uses the .svn directory structure Beneath this is an entries file for each subdirectory The entries file lists file and directory names that exist beneath the current directory root Subversion creates a backup of each file, with the name .svn-base at the end
  • #35: Where this gets interesting is this: Most HTTP servers treat .svn-base as an unknown extension so serve it as text/plain or similar This means that if you can parse the entries files and directory structures you can download all the .svn-base files And then you have a full backup of the svn tree
  • #36: Hidden admin interface Debug=1 variable Various RFI bugs
  • #42: Assimilates new information at lightning speed Makes their own tools Does or does not – there is no try Commercially aware Balances value and coverage At least moderately socially balanced Attempts to understand customer threat landscape before testing Goes beyond attack trees Builds attack avenues Scenario based testing
  • #44: Alright, one last war story
  • #45: Went to a Call Centre Found a PC Logged onto PC Hacked Siebel using MS Access and ODBC Forgot to link tables – FAIL Access tries to download full Siebel database across WAN link
  • #46: Putting up with management, followed by doing it