3. Presentation Overview
• What is a “pen test”?
• Why do companies “pen test”?
• Who does “pen testing”?
• What skills are required?
‒ Non Technical Skillset
‒ Basic Technical Skillset
‒ Offensive and Defensive Knowledge
• What are some Common Tools?
• Pen Testing as a Career
• Attack Demo: SQL Inject World
• Questions
4. What is Penetration Testing?
Our Definition:
“The process of evaluating systems,
applications, and protocols with the intent
of identifying vulnerabilities from the
perspective of an unprivileged or
anonymous user to determine the real
world impact…”
“…legally and under contract”
6. What are the Technical Objectives?
• Client specific objectives first
• Identify and verify all entry points
• Identify critical escalation points
• Gain unauthorized access to:
‒ Application functionality
‒ Critical systems
‒ Sensitive data
7. Assessment VS. Penetration
• Vulnerability Assessment and
Penetration Testing Answer:
‒ What are my system layer vulnerabilities?
‒ Where are my system layer vulnerabilities?
‒ How wide spread are my system layer
vulnerabilities?
‒ Can I identify attacks?
‒ How do I fix my vulnerabilities?
8. Assessment VS. Penetration
• Penetration Testing Answers:
‒ What are my high impact network layer issues?
‒ What are my high impact application layer
issues?
‒ Can an attacker gain unauthorized access to:
• critical infrastructure that provides
privileged access or cause service disruptions
• critical application functionality that the
business depends on
• sensitive data that the business would be
required to report on if a breach occurs
‒ Can an attacker bypass our IPS / WAF?
‒ Can an attacker pivot from environment A to
environment B?
9. Common Penetration Test Approach
• Kickoff: Scope, cost, testing windows, risks etc
• Information Gathering
• Vulnerability Enumeration
• Penetration
• Escalation
• Evidence Gathering (Pilfering)
• Clean up
• Report Creation
• Report Delivery and Review
• Remediation
11. Rules of Engagement
• Have fun, but…Hack Responsibly!
• Written permission
• Stay in scope
• No DoS
• Don’t change major state
• Restore state
• Clear communication
12. What Skills are Needed?
• Non Technical
• Basic Technical
• Offensive
• Defensive
• Common Tools
13. Non Technical Skillset
• Written and Verbal Communications
• Emails/phone calls
• Report development
• Small and large group presentations
• Professionalism
• Respecting others, setting, and
meeting expectations
• Troubleshooting Mindset
• Never give up, never surrender
• Where there is a will, there is a way
• Ethics
• Don’t do bad things
• Pros (career) vs. Cons (jail)
• Hack responsibly
14. Basic Technical Skillset
• Windows Desktop Administration
• Windows Domain Administration
• Linux and Unix Administration
• Network Infrastructure Administration
• Application Development
• Scripting (Ruby, Python, PHP, Bash, PS, Batch)
• Managed languages (.Net, Java, Davlik)
• Unmanaged languages (C, C++)
15. Offensive and Defensive Knowledge
• System enumeration and service
fingerprinting
• Linux system exploitation and escalation
• Windows system exploitation and escalation
• Network system exploitation and escalation
• Protocol exploitation
• Web application exploitation (OWASP)
• Reverse engineering client-server
applications + AV Evasion
• Social engineering techniques (onsite,
phone, email)
16. Common Tools
There are hundreds of “hacker” tools.
Generally, you need to have enough
knowledge to know what tool or tool(s) is
right for the task at hand….
…and if one doesn’t exist, then create it.
18. Common Tools
• Knowledge > Tools
• Understand the core technologies
• Understand the core offensive techniques
• Understand the core defensive techniques
• Network Penetration Testing
• BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS,
NEXPOSE, WCE, MIMIKATZ, AirCrack-ng,
METASPLOIT… and NATIVE TOOLS!
• Application Penetration Testing
• BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQL
Ninja, and BEEF…. and commercial tools
19. Pen Testing as a Career: Common Paths
• Internal Paths
• Help Desk
• IT Support
• IT Admin
• Security Analyst
• Senior Security Analyst
• Internal Consultant
• CISO
• Security Consulting Paths
• Internship
• Consultant
• Senior Consultant
• Principle Consultant
• Team Lead
• Director
Security consultants
often end up in
malware research or
exploit
development, but
some go corporate.
Internal employees
often stay internal.
20. Pen Testing as a Career: How to Start
• Read and learn! – There is no “end”
• Tap into the community!
• Research and Development
• Contribute to open source projects
• Present research at conferences
• Training and Certifications
• Community: DC612, OWASP, Conferences, etc
• Professional ($): SANS, OffSec, CISSP, etc
• Volunteer
• Internships