Saturday, June 15, 2013

Welcome to the Club: Advice to First-Time Pentesters

This is the first post in a series offering advice to InfoSec newcomers. Not being the most colorful crayon in the box, I'll just call it "Welcome to the Club", and will tag all posts in the series accordingly.

[Image: giant pit mine in the Siberian tundra. Caption: Hop in. I'll be right behind you.]

Occasionally, folks starting out in InfoSec will ask me for advice. I try to give it without sending them screaming toward a different, less-punishing career, like working in a Siberian diamond mine.

An acquaintance recently contacted me via LinkedIn to ask for advice on his first paid pentest gig, and this is what I told him.

As you progress from pentest to pentest, your skill and ability to find flaws, use tools, etc. will increase, so I'm not going to give you any technical advice at this point. On the first gig, it is more important to ensure there will be a second gig than to try to cover every technical avenue possible. It would also be ideal for your first gig to be the client's first pentest; then, as your skills increase, their ability to implement your findings (in theory) and their security posture should increase as well.

The best way to have a good first pentest is to focus on good communication with the client. This skill is important for consultants of any kind, but even more so in any situation where there is the potential to cause harm in the course of doing the job they are paying you for. Relationship building is also important. Don't think about any gig as just one job. Think of it as the potential start of a relationship in which you establish yourself as their go-to for any security work.

[Image: burning building. Caption: Yeah, could you stop scanning? It isn't going well for us.]

Come up with a good plan, share it with the customer, and stick to it. If something changes, e.g. you find issues going deeper than you expected and you need to change the plan, notify them before going down any "rabbit holes". Make them aware that pentesting - even just scanning - is a potentially disruptive activity, but that you'll do your best to minimize the risks to their network. Make sure they know how to contact you, and that you can stop scanning/pentest activities relatively quickly if there are any issues.

Manage the client's expectations well, and they should be happy. Happy clients spread your services via word-of-mouth and rehire you. Positive word-of-mouth and recurring gigs build a solid business. Never stop learning and trying new things on pentests, and the technical side will improve as you gather experience.

There is also a ton of advice posted by the "Pentest Lessons" Twitter account.

Tuesday, May 7, 2013

OpUSA and HTP5: Winners and Losers

We were warned.

MAN were we warned.

On May 7th, some serious shit was going down.

*** Part 1: The Losers ***

The warnings started going out weeks ago. Banks and other financial institutions on the Anonymous "hit list" were warned ahead of time. Some took services offline as a preventative measure. As it turns out, these self-inflicted "lockdowns" appeared to be the only damage done. I've seen no reports of any of the organizations on the target list being affected by #OpUSA.

It started out with some dire warnings, a hit list and a lot of talk. Tweets like this were a common sight:

#OpUSA Hackers plan "Day to Remember" with May 7 attacks on banks, government agencies

Thousands of sites hacked, defaced and down during #OpUSA. Here's an update list.

The only thing likely to be remembered about this day, though, is how the boasts were quickly overshadowed by sarcasm and jeers:

At this point I doubt #OpUSA could shut down their own computers. Using the power button.

#OpUSA hits an online bakery, but banks and the FBI are safe

Their own attempts to brag were more entertaining than some of the jokes going around. They hacked an unused Kansas pawn shop website. Someone spitting in the local Taco Bell's sour cream would be more newsworthy.

Patriot Pawn & Gun of USA Fucked by AnonGhost for #OpUSA

The hackers also have a site set up to act as a running tally of their accomplishments. By midday, the list looked pretty impressive. That is, until you started digging into the details.
  • For an attack on the US, they reported hitting quite a few non-US websites, and much of the breached data was international.
  • The 100k breached accounts appeared to be from a 2009 breach
  • The ~12k breached accounts appeared to be from a 2005 breach
  • All breached credit cards were long expired
  • Many websites were misrepresented. One that appeared to be a Dallas criminal attorney's office was actually an abandoned WordPress blog with a few criminal law-related posts.
  • Another didn't even pass as believable, and I couldn't find any evidence it existed before a few days ago. I suspect they might even be registering domains and setting up sites just to make it look like they were hacked.
  • Little to no notable websites appear to have been affected
  • An XSS vuln found in the "Municipal Chambers of Brasil" website. As part of #OpUSA? Really?

Why so lame? I see three possibilities: these "hackers" really are that incapable, their activities were only meant to cause fear and an overreaction (which worked, to a small extent), or this whole thing was an intentional diversion from something more devious going on. I doubt the latter, but I'm no threat intel expert. I just know what I've seen.

Jaeson Schultz of Cisco touches on another possibility: that #OpUSA is a sting of sorts, set up to help law enforcement catch members of Anonymous. It would be interesting to test the claim that the tools linked for this operation are backdoored.