An adult conversation about pentesting and hacking



This week, Omar Ganiev, founder of DeteAct and a member of the Russian hacker team LC↯BC, spoke on our social networks. Omar can safely be called one of the best hackers in the country.



LC↯BC won first place in the finals of the 0CTF international computer security tournament in Shanghai in 2016.



For more than half of his life, Omar has been hacking computer systems. For him, this is primarily a hobby and a basic life skill, which gradually became a job, and only then a basis for entrepreneurship.



In addition to the work itself, Omar is very attracted to the research side of this activity, as well as to its competitive side: hacking competitions (CTF), in which he has participated a lot, both individually and as part of various teams.



Now the More Smoked Leet Chicken team, of which Omar is a member, consists of enthusiasts working in different companies and countries, and it is the strongest CTF team in Russia and one of the strongest in the world.



As for DeteAct (officially Continuous Technologies LLC), it provides security analysis and penetration testing services. Simply put, companies ask the team to hack their systems in order to test their strength and learn how to prevent malicious attacks and business losses.



We share with you the recording and transcript of the broadcast.






Hello everyone, my name is Omar Ganiev. I am also known as beched in the hacker community. I am a hacker; I have been involved in checking the security of computer systems for many years. It became a hobby for me at school, and for the last 9 years it has been my main profession. For the last 7 years I have been working in startups in the field of information security, and I am the founder of the DeteAct company, also known as Continuous Technologies. Now we are 10 people, we are growing well and provide services in the field of practical information security. Penetration testing, security analysis, other types of security audits: we'll talk about all of this today.



Pentest, penetration testing. It is necessary to decide what it is, because even in the field of information security, among those who are involved in penetration tests and audits, there is often confusion and misunderstanding of terminology. It often turns out that different people mean different things by penetration testing; it is especially unpleasant when these people are the customer and the service provider. The main terms here are security audit, penetration test, security assessment and red team.



Security audit is the most general concept. It means any kind of security research of an object, checking its compliance with security requirements - not necessarily informational. For example, it could be fire safety.



Pentest (penetration testing) is a much more specific thing, although it can be understood in different ways. The immediate logical association is that a penetration test checks whether it is possible to penetrate a certain system, and the result should be a binary answer, yes or no: whether it was possible to penetrate or not. This is one understanding of this service: it checks whether a potential attacker can penetrate the system and achieve some goals in, say, a week or two. During this time, pentesters try to break the system, and thus its security level can be checked. This is especially true in the area of compliance. Some organizations (government bodies, international payment systems) may require companies (banks, card acquirers) to pass a penetration test in this sense. Such a penetration test should check whether it was possible, yes or no, to gain access to the payment data. If not, then everything is fine; if yes, then everything is bad.



But there is another understanding of penetration testing, which is often called "security analysis". This is breadth-first work: instead of trying to penetrate deep into resources, pentesters look for as many vulnerabilities as possible in breadth. Most often, this is the service customers actually want. They are interested not just in getting an answer (whether they were broken or not), but in finding as many holes as possible in order to close them, so that they will not be broken in the future.

Red teaming is similar in meaning to pentesting in the penetration sense, but with some peculiarities. In general, most of the holy wars are about what red teaming is. In short, it is an exercise in which the attacking team aims to inflict certain damage, to realize certain threats or business risks: for example, theft of funds, customer databases, a manager's mail (each company has its own business risks, depending on what is critical for whom). Practically no restrictions are placed on the attacking team (the only restriction is the law). Unlike regular security analysis or penetration testing, red teamers can reach business risks by any means: even entering the office and physically stealing paper with passwords, or intercepting Wi-Fi. The defending side, that is, the company being tested, is also unrestricted. Security officers, administrators, developers and devops resist this testing, try to identify attacks and prevent them. Thus, a realistic training and simulation of a real situation is obtained. Drills, one might say.



Q: out of interest: in which countries are penetration testers more in demand, and where do most of the orders for testing come from?



The widest demand for pentests is in the United States. If the second question is about Russian companies, then most of the orders come from Russia. This market is fairly isolated within each country. Everyone tends to order such services from those they know, because this is a sensitive issue; no one wants to entrust their security to someone from another country or a stranger. Moreover, almost no one in the West will order such services from Russia, due to sanctions and a bad reputation.



So, we have roughly figured out the penetration test and its varieties. I can tell briefly how projects are conducted and what the methodology is. Here it is necessary to immediately divide the mode of work into the so-called "boxes" of different colors. You can conduct a pentest in blackbox mode: testers are given almost no information about the object of research, except for the site address (or even just the name of the company). The other extreme is whitebox, when all information is given out. If it is infrastructure, then all IP addresses, the network diagram, access to the internal network (if necessary) and all hostnames (domain names) are provided. If it is software, some kind of web service, then source code, configuration, accounts with different roles and so on are provided. The most common mode is greybox; it can be anything between black and white. Some information is given, but not all. For example, for a web service, accounts with different roles can be issued, along with some basic information about the technology stack: the programming languages and databases used, the service infrastructure diagram. But the sources are not given out.



After the methodology and the mode of work have been decided, the attacking side is given input data. That is, if necessary, accesses, host addresses, etc. are issued. The attackers can give out the IP addresses from which attacks will be carried out so that the customer can distinguish them from real attackers. Next, the classic steps of penetration testing are carried out; the specific implementation and breakdown may differ, but in general, reconnaissance should be done first. Penetration testers look for points of entry into the infrastructure: hosts, network services, email addresses. If this is a web service, then they look for API endpoints: various web interfaces, various API hosts for domains, and so on. After the reconnaissance has been carried out, the scanning (fuzzing) stage begins, when the found interfaces are searched for vulnerabilities. When vulnerabilities are discovered, the next stage is exploitation: vulnerabilities are used to gain some kind of access. Further, depending on what kind of pentest it is, post-exploitation can be carried out: moving deeper into the system and obtaining additional access. After that, there may be a cleanup. The customer does not always want further exploitation to be carried out: sometimes it is enough just to find a vulnerability and report it.



To make it clearer what post-exploitation means: let's say pentesters have found a vulnerable server in the infrastructure that is accessible from the outside. For example, recently there were patches for a vulnerability in MS Exchange, Microsoft's mail server, which almost all corporations have and which is exposed to the outside. A critical vulnerability was discovered in it. This vulnerability itself has a huge effect: attackers can use it to gain access to mail. But, in addition, they can carry out post-exploitation and propagate further through the infrastructure from this mail server: seize some other servers, the Windows Active Directory domain infrastructure, get to the workstations of employees, that is, to the development infrastructure, etc.



Q: what is the minimum input required from an organization for pentesting and auditing?





The minimum input data is the name of the company; that is, there may be practically no input at all. It is clear that at the reconnaissance stage, when we look for hosts by the name of a company, or for hosts associated with a site, we can make a mistake and find some IP addresses and hosts that do not belong to this company. Therefore, after reconnaissance, the list is usually agreed with the customer, just in case, so as not to break something extraneous. It is pretty easy to make mistakes.



Q: are there real red teamers with lockpicks and sledgehammers in Russia? :D



I think that many people have such skills. To be honest, I don't know how much such projects are in demand and how often they are carried out, ones where you actually have to walk around and climb over fences with lockpicks. Probably, such projects are rarely carried out.

Q: how do you bypass Web Application Firewall or at least Windows Defender? What can you say about the Empire and Koadic frameworks, do you use them?



We bypass WAF manually, choosing the appropriate payload. The methods here are standard. The only difficulty with WAF is in a red team engagement, when the defending side prevents attacks: if we somehow burn our attack, or we are detected by some protection tool such as a WAF, then the vulnerability may get closed. Therefore, you need to act carefully and check the payload (i.e. your exploit) on some other hosts where there is no vulnerability. Thus, the WAF can be checked and bypassed, and along the way the vulnerability will not be detected by the defending party.



Q: what software is needed for attackers and for defense?



What software is needed for defense is a huge topic. It is much wider than a pentest. What software is needed for attackers is a good question, because it depends on what kind of work we are talking about. If we are talking about the analysis of software, web services, then practically no software is required. A Swiss army knife like Burp Suite is enough. The paid version costs $400 and contains almost all the necessary tools. Plus, of course, some working programming language, usually Python or Go for penetration testers. That is enough.

If we talk about infrastructure, about red teaming, the toolkit there is much wider. We need a variety of vulnerability scanners, we need tools for persistence on systems: after we have broken into a system, we need to gain a foothold in it, we need to obfuscate our payload so that it is not detected by an antivirus, and so on.



Q: what areas in the Russian Federation are most asked to test or conduct an audit?



Apparently, the question is about which industries have the greatest demand for penetration testing. Obviously, it is needed by those companies that have IT; the more developed IT is, the more of an IT company it is, the more penetration testing is needed. The demand corresponds approximately to this. For some companies, penetration testing is mandatory because they are part of critical information infrastructure: state-owned enterprises and banks. For banks, a pentest is needed at the request of the Central Bank, and also as part of obtaining PCI DSS certification for international payment systems. Other payment institutions need this certification as well. That is, payment organizations, subjects of critical information infrastructure and IT companies require penetration tests: any IT company, including startups, whose entire infrastructure is a web service with a user base. It is critical for them if they are broken.



Q: how important is an understanding of social engineering in penetration testing?



I did not mention it separately. I would say that this is one of the tools for red teaming; in addition, social engineering is often carried out separately, as a separate service, and looks like a simple mass mailing. We create a phishing site, look for the emails of company employees and send them a link to this site with some legend (for example, this is the new corporate portal, everyone needs to go in and enter their password).



Then we keep statistics: how many people viewed the letter, clicked on the link and entered the password. We show it to the customer, and he understands with whom he needs to conduct an educational program. To be honest, practically no skills are required for such testing, and the company itself can easily conduct it using open source tools when it comes to a one-time mailing. In general, there is a whole separate business, the security awareness industry: raising people's awareness in the field of information security.



There are special products that regularly send phishing emails to the user base. If a person takes the bait, then he will receive a training video or other interactive lesson that he will have to go through. Then it will be checked again, and the trend will be monitored: for example, a year ago 50% of employees fell for phishing, and now only 5%. Of course, getting rid of the phishing danger completely is almost impossible.



How important is understanding it: it is important if you are doing this kind of work, but it is easy enough. Or, if you are doing red teaming, social engineering is very effective within its framework. But at the same time, you will have to be much more accurate and precise, of course; it cannot be a mass mailing to all employees, as they will notice it and understand where you are trying to penetrate. You need to send it to individual specific people.



Q: what is the cost of the service?



Great question, because no one will really answer it for you.



It varies a lot. Usually a pentest costs as much as the customer can pay, roughly speaking. This is one of the factors. The problem is that even the amount of work will initially not be deterministic, especially if it is a blackbox. Initially, we don't even really know how many hosts and interfaces there will be. We can only roughly understand what the nature of this company is, what kind of infrastructure it may have and how many people and how much time we need, and from this it is possible to estimate labor costs in person-weeks. If we have some kind of pricing framework, we can multiply the person-weeks by our rate and give that as the price.

In fact, everything varies greatly; often, especially in large companies, the salesperson simply finds a company, secures some kind of budget, and then the work needs to be done within this budget. And here, rather, labor costs are adjusted to the price, and not vice versa.



I can also say that in the end, since we have an opaque market with incomprehensible pricing, the cost of work can differ many times over with the same quality and labor costs. You can find a pentest for 300 thousand and for 4 million rubles with the same amount of work. This is often seen even at tenders: there is a technical specification, you look at the price tags and offers, and the spread is 5-10 times. Even though the quality is unlikely to differ 5-10 times.



Since we're talking about the quality and price of the penetration test: you need to understand whether your company needs a penetration test, and if you are a pentester, you need to understand how to justify a penetration test and sell it to the company. There is no universal answer here either. In my opinion, the drivers of penetration testing are a few simple things. One of them is compliance, which I have already mentioned: when an organization is required to conduct a penetration test, and without this it will not be possible to carry out business functions, such as accepting payments with plastic cards. This is clear.



Another driver is incidents: when the company has already been broken into, suffered damage and come to its senses. In order to protect itself, it needs to conduct an investigation, conduct a penetration test so that it will not be broken into in the future, and take other measures. Everyone starts to run around and think about what to do.



The third driver is fear: let's say there have been no incidents yet, but maybe other members of the industry have had them, and the company is afraid. Another driver that can be considered together with the fear driver is new companies, for example, startups that have just started some kind of development. They thought about it and decided that it was necessary to conduct a penetration test immediately in order to fix the vulnerabilities and prevent them in the future, so that by the time the service becomes public and, possibly, popular, there are no vulnerabilities. This is the soundest approach.



Another driver that is very common among startups is the requirements of counterparties. This is a kind of compliance, when you can carry out your business functions, but your counterparties want to verify that you are monitoring your security. Therefore, if you are a small company that wants to sell, for example, to large Western companies, then you will definitely have to pass a pentest. Especially if you offer SaaS (software as a service): then a pentest report will certainly be required. This will be in their guidelines; their lawyers and security personnel simply will not allow a contractor who has not passed a penetration test.



These are the reasons why companies turn to penetration testers and we conduct tests. But with quality, in fact, it is very difficult. I have already said that in a penetration test the amount of work is not initially determined, but the result is also not deterministic. You can order a pentest for 6 million rubles and get a report consisting of the words "no vulnerabilities found." How do you check that the work has been done, and with good quality? You cannot tell. In order to verify this accurately, you would need to practically do all this work anew. You can try to monitor the logs to see if the network activity was actually coming from the pentesters, but this is all complicated. There is no simple way to check the quality of the work.

Possible measures besides tracking activity are to request detailed reports on what is being done, request artifacts, reports from scanners and other logs, for example, from the Burp tool. Initially, you can discuss the methodology: what the pentesters are going to do. It can be clear from this whether they understand what they are doing. But all this requires skills and knowledge; therefore, if the company does not have security personnel who have already interacted with pentesters and understand these services, it will not be possible to check the quality of the work.



Q: tell me where to start? What is the ideal age for deep diving into the pentest field?



Both of these questions are about career, and here you could replace "pentest" with "programming", for example. I would say that there is no ideal age, but this is the kind of mantra that everyone repeats: supposedly it's never too late. But, of course, if a person starts to study at the age of 10, then he is more likely to achieve success and will learn faster than if he starts at the age of 40; although this does not mean that starting at 40 is useless. It just takes more effort. Secondly, from a utilitarian point of view: for work in the field of pentesting, in order to become a pentester and get a job, the entry threshold is lower than for development. Because in order to start being useful in development, you need at least to be able to program and know some technologies. And in order to start doing at least something in penetration testing (although it may be an "illusion of activity"), it is enough to learn how to use a couple of tools and interpret the results. But this is a very basic entry threshold. It will take more effort to get really good at penetration testing than at development. In order to really get up to speed in hacking, you need to know development, and not just one programming language and technology stack, but several. You also need at least some (or better, good) knowledge of infrastructure, networking, Windows and Linux administration, and programming. You need deep immersion in some area, and at the same time to be able to break things. That is, the lower threshold of entry in penetration testing is lower, but becoming a senior or higher is more difficult.



In order not to get stuck on the first rung, you need to start by learning the fundamental things: programming, networks, technologies in general, how the OS and networks are arranged, how modern services are deployed, how various well-known attacks work in different programming languages, how to defend against them. There is a lot, but all of these are fundamental things that you need to know in order to advance.



Q: are Evil Twin attacks on Wi-Fi still realistic now, or do companies have authorization via a RADIUS server?



To be honest, I cannot give an expert answer without having statistics. I think it's different for everyone; there are probably many places where Evil Twin works great.



Q: do you use in your work the methods and approaches of NIST, OSSTMM, OSINT, OWASP, etc., and which would you highlight?



OSINT is not really a technique, it is just open source intelligence. OWASP is generally an organization, but this organization has methodologies for testing web applications and mobile applications, and we follow them, at least in spirit, not ticking off every checklist item, as they can be quite controversial. We follow the OSSTMM methodology; in my opinion, it is in the OSSTMM that the steps of reconnaissance, scanning, exploitation, post-exploitation and cleanup are set out. That is, the main point of this methodology is that such steps should be applied, but then it goes into much more detail.



In short, yes, but not literally. We follow the spirit of this methodology.



Q: what is asked in interviews?



It varies. It depends on which position you are going for. There is often a question pattern like this. They describe a situation to you; for example, they say: you got code execution on a Linux server from the outside, you made your way through the perimeter, broke the web server, you are inside, what actions should you take next? Or: you got to an employee's workstation, what are the next steps? Or: you found a cross-site scripting vulnerability on some page, a content security policy is implemented there with such and such parameters, how will you bypass it? There are usually questions of this kind.



Q: what is the threshold for entering bug bounty, and is it really possible to live only on it?



Bug bounty means rewards for bugs: programs in which a company gives money to people who report vulnerabilities in that company's systems. It is a kind of crowdsourced pentest, carried out not under an agreement between two companies, but through a public offer. This is for those who don't know.



In fact, bug bounty is a growing thing. There are large platforms with many programs. The entry threshold for pentesters participating in bug bounty is both low and high. Low in the sense that there are so many bug bounty programs and resources that can be broken that you can find some simple vulnerabilities; not necessarily complicated ones. But, on the other hand, you can run into some program where all the simple bugs have already been found, and spend two months digging in it without finding anything. This is very demotivating. Therefore, it often happens that people try themselves in this field and are unlucky: they run into something difficult and do not find vulnerabilities.



In general, there are many people in bug bounty who make big money without having unique and outstanding knowledge. Either they got lucky a couple of times, or they understood the bug bounty trick and learned how to find programs and resources that contain simple vulnerabilities. It also often happens that a person finds some kind of vulnerability on some resource and then realizes that it is actually very widespread, and in the same way many more companies can be broken and it can be monetized. Is it realistic to live only on bug bounty? Yes, there are even millionaires who make hundreds of thousands of dollars a year only on bug bounty. They are few; most, of course, earn quite little. But there is a large enough layer of people who earn at least tens of thousands a year. That is, not just a few or dozens of people, but hundreds.



Q: Tell us about the Metasploit versions. I heard that there are several of them, and some are paid. What is the difference?



I think you can go to the site of the paid version and read what the difference is. I haven't used Metasploit Pro for a long time, but there is a web interface, at least. This is one of the differences; I cannot say off the top of my head what other fundamental differences there are. Perhaps there are some other modules.



I thought I would tell you about the most common vulnerabilities. In fact, many companies conduct pentests throughout the year and count the number of different types of vulnerabilities to summarize the statistics for the year. I have not compiled such statistics, but if we talk about feelings and the simplest things that are found, the simplest and most effective vulnerabilities in infrastructure that bring a lot of benefit to attackers are weak password policies. Banal brute force attacks are the scourge of infrastructures. If the company employs at least 500 people, then a fairly significant part of them will not be particularly tech-savvy. At least one of them can usually have their password brute-forced. This works especially well when a password policy is implemented in the company which forces, for example, a password containing a capital letter, a small letter and a number, at least 8 characters, and changing it every three months or every month. This leads to poor results. If a person is forced to do this, then he cannot remember the password. If he does not use a password manager with random passwords, he sometimes just writes the current month with a capital letter (like "December2020"). In fact, it is very common in all typical corporate infrastructures: imagine Active Directory, hundreds of employees with Windows on their machines. You can just take the current or past month and year, go through all the accounts, and someone will break. A very powerful attack.



If we talk about web services, then the simplest attack there is bypassing authorization and accessing other clients' data. The attack consists in taking a request to a web application which returns, for example, your bank statement by account number. In the link or in the request to the site, the numeric account number is transmitted, and in response a PDF file with the statement is issued. You change your account number to someone else's account number, and you get someone else's statement.



This vulnerability is called "insecure direct object reference" (IDOR). In modern services, this is the most common vulnerability, according to my observations. More classic vulnerabilities that were prevalent in the past, such as SQL injection and cross-site scripting, are less common in services written using modern frameworks. Especially SQL injection. But logical errors do come up, because frameworks do not save you from them. The developer must think for himself about how to protect the application, how to implement the role model and delimit access to objects.



Q: you are talking about a certain gradation of holes in the system; could you give examples of simple, medium and complex vulnerabilities?



I don't remember in what context I spoke about this, to be honest. Well, I just said that simple vulnerabilities are those that are easy to find and easy to exploit. Probably these two parameters can be used to characterize the complexity of a vulnerability: the complexity of finding it and the complexity of exploiting it. It may be difficult to find - for example, some tricky logical vulnerability, to exploit which you need to understand the logic of the service and the interaction of various components - but at the same time exploitation is simple: you just need to send several requests. Or, for example, it may be difficult to find because you were given 100 MB of sources with a million lines of code - sit down and read.



Finding a vulnerability in those 100 MB can be difficult, but it can be easy to exploit. Or vice versa: it is difficult to exploit because of some restrictions, because of firewalls. But in pentest reports there is no "simple-complex" gradation; there is a gradation according to criticality. Criticality is made up of the level of risk - that is, the level of damage - and the likelihood of exploitation. Likelihood, though, is almost the same as complexity. If it took us a lot of time and the skills of a senior penetration tester to find the vulnerability, then we can estimate the likelihood of exploitation as low. We found it in three weeks of digging, while others may not find it at all. However, the damage from this vulnerability can be high. By combining such indicators, we get a "medium" level of risk.



Pentest reports have a fairly standard template. There is an introductory part which simply describes what we tested and why, and which intruder model was used - external or internal access, with an account or without one. Then there is a summary which briefly describes the result: what vulnerabilities were discovered, what the security level is - everything is bad or everything is good. Each vulnerability is described, demonstrated with screenshots, and code is given so that the company's developers understand everything. Recommendations are given as well. It also provides an assessment of the likelihood and the level of damage.



Q: how many unpatched Windows 7 machines with MS17-010 have you encountered in the corporate sector during penetration tests?



There are some. Usually not in the domain, though. Not too many.



Q: how do you know when it's time to go to an interview? How do you stand out from other candidates? (perhaps knowledge of programming languages, or an account on sites like HackTheBox)



I would bet more on an account on such sites - provided, of course, that you honestly solve the problems there. If you don't, you won't have the knowledge, and you won't pass the interview anyway.

In general, of course, there are also certifications. They do not really show anything, but they help to pass HR filters and break through.



Q: Can you provide guidance on literature and resources for laying the groundwork?



Yes, however, in a not very convenient format.



Links provided by Omar:

docs.google.com/spreadsheets/d/15w9mA5HB9uuiquIx8pavdxThwfMrH7HSv2zmagrekec/edit#gid=0


blog.deteact.com/ru

blog.orange.tw

swarm.ptsecurity.com

malicious.link/post

adsecurity.org

posts.specterops.io/archive


portswigger.net/web-security

www.hackthebox.eu

overthewire.org/wargames

ctftime.org


Web Application Hacker's Handbook

The Tangled Web


But now there is no shortage of literature - the difficulty, rather, is choosing from the mass of materials what suits you. Google "pentest courses" and you will get a lot of everything at once. HackTheBox is great; I haven't solved anything on it myself, but I have an idea of it. I think a lot of skills can be learned there.



Q: what other programming language is worth learning besides Python and Bash?



Bash really does need to be learned. By the way, there is a great site, OverTheWire Bandit, where you can practice Bash well. Beyond that, one language that you know well enough to complete the tasks is enough. Of course, there are tasks for which Python is not suitable - for example, if you need to quickly collect data from many hosts all over the Internet. But for most tasks it will do. However, the more languages you know - at least at the level of understanding the paradigm and reading the syntax - the better. During penetration tests and audits you will come across different stacks and applications written in different languages, and you need to be able to understand how they work. In addition, even if you are not engaged in auditing software sources at all and only work on infrastructure, you should still know different languages. Many tools are not written in Python. If a tool does not work well, you may have to understand it, read the code, patch it. Let's say on a Windows infrastructure it's mostly C#.



Q: what certifications are most in demand for red team, besides OSCP?



Specifically for red team? There are certifications with that name - Certified Red Team Professional, Certified Red Team Expert, Pentester Academy. But they are not in great demand; they just exist. I find it difficult to answer which ones are really in demand. Demand is measured by how many employers put them in the requirements of vacancies, and how many customers put them in tender requirements. It often happens that the contractor's employees are required to have a certification - most often OSCP or CEH, an old certification that is more theoretical than practical.



Q: do you need decompiling skills in a pentest?



To some extent, yes. Especially if you work in application security analysis. There it might come in handy. But most often with mobile applications: they may not give you the source code, but you will have the application itself, and you will decompile it and reverse-engineer it.



In general, if you ask "do you need skill X" - well, about any skill you can say that it is useful. But it is impossible to know absolutely everything. Knowing a lot is good, but you still need to understand your specialization, understand what you can do better. Even within web applications there are specializations; there are specializations by industry - for example, a person may know the vulnerabilities of payment services very well, whether at the web level or at the financial-logic level; there are people who only test payment terminals, Internet banking, card acquiring, and so on. It seems that this is all one area, but in fact these are very different things. The hardware can differ (smart cards, terminals), and so can the web, the API and the mobile applications. In short, any skill can be useful, but not required. It is imperative to have some kind of critical mass of skills and knowledge.



I can add something about cost and demand. According to my estimates, the size of the Russian penetration testing market is about RUB 1-1.5 billion. I counted this at the end of 2019. This means that this is exactly how much Russian companies spend on pentests. Of course, pentest companies can sell services abroad at least a little, so the total market size will be slightly larger. Of course, the pentest market is very fragmented; there are a lot of small companies that make little money. Customers tend to change their penetration-test providers, because rotation provides a fresh look and maximum coverage. One team, for example, misses one vulnerability while the other will notice it, but may miss another. Because of this there is no complete monopoly, where one team settles in and pentests are bought only from it. They change every year.



Q: how many hours did it take you to finish the OSCP exam?



I don't remember, a few hours. To be honest, I took it twice; the first time I solved everything during the day and wrote an 80-page report, but did not read the requirements for it. It turned out that a certain format of screenshots was needed, and my report was not accepted, so I had to retake it. The retake took 5 hours.



Q: recommend Russian-speaking bloggers in the field of pentesting



Our company has a blog, though we rarely write. Basically, you need to follow people on Twitter; most pentesters write in English, including Russian-speaking pentesters. We try to duplicate - we write both in Russian and in English. I get information from Twitter: I follow interesting people who, sooner or later, will repost everything interesting, so you don't have to follow the blogs specifically but get everything through Twitter. Or via Telegram channels. There are no Russian-speaking bloggers, it seems to me.



Q: what are the chances of a Linux/network administrator getting into pentesting?



A direct road into infrastructure penetration testing. It should be easy enough to get into if the administrator has a good understanding of networking and Linux. The only thing is that the road would be even shorter for a Windows administrator; corporate networks are usually Windows. But it's fine anyway, it's a good background.



In fact, I have a Google spreadsheet where I wrote out the set of knowledge for different specializations and levels of penetration testers: Intern, Junior, Intermediate, Senior, Web and Infrastructure. Probably the link can be inserted; it will be on Habré if there is a final post. These are my subjective requirements, but I changed them a little based on feedback from people who gave their comments and suggestions, and added something. Therefore, we can consider them more or less adequate and focus on them. Certifications are listed there, and even salary rates on the market, and directions for development.



Q: what's a graceful way to dodge the question a customer may ask during the penetration test: "Well, did you find anything?"



Why dodge the question? Answer it. If you haven't found anything yet, you haven't found it. Sooner or later you will have to answer this question in the report. Therefore, it is normal that you were asked a week after the start of work and you say that you haven't found anything.



Q: where should one look for pentester vacancies? There are very few on hh.



Yes, HeadHunter doesn't have much. Usually everyone finds each other through acquaintances, so you probably just need to communicate with people. You can post your resume; perhaps in this mode there will be more attention. You can also search for jobs on LinkedIn. And there are also Telegram channels in which vacancies are posted.



Q: what do you think about tryhackme?



I don't know it. Now there are a lot of sites; for web I would recommend solving the Portswigger Academy. Portswigger is the company behind Burp.



Q: pentesting and remote work. Is it realistic? Or, due to the specifics of the work, do they try to hire people into the office?



It's realistic. Well, now everyone works remotely, even large companies. It is clear that if you are considering a purely remote option, there can be difficulties. There is also a format where you first come to the office to work, for a month for example, and then work remotely.



Q: is there a public database or a list of typical vulnerabilities to learn from? Or a book of some kind?



Yes, for example OWASP Top 10. It is a controversial thing, but it is the top 10 vulnerabilities in web applications. There is also CWE (Common Weakness Enumeration) - an attempt to classify all vulnerabilities, dividing them into a hierarchical system. There you can see examples of specific vulnerabilities. Another catalogue is CVE; it is just a catalogue of vulnerabilities in various software. There are also real examples there; you can look and understand how exploits work.



Q: can you read a little from your requirements spreadsheet?



The voice format is, of course, strange. I can share the screen. [the screen is not shared] I think the link to the document will be on Habré. It says how much experience (in years) is needed for each level; this is, of course, subjective - rather a reference point. Skills are described, in no particular order. Salary and certifications to target. And the growth path - what to do to reach the next level. For example, a junior pentester needs about a year of experience, either work or study; if a person has not studied for at least a year - has not been involved in IT or programming - and immediately tried to get into penetration testing, then he hardly has the knowledge and skills. The main requirements at this level are general familiarity with pentest methodology, knowledge of the basics of the technologies, the ability to use Linux and write simple scripts that work with the network (parsers, for example), knowledge of regular expressions, knowledge of the HTTP protocol, and working with tools - vulnerability scanners and Burp. In general, read it; I will not list everything.



Q: what to do when almost all vacancies require at least 2 years of experience? Dig into bug bounty and HackTheBox, or try to break through to a level you don't match?



It's bullshit. They demand and demand - in fact, they will look at knowledge. You can write bug bounty and HackTheBox into "experience". If you really do not match the required level in knowledge and understanding, then you do not match. But the formal criterion of the number of years of experience is not so important, I think.





