Penetration Testing Q&A with Jason E Street

Jun 15, 2024

Introduction

  • Presenter: Jason E Street, a penetration tester.
  • Event: Answering internet questions about penetration testing (pen testing).

What is Penetration Testing?

  • Penetration testing involves a company hiring a hacker or security professional to test their security by breaking into their systems (websites, buildings, internal network devices) to validate security measures.

Underrated Physical Pen Test Tools

  • Glasses with Camera: Fitted with a microSD card for recording.
  • Microsoft Employee Badge Clone: Effective even with old versions, because people don't notice the details.
  • Cup of Coffee/Clipboard: Props that make recording discreetly with a watch camera look natural.
  • Video Recorder Pens: Carries one or two for covert recording.
  • iPhone Charger Clone: A microcomputer with Wi-Fi and Bluetooth, loaded with payloads that can be launched from a phone.
  • Screen Crab: Connects via HDMI to record and wirelessly transmit the content displayed on high-end HDMI monitors.
  • Cufflinks USB Wireless Adapter: Turns devices into wireless access points with drivers and malware for launching attacks.

Process of a Penetration Test

  1. Reconnaissance: Collecting as much information as possible about the target (social media, blueprints, pictures, technology used).
  2. Scanning: Performing scans to detect open ports and vulnerabilities.
  3. Compromise and Escalation: Gaining access and escalating privileges or pivoting to other parts of the network.
  4. Exploitation: Running code and attempting to download data.
  5. Exfiltration: Transferring the gathered data out of the target’s network.
  6. Reporting: Documenting findings and results, a crucial yet tedious part of the process.

Miscellaneous Questions

  • Robbing a Bank from a Phone: Technically possible but illegal and unethical.
  • Hacker Attire: Stereotypes (e.g., hoodies) can be misleading. Professional attire (suits) can be more effective for deception.
  • Documentation for Physical Pen Test: A “Get Out of Jail Free” card (letter of engagement) and a forged emergency contact list.

Social Engineering Techniques

  • Using forged identity badges or documentation to gain unauthorized access.
  • Planting malicious USB drives in strategic locations (desks, bathrooms) to exploit human curiosity.

Open Source Intelligence (OSINT)

  • Instagram: Employees posting about new badges or secure areas.
  • LinkedIn: Employees listing their skills and job roles help to understand the company’s security landscape.

Tools for Reconnaissance

  • Google: Provides comprehensive details about a company.
  • Google Dorking: Using specific search terms to find vulnerable information.
  • LinkedIn: Insights into employee roles and technologies used by the target company.

Red Team vs Blue Team

  • Red Team: Offensive security professionals (pen testers) who test and expose vulnerabilities.
  • Blue Team: Defensive security professionals who protect the company.
  • Red teams make blue teams better by identifying security gaps.

Home Wi-Fi Security

  • Check your router's web interface (the connected-devices or DHCP lease list) for devices you don't recognize; an unknown entry is a sign of unauthorized access.
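The router check above can be turned into a repeatable script. The following is an added example, not code from the Q&A: it parses a constructed DHCP lease table in the dnsmasq lease-file format (expiry, MAC, IP, hostname, client-id) and flags any MAC address that is not on a known-device list. The lease lines and the device list are constructed sample data, and the LAN range is an assumed value.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in dnsmasq lease-file format:
#   <expiry epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1718400000 aa:bb:cc:00:00:01 192.168.1.10 laptop-ann 01:aa:bb:cc:00:00:01
1718400100 aa:bb:cc:00:00:02 192.168.1.11 phone-ann *
1718400200 de:ad:be:ef:00:07 192.168.1.42 * *
1718400300 AA:BB:CC:00:00:03 192.168.1.12 printer *
"""

# Constructed inventory of devices the owner expects to see on the LAN.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "Ann's laptop",
    "aa:bb:cc:00:00:02": "Ann's phone",
    "aa:bb:cc:00:00:03": "Printer",
}

# Assumed home LAN range; adjust to the router's actual subnet.
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; MACs are normalised to lowercase so case differences
    between the router's output and the inventory do not cause false alarms."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than crash
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def find_unknown(leases: list[Lease], known: dict[str, str]) -> list[Lease]:
    """Return leases whose MAC is not in the known-device inventory, plus any
    lease whose IP falls outside the expected LAN range (a misconfigured or
    rogue DHCP server would show up this way)."""
    flagged = []
    for lease in leases:
        if lease.mac not in known or ipaddress.ip_address(lease.ip) not in LAN:
            flagged.append(lease)
    return flagged


def report(text: str, known: dict[str, str]) -> list[str]:
    """Human-readable lines for each unknown device."""
    return [
        f"UNKNOWN device {l.mac} at {l.ip} (hostname: {l.hostname})"
        for l in find_unknown(parse_leases(text), known)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LEASES, KNOWN_DEVICES):
        print(line)
```

Two caveats apply when using this on a real router: modern phones randomise their Wi-Fi MAC per network, so a known device can appear as a new address after a reset, and a MAC allowlist is an inventory aid, not authentication, because an attacker can set any MAC they like. The point of the check is to prompt a closer look, after which the router's admin password and Wi-Fi passphrase are the controls that actually matter.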

Risks of Clicking Links

  • Simply clicking a malicious link can be enough to get hacked. Vulnerabilities in email clients or messaging apps can be exploited even without any user action.

Legal Aspects

  • Pen testing without owner permission is illegal. Permission is what distinguishes ethical hacking from criminal activity.

Data Misuse by Hackers

  • Stolen data is often bundled and sold. Misuse includes opening lines of credit, obtaining passports, and assuming identities.

Email as a Target for Phishing

  • Companies often underinvest in employee training, making them susceptible to phishing attacks.

Common Misconceptions from Movies

  • Hacking in movies is dramatized and visualized to be engaging, unlike the real, mundane nature of actual hacking activities.

Firewall Analogy

  • A firewall is like a bouncer at an exclusive club, deciding which packets (data) can enter based on set rules.
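To make the bouncer analogy concrete, here is an added example (not from the Q&A) of the decision logic a simple packet filter applies: rules are checked in order, the first matching rule wins, and a packet that matches nothing is dropped by the default policy. The rule set and packets are constructed sample data; real firewalls such as nftables or iptables use the same first-match, default-deny model but with many more match fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str]             # None matches any protocol
    src: ipaddress.IPv4Network       # source range the rule applies to
    dport: Optional[int]             # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set. Order matters: the deny for 10.0.0.0/8 sits first so
# that hosts in that range are refused even though a later rule allows 443
# from anywhere.
RULES = [
    Rule("deny",  None,  ipaddress.ip_network("10.0.0.0/8"),     None),
    Rule("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"),      443),
    Rule("allow", "tcp", ipaddress.ip_network("192.168.1.0/24"), 22),
]


def decide(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; nothing matched means the default policy.
    A default of 'deny' is what makes the list an allowlist rather than a
    blocklist."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.168.1.10", "tcp", 443),  # public HTTPS client
        Packet("203.0.113.5", "192.168.1.10", "tcp", 22),   # public SSH attempt
        Packet("192.168.1.20", "192.168.1.10", "tcp", 22),  # LAN SSH
        Packet("10.1.2.3", "192.168.1.10", "tcp", 443),     # denied range, even on 443
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {decide(RULES, p)}")
```

The ordering point is the one worth remembering: swapping the first two rules would let 10.1.2.3 reach port 443, because the broad allow would match before the narrow deny. When reviewing a real rule set, read it top to bottom the way the packet filter does.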

Key Takeaway: Penetration testing is an intricate field that combines technical skills with social engineering and requires thorough reconnaissance, exploiting vulnerabilities, and detailed reporting. Ethical considerations and legal permissions are paramount.