Hacker and expert security consultant Jayson E. Street joins WIRED to answer your penetration test questions from Twitter. What does penetration testing entail? What are some of the most underrated physical tools used for pen tests? How can I tell if my home wifi network is compromised?
Transcript
00:00 I'm Jayson E. Street, a penetration tester,
00:02 and I'm here today to answer your questions
00:04 from the internet.
00:05 This is Pen Testing Support.
00:06 (upbeat music)
00:09 First up, John Hannon.
00:12 "Hey Siri, what is penetration testing?"
00:15 Penetration testing is basically a company hiring a hacker
00:18 or security professional to test their security
00:20 by breaking in via the website or the building itself
00:25 or their internal network devices,
00:27 just any way they can to validate their security.
00:29 @VulcasAU, "What's the most underrated
00:32 "physical pen test tool you use a lot?"
00:34 I got a lot of them.
00:35 It's hard to narrow it down to just one.
00:37 One of the things that you wanna get
00:39 when you're doing a physical pen test
00:40 is you wanna record as much data as you can.
00:43 I just need my glasses that has a camera installed in it
00:47 with a micro SD card to store the data.
00:49 I have the newer version of the Microsoft employee badge,
00:52 but quite frankly, why mess with the good thing?
00:54 No one knows what the new employee badge looks like anyway,
00:57 so I'm still using this one
00:59 on mostly every engagement I go to.
01:01 I'm always carrying a cup of coffee or a clipboard
01:04 because that way the camera is facing the right way
01:06 when I'm recording it with my watch,
01:08 and I have at least one or two video recorder pins
01:12 that I carry with me.
01:13 This is actually what the video camera looks like.
01:15 This will, if I get close enough,
01:17 it will copy the employee badge
01:19 of an employee going through the door.
01:20 I can clone it, and then I can resend that
01:23 to the gate or the door,
01:24 and it'll let me in thinking I'm that employee.
01:27 This looks like a typical iPhone charger.
01:29 That's a microcomputer with wifi and Bluetooth
01:32 with several different payloads installed on it
01:34 that I can launch individually from my phone.
01:37 A lot of CEOs, a lot of executives
01:38 have those high-end HDMI monitors.
01:41 That's perfect because this screen crab
01:43 plugs in HDMI from the monitor into here,
01:46 then back to the computer through here,
01:47 and records it onto a micro SD card,
01:50 and also will wirelessly transmit it to you
01:52 so you're seeing their whole desktop.
01:54 When I'm feeling really fancy,
01:55 I like to wear my cufflinks
01:57 because this cufflink is a USB wireless adapter,
02:00 turning any desktop or any device or any server
02:04 into its own wireless access point
02:05 into this company's network.
02:07 And then this one has the drivers and malware
02:10 that I can read and copy over onto that drive
02:14 and use it to launch the attacks with.
02:15 Stylish and also scary.
02:17 More ocean sun.
02:18 Can you walk me through the process of a penetration test,
02:21 including the different phases and types of tests
02:23 that may be performed?
02:24 90% of what you're gonna be doing
02:26 on a penetration test is recon.
02:27 Reconnaissance is actually finding out
02:29 all you can about the target,
02:31 all the different variables,
02:32 checking their websites,
02:34 trying to look to see what technology they have,
02:36 looking at their location,
02:37 seeing if you can find blueprints online,
02:39 seeing if you can see pictures from social media
02:41 of what the direction of the flows
02:43 or what people are doing,
02:44 what their security looks like.
02:45 Then with the scanning,
02:46 what you're doing is usually doing different kinds of scans
02:49 to see what kind of port responds,
02:51 which will give you a better way of trying to exploit it,
02:54 to see if there's vulnerabilities in it.
02:55 Then you're going to try to see what you can compromise
02:58 and what kind of privileges you can escalate
03:00 or how you can pivot to other parts of the network
03:03 that can give you more privilege.
03:04 And then you do the exploitation phase
03:06 where you're actually running the code
03:08 and trying to download the data.
03:09 And then you exfiltrate,
03:11 try to get all that data out,
03:12 try to show that it can be successfully taken away
03:14 from the client.
03:15 Then the worst part of the penetration test report
03:18 is the reporting,
03:19 because the report writing is the boringest
03:22 and the most important part of the whole engagement.
03:24 @BellaPadaAnna,
03:27 can someone teach me how to rob a bank from my phone?
03:29 Yes, and no, I'm not going to.
03:32 @DudeWhoCode, what's a hacker attire?
03:34 Everybody thinks it wants to be a hoodie.
03:36 I am way scarier when I'm dressed up in my suit.
03:38 The whole stereotypes are what's going to get you in trouble
03:41 because when they're not dressed like that stereotype,
03:43 you're more likely to trust that person or that attacker.
03:46 @AcornBack, what documentation should you carry on site
03:49 for a physical pen test?
03:51 A get out of jail free card.
03:52 And a get out of jail free card
03:54 is going to be the letter of engagement
03:56 that the client gives you.
03:57 So when someone catches you, you show it to them
04:00 and it says, hey, they're supposed to be here,
04:03 call me if you've got problems.
04:05 I create a forged one that says,
04:07 yes, I'm supposed to be here and do these things.
04:10 You're supposed to help me and not report it.
04:12 And here's some phone numbers of the people to call,
04:14 but those numbers actually go to my teammates
04:17 who will then impersonate the voice of the person
04:20 that gave me the authorization.
04:21 I can show you a video of when I was conducting
04:24 a physical pen test on a bank.
04:26 Here you can see me going in and compromising
04:29 the first machine within 15 seconds.
04:31 Awesome.
04:31 Then you see the manager.
04:33 I'm just here to do the USB audit.
04:35 So I need to look at your computer real quick, okay?
04:37 Actually escorting me into the data server
04:39 to leave me unattended into their vault.
04:42 Appreciate your help.
04:43 Thank you very much.
04:43 Y'all take care.
04:44 I gave them no documentation, no validation.
04:48 All it took was a forged Microsoft employee badge
04:51 to get me all this access.
04:53 - How the, did that just happen?
04:54 - Seraf 10 million.
04:56 If you don't say I'm in, are you really a hacker?
04:58 No.
04:59 And you've got to say it properly.
05:01 I'm in.
05:02 @ToothandClawTV, what do you think is on this USB drive
05:06 that I found on my gate?
05:07 I always assume kiddie pictures, but I'll never know
05:10 because I never plug in devices that I find.
05:12 This isn't an episode of Mr. Robot.
05:14 I'm not gonna go plug in stuff that I find lying around,
05:17 but you should be worried about this
05:18 'cause yes, that is a valid tactic.
05:20 I will leave USB drives in company bathrooms,
05:23 in lobby bathrooms, and more importantly,
05:25 when I'm on an engagement,
05:27 I have a stack of blank envelopes.
05:29 When I see someone that's not at their desk
05:31 or in their office, but I see their name plate,
05:33 I write their name on the empty envelope.
05:35 I put a malicious USB drive in it.
05:37 I leave it on their desk, 99.9% success rate
05:41 because who's not going to open up a sealed envelope
05:43 in the secured area that they're in
05:45 and not plug that into their computer?
05:47 @hidenseek, my fellow physical pen testers,
05:50 what are some of your go-to resources for doing OSINT
05:52 to gather info about security measures
05:54 your targets have in place?
05:56 Which do you think are underrated?
05:57 I'll start, Instagram is an absolute gold mine.
06:00 OSINT means open source intelligence,
06:03 trying to gather information on companies
06:05 using open information like social media, like Google.
06:09 I am not gonna argue with that.
06:11 I totally agree.
06:12 I love Instagram.
06:13 If you wanna know why security professionals drink,
06:15 go to Instagram and type in a search, #newbadge
06:20 or #newjob, it's depressing.
06:22 You have employees showing their employee badges.
06:24 Sometimes in secured locations,
06:26 they're taking pictures that they shouldn't take.
06:28 But I will tell you this one that's underrated.
06:30 Going to LinkedIn, looking at the employees
06:33 in the IT and security department,
06:34 and what you see is everybody's listing their skills.
06:38 They are telling you what they were hired for.
06:41 So that means that's what the company is working with.
06:43 And there's no alerts that's gonna go off on the company
06:46 that you're doing it.
06:47 @5M477, good recon skills,
06:50 the most important key to being a good penetration tester.
06:53 Agreed.
06:54 What are the tools you use for recon?
06:55 Main tool that I use, to be honest, Google.
06:59 Google is one of the best hacking tools ever invented.
07:01 As soon as you list the company in the Google search,
07:04 it's gonna tell you who the CEO is,
07:06 what their subsidiaries are,
07:08 what are their similar companies.
07:09 They give you all their social media profiles,
07:11 nicely listed, shows you the geographical location
07:14 of their main headquarters building.
07:15 Also might show you how many employees they have,
07:17 gives you the direct link to their website.
07:19 And then when you start adding different keywords
07:21 like problem with your target,
07:23 or target vulnerabilities, or target harassment,
07:27 which is called Google dorking,
07:28 you get way more information
07:31 than probably the company even wants you to have about them.
07:33 And then going to LinkedIn and finding their employees,
07:36 finding their job postings,
07:37 which list the different technologies that they have.
07:39 Employers will actually post nice events
07:42 that they've had with their employees,
07:43 and the employees are wearing their company badges.
07:45 So you can copy that.
07:46 I robbed a telecom company in another country once.
07:50 And by rob, I mean simulating
07:52 what an actual criminal will do.
07:53 The CEO of the company had gone to a conference
07:57 three months before, and I went to that conference page,
08:00 found a speaker that was in the same business as him,
08:02 and then I assumed that guy's identity.
08:04 And I sent an email to the CEO saying,
08:07 "Hey, like we discussed three months ago at this conference,
08:10 "we would like you to be on the board of directors
08:11 "for our new initiative that we're having.
08:13 "Here's the link to our website."
08:15 Within 12 hours, the CEO clicked the link.
08:17 He was the one who hired me to do the spear phishing attack,
08:19 and he still got caught.
08:21 @Gossi84, a fiery debate in cybersecurity
08:24 is Red Team versus Blue Team.
08:26 Which is better?
08:27 For those who don't know,
08:28 Red Team usually means the offensive security,
08:30 the people testing the security, the penetration testers.
08:33 Blue Team is the defensive team,
08:35 working for the company to protect their company
08:37 and their assets.
08:38 As a person who does a lot of Red Teaming,
08:40 I will tell you this,
08:41 the Red Team only exists to make the Blue Team better.
08:44 So the Blue Team is the ones doing the hard work.
08:47 They're the ones trying to build the defenses
08:49 to keep criminals out.
08:50 Red Teams are there just to help them do their job better.
08:52 From BeHealthyByNatu,
08:54 how do I know if my home Wi-Fi is being hacked?
08:57 Very simple.
08:58 You go to the web interface for your router,
09:00 and then there's going to be a field
09:02 where it says devices connected.
09:04 If it's got a name that you've never seen before
09:06 or too many devices, you know something's up.
09:09 @Zephx2, do you get hacked
09:12 just by clicking the link somebody sent?
09:14 Yes.
09:15 Not only that,
09:17 but there have been certain vulnerabilities
09:19 in office products where just having the reading pane open
09:22 would attack your machine.
09:24 Just receiving an SMS message or iMessage on an Apple phone
09:29 would compromise your machine.
09:30 So yes, it is just that simple.
09:33 @joshsavage, web IT legal question.
09:36 Is it legal to try and hack a website
09:38 as part of penetration testing without the owner knowing?
09:41 No.
09:42 The main difference between criminal activity
09:44 and hacking is permission.
09:45 If you may have been hired by the client
09:47 to do certain things, in that scope of work,
09:49 it has to say that the website owner
09:53 or the hosting has given permission to also test that asset.
09:56 @mikemac29, what do hackers actually do with your data?
10:00 They bundle it up and they sell it in bulk.
10:03 Your data is not worth that much by itself.
10:05 And what they can do with that information
10:07 is not just open up lines of credit.
10:10 They can try to go get passports.
10:11 They can try to get identities.
10:13 They can try to create and assume your identity
10:15 and then sell these to criminals.
10:17 @rzcyber, phishing attacks.
10:20 Why is email still such an easy target for hackers?
10:23 My hot take, because companies are too busy
10:25 investing in technology
10:26 instead of investing in their employees.
10:28 If they invested more time and money
10:30 in educating their employees
10:32 on what kind of attacks are going on
10:33 and how they're part of the security team from day one,
10:36 you would have a lot less successful phishing attacks.
10:39 Phishing attacks are becoming more and more prevalent.
10:41 82% of attacks are started with a phishing email.
10:45 Over $30 billion has been lost
10:48 because of these kinds of phishing attacks.
10:50 @classicbreon, what do movies frequently
10:53 get wrong about hacking?
10:54 Because of the very essence of what hacking is, it's boring.
10:59 When you talk about straight up computer network hacking,
11:02 it's a bunch of command prompts.
11:04 And it's just looking at a screen as it does letters
11:07 and executing commands and then downloading a file.
11:10 That's not exciting.
11:11 The reason why "Hackers," which was a great movie,
11:13 "War Games," which was a great movie,
11:15 they visualized how the breaches were happening.
11:18 They visualized how the hacks were going
11:20 because no one wants just to see a bunch of lines
11:22 and a bunch of code streaming around on a screen.
11:25 @curbiliu, what does a firewall do?
11:27 You ever been to a club that's been very exclusive
11:30 and they're like, "No, you can't come in."
11:31 That's a firewall.
11:32 A firewall inspects packets going into the network
11:35 and it dictates, it's based on a certain set of rules
11:39 that have been set by the client to allow packets in or not
11:42 and only in certain use cases.
11:45 That was all the questions.
11:46 I'm hoping you learned something and until next time.
11:49 (upbeat music)