=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
║ Some Dark Corners of Pentesting ║
=-=-=-=-=-=- s1m0n -=-=-=-=-=-=
> Intro
> Sins of the pentesters
> Finding and hiring pentesters
> Retaining pentesters
> Engaging a pentest(er| provider)
> Pentest planning
> Pentest delivery
> Missed vulnerabilities
> Credits
> References
--[ Intro
To be totally honest with you, dear reader, I wasn't sure if I wanted to
write this text at all, but at some point there was this one straw that
broke the camel's back. It's a non-technical text revolving around random
issues in pentesting that are often annoying, rarely interesting and
sometimes remain unspoken. Even though I'm mainly focusing on pentesting
and pentesters, I believe that some of the points made herein are generic
enough that they can also be applied to other infosec areas. I wrote it
without any expectations, but it would be cool if it contributed to some
changes for the better. And let's be clear about one thing: the text was
not meant to attack anyone. If you feel offended by it, then there's a
big chance that perhaps you're doing something the wrong way.
--[ Sins of the pentesters
Howdy fellow pentesters. From time to time we can be perceived by others
as a special breed with better than average computer skills. However,
talking as one tester to another now: we're not free of annoying habits
and... let's call them logic flaws.
We all know it's great to break stuff, isn't it? Similarly, ranting about
things being broken is so common and easy. Everyone can do that. However,
building/fixing/improving/... is equally hard, if not harder. Some people
say defence is sexy. No it's not. It's constant hard work, underpaid,
quite often frustrating and not appreciated enough by so many. All it
takes to be blamed and finger-pointed at is one fail, one oversight, one
weak spot. Keep that in mind next time you rant about devs' and blue
team's incompetence. Sharing is caring. If you can, then contribute
ideas, submit code and suggest solutions to problems after you've dropped
the bomb. Surely you can do better than that.
If your pentester's work is limited to running tools written by others and
reading security news, then congrats, you just earned a pro-skiddie award.
It doesn't matter if you're an experienced pentester/ethical
hacker/whitehat/cyber security professional or whatever the name in use
is today. If you're not inquisitive anymore, you've become lazy, you've
burned out, you look for excuses instead of solutions, you mainly rant
about everything and everyone, you're known nowadays only because you
know everyone else on the security bandwagon, you spend more time
drinking booze and attending conferences instead of reading and writing
code (don't get me wrong on this one though, most of us know how to party
properly;>), then know you can do much better than that. Continuously
learn and adapt or... else.
It's not uncommon to encounter pentesters who eagerly express their
opinions on basically anything security related. There's nothing wrong
with that as long as they have at least some experience on the matter
(preferably not based on factoids). Unfortunately, quite often pentesters
talk without actually knowing or checking the facts first: talking about
memory corruption when they haven't written a single ROP chain in their
life, about malware when they've never actually analysed a sample, about
one form of disclosure being better than another when they've published
no advisory, talking about source code when all they ever wrote was
Pascal decades ago, etc. Such an approach doesn't give them much
credibility, does it? The general advice is to stick to what you know or
keep quiet until you've done your homework. If unsure, (RTFM|POC)||GTFO.
Oh, and if your work is publicity driven, then it might be a good time to
re-think your approach. It's never too late.
--[ Finding and hiring pentesters
For some time now the term "skills gap in security" has been omnipresent
and people are generally getting very excited about this phenomenon. It
was already the case during my uni times circa 2004. In fact, it was the
same long before that. Sure, the problem of skills shortage was named
differently and it wasn't of the same scale as it is presently, but
unquestionably the problem was already there. Educated workers,
engineers, programmers, analysts, mathematicians, scientists and other
bright minds were always difficult to find and hire. Once found, they
could then work on/with "new technologies", and whenever we deal with new
technologies there's practically always a security factor involved. Think
for a moment of cryptography & intelligence during and after WWII,
mainframes, ALGOL/COBOL/..., financial institutions, industrial PLCs,
telcos, NASA and more. I believe this means the underlying problem is at
least 60-70 years old and only the names and technologies change. It
seems there will still be a deficit of capable people in the foreseeable
future, because nothing indicates otherwise.
Why has finding people with IT security capabilities become such a big
deal? If you consider recent years and state-sponsored attacks/groups,
high-profile hacks & data leaks, GDPR/Patriot/Cyber Privacy
Fortification/... acts, national cyber security strategies, exploit
markets, IoT, transportation and generally the way technologies are used
to gather and process information about everyone and everything, the
answer is obvious.
Getting capable people to join the team is really hard [1][2]. The
following observations are from the perspective of being recruited,
occasionally being involved in recruiting others and from numerous
discussions with friends.
If you even think about becoming a respectable and prospering company
providing security services, then take good care of your employees in the
first place. It is no one else but them who will take you there.
The important question that you should ask yourself before you even start
looking for pentesters is: who exactly are you looking for? Knowing your
own expectations regarding the position you're hiring for, you should
consider that security is a specific field comprising voodoo people [3].
Let those people know beforehand if you're looking for someone in shiny
shoes, tie and suit, or perhaps a wool picker who will run tools all day
long, or perhaps you need a security rockstar travelling from one conf to
another, etc. You can save yourself and others a lot of time/effort/money
by simply being honest and transparent.
Remember that interviews work both ways. Candidates will know if you
actually spent time reading their CV and any other information they
provided to you. It also doesn't hurt to do a quick web search about your
candidate on your own. If you show at this stage that you don't care
about them, they will more likely choose an employer that does.
During technical interviews avoid asking trivia questions. Common examples
include, but are not limited to:
* what service is listening on port A?
* how does B work / how is B implemented in tool C?
* what will parameter/argument X do?
* would you be able to write a script in Y?
* can you run a scan using Z?
If you ask questions like these, then you're doing it wrong. This is
definitely not the way to find a capable pentester. Instead you could ask
the candidate to solve a practical problem or confront him with a
hands-on challenge. Next time you can ask the candidate to review some
source code, solve a technical challenge, document her findings and walk
you through it. That would be a good start.
Please, save candidates' time and money. If possible, provide them with
toll-free numbers or call them, and don't make them wait on the line for
minutes because you had another meeting, etc. Reimbursing and/or sharing
the candidate's costs (e.g. travel tickets) is an extra mile that some
companies are willing to walk and, believe me, they benefit from it in
the long term. Remember that pentesters and voodoo people in general meet
and talk from time to time, despite general opinions about them. This
means, no more, no less, that if you're failing one candidate it's very
likely that at the same time you're failing many.
Are you asking your candidates about salary expectations? No one told you
it's millions of billions? Seriously, it's optimal to tell candidates how
much the offer is (even a range will do) before anything else. Otherwise
it's, again, only a waste of everyone's time.
Yes, do not provide candidates with updates, give them no feedback, and
you will surely not burn any bridges. Such bad experiences travel by word
of mouth and people will be less eager to apply to/via such companies.
--[ Retaining pentesters
If you hired people only to tell them what to do, then I believe any
person who knows how to turn on a computer would be able to follow your
instructions. On the other hand, if you hired smart people/talents/top
performers/A-players/..., then it's probably because they can
invent/improve/create/deliver/... amazing things. Listen to those people
then, and let them tell you what can be done and how. It would also be
wise not to kill their ideas. Even if you have to (for whatever reason),
don't do it using weak or, worse, dumb arguments.
Probably all of us are familiar with cases where pentesters are kept
artificially in their positions for way too long (think of
tenures/grads/juniors/seniors/...). If the main reason for doing so is to
keep their salaries low(er), then you should be aware they will eventually
be picked up by companies which see value in them, or they'll become
contractors, or they'll decide to start their own business, or... They
will simply fly away somewhere else as soon as they see a better
opportunity on the horizon.
If you don't want to make your pentesters feel bad, then appreciate their
work. Believe me, you're not doing that by informing your pentester that
the 4-week engagement they're just delivering is the equivalent of their
annual salary. Furthermore, stories told by executives about their
yachts, horses, golf games, new rides and the like don't build morale
within the team too well. Better keep those for your fellow execs.
Another great example of how to lose people quickly is to give them
unrealistic deadlines, force them to work after hours and on weekends,
only to tell them afterwards that you wanted to see how they behave under
stress. Nope, it's not gonna fly.
Offering your pentesters a budget so they can spend it on training and
conferences is awesome and a necessary thing. However, even better is to
give them time so they can do their own research. Through research they
learn, they can share their results at conferences, give trainings,
gather experience and also promote your company in many other ways. Allow
them that time so they can focus on what hacking is really about.
--[ Engaging a pentest(er| provider)
You want someone to check the security of your assets? Even if you have
used security services from different providers in the past, I think you
may still find a useful pointer or two in the following section about how
to find the right one.
First and foremost, remember it's a pentester who will be doing the job
for you and not the company/brand/sales/managers/ads/... Therefore, focus
on pentesters when choosing your next provider, or hire those pentesters
directly as freelancers/contractors/self-employed/... Keep also in mind
that a pentest is a technical exercise. You don't want people who can
talk about it, you want people who can actually do it.
Some providers are pure disasters. They have all the know-how about
pentesting and they will use it to sell you as many services as they can.
In practice, however, all the technical skills, spirit of hacking, ethics
and quality are long gone, along with the people who left these
companies.
I'm going to skip the part about where to look for good
pentesters/companies. If you need help with that, feel free to contact me
directly and I'll be happy to advise.
Naturally, the first thing to ask for are the testers' CVs/bios. The next
step would be to verify the information contained within by yourself.
Some good ways of verifying a pentester's capabilities would be to see if
she:
* Published security advisories.
* Has any CVE numbers for vulnerabilities found.
* Did security research.
* Wrote custom code/tools.
* Has some kind of certificate(s).
* Presented at conferences.
* Published technical content in an e-zine/book/magazine/blog/...
You should consider in the first place pentesters who have demonstrated
their capabilities in any of the above ways. However, there's also a
tricky part to it. Some pentesters can probably tick off some or even
most of those boxes but still won't be technically skilled enough to do a
good job. To find the best in the field, further verification is
required.
You should be aware that too many individuals publish, for various
reasons, advisories that are of very low impact/value/quality. If you
don't understand the contents of an advisory, then don't blindly assume
it must be good.
More and more people are interested in security nowadays. Some really
great tools are available to the masses, like
fuzzers/compilers/analysers/scanners/... Unsurprisingly, it is now much
easier to use them and find defects in code and potential vulnerabilities
in anything that electricity flows through. Quite often, however, finders
don't bother or don't know how to verify whether a given finding has
security implications or not. They announce that this is a security issue
and that's it. Just so you know, there aren't enough people (including
vendors) who have the time/willingness/resources to verify/debunk all of
those findings. Many findings ultimately end up being classified as
security vulnerabilities, with a CVE number being assigned and/or a fix
being released.
I'm pretty sure that if you can read phrack/poc||gtfo/projectzero with
understanding, then you know how to filter out crap and recognise good
security research/presentations/code/publications. If in doubt, find
someone who can do that and ask for help.
Some companies/markets have a culture of interviewing and even training
pentesters before they are allowed to participate in an engagement.
Pentesters might not necessarily like it, but it's your money in the end
and you want to make sure that you have the best people for the job. That
should be your next step on the way to choosing the right pentester(s).
If you can afford it, then hire different providers for testing different
targets/assets. After some time you'll be able to stick to those who have
proved themselves and avoid the botchers. Some obvious stuff, but good to
recall at this point:
* Competition is healthy.
* Size does matter, sometimes in a positive, sometimes in a negative way.
* The low(est) price usually means that you sacrifice time and/or quality
(there are exceptions, e.g. a freelancer vs. a company with
execs/sales/HR/PR/... that you're paying for).
* One provider will be better at testing A and another will be better at
testing B.
Try to sound out a pentester/provider through different (unofficial)
channels. Sadly, there are too many unethical people and companies in
this business. Would you choose a pentesting company for your job where
(yes, this actually happened):
* Sales asks a customer over the phone, not recognising who he is, "Who
the hell are you?"
* A Chief Officer says after finishing a call, "Cunt will wait for a week
now", only because the customer was late with things on her end?
* A business strategist admits with disarming honesty, "If I were them I
would have changed our services a long time ago"?
Sometimes customers are after someone who could test an
uncommon/peculiar/exotic/complex... target of theirs. In most cases the
only question asked is whether that someone has experience in testing
such a target. There are chances that they eventually will find someone
who tested something like that before. But be aware of one thing. There
are people and companies who will say literally anything you want to hear
only to get your money. It should be fairly easy to verify their claims
though.
There aren't too many companies in the world which can say they have
pentesters with experience in testing almost anything you'll throw at
them. There are, however, companies with capable people, real hackers,
who can dissect/adapt/learn/harness/mangle/test/improve/... your target.
It is them and their knowledge you're after, and not a company's
portfolio and its marketing bullshit. You are reading how to recognise
them in the crowd at this very moment.
Ultimately, what you get after paying for a pentest is a report. Request a
sample to avoid any unpleasant surprises [4][5]. It is good to see a
sample, but remember that the majority of reports are very similar in
terms of their structure and contents. Yes, some might be prettier than
others, but that's it. I know of one company which charges its customers
big bucks and justifies it by claiming their reporting is elite and
consistent. But what's the point if they keep missing serious stuff
during the tests? So keep calm and choose wisely.
--[ Pentest planning
From time to time people ask me how much time I think is needed to test
Q. That usually triggers a series of questions from my end to better
understand the context/expectations/target/limitations/... Scoping is a
tricky beast and without a bit of ping-pong it can hardly be done right.
Based on my experience the scoping process is non- or at best
semi-transparent to customers. Projects are occasionally under- or
over-scoped; that happens, everywhere. It is, however, unacceptable if it
happens intentionally. Some people just want to rip you off and it
doesn't matter to them what you need from a pentest. They will attempt to
sell you as many days as possible or, regardless of the target, a
constant number of days without any questions asked about the target(s)
in scope. In that case you know you've ended up with a money factory, and
you should not expect profound testing and a customised approach. If
something doesn't seem right, ask for the assessment breakdown/plan.
Pentest engagements are delivered within pre-defined time frames. In
order to avoid confusion and frustration, everyone should be on the same
page and know whether that time means effort or the overall engagement's
duration. The difference between one and the other can be substantial and
will determine whether the total engagement cost will be lower or higher.
Practically every pentest requires some sort of pre-requisites. If the
parties involved aren't able to sort that bit out before the start date,
then it can have a serious impact on the overall delivery. Skipping all
the possible scenarios in which that can happen, it is clear that it's
the customer in the end who will be mostly impacted by this. Hence, don't
wait until the last minute to sort out what needs sorting. Every hour a
pentester spends twiddling thumbs means the customer is wasting money. My
personal best was seven days on-site waiting. The customer during that
time was sorting out access issues on their end.
Only on rare occasions do people who are more security aware request
additional and very specific information from pentesters/providers. For
instance, when discussing pentest details they ask:
* What tools/techniques/procedures/scenarios will be used during the
assessment?
* Will any third party assets be involved in testing, e.g. cloud
providers/VPSs/VPNs/proxies/...?
* How will data flow, and how and where will it be stored?
* What are the risks of something going wrong during testing, and the
suggested precautions?
Way too often there are companies contacting pentest providers only to
tick off a compliance box. All they care about is to get it done quickly,
possibly cheaply, and for the report to be all roses. Those guys can be a
real pain in the arse. They will question your every finding, attempt to
modify your report to make it look better, won't tell you everything or
will be trying to bend reality, and they'll give you access only to
targets prepared especially for that occasion while everything else is
running on band-aids and sticky tape. If your consultancy skills failed
and you weren't able to show the customer there are other and better ways
to address security, then honestly, they deserve to get pwned. History
shows that many companies changed their thinking and started taking
things seriously only after such incidents. Anyway, avoid if possible,
not worth it.
Pentesting won't go away anytime soon, but at the same time it might not
be the best option to assess/implement the security of a given target
anymore. Depending on the circumstances, it might be more appropriate to
use devsecops or purple/black/red teaming for that purpose. This is where
consultancy skills come into play.
--[ Pentest delivery
Probably every pentesting company will communicate to you at some point
that it uses some kind of methodology for testing. The truth is that
pentesters rarely follow methodologies fully. That can be the case
because:
* They are not familiar with it.
* There is no time to follow it within the test's time frame.
* It is incomplete/wrong/outdated/...
* The pentester intentionally deviates from it as that seems to be in the
best interest of the customer.
Sometimes this will lead to various problems and sometimes it's even
better that the methodology wasn't followed thoroughly. It's a grey area,
I would say. After all, common sense supported by experience is what
should guide a pentester, I suppose.
The next issue affects, to some extent, all pentest providers.
Pentesters' performance is measured mainly by their utilisation. The
minimal utilisation varies from one company to another, but it starts
from around 65% and the sky is the limit. There are wool factories where
110% utilisation is the norm. To meet management/board/stakeholder
expectations in this area, pentesters are squeezed like lemons. That
means they are frequently forced to multitask. They jump from one
engagement to another without the time required to properly prepare for
the job. They handle two, three and more engagements concurrently. This
leads to a number of issues like errors/miscommunication/decrease of
quality/burnout/... That's exactly why finding the right
pentester/provider and pentest planning are so important: to avoid
situations like this.
Some people just love meetings. I wouldn't be surprised if someone has
already written a book or two on the subject. I'll keep it brief then.
Daily catch ups/mails/calls/SCRUM sessions/... make sense only if they
serve a purpose. Otherwise it's a waste of time (and money). I remember
engagements where there were three meetings per day with different people
involved but working on the same project. True, it's a rare and extreme
example, but it proves my point. The more and longer the meetings, the
less time is left for the testing itself. It's as simple as that.
Pentest finished and you've got yourself a lengthy report. Depending on
its contents (how it looks is a secondary issue) it will be either good
or not. Some indicators that the report is good include, but are not
limited to:
* It has been customised, e.g. references & recommendations were adjusted
to the technologies and configuration you use, the severity rating was
calculated including any worsening and/or mitigating factors, etc.
* Based on the finding's description you're able to understand the
problem's root cause and reproduce/verify/remediate the issue.
* It doesn't contain copypasta from the net, from tools or, worse, from
other customers' reports.
* It doesn't contain false positives.
* If not provided by you, it used a reasonable risk matrix (the one from
OWASP is a good example).
* If not specified by you, it used a reasonable risk scoring system (e.g.
CVSS/low/med/high/Bugbar/custom/...).
* It was written using correct grammar.
It is only my personal opinion that any medium and higher severity
vulnerability should come with a working proof of concept demonstrating
the problem. The POC||GTFO principle applies here more than anywhere
else. Otherwise the customer is flooded with a bunch of
maybe's/could's/if's and left with a lot of FUD.
Pentesters should be able to provide customers at any time with evidence
of the work they performed. It is, however, a good idea to ask them
beforehand if you will need anything extra, to avoid disappointments. On
the flip side, pentesters have supporting evidence in case the customer
accuses them of wrongdoing or of not doing something. Examples of such
evidence include, but are not limited to:
* The times during which testing was conducted.
* Any customer data acquired during testing.
* Logs and dumps from the tools that were used.
* PCAPs containing the generated network traffic.
* Screen captures.
--[ Missed vulnerabilities
As a pentester you can be challenged and asked why the frag you didn't
report some serious vulnerability that was out there. Obviously, the
consequences if that happens can be severe, e.g. a lost customer/trust,
reputational/brand damage, lawsuits, the target was pwned but not by you,
etc. Nevertheless, shit happens, and then what? I discussed the issue
with some fellas and we all agreed on one thing: this can occur for
various reasons and there's no one good answer. I know, shocker.
Before the engagement it should be communicated to the customer in one
way or another that missed vulnerabilities should be a calculated risk.
How to minimise such risk is a separate issue. Risk management, however,
is not my cup of tea. The clause stating that "a pentest is a snapshot in
time", or something along those lines, is not enough on its own.
You may have no opportunity to respond to a missed vuln situation
whatsoever, and then it's most likely game over at this point.
If you failed as a pentester, then of course admitting it would be the
first step. Don't play dumb and look for fault somewhere else.
Assuming that the customer wants to discuss with you what went wrong, try
to get from them as much information as possible about the vulnerability
they know about but which was overlooked during the pentest. Based on
that information you should be able to determine the root cause of the
fail, e.g.:
* The target was not in scope.
* Pentest pre-requisites were not delivered.
* Some tests/vectors were not covered by the methodology.
* The vulnerability/technique was not publicly known when testing was
done.
* The vulnerability presents itself only when specific conditions occur.
* The target was in scope but due to limitations testing didn't cover it.
* Testing tools were not configured properly.
* Pentesters are only human and make mistakes too.
Remember that pentesters/pentests are limited by
methodology/scope/time/costs/... and attackers usually aren't tied to any
of these.
During some types of assessments it is more probable to overlook vulns. I
would say that pentesting of web/native/mobile apps is less prone to such
situations, as it's a very repeatable process. If it happens there, it's
most likely due to the limitations mentioned above.
On the other hand, during pentests involving vulnerability assessment,
network testing, reverse engineering and, trickiest of them all, source
code review, pentesters are more likely to miss things. That's simply the
nature of those tests in the grand scheme of things. There are too many
random factors for pentesters to account for them all.
Explain to all interested parties what went wrong and advise what can be
done to improve things and minimise the chances of similar situations
occurring in the future. You should also describe in every detail the
methodology that was used and how it was followed, and support everything
with the evidence that you have. Not perfect, but it's still better than
"sorry, we'll try better next time".
--[ Credits
Thanks guys for all the discussions over the beers. You know who you are.
Keep doing the amazing things that you do.
--[ References
[1] http://carnal0wnage.attackresearch.com/2012/11/the-biggest-problem-in-computer-security.html
[2] http://blog.silentsignal.eu/2015/04/03/the-story-of-a-pentester-recruitment/
[3] http://www.unicri.it/special_topics/securing_cyberspace/current_activities/hackers_profiling/
[4] http://it.toolbox.com/blogs/securitymonkey/the-worlds-worst-penetration-test-report-by-scumbagpentester-58747
[5] http://ipsec.pl/penetration-testing/2014/writing-meaningful-and-professional-penetration-testing-reports.html