I’m Jayson E Street, a penetration tester,
and I’m here today to answer your questions
from the internet.
This is Pen Testing Support.
First up, John Hannon.
Hey Siri, what is penetration testing?
Penetration testing is basically a company hiring a hacker
or security professional to test their security
by breaking in via the website
or the building itself
or their internal network devices,
just any way they can to validate their security.
What’s the most underrated physical pen test tool
you use a lot?
I got a lot of them.
It’s hard to narrow it down to just one.
One of the things that you want to get
when you’re doing a physical pen test
is you wanna record as much data as you can.
I just need my glasses that have a camera installed in them
with a micro SD card to store the data.
I have the newer version of the Microsoft employee badge,
but quite frankly why mess with the good thing?
No one knows what the new employee badge looks like anyway,
so I’m still using this one
on mostly every engagement I go to.
I’m always carrying a cup of coffee or a clipboard
because that way the camera is facing the right way
when I’m recording it with my watch
and I have at least one or two video recorder pins
that I carry with me.
This is actually what the video camera looks like.
This will, if I get close enough
it will copy the employee badge
of an employee going through the door.
I can clone it and then I can resend that to the gate
or the door and it’ll let me in thinking I’m that employee.
This looks like a typical iPhone charger.
That’s a micro computer with wifi and Bluetooth
with several different payloads installed on it
that I can launch individually from my phone.
A lot of CEOs,
a lot of executives have those high-end HDMI monitors.
That’s perfect because this screen crab
plugs in HDMI from the monitor into here
then back to the computer through here
and records it onto a micro SD card
and also will wirelessly transmit it to you
so you’re seeing their whole desktop.
When I’m feeling really fancy,
I like to wear my cuff links
because this cuff link is a USB wireless adapter,
turning any desktop or any device
or any server into its own wireless access point
into its company’s network.
And then this one has the drivers
and malware that I can read and copy over
onto that drive and use it to launch the attacks with.
Stylish and also scary.
More Ocean Sun.
Can you walk me through the process of a penetration test,
including the different phases
and types of tests that may be performed?
90% of what you’re gonna be doing
on a penetration test is recon.
Reconnaissance is actually finding out
all you can about the target,
all the different variables,
checking their websites,
trying to look to see what technology they have,
looking at their location,
seeing if you can find blueprints online,
seeing if you can see pictures from social media
of what the directions of the flows
or what people are doing,
what their security looks like.
Then with the scanning
what you’re doing is usually you’re doing different kinds
of scans to see what kind of port responds,
which will give you a better way
of trying to exploit it
to see if there’s vulnerabilities in it.
Then you’re going to try to see what you can compromise
and what kind of privileges you can escalate
or how you can pivot to other parts of the network
that can give you more privilege.
And then you do the exploitation phase
where you’re actually running the code
and trying to download the data
and then you exfiltrate,
try to get all that data out,
try to show that it can be successfully taken away
from the client.
Then the worst part
of the penetration test report is the reporting
because the report writing
is the boringest and the most important part
of the whole engagement.
Can someone teach me how to rob a bank for my phone?
Yes, and no, I’m not going to.
@DudeWhoCode, What’s a hacker attire?
Everybody thinks it wants to be a hoodie.
I am way scarier when I’m dressed up in my suit.
The whole stereotype is what’s gonna get you in trouble
because when they’re not dressed like that stereotype,
you’re more likely to trust that person
or that attacker.
What documentation should you carry on site
for a physical pen test?
A get outta jail free card.
And a get outta jail free card is going to be the letter
of engagement that the client gives you.
So when someone catches you,
you show it to them and it says,
Hey, they’re supposed to be here,
call me if you’ve got problems.
I create a forged one that says,
Yes, I’m supposed to be here and do these things.
You’re supposed to help me and not report it
and here’s some phone numbers of the people to call,
but those numbers actually goes to my teammates
who will then impersonate the voice of the person
that gave me the authorization.
I can show you a video
of when I was conducting a physical pen test on a bank.
Here you can see me going in
and compromising the first machine within 15 seconds.
Then you see the manager.
I’m just here to do the USB audit,
so I need to look at your computer real quick, okay?
Actually escorting me into the data server room
to leave me unattended in their vault.
Appreciate your help.
Thank you very much.
Y’all take care.
I gave them no documentation, no validation.
All it took was a forged Microsoft employee badge
to get me all this access.
How the did that just happen?
Saraf 10 million.
If you don’t say I’m in,
are you really a hacker?
No, and you’ve gotta say it properly.
What do you think is on this USB drive
that I found on my gate?
I always assume kitty pictures,
but I’ll never know
because I never plug in devices that I find.
This isn’t an episode of Mr. Robot.
I’m not gonna go plug in stuff
that I find lying around,
but you should be worried about this.
‘Cause yes, that is a valid tactic.
I will leave USB drives in company bathrooms,
in lobby bathrooms and more importantly
when I’m on an engagement,
I have a stack of blank envelopes.
When I see someone that’s not at their desk
or in their office,
but I see their nameplate,
I write their name on the empty envelope,
I put a malicious USB drive in it,
I leave it on their desk,
99.9% success rate because who’s not going to open up
a sealed envelope in the secured area that they’re in
and not plug that into their computer?
My fellow physical pen testers,
what are some of your go-to resources for doing OSINT
to gather info about security measures your targets have?
Which do you think are underrated?
Instagram is an absolute goldmine.
OSINT means open source intelligence,
trying to gather information on companies
using open information like social media like Google.
I am not gonna argue with that.
I totally agree.
I love Instagram.
If you wanna know why security professionals drink,
go to Instagram and type in a search hashtag new badge
or hashtag new job.
You have employees showing their employee badges.
Sometimes in secure locations
they’re taking pictures that they shouldn’t take.
But I will tell you this one that’s underrated.
Going to LinkedIn,
looking at the employees in the IT and security department
and what you see is everybody’s listing their skills.
They are telling you what they were hired for,
so that means that’s what the company is working with
and there are no alerts that are gonna go off at the company
because you’re doing it.
@5m477M, Good recon skill is the most important key
to being a good penetration tester.
What are the tools you use for recon?
Main tool that I use to be honest, Google.
Google is one of the best hacking tools ever invented.
As soon as you list the company in the Google search
it’s gonna tell you who the CEO is,
what their subsidiaries are,
what are their similar companies.
They give you all their social media profiles nicely listed,
shows you the geographical location
of their main headquarters building.
It also might show you how many employees they have,
gives you the direct link to their website,
and then when you start adding different keywords
like problem with your target
or target vulnerabilities or target harassment,
which is called Google Dorking,
you get way more information
than probably the company even wants you to have about them.
And then going to LinkedIn and finding their employees,
finding their job postings,
which list the different technologies that they have.
Employers will actually post nice events that they’ve had
with their employees
and the employees are wearing their company badges
so you can copy that.
I robbed a telecom company in another country once,
and by rob I mean simulating
what an actual criminal will do.
The CEO of the company
had gone to a conference three months before
and I went to that conference page,
found a speaker that was in the same business as him,
and then I assumed that guy’s identity
and I sent an email to the CEO saying,
Hey, like we discussed three months ago at this conference,
we would like you to be on the board of directors
for our new initiative that we’re having.
Here’s the link to our website.
Within 12 hours, the CEO clicked the link.
He was the one who hired me to do the spear phishing attack
and he still got caught.
A fiery debate in cybersecurity is red team
versus blue team, which is better?
For those who don’t know,
red team usually means the offensive security,
the people testing the security, the penetration testers.
Blue team is the defensive team working
for the company to protect their company and their assets.
As a person who does a lot of red teaming
I will tell you this,
the red team only exists to make the blue team better.
So the blue team is the ones doing the hard work.
They’re the ones trying to build the defenses
to keep criminals out.
Red teams are there just to help them do their job better.
From Be Healthy by Natu.
How do I know if my home wifi is being hacked?
You go to the web interface for your router
and then there’s going to be a field
where it says devices connected.
If it’s got a name that you’ve never seen before
or too many devices,
you know something’s up.
Do you get hacked just by clicking the link somebody sent?
Not only that,
but there have been certain vulnerabilities
in office products
where just having the reading pane open
would attack your machine.
Just receiving an SMS message
or iMessage on an Apple phone would compromise your machine.
So yes, it is just that simple.
Web it legal question.
Is it legal to try and hack a website
as part of penetration testing without the owner knowing?
The main difference between criminal activity
and hacking is permission.
If you’ve been hired by the client to do certain things,
in that scope of work
it has to say that the website owner
or the hosting has given permission to also test that asset.
@MikeMac29, What do hackers actually do with your data?
They bundle it up and they sell it in bulk.
Your data’s not worth that much by itself
and what they can do with that information
is not just open up lines of credit,
they can try to go get passports,
they can try to get identities,
they can try to create
and assume your identity,
and then sell these to criminals.
Why is email still such an easy target for hackers?
My hot take,
because companies are too busy investing in technology
instead of investing in their employees.
If they invested more time
and money in educating their employees
on what kind of attacks are going on
and how they’re part of the security team from day one,
you would have a lot less successful phishing attacks.
Phishing attacks are becoming more and more prevalent.
82% of attacks are started with the phishing email.
Over $30 billion has been lost
because of these kind of phishing attacks.
What do movies frequently get wrong about hacking?
Because of the very essence of what hacking is, it’s boring.
When you talk about straight up computer network hacking,
it’s a bunch of command prompts
and it’s just looking at a screen as it does letters
and executing commands and then downloading a file.
That’s not exciting.
The reason why Hackers, which was a great movie,
War Games, which was a great movie,
they visualized how the breaches were happening.
They visualized how the hacks were going
because no one wants just to see a bunch of lines
and a bunch of code screaming around on a screen.
What does a firewall do?
Have you ever been to a club that’s very exclusive
and they’re like, Nah, you can’t come in?
That’s a firewall.
A firewall inspects packets going into the network
and it dictates.
It’s based on a certain set of rules
that have been set by the client to allow packets in or not,
and only in certain use cases.
That was all the questions.
I’m hoping you learned something, and until next time.