
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Pentesting 101: Hacking Legally with Warren Houghton

31 January 2025, 1 hour 1 min

In my conversation with Warren Houghton, I gained a thorough understanding of penetration testing from both a strategic and technical standpoint. We started with the scoping process, which sets the stage for any successful test. I learned that having a clear agreement about what systems, applications, and IP addresses can be targeted is not just a legal safeguard; it also helps avoid accidentally bringing down critical services. Warren highlighted how testers confirm authorization by collecting signed documents, which eliminates any risk of unauthorized hacking activities.

Once the paperwork is settled, Warren described how he begins reconnaissance by using Nmap to scan for open ports and fingerprint the services running behind them. This step reveals the “attack surface,” giving a tester an overview of what might be vulnerable. He then uses the Metasploit Framework to match those discovered services with known exploits, adjusting configurations and payloads to see if a target can be compromised. Warren stressed that even a single exposed service or overlooked legacy system can provide a foothold for further attacks. Proper network segmentation becomes critical at this point because once an attacker gains any level of access, it is surprisingly easy to move laterally if different internal networks are not correctly isolated.

We also explored how web application assessments often involve Burp Suite, which intercepts traffic between the browser and the web server. Warren demonstrated how simple it is to bypass client-side JavaScript restrictions by modifying HTTP requests directly. This technique can reveal missing server-side checks, insecure file uploads, or subpar password handling. Warren also talked about finding an exposed .git directory that leaked source code and hardcoded credentials, opening the door to extensive compromise. He shared a few anecdotes about real-world breaches that began with these seemingly minor oversights, including one where a misconfigured IoT device acted as a springboard into a corporate network.

Our discussion then shifted to containerized environments, especially those running Docker. Warren pointed out that containers, when configured with strict isolation, can limit an attacker’s reach. However, he also noted that developers sometimes map the Docker socket into a container for convenience, effectively granting root-level access to the host if exploited. This tension between convenience and security reappeared throughout the conversation, reminding me that human error is often the weakest link in the chain.
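A check for the Docker-socket convenience described above, as an added example (not code from the podcast or Pen Test Partners). It reads the JSON that `docker inspect` emits for running containers (`docker inspect $(docker ps -q) > containers.json`) and reports any container that has the host's Docker socket bind-mounted, runs privileged, or shares the host PID or network namespace, since each of those gives code in the container a route to root on the host. The three container records are constructed for the example and mirror the field names `docker inspect` uses.

```python
"""Audit `docker inspect` output for containers with host-level reach (added example).
Real input:  docker inspect $(docker ps -q) > containers.json
The records below are constructed for this example and use the same field names
docker inspect emits (Name, Mounts, HostConfig.Binds/Privileged/PidMode/NetworkMode)."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample: a CI runner with the socket mounted, a plain web container,
# and an "agent" that is privileged and shares host namespaces.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                       "Privileged": False, "PidMode": "", "NetworkMode": "bridge"},
    },
    {
        "Name": "/web",
        "Mounts": [{"Type": "volume", "Source": "webdata",
                    "Destination": "/data", "RW": True}],
        "HostConfig": {"Binds": None, "Privileged": False,
                       "PidMode": "", "NetworkMode": "bridge"},
    },
    {
        "Name": "/agent",
        "Mounts": [],
        "HostConfig": {"Binds": [], "Privileged": True,
                       "PidMode": "host", "NetworkMode": "host"},
    },
])


def audit_containers(inspect_json):
    """Return {container name: [finding, ...]} for every container whose
    configuration lets a compromise inside it reach the host."""
    results = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        findings = []
        # The socket can arrive via Mounts (normalised view) or HostConfig.Binds (raw -v flag).
        socket_mounted = any(m.get("Source") == DOCKER_SOCKET for m in c.get("Mounts") or [])
        socket_bound = any(b.split(":")[0] == DOCKER_SOCKET for b in hc.get("Binds") or [])
        if socket_mounted or socket_bound:
            findings.append("docker socket mounted: container can start privileged containers on the host")
        if hc.get("Privileged"):
            findings.append("privileged: true")
        if hc.get("PidMode") == "host":
            findings.append("pid namespace shared with host")
        if hc.get("NetworkMode") == "host":
            findings.append("network namespace shared with host")
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for container, issues in audit_containers(SAMPLE_INSPECT).items():
        print(container)
        for issue in issues:
            print("  -", issue)
```

The socket is checked in both `Mounts` and `HostConfig.Binds` because the two views are populated differently depending on how the container was started; `Binds` is `null` rather than an empty list when no `-v` flags were given, which the `or []` guards handle.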

As we wrapped up, I asked Warren about his favorite success stories and the times he encountered unexpected barriers. He recalled instances where small configuration tweaks stopped his attacks cold, underscoring how even basic security best practices can go a long way. On the flip side, he mentioned multiple tests where organizations missed routine patching or left default credentials in place, giving him unfettered access in minutes. Ultimately, our talk reinforced the idea that continuous learning, robust patch management, and persistent monitoring are essential. Even advanced tools like Kali Linux rely on the user’s knowledge, creativity, and ongoing vigilance to keep pace with evolving threats. I left the conversation with a renewed appreciation for how methodical, yet inventive, penetration testing can be in strengthening security at every level.

Transcript

[00:00] Viktor Petersson
Welcome back to another episode of Nerding Out with Viktor.
[00:03] Viktor Petersson
Today I am going to do an episode about pen testing, which is something I wanted to do for quite some time.
[00:09] Viktor Petersson
So when I had Ken Munro on the show a few weeks ago, he introduced me to Warren Houghton, who will be with me today and do some pen testing exercises, or speak about pen testing exercises at least.
[00:23] Viktor Petersson
So welcome to the show, Warren.
[00:25] Warren Houghton
Hey, how you doing mate?
[00:27] Viktor Petersson
Good.
[00:28] Viktor Petersson
So it's probably gonna make its way into a two-part episode, I think, because in the pre-recording conversations, I think we have enough to do two episodes.
[00:38] Warren Houghton
Yeah, I do some other stuff that might make it into another episode.
[00:44] Viktor Petersson
Exactly.
[00:44] Viktor Petersson
And we had some backlinks to Iceman, who was on the previous episode as well, which relates to that regards to.
[00:50] Warren Houghton
All the listeners and you.
[00:52] Viktor Petersson
Amazing.
[00:54] Viktor Petersson
So what we're going to do today is basically walk through a theoretical exercise about how a pen test is structured.
[01:05] Viktor Petersson
We actually.
[01:06] Viktor Petersson
Well, this past week the company you work for, Pen Test Partners, did a pen test for Screenly.
[01:13] Viktor Petersson
So we literally did exercise ourselves a few weeks ago with you guys.
[01:18] Viktor Petersson
And so let's start there.
[01:21] Viktor Petersson
Okay, so the scenario that I want to use today in this episode is: you are asked to do a pen test, and in most engagements you are given kind of a hit list of what you are allowed to do, with some parameters.
[01:36] Viktor Petersson
Like you're allowed to do this, but you're not allowed to touch that, and so on.
[01:40] Viktor Petersson
Right.
[01:41] Viktor Petersson
So let's start there.
[01:43] Viktor Petersson
Like usually given either a domain name or IP address to hit or.
[01:48] Viktor Petersson
And then you basically start from there.
[01:50] Viktor Petersson
Right?
[01:50] Warren Houghton
Yeah.
[01:51] Warren Houghton
So in terms of pen testing, it's like you're hacking something legally or you're allowed to hack it.
[01:57] Warren Houghton
So the first thing I want to do, the pen tester is make sure I'm hacking the right thing.
[02:01] Viktor Petersson
Right.
[02:02] Warren Houghton
Like make.
[02:03] Warren Houghton
Confirm that.
[02:04] Warren Houghton
Yeah.
[02:04] Warren Houghton
Like you say, the domain name is in scope.
[02:08] Warren Houghton
Make sure.
[02:09] Warren Houghton
Right.
[02:09] Warren Houghton
If there's some big bad pace that they really don't need touch, make sure you don't go to that.
[02:14] Warren Houghton
It's all within the confines of the.
[02:17] Viktor Petersson
Right, so.
[02:17] Viktor Petersson
So the very first thing you do is actually get your paperwork in order.
[02:21] Warren Houghton
Yeah.
[02:21] Warren Houghton
Make sure you don't end up in jail is the first one.
[02:25] Warren Houghton
Really.
[02:26] Warren Houghton
Yes.
[02:27] Warren Houghton
So yeah, that'd be the first thing.
[02:29] Warren Houghton
And then yeah, once day one hits, you just start firing your laser.
[02:35] Warren Houghton
Just see what sticks and see what there is.
[02:38] Warren Houghton
So it depends on what you're testing really.
[02:42] Warren Houghton
So what am I testing?
[02:45] Viktor Petersson
So let's assume you're like it's some kind of SaaS company.
[02:50] Viktor Petersson
I would imagine it's your bread and butter normally for pen testing, right.
[02:53] Viktor Petersson
So you would have some kind of web app.
[02:55] Viktor Petersson
I would imagine that you're testing.
[02:57] Viktor Petersson
So let's assume you're given a range of IP addresses and you have some course body domain names.
[03:03] Viktor Petersson
And let's fire lasers.
[03:06] Viktor Petersson
What's the first thing you do when you have these IP addresses?
[03:09] Warren Houghton
If it's a web app, I want to load the web app.
[03:11] Warren Houghton
And one of the main tools I like to use is Burp Suite.
[03:15] Warren Houghton
And what Burp Suite does is proxy.
[03:18] Warren Houghton
So whenever you go to a website in the back end and the Burp Suite acts as sort of a middleman.
[03:28] Warren Houghton
So between your browser and the website in.
[03:32] Warren Houghton
And Burp Suite will sit in the middle.
[03:34] Warren Houghton
And what Burp Suite will let you do is screw around with the traffic as it's going through and start firing lasers, bypassing any controls that the browser.
[03:46] Warren Houghton
So for example, certain things like if you're setting a password and you go, right, I want to set my password.
[03:52] Warren Houghton
I want to use the word password, stupid person.
[03:57] Warren Houghton
Then your web app might stop you be like, no, no, that's not allowed.
[04:01] Warren Houghton
That's a.
[04:02] Warren Houghton
That's a bad password.
[04:03] Warren Houghton
I'm going to stop.
[04:04] Viktor Petersson
Right?
[04:04] Warren Houghton
But the server might allow it.
[04:06] Warren Houghton
And what's like clients rather than server side.
[04:10] Warren Houghton
So right through Burp Suite instead of your browser, you'll bypass.
[04:15] Viktor Petersson
So you bypass all the JavaScript kind of validation.
[04:18] Warren Houghton
You can bypass a little.
[04:19] Warren Houghton
An awful lot of checks that are, well, all checks that are clients.
[04:23] Viktor Petersson
Right.
[04:23] Warren Houghton
If you do it through Burp Suite, it's just a little bit more.
[04:31] Viktor Petersson
Right.
[04:32] Viktor Petersson
So you start with Burp Suite and then you, you basically poke.
[04:37] Viktor Petersson
You basically log in, you record the sessions and then you see what's going on behind the scenes.
[04:40] Viktor Petersson
Really?
[04:41] Warren Houghton
That's it.
[04:42] Warren Houghton
Yeah.
[04:42] Warren Houghton
I think the first thing I'd like to do is understand before I start breaking it, understand what it's doing.
[04:48] Viktor Petersson
Right.
[04:49] Warren Houghton
It's working, right.
[04:50] Warren Houghton
Understand that website as well as I could like understand what technology is being used, understand what parameters being used, understand what cookies are being set for certain sessions, right?
[05:00] Warren Houghton
How they're being and all that.
[05:03] Warren Houghton
And then I'll start going, testing very certain things that maybe feel.
[05:10] Viktor Petersson
So it's your Spidey senses when you look through those sessions, you're like, my Spidey sense says it's something in this area that feels funky.
[05:17] Warren Houghton
Yeah, that's it.
[05:19] Warren Houghton
Some tools like start highlighting stuff and go, right, you need to look here.
[05:22] Warren Houghton
And Burp Suite does do that, and sometimes years in the industry go.
[05:27] Warren Houghton
I should probably look here.
[05:28] Warren Houghton
This looks a bit snippy.
[05:29] Warren Houghton
You know.
[05:30] Viktor Petersson
And you mentioned password recovery in password setting is one of the first usual suspects.
[05:35] Warren Houghton
Exactly.
[05:35] Warren Houghton
You want to make sure like when the client gives you a website, you want to make sure that if there's a client session, the people can make accounts grocery.
[05:46] Warren Houghton
Then those cl.
[05:49] Warren Houghton
Those sort of accounts can be secured effectively.
[05:53] Warren Houghton
It's one of the things we do.
[05:54] Warren Houghton
Make sure you're allowed passwords at that significant level.
[05:59] Warren Houghton
You're not limited to like 8 characters long.
[06:01] Warren Houghton
I've seen that on websites.
[06:03] Warren Houghton
Like anything over eight characters.
[06:06] Viktor Petersson
Yeah.
[06:07] Viktor Petersson
That's your password.
[06:08] Warren Houghton
What's.
[06:08] Warren Houghton
What's this?
[06:09] Viktor Petersson
Oh man.
[06:09] Viktor Petersson
That's one of my pet peeves.
[06:10] Viktor Petersson
Like when.
[06:11] Viktor Petersson
When they do that or they prevent people pasting in a password.
[06:14] Warren Houghton
Oh, it's so infuriating because.
[06:16] Warren Houghton
Yeah, pasting and password.
[06:17] Warren Houghton
I want to use a key manager.
[06:18] Warren Houghton
I'm not typing that stuff.
[06:20] Warren Houghton
I don't want to know it.
[06:21] Viktor Petersson
Right, exactly.
[06:23] Warren Houghton
Yeah.
[06:23] Warren Houghton
It defeats the point.
[06:24] Warren Houghton
So that.
[06:25] Warren Houghton
That would be stuff we would raise for like account management.
[06:28] Warren Houghton
And then there.
[06:28] Viktor Petersson
Please tell us all the UK banks.
[06:30] Warren Houghton
Oh God.
[06:31] Warren Houghton
Banks.
[06:32] Warren Houghton
Banks.
[06:32] Warren Houghton
Banks are getting better.
[06:33] Warren Houghton
It's taken the pen testing community a long time.
[06:37] Warren Houghton
Generally.
[06:38] Warren Houghton
Yeah, they.
[06:39] Warren Houghton
They are getting some.
[06:42] Warren Houghton
So I'm just gonna leave.
[06:43] Warren Houghton
So I'm just gonna leave it at that.
[06:46] Warren Houghton
But yeah, then we want to test like.
[06:49] Warren Houghton
Like session management, for example.
[06:51] Warren Houghton
Like if I for example upload a file and I.
[06:55] Warren Houghton
I have like a little cache of files and blood out on my YouTube for whatever reason.
[06:59] Warren Houghton
I don't even theoretically can I upload a file or make a change or do something that affect your account.
[07:09] Warren Houghton
Right.
[07:10] Warren Houghton
Like when you do like a post request and it goes blah, blah, blah.
[07:14] Warren Houghton
User value 2.
[07:16] Warren Houghton
Can I go user value 3.
[07:18] Viktor Petersson
And it work, you know, so breaking.
[07:20] Viktor Petersson
Breaking the confinement and secure barrier for that count.
[07:23] Warren Houghton
It's like horizontal.
[07:25] Warren Houghton
Yeah, horizontal.
[07:28] Viktor Petersson
That's great.
[07:30] Warren Houghton
It's a like session.
[07:32] Viktor Petersson
Yeah.
[07:36] Warren Houghton
That's.
[07:36] Warren Houghton
Well, that's websites and you generally look at.
[07:39] Warren Houghton
Websites are a bit of a.
[07:41] Warren Houghton
There's lots.
[07:42] Warren Houghton
There's lots.
[07:43] Warren Houghton
It's generally quite.
[07:45] Warren Houghton
Not dark in a bad way, but like dark because you don't see a lot.
[07:53] Warren Houghton
Yeah.
[07:53] Viktor Petersson
And like imagine this was like.
[07:56] Viktor Petersson
I know a large portion of the Internet runs on WordPress, right.
[08:00] Viktor Petersson
So yes, running.
[08:03] Viktor Petersson
Finding out what version of WordPress that's running is probably a key finding.
[08:07] Viktor Petersson
Right?
[08:08] Warren Houghton
Absolutely.
[08:08] Warren Houghton
If you're running an old version of WordPress or some plugins that haven't been updated.
[08:17] Warren Houghton
Running a dodgy site then.
[08:20] Warren Houghton
Yeah, absolutely.
[08:22] Warren Houghton
I mean WordPress can't remember it to the WordPress logon on a website by doing WP logon I'm like, cool, right?
[08:34] Warren Houghton
You probably shouldn't have that exposed.
[08:37] Warren Houghton
Like why does any Tom, Dick and Harry need access to that log?
[08:42] Warren Houghton
And that would be something that we would also find and usually at the bottom of that page it will also like you say what version it is.
[08:50] Warren Houghton
Well now I'm going to Google the how out and see if.
[08:56] Viktor Petersson
Right.
[08:58] Warren Houghton
Hopefully it's not a live web app.
[09:00] Warren Houghton
We always try to clients not have us testing live because if it goes down that's a live website which can impact.
[09:11] Warren Houghton
But then hopefully they've got a ua.
[09:18] Viktor Petersson
Right.
[09:19] Viktor Petersson
And I mean with the rise of.
[09:22] Viktor Petersson
I mean I'm thinking Cloudflare in particular because I think they probably did more to the web application firewall space than anybody prior to that.
[09:31] Viktor Petersson
Right.
[09:31] Viktor Petersson
So their WAF is actually pretty good, particularly for WordPress.
[09:35] Viktor Petersson
Right?
[09:35] Warren Houghton
Yeah, it's not bad.
[09:38] Warren Houghton
Not everything like WAF won't stop everything.
[09:42] Warren Houghton
There was always going to be something like anything like antivirus.
[09:46] Warren Houghton
You can always bypass antivirus.
[09:48] Warren Houghton
It just takes longer and longer.
[09:51] Warren Houghton
But having a.
[09:52] Warren Houghton
Having a web application firewall is looted and like it will if you start bombarding stuff with endless amount of traffic because you're trying to test password 1, 2 password.
[10:05] Warren Houghton
Yeah like usually find that or like if you send the malicious payload to go like script alert one script it would go probably a bad guy.
[10:15] Warren Houghton
You shouldn't come out and it'll stop that the barrier before it gets.
[10:20] Viktor Petersson
Okay, so pro tip then: make sure you have Cloudflare or the likes of Improv your WordPress site.
[10:27] Warren Houghton
That's it.
[10:27] Warren Houghton
Vendor agnostic here.
[10:28] Warren Houghton
Yeah, just have something protecting like.
[10:32] Warren Houghton
Yeah, it's like you wouldn't just not have a door at your house.
[10:36] Warren Houghton
Right.
[10:36] Warren Houghton
Like it's like well if you can have it and it.
[10:42] Warren Houghton
You might.
[10:45] Warren Houghton
You won't see it.
[10:46] Warren Houghton
But yeah, that's good.
[10:48] Viktor Petersson
Yeah.
[10:48] Warren Houghton
Don't see it.
[10:50] Viktor Petersson
Right.
[10:51] Viktor Petersson
Yeah.
[10:52] Viktor Petersson
All right, so you poked it now you ran through Burp Suite.
[10:58] Viktor Petersson
You.
[10:59] Viktor Petersson
You saw some interesting stuff, started poking at the password reset your spider senses as you browse through the website.
[11:04] Viktor Petersson
That's kind of like your main thing there.
[11:06] Warren Houghton
Like what else?
[11:07] Viktor Petersson
Like the password reset is an obvious one.
[11:09] Viktor Petersson
What else is like an upload said.
[11:12] Warren Houghton
That's it.
[11:12] Warren Houghton
If you depends on what you can do on the website.
[11:15] Warren Houghton
It all depends on what the website.
[11:18] Warren Houghton
Like if you go to a website.
[11:19] Warren Houghton
It's just one page.
[11:21] Warren Houghton
Well, there's nothing to.
[11:23] Viktor Petersson
Right.
[11:23] Warren Houghton
But if there's like some crazy file upload or some like rendering software in the background that like renders everything you upload, then, oh, happy days, let's go.
[11:32] Warren Houghton
Because you can start uploading stuff and see what happens.
[11:36] Warren Houghton
Like if there's any AV checks on anything you upload should be like.
[11:44] Viktor Petersson
Well, it depends on this.
[11:45] Viktor Petersson
Depends on the scenario to some extent.
[11:47] Warren Houghton
Right, it does.
[11:48] Warren Houghton
So like if it was a bank and you actually upload an invoice, whatever you wanted to upload, be checked by some person working the bank, go, yeah, this is legitimate.
[11:59] Warren Houghton
Or like a picture of your passport or something.
[12:01] Viktor Petersson
Yeah.
[12:04] Warren Houghton
Who's to say I can't just embed a virus into that?
[12:07] Warren Houghton
And sure, it would be loaded within the bank's domain by somebody.
[12:13] Viktor Petersson
Right.
[12:13] Warren Houghton
We can all imagine how that can go badly.
[12:16] Viktor Petersson
Yeah.
[12:17] Warren Houghton
In the right you.
[12:18] Warren Houghton
There are a lot of dots and maybes there.
[12:20] Warren Houghton
Like that attack quite hard.
[12:22] Warren Houghton
But you get the picture, right?
[12:23] Warren Houghton
Yes.
[12:24] Warren Houghton
So it's.
[12:26] Warren Houghton
Yeah, it's all about what the functionality is.
[12:28] Warren Houghton
If you can upload a file.
[12:30] Warren Houghton
Can I upload a bad.
[12:32] Warren Houghton
The thing I always say with everything, if it could go wrong, how bad could.
[12:40] Viktor Petersson
Right.
[12:40] Warren Houghton
If I can upload, what's the worst file I could upload?
[12:45] Warren Houghton
So how about we stop that?
[12:47] Viktor Petersson
Yeah.
[12:48] Viktor Petersson
And I mean, that opens a Pandora's box of attacks vectors in general.
[12:53] Viktor Petersson
Right.
[12:53] Viktor Petersson
Because then you have both rootkits, you have like various types of.
[12:59] Viktor Petersson
Well, it kind of hits.
[13:01] Viktor Petersson
Wow.
[13:03] Viktor Petersson
I guess we should also cover how you could get executables onto the actual server that's running this.
[13:09] Warren Houghton
That's it.
[13:10] Warren Houghton
So, yeah, if you can upload a file, for example, and then you can browse to that file.
[13:14] Viktor Petersson
Right, Right.
[13:15] Warren Houghton
Okay.
[13:16] Warren Houghton
You've uploaded test1.
[13:18] Warren Houghton
And then you can go website domain slash, test1.
[13:21] Warren Houghton
You'll load.
[13:22] Warren Houghton
What happens if I upload test1 HTML and bad HTML in it?
[13:27] Warren Houghton
Will it render that?
[13:28] Warren Houghton
Will it render that on the server?
[13:29] Warren Houghton
Can I just upload a shell and start typing in commands on the server that it will render on the server?
[13:36] Warren Houghton
Then you've got a terminal on the server and that's.
[13:40] Warren Houghton
It's not.
[13:40] Warren Houghton
That's not ideal, is it?
[13:42] Viktor Petersson
Let's, let's go.
[13:43] Viktor Petersson
Let's go down that path further.
[13:45] Viktor Petersson
Right.
[13:45] Viktor Petersson
Because that's an interesting attack vector.
[13:47] Viktor Petersson
Like once you can actually start executing commands on the server.
[13:50] Warren Houghton
That's scary.
[13:51] Warren Houghton
I mean, that's.
[13:52] Warren Houghton
That's when the fun really starts.
[13:54] Warren Houghton
Right.
[13:54] Warren Houghton
You're like you know what?
[13:55] Warren Houghton
I can start.
[13:56] Warren Houghton
Screw your web app.
[13:57] Warren Houghton
I don't want to test that.
[13:58] Warren Houghton
Now I've got access.
[14:00] Warren Houghton
Yeah.
[14:00] Warren Houghton
I want to pop a shell, start, get cloned.
[14:03] Warren Houghton
I don't know, do everything.
[14:04] Warren Houghton
Metasploiting the hell out of it.
[14:06] Warren Houghton
And then.
[14:07] Warren Houghton
Yeah, like, that's when it really goes bad.
[14:10] Warren Houghton
Imagine if somebody just connected to your.
[14:14] Warren Houghton
Like, we'll retract that.
[14:16] Warren Houghton
When you, when you make a website, you've given it permissions, blah, blah.
[14:20] Warren Houghton
Maybe you've connected it to your domain internally.
[14:22] Warren Houghton
I don't know.
[14:23] Warren Houghton
You maybe.
[14:24] Warren Houghton
Who knows?
[14:24] Warren Houghton
We don't know, but people do.
[14:26] Warren Houghton
And if I can get a shell on that, I've got a domain box on your network.
[14:32] Warren Houghton
Yeah.
[14:32] Warren Houghton
I've got a domain machine and I can start running commands in your network when I shouldn't be allowed.
[14:39] Warren Houghton
Yeah, yeah, go very bad.
[14:43] Warren Houghton
Very, very quickly.
[14:44] Viktor Petersson
And this is.
[14:45] Viktor Petersson
I mean, I'm gonna go on a tangent here a bit, but this is why I've had a passion for IoT security for a long time, in particular with my DJ bot.
[14:53] Viktor Petersson
Screenly, like, IoT devices are deemed kind of insecure, like, because they don't really need to be secure.
[15:01] Viktor Petersson
But what a lot of people fail to understand is if I can pop that IoT device, I can use that to move laterally on the network.
[15:08] Viktor Petersson
Just like if you pop a shell on that server.
[15:11] Viktor Petersson
Right.
[15:11] Warren Houghton
Yeah, I mean, we hear about, like, IoT stuff and that's why it says, like, put it in a DMZ VLAN, like segregate it all.
[15:22] Warren Houghton
Yeah.
[15:23] Warren Houghton
Like, if it could get popped.
[15:25] Warren Houghton
Let's not.
[15:25] Warren Houghton
Let's not make it the worst.
[15:26] Warren Houghton
I mean, we heard about years ago, the casino in.
[15:29] Viktor Petersson
Yeah, the aquarium one.
[15:31] Warren Houghton
Yeah, that was awesome.
[15:34] Viktor Petersson
Yeah, that's a recap.
[15:35] Viktor Petersson
That story.
[15:35] Viktor Petersson
Somebody.
[15:36] Viktor Petersson
That was a Bluetooth Explorer, I think.
[15:39] Warren Houghton
Yeah, it was.
[15:39] Warren Houghton
Somebody basically hacked.
[15:41] Warren Houghton
It was like a smart fish tank.
[15:42] Viktor Petersson
Yeah.
[15:43] Warren Houghton
And somebody hacked the fish tank.
[15:45] Warren Houghton
But then it was like.
[15:46] Warren Houghton
If I remember correctly, it's been a year.
[15:48] Warren Houghton
It was connected to the corp of.
[15:50] Warren Houghton
For some reason, because people like to monitor their fish tanks.
[15:55] Warren Houghton
Don't know why.
[15:55] Warren Houghton
Why would you.
[15:56] Warren Houghton
So by hacking the.
[15:58] Warren Houghton
The IoT device or the fish tank, you had Core pack and then.
[16:03] Warren Houghton
Well, that was it.
[16:04] Warren Houghton
The casino was hacked.
[16:05] Warren Houghton
It was done.
[16:05] Warren Houghton
Yeah, I mean, yeah, it was just.
[16:09] Warren Houghton
That was a.
[16:10] Warren Houghton
That was many years.
[16:12] Warren Houghton
Yeah, but it was.
[16:14] Warren Houghton
There's, There's.
[16:14] Warren Houghton
It all depends on what you see on a web app.
[16:18] Warren Houghton
I mean, I've seen.
[16:19] Warren Houghton
I've seen a web app once where you could send an email, basically.
[16:22] Warren Houghton
When you like almost like a confirmation email a few years ago and it was all like, I make an account or I've uploaded and it was like a confirmation email.
[16:32] Warren Houghton
Like, good.
[16:33] Warren Houghton
We see that all the time.
[16:34] Warren Houghton
The issue is the confirmation email was generated on client that I had control on.
[16:41] Viktor Petersson
Oh.
[16:42] Warren Houghton
And it was like just almost sent to the server that was MP.
[16:46] Viktor Petersson
Shelling after like mail, right?
[16:47] Warren Houghton
Yeah.
[16:48] Warren Houghton
So I was like, well, what happens if I change that?
[16:50] Warren Houghton
And I'll just send an email and just whatever and I'll just type.
[16:54] Warren Houghton
I was like, oh, it worked.
[16:55] Warren Houghton
And I just got my own email from them.
[16:57] Warren Houghton
I was like, well, that's a great phishing.
[17:01] Viktor Petersson
Right.
[17:02] Warren Houghton
I can just send emails as them and go, oh, your account has been locked.
[17:05] Warren Houghton
You need to click this link to unlock it.
[17:07] Warren Houghton
And it's coming from them.
[17:09] Warren Houghton
So it's all legit, it's all trusted, it's all good.
[17:13] Warren Houghton
And then they.
[17:14] Warren Houghton
People could just click those links.
[17:19] Warren Houghton
But like, yeah, people probably just click those links because it's trusted.
[17:24] Warren Houghton
And then I'll just start hoovering up all their clients and information and password everywhere else.
[17:32] Viktor Petersson
Right.
[17:32] Warren Houghton
But it all depends on what the web apps.
[17:35] Viktor Petersson
Right.
[17:35] Warren Houghton
That's where I like.
[17:37] Warren Houghton
That's why I like to completely map out first and go, let me see all the functionality.
[17:43] Warren Houghton
And then I'm going to sniff something that's bad.
[17:45] Warren Houghton
Like an email being like a file up that isn't.
[17:53] Viktor Petersson
Yeah.
[17:54] Viktor Petersson
And I guess that brings us into the other category of like the most common vulnerabilities, which is like injection attacks or SQL injection attacks, depending on the target.
[18:04] Viktor Petersson
Right?
[18:05] Warren Houghton
Yes.
[18:06] Warren Houghton
So SQL injection attack, I mean, they've been.
[18:09] Viktor Petersson
Yes.
[18:09] Warren Houghton
Donkeys before I was even a pen.
[18:12] Warren Houghton
Right.
[18:13] Warren Houghton
And it's the oldest form of attack is like all one equals one.
[18:18] Warren Houghton
The classic.
[18:19] Warren Houghton
So when you go, okay, I'm going to send.
[18:22] Warren Houghton
Imagine a login username and it sends it to the backend.
[18:26] Warren Houghton
Cool.
[18:27] Warren Houghton
And it.
[18:28] Warren Houghton
The idea is I'm trying to.
[18:29] Warren Houghton
Trying to make people visualize that.
[18:31] Warren Houghton
It's quite weird because imagine that's been put into SQL and it was like, select username from users list where password.
[18:42] Warren Houghton
And what happens if I could just screw with that and inject my own thing instead of saying it will say all one equals one, which will return a true.
[18:52] Warren Houghton
One does equal.
[18:55] Warren Houghton
So if you can make it return a true, because that's what you're looking for in order to log in and be like, yeah, login password equals correct true.
[19:02] Warren Houghton
Yeah, login good to go.
[19:04] Warren Houghton
If I can just go, well, one equals one.
[19:05] Warren Houghton
If like, yeah, it does.
[19:06] Warren Houghton
True.
[19:07] Warren Houghton
Yeah.
[19:07] Warren Houghton
We're like, wow, cool.
[19:08] Warren Houghton
I'm going to log in because I got my.
[19:11] Viktor Petersson
Right.
[19:11] Viktor Petersson
Right.
[19:12] Viktor Petersson
Or you could do more nasty things.
[19:15] Warren Houghton
Yeah.
[19:16] Warren Houghton
You could dump the entire database at that point instead of just logging in.
[19:19] Warren Houghton
But the.
[19:20] Warren Houghton
Yeah.
[19:20] Warren Houghton
Be like, okay.
[19:20] Warren Houghton
Or Bobby Drop Tables.
[19:23] Warren Houghton
Or just like delete the whole.
[19:25] Warren Houghton
Delete the entire database.
[19:27] Warren Houghton
Because some people are just.
[19:29] Warren Houghton
They just want to see the world burned.
[19:31] Warren Houghton
And.
[19:32] Viktor Petersson
Yeah.
[19:32] Viktor Petersson
What's.
[19:33] Viktor Petersson
I mean, what's the craziest one you've seen with regards to these?
[19:36] Viktor Petersson
Like, what's the crazy.
[19:37] Viktor Petersson
Like, you mentioned the mail story already with that.
[19:40] Viktor Petersson
What's the craziest finding you've had where you're like, really?
[19:43] Warren Houghton
Yeah, I.
[19:44] Warren Houghton
I had one of my first web apps, right.
[19:46] Warren Houghton
And this was way back.
[19:47] Warren Houghton
Way back when, before I.
[19:49] Warren Houghton
I didn't really know what I was doing.
[19:51] Warren Houghton
I was still learning.
[19:52] Warren Houghton
I was.
[19:52] Warren Houghton
I was.
[19:54] Warren Houghton
I was on a job with a good man.
[19:55] Warren Houghton
I won't say his name.
[19:56] Warren Houghton
I don't know whether he wants me.
[19:58] Warren Houghton
He.
[19:58] Warren Houghton
He will know if he is.
[20:00] Warren Houghton
There was a web app and there was a page which we found, which you could generate your own report.
[20:06] Warren Houghton
Right.
[20:07] Warren Houghton
And it was all like.
[20:09] Warren Houghton
It was to do with, like.
[20:11] Viktor Petersson
Right.
[20:12] Warren Houghton
Deal with.
[20:12] Warren Houghton
But before you generate the.
[20:14] Warren Houghton
It gave you the option to.
[20:16] Warren Houghton
To put your own generation code into it to say, like, I want to use this code as well as generating my.
[20:24] Warren Houghton
And it was in C#.
[20:26] Warren Houghton
And I don't quite understand the logic of them letting you put any C# you wanted into a web app and it would just render it.
[20:35] Warren Houghton
I didn't.
[20:36] Warren Houghton
I don't quite understand.
[20:37] Warren Houghton
But effectively we just got Metasploit, a Meterpreter shell. We were like, well, we're just gonna put bad C# on, and then just got a beacon back.
[20:46] Warren Houghton
And we're like, well, now we've.
[20:48] Warren Houghton
Now we've popped your web.
[20:49] Warren Houghton
Why did you have that page?
[20:50] Warren Houghton
Why was that there?
[20:52] Warren Houghton
Right.
[20:53] Warren Houghton
And it was just more confusing than anything.
[20:56] Warren Houghton
We've also had.
[20:57] Warren Houghton
Also had a website where they didn't hide the git directory.
[21:03] Warren Houghton
So which I don't know why that would ever be a thing.
[21:08] Viktor Petersson
Why would it even be the first place is the biggest question.
[21:10] Viktor Petersson
But yes.
[21:11] Warren Houghton
Would you still the.
[21:12] Warren Houghton
Basically they hosted their website and it's still within the.
[21:16] Warren Houghton
Within the directory of the website.
[21:17] Warren Houghton
It wasn't like linked anywhere, but find it.
[21:20] Warren Houghton
If you go to the website, /.git.
[21:23] Warren Houghton
And then it just listed all the git files and it was all the source code for the website.
[21:29] Warren Houghton
I'm like, well, that's not good because there was like hard coded credentials.
[21:34] Warren Houghton
There was like information in like internal, direct, like networking information.
[21:38] Warren Houghton
They were like.
[21:39] Viktor Petersson
So you can literally clone their website by just putting it.
[21:42] Warren Houghton
Yeah, I just get cloned the entire website.
[21:44] Warren Houghton
I was like, I'm just gonna host your website now.
[21:48] Warren Houghton
Like this is not a good thing, guys.
[21:51] Warren Houghton
So it was like instantly on the phone client, go in.
[21:54] Viktor Petersson
Right.
[21:55] Warren Houghton
Take this offline now because you're like, yeah, this shouldn't be there.
[22:01] Warren Houghton
And if anyone finds this, you're going to be in a bad way.
[22:04] Viktor Petersson
Right.
[22:05] Viktor Petersson
I mean, yeah, if they also had hardcoded credentials, like you have multiple levels of no's there.
[22:11] Warren Houghton
Yeah, there was so many bad things.
[22:14] Warren Houghton
It was like the perfect storm.
[22:16] Warren Houghton
I had a great day and.
[22:18] Viktor Petersson
Right.
[22:19] Warren Houghton
Yeah, I had a really fun day.
[22:21] Warren Houghton
But the climb.
[22:22] Warren Houghton
But that was, that's the, that's the point of being a pen tester.
[22:25] Warren Houghton
If I'm happy, the client usually isn't.
[22:28] Warren Houghton
Right.
[22:30] Warren Houghton
You're always the bad guy.
[22:32] Warren Houghton
But yeah, it's good fun.
[22:36] Viktor Petersson
Yeah, I can imagine.
[22:38] Viktor Petersson
All right, so we talked a bit about Burp Suite, and obviously that's kind of like the go-to tool for a lot of like early stage recon, I guess for any pentest engagement.
[22:50] Viktor Petersson
You alluded to Metasploit, which is another very common tool for using in these engagements.
[22:56] Viktor Petersson
You want to talk a bit about that?
[22:57] Warren Houghton
Yeah, happily so Metasploit is, I think, imagine you found something that's old talk about.
[23:03] Warren Houghton
We talked about WordPress being like updated.
[23:06] Warren Houghton
I mean everything could be outdated.
[23:08] Warren Houghton
So a metasploit is effectively a framework for going.
[23:12] Warren Houghton
I have an exploit.
[23:13] Warren Houghton
I'm going to say, oh, I want to.
[23:15] Warren Houghton
It's this IP address, this vulnerability.
[23:18] Warren Houghton
I want this and it will fire it.
[23:22] Warren Houghton
It's a, it's a framework for firing exploits or different tools at things. Like you can proxy.
[23:32] Warren Houghton
If you get a shell on a box, you can hop through that box.
[23:38] Viktor Petersson
So lateral movement on the network.
[23:40] Warren Houghton
Yeah, lateral movement.
[23:41] Warren Houghton
So sometimes like if you've got a web.
[23:42] Warren Houghton
Web app.
[23:43] Warren Houghton
Talk about web app.
[23:44] Warren Houghton
I know.
[23:45] Warren Houghton
So if I popped a website and I've got a shell on the website and I'm like, cool, happy days.
[23:49] Warren Houghton
What's further on from.
[23:51] Warren Houghton
I want to use this website as like a stepping stone to start attacking more things.
[23:56] Warren Houghton
Sometimes you can't, you haven't got the tools on.
[23:59] Warren Houghton
You know, you can't just install exploits and stuff on that.
[24:02] Viktor Petersson
Right.
[24:03] Warren Houghton
It might be tiny.
[24:04] Warren Houghton
It Might be like AV on it, but maybe you can use that box as like a stepping proxy and that's where like metasploit can come in handy.
[24:13] Warren Houghton
There are other tools that can do it quite handy.
[24:16] Warren Houghton
You can go, okay, I'm going to pop it and now I'm going to funnel all my traffic through that.
[24:21] Warren Houghton
All my traffic from my box is going to proxy through the website and then I'm going to start going, oh, well, what's on the other side of the website?
[24:28] Warren Houghton
Oh, it's your domain controller.
[24:29] Warren Houghton
Happy days to start attacking that.
[24:31] Warren Houghton
You know, it's because people don't have the domain controller online.
[24:37] Warren Houghton
People do.
[24:38] Warren Houghton
You shouldn't.
[24:40] Warren Houghton
So maybe it's hidden behind something and maybe I can just hack some more against.
[24:45] Viktor Petersson
So let's unpack that a bit.
[24:48] Viktor Petersson
So let's imagine that this example web app that we're talking about, you managed to pop a shell one way or another and now you have abilities to execute.
[24:58] Viktor Petersson
But it might be like a pretty locked-down Docker container, if it's a modern thing, so like you have nothing in there.
[25:04] Viktor Petersson
Right.
[25:04] Viktor Petersson
You might have write access to, say, like that /tmp folder.
[25:08] Warren Houghton
But.
[25:08] Viktor Petersson
But that's.
[25:08] Viktor Petersson
That's all you got, right?
[25:10] Viktor Petersson
Because that's kind of hard to run a system without anything that's writable.
[25:13] Warren Houghton
Yes.
[25:13] Warren Houghton
Yeah.
[25:13] Warren Houghton
You have to be able to write to it somewhere or at least be able to load something into memory or.
[25:19] Viktor Petersson
Right.
[25:20] Warren Houghton
Docker can be a different beast.
[25:22] Warren Houghton
Breaking out of Docker, it can be done, but like it's getting harder, unless you've mounted like docker.sock or something like that.
[25:32] Viktor Petersson
Let's assume people are not crazy.
[25:34] Warren Houghton
Let's assume I've seen crazy people.
[25:38] Warren Houghton
Yeah, they exist.
[25:40] Warren Houghton
But yeah, it's like, it's usually you've made a mistake if you've done everything to guidelines and everything like that now, don't you Wrong people.
[25:50] Warren Houghton
People are wrong.
[25:51] Warren Houghton
Right.
[25:52] Warren Houghton
Guidelines aren't always correct, but generally they're the best thing you can do.
[25:58] Viktor Petersson
Right.
[25:58] Warren Houghton
So if you follow the guidelines with Docker, you shouldn't mount docker.sock, because that's.
[26:06] Viktor Petersson
Convenience is usually the reason why people do things like that.
[26:09] Warren Houghton
Right?
[26:09] Warren Houghton
Yeah, it's usually a dev going, oh, I can't be bothered to drop out of this and mount this.
[26:14] Warren Houghton
I'm just going to mount it in here.
[26:16] Warren Houghton
And then he forgets to unmount because people do.
[26:19] Warren Houghton
They like, oh, I'm working till 8 at night and I'm going, oh God, my wife calls me in for dinner, and suddenly you've got a massive vulnerability in your system.
[26:26] Warren Houghton
Yeah, it happens all the time and that's where wrecks you in.
[26:31] Viktor Petersson
Yeah.
[26:33] Viktor Petersson
So, yeah, but you, one way or another, you are now in access of some kind of shell in a VM or Docker container where you can write and execute commands.
[26:45] Viktor Petersson
Like, what do you do now?
[26:46] Viktor Petersson
Like, what do you start with your network discovery to like lateral movements?
[26:49] Warren Houghton
Well, first question, am I trying not to get caught?
[26:53] Warren Houghton
Right.
[26:54] Warren Houghton
Yeah.
[26:55] Warren Houghton
So there are a few things.
[26:57] Warren Houghton
Like if you're trying, if you're on a red team, for example, and that's basically a pen tester that doesn't want, and they're doing everything very sneakily, then there are ways of doing it and they're very light and live off the land.
[27:14] Warren Houghton
If you're just a pen tester and you're on an assessment, then you can fire all the lasers and don't have to worry about the SOC.
[27:21] Viktor Petersson
So, so let's assume there's no IDS in place.
[27:24] Viktor Petersson
Right.
[27:24] Warren Houghton
So you, so if there's no one going to catch me, if I don't have to worry about being caught, I'd fire off like Nmap, right.
[27:31] Warren Houghton
Or Nessus, if you really want.
[27:33] Warren Houghton
Oh, right.
[27:33] Viktor Petersson
That's a blast from the past.
[27:34] Warren Houghton
Yeah, it's still pretty good.
[27:37] Warren Houghton
Like, well, I say good, it's useful, but like, yeah, you start firing off discovery scans across the net, and what Nmap does, it's like a network map.
[27:50] Warren Houghton
You can just go, okay, I'm going to give you a range of IP addresses, and give it a /8 if you want, it'll take a while, but you can give it the biggest range and it will start poking all of those IP addresses and seeing what's like.
[28:04] Warren Houghton
Or it will start pinging all those IP addresses, see if they're there or go, oh, is there a web server on this ip?
[28:11] Warren Houghton
No.
[28:11] Warren Houghton
And then when it finds something, it will start going or identifying what that is.
[28:17] Warren Houghton
It finds a web server.
[28:18] Warren Houghton
Be like, oh, this is an NGINX version blah web server.
[28:22] Warren Houghton
Or this, oh, 445 is open.
[28:24] Warren Houghton
This is, you know, Windows 10 or whatever.
[28:28] Warren Houghton
And we start identifying what you can get a layout of.
[28:34] Viktor Petersson
And then based on that finding, you redirect your lasers obviously towards the interesting targets.
[28:41] Warren Houghton
Yeah, hackers are lazy, I hate to say it, we're pretty like if there's an XP box on your machine on your network, we're going to hack that first.
[28:49] Warren Houghton
Because, you know, I mean, well, first.
[28:52] Viktor Petersson
Of all, you shouldn't have that in the first place.
[28:54] Warren Houghton
But yes, you Absolutely shouldn't have that.
[28:55] Warren Houghton
But there are councils still out there running it, I guarantee you.
[28:59] Viktor Petersson
Do you not doubt that?
[29:01] Warren Houghton
Yeah.
[29:01] Warren Houghton
So like, yeah, there are networks out there that still have very old stuff.
[29:07] Warren Houghton
Like I have seen NT in use and I've been pen testing for 7 years way after NT4 was end of life and I've seen it.
[29:17] Viktor Petersson
Well, Windows 10 is out of life, end of life, which is.
[29:20] Viktor Petersson
Yeah, yeah.
[29:21] Warren Houghton
So it's like you see all these things everywhere.
[29:24] Warren Houghton
So never assume that something like XP isn't going to be there and as soon as it is on the network I.
[29:29] Warren Houghton
Oh, happy days.
[29:30] Warren Houghton
Because it just, it's so much another.
[29:33] Viktor Petersson
Game is to get a persistent shell of sorts, I would imagine is your next step.
[29:38] Warren Houghton
Yeah.
[29:38] Warren Houghton
So there's one thing like getting on a network and there's another thing staying.
[29:43] Warren Houghton
Yeah.
[29:44] Warren Houghton
So if you can pop a website and you get your shell on that server, who knows when that's going to be found?
[29:51] Warren Houghton
Who knows when that's going to be turned off?
[29:53] Warren Houghton
Who knows when they go, oh, maybe the SOC's watching, go, like, we've been done, let's turn off the website, and you've lost all your access.
[30:01] Warren Houghton
So as soon as you get on there, you want, and you want your beacon going out to your like C2, like command and control center, like, okay, I'm gonna get another way in another time then.
[30:15] Warren Houghton
Then if all hell breaks loose and I lose access, I've not lost.
[30:19] Viktor Petersson
Yeah, because that's.
[30:21] Viktor Petersson
We've seen quite a few stories in the press.
[30:24] Viktor Petersson
They're obviously spun from a marketing angle, but if you read between the lines you can say that they were definitely in some big company.
[30:34] Viktor Petersson
This is not like, this is like the origin story for Zero Trust at Google.
[30:37] Viktor Petersson
Right.
[30:38] Viktor Petersson
They, they find state sponsored attackers inside their network sniffing traffic.
[30:43] Viktor Petersson
And like this is like what, 2005 probably.
[30:47] Viktor Petersson
Right.
[30:48] Viktor Petersson
But they had persistent access to Google data inside the network.
[30:52] Viktor Petersson
Right.
[30:54] Viktor Petersson
And this is where Zero Trust started.
[30:55] Viktor Petersson
But the point is, yeah, like if you're now on the network, many if not most systems would not do encryption of the traffic going through that network internally.
[31:10] Warren Houghton
No, an awful lot of them don't.
[31:11] Warren Houghton
There are things that do like HTTPs and.
[31:14] Warren Houghton
Yeah.
[31:16] Viktor Petersson
But your database connections, even like the session connections to your database, like you might sniff the root password for.
[31:21] Warren Houghton
Database there you can just sit on the network and start sniffing because something is going to be clear text or you can use tools like responder, like so responder.
[31:30] Warren Houghton
When you say, like, mounted shares, say everyone's got like mounted shares on it.
[31:36] Warren Houghton
When you boot up like obviously it reconnects, there's a connection.
[31:42] Viktor Petersson
Right.
[31:43] Warren Houghton
And what responder would do is almost like hear that and go whoa.
[31:47] Warren Houghton
You don't want to connect to that.
[31:48] Warren Houghton
You want to.
[31:48] Warren Houghton
You know, what about this?
[31:49] Warren Houghton
And basically long short of it, you end up with a hash.
[31:53] Warren Houghton
And a hash is basically your encrypted password.
[31:55] Warren Houghton
And you can just sit on the network.
[31:58] Warren Houghton
You don't need to connect to it.
[31:59] Warren Houghton
Just start sniffing these hashes and then you can just try and crack the password.
[32:05] Warren Houghton
Now if you've set a good password then this.
[32:08] Warren Houghton
That's not really an issue unless you've got.
[32:11] Warren Houghton
I know it is because you can have older versions of like relay and yeah, you sometimes don't even.
[32:22] Warren Houghton
That does have a snip.
[32:25] Warren Houghton
There are so many things you can do if you're just on a network like.
[32:28] Viktor Petersson
Right, right.
[32:29] Warren Houghton
It's trying to say like there it's.
[32:31] Warren Houghton
It's.
[32:32] Warren Houghton
It's a rabbit hole of just carnage.
[32:35] Warren Houghton
It gets on your network because I guarantee there will be someone that's shared a drive somewhere they should.
[32:44] Warren Houghton
Or there'll be a text document on a desktop saying passwords for Da.
[32:50] Warren Houghton
There'll be a box that nobody knows about because you know, Brenda wanted to use her laptop because that's one that she's got all her Google tabs on or something.
[32:58] Warren Houghton
You know.
[32:59] Warren Houghton
And you know there are so many things that in an organization go wrong.
[33:05] Viktor Petersson
Yeah.
[33:07] Viktor Petersson
I mean that's, at Screenly, one of the rules of thumb.
[33:10] Viktor Petersson
We've had it.
[33:10] Viktor Petersson
We have had two rules of thumb really is a.
[33:13] Viktor Petersson
No Windows machines for anybody.
[33:14] Viktor Petersson
That's the quickest one.
[33:16] Viktor Petersson
Yeah, that's the quickest rule.
[33:17] Warren Houghton
Is it all Mac or something?
[33:18] Viktor Petersson
Mac or Linux or Chrome OS like that's.
[33:21] Viktor Petersson
Those are the only things I trust.
[33:22] Viktor Petersson
I do not trust any Windows boxes at all.
[33:25] Viktor Petersson
You can secure them.
[33:26] Viktor Petersson
You can secure them.
[33:27] Viktor Petersson
But it's a lot more effort, right?
[33:29] Warren Houghton
Yes, yes.
[33:30] Warren Houghton
It's because everyone uses them.
[33:31] Warren Houghton
Right.
[33:32] Warren Houghton
There's a lot more effort put into breaking.
[33:35] Viktor Petersson
Well, that's part of it.
[33:36] Viktor Petersson
But also the security boundaries were a lot.
[33:38] Viktor Petersson
We could start with.
[33:39] Warren Houghton
I think there's a lot more you can do.
[33:44] Warren Houghton
I've never hacked them because not to.
[33:47] Viktor Petersson
Say it's not possible, but it's.
[33:48] Viktor Petersson
It's a lot more challenging.
[33:50] Warren Houghton
Yeah, that's it.
[33:50] Warren Houghton
They're not.
[33:51] Warren Houghton
Nothing's impossible, like, in pen testing.
[33:53] Warren Houghton
Nothing is just how much effort you want to put in and how much time you have.
[34:00] Viktor Petersson
Right.
[34:01] Viktor Petersson
And also like who's your attack vector?
[34:03] Viktor Petersson
Attack.
[34:03] Viktor Petersson
I Mean it's.
[34:06] Viktor Petersson
If you are up against a state sponsored attacker, it's game over.
[34:10] Viktor Petersson
Right.
[34:10] Viktor Petersson
Like.
[34:11] Warren Houghton
Yeah.
[34:12] Viktor Petersson
When they've got, they're gonna pop a zero day that you have no idea even exist.
[34:16] Warren Houghton
Yeah.
[34:16] Warren Houghton
They find zero days for that like every day.
[34:19] Warren Houghton
Like I know people that just drop zero days every week, which is terrifying.
[34:24] Warren Houghton
And some of them are like terrifying.
[34:26] Warren Houghton
They get reported eventually and then get fixed.
[34:28] Warren Houghton
Yeah.
[34:30] Warren Houghton
Like if the private sector could do it, then absolutely state.
[34:36] Warren Houghton
And they won't disclose because why would.
[34:40] Viktor Petersson
Yeah.
[34:40] Viktor Petersson
And I mean this happens on both sides of the pond.
[34:43] Viktor Petersson
To be fair.
[34:43] Viktor Petersson
It's not only China and North Korea, and the States sit on a lot of zero days too.
[34:48] Warren Houghton
Oh God.
[34:48] Warren Houghton
Yeah.
[34:49] Warren Houghton
As do we.
[34:49] Warren Houghton
Like the U.S.
[34:50] Warren Houghton
like, like all the four-letter agencies around the world have got a little bank of zero days, I guarantee you.
[34:57] Warren Houghton
Yeah.
[34:58] Warren Houghton
Because why would they disclose them?
[35:01] Warren Houghton
They're.
[35:01] Warren Houghton
Their free ticket.
[35:02] Warren Houghton
If they want to hack something.
[35:03] Viktor Petersson
Yeah.
[35:04] Warren Houghton
Gonna get in because it's not gonna get found.
[35:06] Warren Houghton
Yeah.
[35:07] Warren Houghton
Because obviously there's no signatures for it and stuff like that.
[35:10] Viktor Petersson
Yeah.
[35:11] Warren Houghton
They'd be careful when they use them.
[35:13] Warren Houghton
Yeah.
[35:13] Viktor Petersson
You don't want to burn them.
[35:14] Warren Houghton
You don't want to burn them there.
[35:15] Warren Houghton
There's a lot of effort that goes into finding those.
[35:17] Warren Houghton
Yeah.
[35:18] Warren Houghton
So.
[35:19] Warren Houghton
But, but yeah, if a state sponsored actor is on your network, then imagine they've got infinite time and infinite budget and infinite capability because they have the budget to stand them.
[35:36] Warren Houghton
So the idea is.
[35:39] Viktor Petersson
Yeah.
[35:39] Viktor Petersson
And like, and you mentioned like you might get hashes from traffic you sniffed.
[35:45] Viktor Petersson
Right.
[35:45] Viktor Petersson
And then if they sit on a $5 million GPU cluster and just point hashcat or whatever the tool is today.
[35:54] Warren Houghton
Yeah.
[35:54] Warren Houghton
Maybe their, maybe their target isn't just wrecking you because you've got some really good stuff like we say like a huge password cracking rig or something and they're just going to mine bitcoin through you.
[36:04] Warren Houghton
Right.
[36:05] Warren Houghton
And just earn a ridiculous amount of money.
[36:08] Warren Houghton
Maybe they're hosted in Czech Republic apparently like capital gains tax anymore.
[36:13] Warren Houghton
So you know, so kudos.
[36:16] Viktor Petersson
Yeah.
[36:16] Viktor Petersson
All right.
[36:17] Viktor Petersson
It's interesting.
[36:17] Viktor Petersson
So right, so we covered that.
[36:19] Viktor Petersson
We covered nmap and then I guess one tool that we kind of need to cover as well is kind of the go to platform for everybody who's doing any kind of security work is Kali.
[36:29] Viktor Petersson
Right.
[36:30] Viktor Petersson
That's what most people run.
[36:31] Viktor Petersson
Right.
[36:31] Viktor Petersson
But maybe say a few words about Kali, what it is and.
[36:34] Warren Houghton
Yeah, yeah.
[36:35] Warren Houghton
So Kali is effectively an operating system.
[36:37] Warren Houghton
Right.
[36:38] Warren Houghton
It's Linux based and it's preloaded with an awful lot of like tools; many of them you will probably never use, but many of them, like we spoke about Nmap and Metasploit and Burp Suite, they're all preloaded.
[36:53] Warren Houghton
The Burp Suite, the free version, isn't quite as good, but it is there.
[36:59] Warren Houghton
And you can just download that VM, it's free, there's no licensing needed.
[37:03] Warren Houghton
You don't need to be trained to use it.
[37:05] Warren Houghton
Which is terrifying because like a little 10 year old kid can download it.
[37:09] Warren Houghton
I can.
[37:10] Warren Houghton
Without any of the know how about the damage that operating system.
[37:16] Viktor Petersson
Yeah.
[37:18] Viktor Petersson
And it's so that's why you're running on your laptop normally when you do engagements.
[37:23] Warren Houghton
That's it.
[37:24] Warren Houghton
So I, I, I like to run it on the virtual machine.
[37:27] Warren Houghton
So generally I can't say it's for every pen, but every pen tester I know has a Windows base and then everything runs in virtual machines like VMware.
[37:38] Warren Houghton
The main priorities were that you can start isolating stuff and snapshot and everything like that.
[37:43] Warren Houghton
So like because stuff breaks right.
[37:46] Warren Houghton
And maybe you've got client data, you start rolling back to a snapshot.
[37:50] Warren Houghton
But yeah, I have it on my laptop up staring at right now.
[37:53] Warren Houghton
There it is.
[37:54] Warren Houghton
And it's a very useful tool.
[37:57] Warren Houghton
It's a very useful thing to have because you can run anything on it generally and there are some that you know, it's around Windows.
[38:09] Warren Houghton
But a lot of things run better on Kali or are built around it because everyone uses it.
[38:17] Viktor Petersson
Yeah, yeah.
[38:18] Viktor Petersson
It has the audience.
[38:18] Warren Houghton
Right, cool.
[38:19] Viktor Petersson
So would you mind if we go through a bit of like show and tell off like how your environment looks like we talk about Burp Suite and like see how these like tools actually look like when you're working with them.
[38:31] Warren Houghton
Okay.
[38:32] Warren Houghton
Right.
[38:32] Warren Houghton
Let's make sure.
[38:33] Warren Houghton
I'm not going to share anything.
[38:34] Warren Houghton
Client.
[38:34] Warren Houghton
Data.
[38:37] Viktor Petersson
That is a good, that's a good call.
[38:41] Warren Houghton
So right, so this is kali.
[38:43] Warren Houghton
Now you can use like GUIs and stuff like that to run stuff.
[38:48] Warren Houghton
I don't like it.
[38:49] Warren Houghton
And a lot of tools are made without a gui.
[38:52] Viktor Petersson
Yeah.
[38:53] Warren Houghton
For example, like Nmap, you can start running Nmap against other things.
[38:57] Warren Houghton
So let's do, what can we Nmap, right? This, what to Nmap without.
[39:11] Warren Houghton
Let's have a look.
[39:12] Warren Houghton
So I'm going to search for port 22.
[39:14] Warren Houghton
So it's SSH, right?
[39:15] Viktor Petersson
Yep.
[39:16] Warren Houghton
On my route.
[39:22] Warren Houghton
That's my router.
[39:23] Warren Houghton
I know it's there if anyone gets access to my, where I live.
[39:27] Warren Houghton
That's my vlan.
[39:31] Warren Houghton
Doesn't matter because I'll definitely not hard.
[39:33] Viktor Petersson
To find once you actually have access.
[39:34] Warren Houghton
I'll probably be home and I'll shortly kick you out, so.
[39:37] Warren Houghton
Stop it.
[39:39] Viktor Petersson
Oh, that's actually a good question.
[39:40] Viktor Petersson
Sorry to.
[39:41] Viktor Petersson
Sorry to derail you.
[39:42] Viktor Petersson
What's your network of choice?
[39:43] Viktor Petersson
How have you designed your home network to make sure that everything is.
[39:46] Warren Houghton
Yes, so.
[39:47] Warren Houghton
Because.
[39:48] Warren Houghton
Because I have a wife and she doesn't like the network going down or crazy amount of traffic I put over it and impacting Netflix and stuff like that.
[39:58] Warren Houghton
I have.
[39:58] Warren Houghton
I run two VLANs.
[40:00] Warren Houghton
The my home VLAN and my work VLAN and.
[40:04] Viktor Petersson
Right.
[40:04] Warren Houghton
Never the twain because.
[40:07] Warren Houghton
Yeah, just mainly.
[40:09] Warren Houghton
Mainly for usability.
[40:10] Warren Houghton
Less about security.
[40:11] Warren Houghton
It's more the fact I want to keep it all separate.
[40:13] Warren Houghton
I've got a lot of things in this office that need network connectivity and it's nice to keep it to know everything in this subnet is my work.
[40:25] Warren Houghton
And what, what to get into my office.
[40:28] Warren Houghton
Plug in.
[40:29] Warren Houghton
There's no WI fi.
[40:31] Viktor Petersson
And what gear do you trust?
[40:33] Warren Houghton
I have an OpenWrt router that I flashed.
[40:38] Warren Houghton
I flashed it myself.
[40:40] Warren Houghton
And then I screwed around with all the firewall.
[40:43] Warren Houghton
But yes, things like Linksys.
[40:45] Warren Houghton
Linksys hardware.
[40:46] Viktor Petersson
Yeah.
[40:47] Warren Houghton
Upgrade.
[40:48] Warren Houghton
It's showing.
[40:50] Warren Houghton
But it says custom firmware.
[40:52] Warren Houghton
Just because I like to tinker.
[40:55] Warren Houghton
I could have left it stock.
[40:56] Warren Houghton
But you know, as a pen tester, you never generally leave anything.
[41:00] Viktor Petersson
No.
[41:01] Warren Houghton
If you, if you can think.
[41:04] Warren Houghton
Yeah.
[41:05] Warren Houghton
So like this, I'm not going to do a full sweep of my network because I can't remember what's on it and don't want to just give everything away.
[41:17] Viktor Petersson
Fair enough.
[41:18] Warren Houghton
But, but generally if you've got Nmap, you go, okay.
[41:21] Warren Houghton
Right, I'm going to start searching the network.
[41:23] Warren Houghton
And you would.
[41:24] Warren Houghton
Instead of putting that.
[41:25] Warren Houghton
For example, if I'm on that subnet, you could do the network.
[41:28] Warren Houghton
Now I'm not going to click enter because I, I don't want to.
[41:32] Warren Houghton
But like, but you can just start searching the network.
[41:36] Warren Houghton
You don't have to give it a port either.
[41:38] Warren Houghton
So I give it port 22, which is SSH.
[41:41] Warren Houghton
But you can just search for all the port.
[41:43] Warren Houghton
And you.
[41:44] Viktor Petersson
But it's also.
[41:44] Viktor Petersson
You should.
[41:44] Viktor Petersson
I guess it should be said that there are these port scanning tools now that you can scan like the entire IPv4 Internet space in like hours.
[41:55] Viktor Petersson
Right.
[41:55] Viktor Petersson
Which is crazy.
[41:56] Warren Houghton
Like I could scan this entire subnet on every port in like five minutes.
[42:02] Viktor Petersson
Well, you could probably do it even faster.
[42:04] Viktor Petersson
Like, I mean they're like.
[42:05] Warren Houghton
Yeah, yeah, it was.
[42:07] Warren Houghton
I was being conservative.
[42:08] Warren Houghton
Yeah, it's like, it's.
[42:10] Warren Houghton
There are like per IP address, there's a total like 65,000 and a port.
[42:16] Warren Houghton
So like a website will run on 80 or 4.
[42:20] Warren Houghton
Yeah, they're just.
[42:21] Warren Houghton
They just want the.
[42:22] Warren Houghton
And then like 22 BS is like different things run on different.
[42:26] Warren Houghton
Yeah, you can have 65,000 of them per IP.
[42:30] Warren Houghton
And what this tool will do, go.
[42:31] Warren Houghton
I'm going to test each IP address and then also test each 65,000 ports for each IP address.
[42:37] Warren Houghton
So there's a lot of scanning goes on.
[42:39] Warren Houghton
And if you're monitoring the network, you can imagine the sheer amount of traffic.
[42:44] Warren Houghton
Yeah.
[42:45] Warren Houghton
Which is why my first.
[42:47] Warren Houghton
My first question, like, if I'm on the network, am I trying not to.
[42:52] Viktor Petersson
Right.
[42:52] Warren Houghton
Because if I'm not, if I'm trying not to get caught, I certainly.
[42:55] Warren Houghton
This.
[42:57] Viktor Petersson
Right.
[42:58] Viktor Petersson
Okay.
[42:58] Viktor Petersson
Yeah.
[42:59] Warren Houghton
Get found.
[43:00] Viktor Petersson
Yeah, Completely interesting.
[43:03] Viktor Petersson
Different tangent, but I saw a really interesting tweet the other day about how you sniff traffic between two switches by just connecting a hub between the two switches and then you break all the.
[43:14] Viktor Petersson
I mean, you break all the switch functionality, essentially, right?
[43:17] Warren Houghton
Oh, yeah.
[43:17] Warren Houghton
That's why hubs aren't on sale anymore.
[43:19] Viktor Petersson
Right.
[43:20] Warren Houghton
Like, hubs used to be like the go to.
[43:22] Warren Houghton
Right.
[43:24] Warren Houghton
Like with a.
[43:25] Warren Houghton
With a hub, like, if one thing gets sent in from one point, it gets sent out.
[43:29] Warren Houghton
All right.
[43:29] Warren Houghton
Everything's broadcasted, everything is sent out for everyone.
[43:33] Warren Houghton
So you just tap into that and just hear everything.
[43:36] Warren Houghton
Yeah.
[43:36] Warren Houghton
Whereas like a switch, obviously it'll go in like port A and like, I'm destined to go out of port F and it'll only go out for F.
[43:44] Warren Houghton
Yeah.
[43:45] Warren Houghton
Unless you've got, you know, you've got trunk port.
[43:49] Warren Houghton
Yeah, yeah, people do.
[43:52] Warren Houghton
It's fine.
[43:53] Viktor Petersson
Yeah.
[43:53] Viktor Petersson
I just.
[43:53] Viktor Petersson
Maybe it bleeds into the next episode, but I used those.
[43:56] Viktor Petersson
An interesting way of like, if you just attach hub between two switches, you can just like sniff all the traffic.
[44:01] Warren Houghton
Oh, I.
[44:02] Warren Houghton
I definitely.
[44:02] Warren Houghton
Yeah, we'll go over that next episode.
[44:03] Warren Houghton
I definitely, like, just sniffed it.
[44:07] Warren Houghton
Or like, pop their access control system to dump everyone's cars.
[44:11] Warren Houghton
Yeah.
[44:12] Warren Houghton
Right.
[44:12] Warren Houghton
I digress.
[44:13] Viktor Petersson
Right?
[44:14] Viktor Petersson
Yeah, that's cool.
[44:15] Viktor Petersson
All right, so.
[44:15] Viktor Petersson
So end up here.
[44:16] Viktor Petersson
You got the go to here.
[44:19] Viktor Petersson
And then.
[44:19] Viktor Petersson
Yeah, metaphor is next.
[44:21] Warren Houghton
See if this is.
[44:25] Warren Houghton
Oh, right.
[44:30] Warren Houghton
Console.
[44:31] Warren Houghton
Absolute moron.
[44:33] Warren Houghton
That was a new move.
[44:34] Warren Houghton
The command isn't metasploit.
[44:36] Warren Houghton
It's because were saying it.
[44:37] Warren Houghton
That's really what.
[44:39] Warren Houghton
So Metasploit framework.
[44:41] Warren Houghton
Console.
[44:43] Warren Houghton
So this will.
[44:44] Warren Houghton
This.
[44:45] Warren Houghton
Yeah, you know, a nice little bit of ascii.
[44:52] Warren Houghton
Sometimes it's not a G.
[44:55] Warren Houghton
But see, you see on this thing, I need to update it.
[44:59] Warren Houghton
But there's currently in this one instance there's 2408 exploits, 1240 auxiliary.
[45:08] Warren Houghton
So an auxiliary would be like, I'm going to get all the information of all your Windows, for example, poke each of the SMB port and pull back what version that would be.
[45:21] Warren Houghton
Instead.
[45:21] Warren Houghton
Instead of an exploit that would be just using Windows functionality, right.
[45:26] Warren Houghton
A scanner, right.
[45:28] Warren Houghton
Like, okay, I want to know, oh, you're Windows 10 or you're Windows 11, but that would be what that.
[45:34] Viktor Petersson
Right.
[45:36] Warren Houghton
Then there's obviously payloads.
[45:37] Warren Houghton
If like, okay, I want to drop interpreter payload.
[45:41] Warren Houghton
For example.
[45:42] Warren Houghton
It's like a shell that runs on the box and will let you do a lotbox mini framework.
[45:51] Warren Houghton
That box run lots then.
[45:59] Warren Houghton
But then you can just search for say like ssh.
[46:01] Warren Houghton
So imagine Amazon, you can get the port back for that, the version back for that by giving this a few extra tags like dash V.
[46:09] Warren Houghton
Or then you would know the version of ssh.
[46:15] Warren Houghton
But say, right, just search SSH and for example, say it's.
[46:21] Warren Houghton
Say it's vulnerable no matter what.
[46:24] Warren Houghton
But say I know because I found the version of SSH you're using.
[46:28] Warren Houghton
I'm on your network and yeah, version 1.8, sure.
[46:35] Warren Houghton
I could just search this and I Google the hell out of it.
[46:39] Warren Houghton
I know this is vulnerable or I've loaded my own export.
[46:42] Warren Houghton
This is a very easy way of doing it.
[46:45] Warren Houghton
There are better ways of doing it, but generally this is what it's for.
[46:48] Warren Houghton
Yeah.
[46:48] Viktor Petersson
Can you search by version as well?
[46:50] Warren Houghton
Yes.
[46:51] Warren Houghton
Yeah, you can.
[46:51] Warren Houghton
You can put loads more things in it.
[46:54] Warren Houghton
So yeah, whatever.
[46:56] Warren Houghton
So like this five, you can.
[47:01] Warren Houghton
There are lots of things you can search.
[47:04] Warren Houghton
Google is your friend with this.
[47:05] Warren Houghton
Because a lot of exploits aren't on this.
[47:09] Warren Houghton
You can load it in.
[47:10] Warren Houghton
A lot of them are just wrote in Ruby.
[47:12] Warren Houghton
So you can start loading your own stuff or you can just use something out of metasploit like.
[47:18] Warren Houghton
Right, but then.
[47:22] Warren Houghton
So let's.
[47:23] Warren Houghton
Let's load up a known one.
[47:26] Warren Houghton
So full search this one.
[47:38] Warren Houghton
Remember saying like there's a reason that people don't use on.
[47:43] Warren Houghton
On network because you see this exp.
[47:47] Warren Houghton
Yeah, this goes what, back in 2008.
[47:51] Viktor Petersson
Right.
[47:52] Warren Houghton
Long time ago, guys.
[47:54] Warren Houghton
All these things that is run that available to it.
[47:57] Warren Houghton
So Windows 2000, 2003.
[47:59] Warren Houghton
So all these XP boxes, all these.
[48:01] Viktor Petersson
2000 and SP2 was the last version of XP from not recalling.
[48:06] Warren Houghton
Yeah, SP3 actually.
[48:08] Viktor Petersson
Yeah.
[48:09] Warren Houghton
So all of them are vulnerable.
[48:12] Warren Houghton
Yeah, that's.
[48:13] Warren Houghton
Yeah, you can't really do anything about it.
[48:15] Warren Houghton
So you can use that because you know you can either type in and use or you just go and all you do then is go.
[48:35] Warren Houghton
So show options, for example.
[48:37] Warren Houghton
These are the options for this exploit and it will just give you stuff like what's the target?
[48:42] Warren Houghton
The target the port is running on.
[48:46] Warren Houghton
And then you can just go, right, what payload?
[48:49] Warren Houghton
This is where you do like Windows Reverse tcp.
[48:53] Warren Houghton
So what that means is you will fire something off, exploit it, run it, reverse tcp, fire something back to you to capture the shell.
[49:02] Warren Houghton
This is where you type in your ip, right.
[49:06] Warren Houghton
You just fire that boom and you've got a shell on the bottom.
[49:09] Warren Houghton
It's quite simple, right?
[49:12] Viktor Petersson
Yeah, it's a powerful tool and particularly if you marry that with things like public data sets like Shout at Shodan and these.
[49:22] Viktor Petersson
Now you have.
[49:23] Warren Houghton
You only need to go and showdown and just search like XP box people that have exposed like 4, 5 or 1, 3, the Internet and stuff like that.
[49:34] Warren Houghton
You're like these boxes like, yeah, there's nothing stopping if it's an XP box and it happens to, for whatever reason, like there are people stupid out there.
[49:46] Warren Houghton
Put SMB on you.
[49:49] Warren Houghton
Yeah.
[49:50] Warren Houghton
Get a sham on that box.
[49:51] Warren Houghton
There's actually nothing other than my box.
[49:55] Viktor Petersson
Yeah, I mean there was.
[49:57] Viktor Petersson
I'm sure you remember VNC roulette when that came out way back when.
[50:01] Viktor Petersson
Do you remember that story?
[50:03] Viktor Petersson
Like it's like they had like industrial control systems just like publicly available without any Internet connection, without any authentication.
[50:12] Warren Houghton
Stupid.
[50:13] Warren Houghton
Yeah.
[50:14] Warren Houghton
And then going back to what you said, it's usability.
[50:16] Warren Houghton
It's usually a dev that wants an easier day and it's like, oh, I can access this from home.
[50:21] Warren Houghton
I'll put it, I'll put the Internet on it because then I can just configure it from home in my pajamas and.
[50:27] Viktor Petersson
Yeah.
[50:28] Warren Houghton
And it never gets taken off.
[50:29] Viktor Petersson
I've.
[50:30] Viktor Petersson
I've been, I've heard stories from people who've done security work in like air gapped environments or like industrial control systems where when they did audit they found like a 4G modem connected to one of the devices because somebody wanted remote access.
[50:45] Viktor Petersson
It's like, yep, you kind of defeat the whole purpose of air gaping this day.
[50:50] Warren Houghton
Oh absolutely.
[50:52] Warren Houghton
I remember I was on, I've done a few air gap networks and you're always there and be like, huh, why can't I resolve 8.8.8.8 on DNS?
[51:01] Warren Houghton
I'm like, why does it resolve like.
[51:04] Warren Houghton
And then you're down a rabbit hole of something's got Internet access.
[51:08] Viktor Petersson
Right.
[51:09] Warren Houghton
And Then, yeah, all alarms start.
[51:12] Warren Houghton
You're like, why is it, why is this.
[51:16] Warren Houghton
Yeah, it's pen testing can be really fun.
[51:20] Warren Houghton
Obviously I've been in it a while now, so.
[51:22] Warren Houghton
Well, like, you know, it's.
[51:28] Warren Houghton
It's a lot of rabbit holes, a lot of.
[51:31] Warren Houghton
A lot of googling.
[51:33] Warren Houghton
Like.
[51:33] Warren Houghton
Yeah, yeah, it's good fun.
[51:38] Viktor Petersson
The last thing I want to cover is something that I'm sure has been on your radar lately.
[51:43] Viktor Petersson
Like, you already mentioned the idea of being detected.
[51:47] Viktor Petersson
Right.
[51:47] Viktor Petersson
That's a big part.
[51:48] Viktor Petersson
And if you have a payload you drop, if you have any level of sophistication on your network, you will have some kind of IDS or some kind of detection system.
[51:59] Viktor Petersson
Right, yeah, which, yeah, which usually works on signature of the payload.
[52:04] Viktor Petersson
That's how they detect it.
[52:07] Viktor Petersson
Now, with the state of AI tools today, it must be insanely easy to obfuscate those payloads.
[52:18] Viktor Petersson
And you basically have a unique payload for every single attack with very low effort.
[52:25] Warren Houghton
I think in theory, yeah, this is an area of expertise I do not specialize in, so I don't want to sound like I would, I would go to some of my friends like, mate, does this work?
[52:38] Warren Houghton
So.
[52:39] Warren Houghton
But in theory, yeah, I don't understand why you can just observe it, obfuscate it, or change the signature.
[52:47] Warren Houghton
But that is an area expertise.
[52:49] Warren Houghton
I do not.
[52:50] Viktor Petersson
Fair enough.
[52:51] Warren Houghton
Yeah, I can't really.
[52:52] Warren Houghton
I can't really say whether it's possible or not.
[52:55] Viktor Petersson
Yeah, it just seemed like an obvious thing to me at least.
[52:58] Viktor Petersson
But maybe I am wrong about that.
[53:00] Warren Houghton
Yeah, it's.
[53:01] Warren Houghton
It's, it's a lot of things.
[53:02] Warren Houghton
It sounds like it's going to be like obvious.
[53:04] Warren Houghton
Yeah, of course.
[53:05] Warren Houghton
Why can't you use AI to just rewrite it in a different way or do like, maybe it would work.
[53:09] Warren Houghton
Probably it does.
[53:10] Warren Houghton
But yeah, I can't say for sure because I know the red teams that I know are still worried about burning payloads and they're like, oh, let's not use this, let's protect this.
[53:23] Warren Houghton
And if it was easy just to remake it, then it wouldn't be a problem or we would just use loads of exploits.
[53:31] Warren Houghton
And just like anything that currently gets found, you just whack it through AI.
[53:38] Viktor Petersson
I suppose it has to do with.
[53:40] Viktor Petersson
I mean, they must have fingerprinting in them somehow, with which I presume might be based on the syscalls they make, which I guess are less obfuscated.
[53:49] Warren Houghton
There's always.
[53:49] Warren Houghton
Yeah, there's always going to be operations or things that exploit will do that it shouldn't do.
[53:55] Warren Houghton
Like calling out to a random IP address.
[53:58] Viktor Petersson
Right.
[53:58] Warren Houghton
Like if you want a beacon out or like a you know, foothold in a network, it's going to have to call out at some point or open up something at some point.
[54:06] Warren Houghton
Right.
[54:06] Warren Houghton
Otherwise you know, just made a worm and thing you're never gonna have.
[54:12] Warren Houghton
But that's like in a normal cor.
[54:18] Warren Houghton
Some random box maybe like somebody's work calling out to some IP address in Russia.
[54:25] Warren Houghton
I mean that looks dodgy.
[54:27] Warren Houghton
Regardless of.
[54:28] Viktor Petersson
Yeah, yeah.
[54:30] Viktor Petersson
If you reaching out to a CNC server in Russia then Yeah.
[54:33] Warren Houghton
It's like regardless of what signature that payload's got or regardless of calling out to that IP address is probably something that you should.
[54:41] Viktor Petersson
Yeah.
[54:41] Warren Houghton
And that.
[54:42] Warren Houghton
That will get found by like ids.
[54:46] Viktor Petersson
Yeah.
[54:47] Viktor Petersson
All right.
[54:48] Viktor Petersson
So I think we covered a lot of grounds.
[54:50] Viktor Petersson
We covered the basic tools.
[54:51] Viktor Petersson
Have we missed any tools that one should be aware of?
[54:55] Warren Houghton
There's so many.
[54:56] Warren Houghton
It all depends on what you're right.
[55:00] Warren Houghton
So like there's.
[55:01] Warren Houghton
There's old school tools.
[55:02] Warren Houghton
Like I haven't.
[55:05] Warren Houghton
I had a client question me why I didn't so only to go and I was like because it's bad.
[55:12] Warren Houghton
But like there are tools like that which people see or like they were.
[55:16] Warren Houghton
They were big back in the day but not Nikto's like just fire a web app.
[55:24] Warren Houghton
But the information it gives you.
[55:28] Warren Houghton
No, I don't think.
[55:29] Warren Houghton
I think the run of the mill things I feel with anything else.
[55:34] Viktor Petersson
And I'm also curious about your thoughts on the automated pen testing tools we've seen there's been rise of these in the last five, 10 years.
[55:44] Viktor Petersson
How good are they today from your vantage point?
[55:47] Warren Houghton
My opinion because I want to keep my job.
[55:49] Warren Houghton
They're rubbish.
[55:50] Warren Houghton
Don't use them.
[55:52] Warren Houghton
I don't think you'll ever be a person.
[55:54] Warren Houghton
I don't think you'll ever be the mindset of an attacker.
[55:58] Warren Houghton
Like assistance of a person that really wants to get in your network.
[56:03] Warren Houghton
A machine would never be.
[56:06] Viktor Petersson
So nobody probably can cover like common like cross site scripting attacks.
[56:10] Warren Houghton
Oh absolutely.
[56:11] Warren Houghton
But then there's always.
[56:12] Warren Houghton
There might be a payload that a person will get through.
[56:14] Warren Houghton
A cross site scripting attack is quite easy to protect against.
[56:17] Warren Houghton
Just have input filtering and output like running the milk.
[56:22] Warren Houghton
You're basically fine then.
[56:24] Warren Houghton
And a machine can find that quite easily.
[56:27] Warren Houghton
But it doesn't mean your website.
[56:28] Warren Houghton
If you've got like low budget for example, like you're a small firm and you know what Pen testing is bloody expensive.
[56:35] Warren Houghton
Like if you're looking at two grand a day person, like it's not cheap.
[56:39] Warren Houghton
An automated AI tool is probably good for you.
[56:43] Warren Houghton
Like it'll probably give you a lot of value and.
[56:47] Warren Houghton
But I hope it doesn't replace my job.
[56:52] Warren Houghton
I mean what I usually do in my like all the stuff behind me, computers can't.
[56:57] Warren Houghton
A computer can't do that.
[56:58] Viktor Petersson
That's fair enough.
[56:59] Viktor Petersson
That's fair enough.
[57:00] Viktor Petersson
You're safe, I think.
[57:01] Warren Houghton
All right.
[57:02] Viktor Petersson
So if somebody wants to get started.
[57:06] Viktor Petersson
Well, two questions really.
[57:07] Viktor Petersson
The first one is what advice would you give to yourself?
[57:10] Viktor Petersson
Like if you.
[57:11] Viktor Petersson
We're just getting into this world of pen testing, like where would you start?
[57:15] Warren Houghton
Read.
[57:16] Warren Houghton
Read a lot.
[57:17] Warren Houghton
Lots of things on YouTube.
[57:18] Warren Houghton
How I got started, I can't give like how everyone gets started because there are pen testing worlds full of everything and there are people that go through the uni route.
[57:28] Warren Houghton
There are people that go through like I just hack things in my spare time route.
[57:31] Viktor Petersson
Right.
[57:32] Warren Houghton
That break the law.
[57:33] Warren Houghton
How I got into it was I downloaded a lot of virtual machines off Vulnerabilities Hub, which is a website and you can download the virtual machines and they're all vulnerable and they all teach you different.
[57:45] Warren Houghton
Like oh, I downloaded one that was a website that was really bad.
[57:49] Warren Houghton
It's a website.
[57:52] Warren Houghton
Never give up learning.
[57:53] Warren Houghton
The reason that a lot of us are in this industry is because there's too much to learn and there's always new stuff.
[58:01] Warren Houghton
I think my word of advice is enjoy learning, enjoy discovering new things.
[58:08] Warren Houghton
Like just.
[58:12] Viktor Petersson
Do you have any recommendations for.
[58:14] Viktor Petersson
I'm not a fan of certificates, but in terms of.
[58:17] Viktor Petersson
Some people prefer structured learning offsec offensive security is one of the big ones.
[58:21] Warren Houghton
Yeah, like OSCP is offensive security is one.
[58:24] Warren Houghton
If you want to go like red teaming route like Raster Mouse's CRTO is really good.
[58:31] Warren Houghton
If you want to like be check.
[58:34] Warren Houghton
For example, you want to work with like government stuff like team member or TRT and stuff like that.
[58:43] Warren Houghton
There are so many certs assert doesn't necessarily make you a good pen tester.
[58:48] Warren Houghton
It just means they can sell you on things, you know.
[58:52] Warren Houghton
Yeah, you're more attractive to an employee.
[58:55] Viktor Petersson
I'm not a fan of certificates in general, but I do understand that if you're new to a field having some guardrails can be helpful to understand where you should at least focus on.
[59:05] Warren Houghton
Oh absolutely.
[59:06] Warren Houghton
If you're coming into this field.
[59:07] Warren Houghton
If you're new.
[59:09] Warren Houghton
Absolutely.
[59:10] Warren Houghton
Certs are 100%.
[59:12] Warren Houghton
It will encourage employers to look at you more favorably and you'll warrant.
[59:18] Warren Houghton
Which is always good.
[59:22] Warren Houghton
So.
[59:23] Warren Houghton
But for example, my certs have lapsed.
[59:26] Warren Houghton
Like I let my search lapse few years ago and I haven't bothered because I'm already in the industry.
[59:31] Warren Houghton
Once you get to the point of having years of experience, certs mean less and less.
[59:37] Viktor Petersson
Yeah.
[59:37] Warren Houghton
Depending on what you want to do.
[59:39] Warren Houghton
Yeah.
[59:39] Warren Houghton
If you want to go down a very certain route, cert will help you.
[59:42] Warren Houghton
If you want to.
[59:43] Warren Houghton
Yeah.
[59:44] Warren Houghton
Get like CSAs because you want to do regulatory red team work.
[59:47] Warren Houghton
You need a cert because.
[59:49] Viktor Petersson
Yeah.
[59:50] Warren Houghton
Need that.
[59:52] Warren Houghton
But fair enough.
[59:55] Viktor Petersson
Last question.
[59:56] Viktor Petersson
Favorite CV or exploit of all times.
[59:59] Warren Houghton
Favorite CV or exploit?
[01:00:01] Warren Houghton
I mean, my favorite would have to be something to do with access, but my.
[01:00:10] Warren Houghton
My personal favorite.
[01:00:12] Warren Houghton
Do you want.
[01:00:12] Warren Houghton
Personal favorite.
[01:00:13] Warren Houghton
Yes.
[01:00:14] Warren Houghton
Is there's an exploit for a Paxton control system where you could.
[01:00:21] Warren Houghton
You could poke the SQL data or like it was obviously you poke that pull and it gives you like a timestamp back.
[01:00:30] Warren Houghton
Right.
[01:00:31] Warren Houghton
And it says like this.
[01:00:33] Warren Houghton
You could then at a time.
[01:00:35] Warren Houghton
I'm not going to say what the latest.
[01:00:37] Warren Houghton
You could concatenate that with the word elephant and then send it back.
[01:00:42] Warren Houghton
And it would then send you back a SQL connection string and then you connect to the SQL database and dump all the activity.
[01:00:50] Warren Houghton
That's my personal favorite because I just find that hilarious that they won't use the word elephants.
[01:00:54] Warren Houghton
But that's.
[01:00:56] Viktor Petersson
That's a good exploit.
[01:00:57] Viktor Petersson
I think that's a really good note to end on.
[01:01:00] Viktor Petersson
So thanks so much, Warren.
[01:01:02] Viktor Petersson
Really appreciate this.
[01:01:03] Viktor Petersson
We will be scheduling another episode where we got to do fiscal pen testing, which.
[01:01:07] Viktor Petersson
Which is kind of like your red team hat.
[01:01:10] Warren Houghton
That's what I do.
[01:01:12] Warren Houghton
That's what I specialize.
[01:01:15] Viktor Petersson
That's going to be a lot of fun.
[01:01:16] Viktor Petersson
Again, thanks so much for coming on the show.
[01:01:18] Viktor Petersson
I really appreciate it.
[01:01:19] Viktor Petersson
Talk soon.
[01:01:20] Viktor Petersson
Cheers.
[01:01:20] Warren Houghton
Yeah.

Found an error or typo? File PR against this file or the transcript.