Asking the Hive Mind who might play with HTB, vulnhub and other labs (OSCP paid one):
1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers?
2. How is MFA beaten in today's enterprises?
3. Do most engagements assume one is already in the network? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)
4. How well do pen testers know the defense side and amalgamation of so many defensive tools - how do they learn what to beat? Is it really as simple as try to fingerprint and then look for known vulnerabilities on msf? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a carbon black EDR etc.
e.g. Alphabet soup of products in a large enterprise for defensive solutions - NGAV, EDR, SIEM, honeypots etc. etc.
5. How do you keep up? Aside from Reddit
6. Any advice to future job seekers working their way into learning more infosec?
1. Dozens (if not hundreds) of tools are used. It's all about personal preference, and what you're used to. Personally, I don't often use most of the tools you mentioned except Mimikatz; I use a commercial framework paired with many open source or private PowerShell scripts and .NET tools.
2. Something like evilginx2 can provide man in the middle functionality for stealing MFA tokens, or I try to find endpoints that have misconfigured or absent MFA.
3. It depends on the engagement. We like assumed breach scenarios because they're more effective for the time and money involved, but clients want entirely black-box engagements fairly often as well. Otherwise, I'll focus on using OSINT to develop a phishing target list, assuming I do basic scans against the organization's external network footprint and don't find anything egregious.
4. It's all about experience. You have to come up against the tools, and then see what works. It's really a lot of trial and error, though a lot of common bypass techniques will work against multiple products. There's no one-size-fits-all bypass.
5. Twitter, public Slack channels, and research performed by myself and my coworkers.
6. Learn soft skills. It's easy to teach someone how to do the technical part of the job, but you have to be able to communicate it to stakeholders. Technically, you should focus on the areas that interest you, but ensure that it's something used by the types of clients you're doing work for. It doesn't help to know the latest and greatest Linux attacks if none of your clients even know what Linux is. It doesn't help to be a badass web application pentester if you're expected to be able to move through a large Active Directory environment. Personally, I focus on Windows and Active Directory environments.
1. Google/Bing dorks still work well, Burp Suite.
2. Phishing still works; a few platforms steal MFA input. U2F/FIDO is pretty robust tho. The trick is to find apps and federation that don’t enforce
3. You would see all kinds, no one size fits all.
4. Really good shops and teams know the defense and countermeasures, but the vast majority, I would say, don’t care.
5. Infosec communities and such really are key; it moves so damn fast.
6. Learn how the sausage is made. I feel like I have way more insight from my Unix/network admin and SDE days, which lets me predict how stuff was put together; that makes it so much easier to know how to break it. There is no quick path here though.
>>1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers?
I think those + your typical scanners (Nessus, Nexpose, etc.). One gap I know of is proper organizational tooling, i.e. how do you store your results / reports / findings in an effective manner to be consumed downstream via other tooling. For us, it was a big uplift to standardize how our pen testers store and score results. We ultimately ended up settling on a numeric score rather than "High", "Medium", "Low", etc. and mapping back to CWE.
>>2. How is MFA beaten in today's enterprises?
I think there are a variety of ways -- the biggest gap I've seen is improper configuration, i.e. not properly enforcing MFA on all aspects of your application. What if I steal your session and call the API to disable MFA on your account? Are all of your forms / pages / etc. accounted for? Or just your home page?
>>3. Do most engagements assume one is already in the network? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)
There are definitely multiple levels of how tests happen in larger enterprises; we have some pivot externally to internally (both virtually externally, and physically externally, e.g. getting past physical security). So it really depends on how much your budget is and your paranoia level :)
>>4. How well do pen testers know the defense side and amalgamation of so many defensive tools - how do they learn what to beat? Is it really as simple as try to fingerprint and then look for known vulnerabilities on msf? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a carbon black EDR etc.
Some testers come from engineering backgrounds and have deployed the tooling in the past and know a bit about it. We've even found vulnerabilities in some of the defensive tooling and products themselves. But I've enforced the policy of not caring for my organization. Controls fail, new techniques come out, tooling becomes outdated.
We do factor defensive controls into the localized "prioritization" score for how we make developers and engineers prioritize what to fix, but ultimately, our pen testers do not care. Not to say that's the same for everyone else.
>>5. How do you keep up? Aside from Reddit
The "massive" banks have a lot of great user groups and information sharing -- personally, I keep up by constantly developing in my free time. If I'm not a great developer, then I'm not going to be great at what I do now.
>>6. Any advice to future job seekers working their way into learning more infosec?
Don't focus too much on being the most skilled hacker. Focus on the field you want to work in, and target the types of attacks and vectors that would be relevant to that area. Too many testers I interview are only focused on "look at how quickly I can place a shell on this box!" vs. talking to me about how "as a bank, you are more likely susceptible to physical attacks on ATMs and tunneling through some approved firewall rules to the core infrastructure; here's how I'd scope out some of the issues and pivot from there".
Granted my view is from more of an executive level than an actual tester these days, but I still have my share of fun finding things broken across the environment and discovering vulnerabilities and flaws :)
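The two MFA gaps named in that answer, a sensitive action reachable with nothing but a session cookie and an incomplete picture of which routes actually enforce a second factor, sketched as an added Python example (not code from the thread or from any product; the session model, route table and function names are constructed for illustration):

```python
# Added example: step-up enforcement for "disable MFA" plus a route-coverage audit.
# Session/Account classes, ROUTES and all names are constructed for this sketch.
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

STEP_UP_WINDOW = 300  # seconds a fresh second-factor proof stays valid for sensitive actions


@dataclass
class Session:
    user: str
    mfa_verified_at: Optional[float]  # last time a second factor was checked; None if never


@dataclass
class Account:
    mfa_enabled: bool = True


# Vulnerable: any valid session can switch MFA off, so a stolen cookie is enough.
def disable_mfa_vulnerable(sess: Session, acct: Account) -> bool:
    acct.mfa_enabled = False
    return True


# Hardened: a sensitive change needs a second-factor proof no older than STEP_UP_WINDOW.
def disable_mfa_hardened(sess: Session, acct: Account, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if sess.mfa_verified_at is None or now - sess.mfa_verified_at > STEP_UP_WINDOW:
        return False  # caller re-prompts for the second factor (step-up) instead
    acct.mfa_enabled = False
    return True


def record_step_up(sess: Session, code_ok: bool, now: Optional[float] = None) -> None:
    """Stamp the session only after the real verifier has accepted the second factor."""
    if code_ok:
        sess.mfa_verified_at = time.time() if now is None else now


# Constructed route inventory; 'sensitive' is the application owner's judgment.
ROUTES: List[Dict] = [
    {"path": "/", "sensitive": False, "mfa_enforced": True},
    {"path": "/login", "sensitive": True, "mfa_enforced": True},
    {"path": "/api/v1/mfa/disable", "sensitive": True, "mfa_enforced": False},
    {"path": "/api/v1/password/reset", "sensitive": True, "mfa_enforced": False},
    {"path": "/profile", "sensitive": False, "mfa_enforced": False},
]


def mfa_gaps(routes: List[Dict]) -> List[str]:
    """Return sensitive routes that a session cookie alone can reach."""
    return [r["path"] for r in routes if r["sensitive"] and not r["mfa_enforced"]]
```

Run the audit against the real route table exported from the framework, not a hand-maintained copy, or the inventory itself becomes the gap.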
JFYI: There's a rule on HN that "Show HN's" can't just be sign-up pages or require invite codes; people have to be able to actually interact with whatever you're "Showing".
YMMV, but, in my experience the biggest difference between these platforms and "real world" is the amount of data available (generally). At big companies, if you were to run a red team exercise or pen test, most of the probing and data gathering you do is on confluence, open git repos, and other places of documentation. Not running nmap or sitting in the middle of two services and inspecting packets. That's not to say that more advanced testers don't employ those methods, but the reality is, the most effective way is to expose yourself to the data available in front of you.
Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world
I've been trying to learn infosec for a few years now with the eventual goal of either an offense/defense role. Plan to work on my OSCP next.
I have a few basic questions please:
I must say it presents many scenarios that are easily found "in the wild". Google and Shodan find tons of vulnerable machines that match some HTB scenarios.
I've been on HTB for 4 months.
If you want to get into pentesting this is a very good resource.
If you reach the "Pro Hacker" level you should be able to pass OSCP first try.
I love Pentester Academy. I've had a subscription to it for the last year or so.
And OffSec is nice, too. I've got OSWP, OSCP, OSCE, and I'm in the Black Hat training this year for OSEE. So we'll see how that goes. I haven't tried their On-Prem labs though, but I think they'd be pretty fun.
I've browsed the assembler courses on Pentester Academy a few times. I'm not sure I'm up for being a pentester, but I do like the particulars of assembler and CPUs.
Would you recommend those courses in particular (looking at the amd64 and arm ones)?
Yep, they're great courses. Make sure you actually do it.
Vivek is an excellent instructor, and he goes from nothing to getting you up to speed pretty quickly.
The first parts might be a bit dry, because it's a lot of architecture and theoretical stuff. But after you get through that, and start doing things, you'll find that it's awesome.
Also, if you don't want to be a pentester, you might find a particular affinity for exploit development. And that's a niche field that pays well. That's where I'm going with my training, research, job. Not easy, at all, but it's deep, and fun.
Thanks for that recommendation and advice, I appreciate it. Yeah, I'd definitely prefer to find and propose fixes for exploits over full pentesting (reporting/client work).
I don't get it. Why not put a PC on your LAN and try to hack that? What is the benefit to me here? How do I know that the 'labs' I am participating in are safe? Are they honeypots? Or perhaps I am just being used in a covert plan to crowdsource an attack on a vic?
Yeah, you don't get it. Have you even read the website? Like... why are you jumping onto the fear bandwagon before understanding what Hack The Box is about? When you fill your car with gas, do you worry about an oil tanker spill?
The clue is on the page... "Feel free to hack your way in :)" Should take you a moment or two if that's your mind set, a little longer if you need to brush up on your JavaScript, or a little quicker if you Google a walkthrough :-)
If you just want to see what it's about then google works I guess, but if you can't get registered on your own I'm not sure that Hackthebox is the best place to start for pentesting.