Blog: SANS Penetration Testing

Pen Testing Payment Terminals: A Step-by-Step How-To Guide

[Editor's Note: Here is a super useful how-to guide for penetration testing payment terminals by Miika Turkia. Given recent breach news headlines, payment terminals are getting much more security scrutiny. Bad guys are exploiting and undermining them, so we as penetration testers need skills to be able to properly evaluate the security stance of these payment devices. Miika delivers by providing step-by-step instructions for evaluating the security of payment terminals. And, furthermore, his suggestions and insights go beyond payment terminals as well, revealing some strategies and tactics we can use in all kinds of penetration testing. Well done, Miika! --Ed.]

By: Miika Turkia

There are plenty of payment terminals out there, and their design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL


Five Things Every Pen Tester Should Know About Working with Lawyers

[Editor's Note: Here is a great article by John Strand about a topic that is sometimes difficult for pen testers: interacting with lawyers. But, John engages the topic in his signature fun, quirky, and highly informative way that provides practical insights into how to keep yourself safe and legal when dealing with some sticky issues in penetration testing. Nice work, John! --Ed.]

By: John Strand

Ed absolutely loves sharing the various challenges of professional penetration testers. We have had a couple of instances here at BHIS where we have had to walk away from contracts because lawyers have gotten far too involved in some of our contracts. So, just a small bit of background before we delve into the insane antics of various wielders of legal might.

We have had a couple of contracts at BHIS where we had to move to a no bid position, effectively walking away. It is a tough place to find your company. But, as professional penetration testers, we


My Juiced Up WiFi Pineapple Configurator Script

By Chris Crowley

I recently acquired a WiFi Pineapple Mark V to replace my Mark IV, and I've got a config script to help folks simplify the config and use of this amazing product.

For those of you unfamiliar with the WiFi Pineapple, it is a wireless attack platform in a box, excellent for penetration testers. It collects a variety of tools into a pen-test-specific device, a convenient single portable appliance for all kinds of wonderful WiFi hacks. The ability to impersonate a specific access point (AP) is present, as well as abusing client preferred network lists using Karma. You can do funny things like Rickrolling, or nasty delivery of a Meterpreter with every page that the user browses to. There are configurable options to exclude specific devices from testing (a black list), or provide a list of devices that are within scope (a white list, which is a much safer way to ensure you don't end up attacking a bunch of nearby
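The white list versus black list point above is worth seeing in code. The following is an added example, not Chris's configurator script and not anything shipped with the Pineapple: it normalises MAC addresses as they appear in probe requests and list files, then applies either an allow list (default deny) or a block list (default allow) to a set of observed clients. The MAC addresses and the one-per-line list format are constructed for the illustration.

```python
import re


def normalize_mac(mac):
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff'
    to lower-case colon form, so list entries and sniffed MACs compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_list(text):
    """Parse a scope file: one MAC per line, '#' starts a comment, blanks ignored.
    (Hypothetical format chosen for this example.)"""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(normalize_mac(line))
    return macs


def select_targets(observed, allow=None, block=None):
    """Return the observed client MACs that may be attacked.

    allow: if given, only these MACs are in scope (everything else is denied).
    block: otherwise, everything except these MACs is in scope.
    With neither list, every observed client is returned, which is the
    dangerous default the white list exists to prevent.
    """
    targets = []
    for raw in observed:
        mac = normalize_mac(raw)
        if allow is not None:
            if mac in allow:
                targets.append(mac)
        elif block is None or mac not in block:
            targets.append(mac)
    return targets


# Constructed sample data: two in-scope client laptops and one bystander
# whose MAC was never put on any list.
OBSERVED = ["AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:99"]
ALLOW_TXT = "aa:bb:cc:00:00:01  # client laptop 1\naabb.cc00.0002     # client laptop 2\n"
BLOCK_TXT = "aa:bb:cc:00:00:02  # laptop we were asked to leave alone\n"

if __name__ == "__main__":
    print("white list mode:", select_targets(OBSERVED, allow=load_list(ALLOW_TXT)))
    print("black list mode:", select_targets(OBSERVED, block=load_list(BLOCK_TXT)))
```

Running it shows the difference in one line each: in white list mode the bystander `de:ad:be:ef:00:99` never appears in the target set, while in black list mode it is attacked simply because nobody thought to list it.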


Data, Data, Everywhere What to do with Volumes of Nessus Output

[Editor's note: Here's a really nice article by Kevin Fiscus on a tool that'll help you analyze and manage a great deal of Nessus vulnerability scanner output. This is really helpful, cool stuff! Thanks, Kevin. --Ed.]

By Kevin Fiscus

Doing really good, high-value penetration testing is hard. You have to start with a solid, repeatable methodology on which you build a process implemented via tools and techniques. It is a technical endeavor that is, more often than not, remarkably creative. But, to do it well, you need to understand hacker techniques, cyber defense, protocols, packets, and even people. Sometimes, however, basic logistics get in the way. The problem, in many cases, is that the tools are simply too good, or rather, they give too much information but lack a particularly effective way for a penetration tester to use that information. Case in point: Nessus.

Nessus is a fantastic vulnerability scanner. It has the capability to perform both
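To make the "too much information" problem concrete: a .nessus export is a v2 XML document with one ReportHost per target and one ReportItem per plugin hit, so the same finding is repeated once per host. The following is an added example, not the tool Kevin describes, that folds that per-host output back into a per-finding view (severity, affected hosts and ports) and ranks it. The embedded XML is a constructed, minimal sample in the .nessus v2 shape; the hosts, plugin IDs and plugin names are invented.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus v2 layout. Real exports carry many more
# tags per ReportItem (description, solution, cve, ...); only the attributes
# used below are needed for the roll-up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="example scan">
<ReportHost name="10.0.0.5">
<HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
 pluginID="100001" pluginName="Hypothetical SMB remote code execution" pluginFamily="Windows">
<risk_factor>Critical</risk_factor>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
 pluginID="100002" pluginName="SSL certificate cannot be trusted" pluginFamily="General">
<risk_factor>Medium</risk_factor>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
 pluginID="100003" pluginName="Nessus scan information" pluginFamily="Settings">
<risk_factor>None</risk_factor>
</ReportItem>
</ReportHost>
<ReportHost name="10.0.0.6">
<HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
 pluginID="100001" pluginName="Hypothetical SMB remote code execution" pluginFamily="Windows">
<risk_factor>Critical</risk_factor>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
 pluginID="100002" pluginName="SSL certificate cannot be trusted" pluginFamily="General">
<risk_factor>Medium</risk_factor>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
 pluginID="100004" pluginName="SSH weak MAC algorithms" pluginFamily="Misc.">
<risk_factor>Low</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text, min_severity=1):
    """Roll per-host ReportItems up into per-finding records.

    Returns {pluginID: {"name": str, "severity": int, "hosts": {ip: set(port/proto)}}}.
    Items below min_severity (default: drop informational, severity 0) are skipped.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        # Prefer the resolved host-ip property when present; name may be a DNS name.
        for prop in host.iter("tag"):
            if prop.get("name") == "host-ip" and prop.text:
                ip = prop.text.strip()
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            pid = item.get("pluginID")
            entry = findings.setdefault(
                pid, {"name": item.get("pluginName"), "severity": sev, "hosts": defaultdict(set)})
            entry["hosts"][ip].add("%s/%s" % (item.get("port"), item.get("protocol")))
    return findings


def rank_findings(findings):
    """Highest severity first, then the findings that hit the most hosts."""
    return sorted(findings.items(),
                  key=lambda kv: (-kv[1]["severity"], -len(kv[1]["hosts"]), kv[0]))


def format_report(findings):
    lines = []
    for pid, f in rank_findings(findings):
        hosts = ", ".join("%s(%s)" % (h, ",".join(sorted(p))) for h, p in sorted(f["hosts"].items()))
        lines.append("[sev %d] %s %s: %d host(s): %s" % (f["severity"], pid, f["name"], len(f["hosts"]), hosts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_nessus(SAMPLE_NESSUS)))
```

Pointing `parse_nessus` at a real export (`ET.parse(path).getroot()` in place of `fromstring`) turns thousands of host-by-host lines into one line per plugin with a host count, which is the shape a tester actually triages from; the severity floor is there because the informational plugins usually dwarf everything else in volume.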


Dealing with the Many Stages of Pen Test Result Grief Part 1

By Ed Skoudis

If you've done penetration testing for any length of time, I'm sure you've encountered it. You perform a beautiful penetration test — technically rigorous, focused on real business risk, all wrapped up with a solid report. You don't wanna brag, but you feel pretty darned proud of completing a job well done.

And then it happens. Target system personnel, the very people you've labored to help secure, blindside you with a barrage of criticisms of your findings in your draft report. Some penetration testers are shocked as target system personnel, both business decision makers and the technical people responsible for acting on the pen test findings, reject your results. It's almost as though they willfully don't understand your findings and the associated business risk. Your findings make perfect sense to you, yet they just don't get it despite your efforts to explain things as best you can. And, you still have to turn your draft report into a final