Hello everyone.
I have made some minor edits since first posting this, to further clarify a couple of points.
I joined this community a while ago; I have/had been a lurker for even longer. A huge part of what made the hacker community what it was (and what it is here) involves a willingness to share knowledge (without spoonfeeding).
I would feel remiss if I gained so much from so many of you and did not give something back on occasion.
What follows are anecdotes, opinions and observations I can share after almost seven years working professionally in the InfoSec/NetSec field.
Most of my work in this field has been anchored in Penetration Testing. Even when my official designation was Network Security Analyst, I spent most of those three years in engagements against PCI environments used for subcontracting work from Comcast, Verizon, Time Warner, Sprint and AT&T (to name a few of my former employers' clients).
Currently, I manage the Cybersecurity Lab of an international company that employs over 200,000 employees. Most of my work in my current position involves Penetration Testing (every type imaginable, including focused blackbox testing against embedded devices and the network/control structures surrounding them).
I am also a lead point of contact for our international teams during remediation and triage of major security threats, incidents and breaches.
For example, I was my company's head analyst for the recent Shamoon 2.0 attacks (W32.DisttrackB/W97M.Downloader) last February, as well as the recent WannaCry outbreak.
I also serve in a Security Engineer capacity, as I am regularly asked to evaluate facets of our products and provide feedback and opinions on the security ramifications involved.
I am extremely busy and wanted to give back what I have taken so far, so this is going to be long...
Here goes nothing:
1) I am completely self taught (meaning I acquired no college/formal education to get where I am).
That being said, a solid Computer Science degree is invaluable as a foundation (I would mostly avoid Cybersecurity degrees and go for CS), and even the degree itself will open doors into this business.
Also, I work with high-level engineers (CS and Electrical Engineering PhDs); what they can do in a short period of time once they have an interest in InfoSec/NetSec is frightening.
2) That leads me to this: to be great at anything (including InfoSec/NetSec), I believe that your pursuit must become a sort of lifestyle. Between work and further study/skills building (as well as time I invest in InfoSec/NetSec activities such as my daily reading), I easily invest 80+ hours per week in this pursuit.
And I love just about every minute of it. There is a huge demand for InfoSec/NetSec professionals, which I feel is going to lead to a flood of low knowledge, low passion, low skill hiring.
Anyone trying to get into this industry for the cash alone is going to have a rude awakening: there are probably lower pressure, lower work hour ways to earn the same money doing something that truly interests you.
Also, those of us truly invested in these arts can pretty easily spot our own.
3) Learn to study, and learn to love the act of studying. Much of this job is continual study; eventually, when presented with an issue you are ignorant of, you will feel confident in knowing that you can find the answers you need.
Break the issue into small, manageable pieces (goals really), and put the pieces together until you can see the whole answer.
4) Most of my success in this industry has been due to a willingness to work hard, persevere and never give up. Ever. Most of this job is the creative solving of problems that do not or may not have any easy answer (or any answer at all…yet).
You have to build a no retreat, no surrender, obsessive need to conquer problems.
5) I specialize in network penetration, though I have become fairly well rounded. To me, network penetration is the art of acquiring advantages.
During an engagement, I am always looking to gain advantages. I study and train to better recognize and maximize the resources within an environment that allow me to gain those advantages.
Gaining these advantages is more a product of knowledge and experience than an application of tools.
6) I am also looking to be efficient; the best penetration tests replicate real world attacks. In that vein, each action you take raises the probability that you will be detected.
For hackers and freedom fighters engaged in illegal activity, you may want to consider the latter a bit. Once you make ingress and launch any form of offensive action, you have escalated the legal ramifications of your trespass by multiple magnitudes.
Also remember that the probability of you getting caught and prosecuted is never 0.00%: you have to be prepared, you have to be careful, you have to be patient and you have to prepare contingencies.
7) I use a measurement/assessment of risk vs. payoff to make each action within the network as efficient as possible; by percentages, losing a queen to take a rook is mostly a loser's bet.
The best way I've learned to temper a careful approach is with an old sales slogan ("Always be closing the deal", which I modified to "Always be advancing your position(s)").
7) I try as much as possible to engage a target as a stalking, ambush predator: I move carefully and try to use the environment to hide myself as I seek to exploit the target's/objective's lack of awareness.
I work to remain patient and identify/quantify as many of the variables of the current environment/situation as possible.
Sometimes the best decision you can make is to slow down or hold your current position for a bit; watching Tcpdump or Wireshark while thinking on a better move is still advancing your position.
8) To lower the probability of detection (whenever possible) I endeavor to attack, enumerate or probe from an obfuscated position.
Configuring your attack host/node for the highest probability of situational anonymity (using tunneling, proxies, encapsulation, etc.) is infinitely useful in pentesting, hacking and/or general security/privacy.
Mastering the manipulation of proxy, tunneling and encapsulation protocols (which involves a deep understanding of networking/TCP/UDP) almost lends you quasi-magical invisibility and teleportation powers when involved in network penetration.
Obfuscation itself is one of 10,000 reasons why experience/knowledge in the disciplines of networking, OS and programming combined with security research are such huge advantages (and another reason why, if you take up this path, you may never stop learning).
9) Learn to use every tool you can, but more importantly, learn why the tool works. If you work in/at exploitation long enough, the principles governing the tools will help you exploit a box someday, regardless of whether you use that particular tool to get the wanted/needed result.
9) Knowledge/experience over tool use is especially important today: regardless of what many sites say, you will not find many enterprise/corporate networks today (as a professional penetration tester at least) where there are gross configurations/deployments leading to an easy, out of the box (deploy tool == Meterpreter) exploitation.
10) When training for a fight, professional mixed martial artists put themselves in the worst possible positions so they react properly when the fight is underway.
Eventually, training/practicing your exploitation/research techniques the same way will be a huge boon in engagements, POCs (or in the wild). I especially like to ramp difficulty up during research; it is hard for someone else to minimize your findings if you have added (and circumvented) greater security measures than the norm (rather than having reduced them).
11) Most of my exploitation of networks in the last couple of years has been a process of discovering network misconfigurations and weaknesses (especially in Windows Firewall, Programs and Features, LGPO/GPO policies and/or IE/Internet Options within Windows Domains/Networks) or information leaks that I locate online or through DNS enumeration that ultimately lead to my gaining access to a host.
From there, remote exploitation (toward post exploitation/privilege escalation/pivoting) will often occur. This is largely when knowledge of things such as PowerShell (leveraged by itself or through tools like PowerSploit/CrackMapExec/PsExec/Empire) becomes invaluable (in Windows networks).
I have actually been finding easier remote exploits when attacking Linux/Unix boxes in enterprise networks (finding Solaris with Apache Tomcat during enumeration still springs hope eternal in my human breast).
Many (actually, maybe all) of these companies are/were new at deploying Unix/Linux boxes in their networks and were making some serious mistakes with deployment.
12) Enumeration is the most important part of an engagement to me. You should get used to enumeration without automated tools; I love Nmap, but many times it is not viable to use within the customer's network (network overhead issues, the risk of detection by IDS, the risk of breaking PLCs or other embedded devices, etc.).
In cases where you are on the customer's network, tools like Wireshark, Tcpdump, knowledge of networking protocols/ports and banner grabbing are your friends.
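The point above is that Nmap is loud and an IDS will catch it. As an added example (my own, not from the original post), here is the other side of that coin: the kind of check a blue team runs over connection logs to spot a vertical scan (many ports on one host) or a horizontal sweep (one port across many hosts) inside a short window. The log format and the sample lines are constructed for the example; the thresholds are assumptions you would tune to your own network.

```python
"""Flag scan-like behaviour in a simple connection log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one connection attempt per line:
# "<iso-timestamp> <src> -> <dst>:<port> <proto> <flags>"
SAMPLE_LOG = """\
2017-06-01T10:00:00 10.0.0.5 -> 10.0.0.20:445 TCP SYN
2017-06-01T10:00:03 10.0.0.5 -> 10.0.0.21:80 TCP SYN
2017-06-01T10:00:09 10.0.0.5 -> 10.0.0.22:443 TCP SYN
""" + "".join(
    # 10.0.0.99 touches 25 distinct ports on one host within 25 seconds
    f"2017-06-01T10:01:{i:02d} 10.0.0.99 -> 10.0.0.20:{port} TCP SYN\n"
    for i, port in enumerate(range(20, 45))
) + "".join(
    # 10.0.0.77 touches port 445 on 15 distinct hosts within 15 seconds
    f"2017-06-01T10:05:{i:02d} 10.0.0.77 -> 10.0.1.{i}:445 TCP SYN\n"
    for i in range(1, 16)
)

WINDOW = timedelta(seconds=60)   # assumed sliding window
PORT_THRESHOLD = 20              # distinct ports on one host -> vertical scan
HOST_THRESHOLD = 10              # distinct hosts on one port -> horizontal sweep


def parse_line(line):
    """Turn one log line into (timestamp, src, dst, port)."""
    ts, src, _, dst_port, _proto, _flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scans(log_text, window=WINDOW,
                 port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return sorted (kind, src, target) alerts found in the log text.

    kind is "vertical" (target = scanned host) or "horizontal" (target = port).
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # src -> deque of (ts, dst, port) inside the window
    alerts = set()
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        for d, ports in ports_by_host.items():
            if len(ports) >= port_threshold:
                alerts.add(("vertical", src, d))
        for p, hosts in hosts_by_port.items():
            if len(hosts) >= host_threshold:
                alerts.add(("horizontal", src, str(p)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, target in detect_scans(SAMPLE_LOG):
        print(f"{kind:10s} scan from {src} against {target}")
```

The interesting tuning knob is the window: a patient operator who spreads probes over hours slips under a 60 second window, which is exactly why slow, passive enumeration is so much harder to catch than a default Nmap run.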
13) For those engagements where you first need to gain access to the network, you definitely have more room for running some louder tools:
I love Fierce (and DNS enumeration in general) as it often presents my way in.
Google dorking is still also an incredible tool, as is Firefox with the right set of extensions (Hackbar, Tamperdata, Wappalyzer, BuiltWith, Uppity, IP Address and Domain Information, etc.).
Who loves Dirbuster in these circumstances? This carbon/caffeine based lifeform right here.
Whether you are pentesting, bughunting or hacking/freedom fighting, a paid Shodan subscription ($50) is worth every cent. The capacity to make exacting, accurate searches for greater than 5 pages has helped me in more engagements/bughunts than I can remember.
14) When I am explaining why a config/setting/LGPO/GPO (etc.) is a security risk to a client or my fellow employees, I like to explain that many of the advantages I look for in my environment are most often advantages that are needlessly provided to me.
If it does not break key functionality or seriously impede efficiency/development time, then it is in their best interest to deny me as many advantages as possible, even when the advantages appear as if they are minutia.
When dealing with a client or non-security fellow employees, you should work to create a relationship of mutual aid and teamwork.
I am not there to rub their noses in their crap; I am there to help improve their security so the company can prosper. This is partially a customer service gig where solutions (remediation/countermeasures) are more beneficial to the client than the exploitation itself.
Whenever possible, I like to end the post-exploitation/penetration test conversation/meeting/presentation with the attitude that I am here to help fix these issues: how can WE best close these gaps? How can I help make your (or our) company safer, so that we can become more prosperous?
15) I personally despise Microsoft (and many proprietary products/companies) on many levels, but when it comes to work, I am platform agnostic. Whatever tool is needed to complete the mission is the tool I am going to employ.
However, whenever possible without jeopardizing the mission, I am going to employ an Open Source/Unix/Linux-centric solution.
I work hard to show my company the value in Open Source. The way to show that value isn't to be the super Unix/Linux/GPL neckbeard who constantly bemoans proprietary software/platforms.
The best way (for me) is to show how effective the strategy involving the Open Source tool is. Then, in my report, I explain the business hook of using Open Source (if the tool is free for commercial use).
I am sensitive to companies taking Open Source tools and turning them into something proprietary.
However, if I can make my company (which is both huge and almost universally recognized as ethical, which is rare) see the value in Open Source, I know they will eventually incorporate Open Source into the support packages for their products (which they have, while keeping the tools and the license intact).
This then spreads the value of Open Source to smaller companies who see it being trusted by a much larger company.
16) I have tens of thousands of dollars worth of licenses at my disposal. However, I will never use tools like Nexpose, Nessus, Canvas or Metasploit Pro unless the project, client, or a governing body specifically requires them.
I believe these tools develop poor habits. Obviously, if a project such as evaluating an entire domain of IPs/hosts for vulnerabilities is my task, I am going to use Nessus. However (whenever time/project permits, which they most often do), I am going to evaluate the findings (and search for other vulnerabilities) manually.
17) The ultimate goal should be reliance on nothing more than a Linux/Unix terminal, some form of network access and a programming language. One of my favorite exploitation tools is my Nexus 7 2013 flo tablet (running a modified version of NetHunter) and a Bluetooth folio keyboard (I got the idea from n-o-d-e, https://www.youtube.com/watch?v=hqG8ivP0RkQ713), as the final product is a netbook that fits in a jacket pocket.
I have exploited some seriously huge clients with this little rig (for ingress and a quick root shell, WPS on network/enterprise printers and knowledge of PCL/PJL/PostScript are often your friend).
I have also exploited other customers with a cheap UMX smartphone with 5 gigs of storage, 1 GB of memory and GNURoot Debian (guest WiFi access from the parking lot or an onsite public restroom, human nature, and Responder.py analyze mode, followed by WPAD, LLMNR and NetBIOS poisoning with NTLMv1 and LM authentication downgrade for the win).
18) During (red team, onsite, etc.) engagements, even when the ultimate target of the engagement is located on a hardwired network with heavy segmentation/compartmentalization (such as the conduit/zone based layouts that are general best practice in industrial sectors), it is always worth gaining a host/node with corporate WiFi access.
One thing WiFi access provides is reach: an Administrator's (or other privileged user's) dedicated workstation may be out of reach, but his other devices (if in scope) may be connected to corporate WiFi for reasons such as saving data on a plan.
Also, WiFi allows me attacks of opportunity even when I am doing other things. Running Responder.py on a misconfigured network's WiFi while I am otherwise engaged is gaining me advantages (maybe clear text creds, maybe hashes, maybe NTLMv1 and LM hashes) at little cost to my time or attention.
When I employ this, I like to spoof the poisoning machine's hostname/MAC address to something familiar on the network. If you see a bunch of hosts named "Apple" during your recon, and all of those hosts are not online, spoof the hostname/MAC to match one of the Apple machines (this will not withstand close scrutiny, but will often suffice with a little work).
It always helps to watch and take note of the norms of the network traffic and protocols. Try to match this as much as possible (this will likely help you avoid IDS/IPS, firewall rules, etc.), and whatever traffic would seriously stand out, try to tunnel or encapsulate with normal network traffic/protocols.
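Points 17 and 18 both lean on LLMNR/NBT-NS poisoning. The cheapest way for a defender to catch a poisoner on the wire is a canary: ask LLMNR for a name that does not exist anywhere, and anyone who answers is lying. As an added example (mine, not from the original post) the block below builds a raw LLMNR query, parses the answer, and judges whether a reply is evidence of poisoning. The packet layout follows the DNS-style LLMNR format (RFC 4795); the canary name, transaction ID and the `build_canary_response` helper that fakes a poisoner's reply for offline testing are all constructed for the example.

```python
"""LLMNR canary: detect a poisoner by querying a name that cannot exist (added example)."""
import random
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # LLMNR IPv4 multicast group and port


def build_llmnr_query(name, txid):
    """DNS-style header + one question for an A record (QTYPE 1, QCLASS IN)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer, two bytes long
            return off + 2
        off += 1 + length


def parse_llmnr_response(data):
    """Return (txid, [IPv4 answers]); raise ValueError if the packet is not a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # name + QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return txid, answers


def judge_reply(expected_txid, canary_name, data, sender):
    """Any well-formed answer to the canary is a finding; return it or None."""
    try:
        txid, answers = parse_llmnr_response(data)
    except (ValueError, struct.error, IndexError):
        return None
    if txid != expected_txid or not answers:
        return None
    return {"suspect": sender, "canary": canary_name, "claimed": answers}


def build_canary_response(query, ip):
    """Constructed sample of what a poisoner's answer looks like (for offline testing)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(name, timeout=2.0):
    """Send the canary to the LLMNR multicast group and collect every responder."""
    txid = random.randrange(0x10000)
    query = build_llmnr_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    findings = []
    try:
        sock.sendto(query, LLMNR_GROUP)
        while True:
            data, (addr, _port) = sock.recvfrom(512)
            finding = judge_reply(txid, name, data, addr)
            if finding:
                findings.append(finding)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return findings


if __name__ == "__main__":
    canary = "canary-%04x" % random.randrange(0x10000)   # a name nobody legitimately owns
    for f in probe(canary):
        print(f"LLMNR poisoner suspected: {f['suspect']} answered {f['canary']} with {f['claimed']}")
```

Run it from a cron job on each VLAN and you get the same signal Responder's analyze mode gives the attacker, pointed the other way; pair it with disabling LLMNR and NetBIOS name resolution by policy and the technique in points 17 and 18 stops working at all.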
19) This leads to 2 other points:
A) Be prepared for the majority of people within a company who do not care about, or will minimize, security issues. Do not get frustrated; I find that showing the parties involved what they stand to lose as a company from a vuln to be more effective than focusing on the vuln itself.
B) This is where the Nexus and cheap smartphone come into play: taking the client's domain with a laptop may scare up some results, but showing a client that an attacker could cost them tens of millions with a $20 dollar smartphone or a $100 dollar tablet (from the parking lot) works wonders.
C) I have an interest in learning to exploit everything and anything. This has served me well during network penetration tests, as many targets will defend their DCs, file servers and hosts, but not pay much attention to the printers and IoT devices within the network.
D) To this end, learn to work with uncommon protocols. UPnP, DLNA and SSDP have been serving me well for the last couple of years. Many file servers (and company smartphones/tablets when they are in scope) leave the UPnP door (and associated protocols) wide open. I once grabbed SNMP and other default network appliance creds from a fileserver through UPnP.
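Point D is about file servers that answer UPnP when nobody meant them to. The defender's version of that is an SSDP inventory: send the standard M-SEARCH, parse the HTTP-style responses, and flag anything advertising UPnP that is not on the list of devices expected to (printers, media boxes), plus any response whose LOCATION points at a different host than the one that sent it. This is an added example of mine, not from the original post; the three sample responses, the addresses and the allow-list are constructed.

```python
"""SSDP inventory check: who is advertising UPnP on this segment? (added example)"""
import socket
from urllib.parse import urlparse

SSDP_GROUP = ("239.255.255.250", 1900)


def build_msearch(st="ssdp:all", mx=2):
    """The standard SSDP discovery request (RFC-style HTTPU over UDP)."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp(data):
    """Split an SSDP message into its start line and a dict of lower-cased headers."""
    head = data.decode("utf-8", "replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def review_responders(responses, expected_upnp):
    """responses: [(sender_ip, raw_bytes)]; expected_upnp: set of IPs allowed to advertise.

    Returns sorted (sender, reason, detail) findings.
    """
    findings = []
    for sender, raw in responses:
        start, h = parse_ssdp(raw)
        if not (start.startswith("HTTP/1.1 200") or start.startswith("NOTIFY")):
            continue                                   # not a device advertisement
        if sender not in expected_upnp:
            findings.append((sender, "unexpected UPnP responder", h.get("server", "?")))
        location = h.get("location", "")
        loc_host = urlparse(location).hostname or ""
        if loc_host and loc_host != sender:
            findings.append((sender, "LOCATION points elsewhere", location))
    return sorted(findings)


def discover(timeout=3.0):
    """Broadcast an M-SEARCH and return [(sender_ip, raw_bytes)] for every reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (addr, _port) = sock.recvfrom(2048)
            replies.append((addr, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample responses: a printer (expected), a file server running a
# media server nobody asked for, and a device whose LOCATION points at another host.
PRINTER = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
           b"LOCATION: http://10.0.0.40:80/upnp/device.xml\r\n"
           b"SERVER: Linux UPnP/1.0 Printer/1.0\r\nST: upnp:rootdevice\r\n"
           b"USN: uuid:printer-1::upnp:rootdevice\r\n\r\n")
FILESERVER = (b"HTTP/1.1 200 OK\r\nLOCATION: http://10.0.0.30:49152/description.xml\r\n"
              b"SERVER: Linux/4.4 UPnP/1.0 MediaServer/1.0\r\n"
              b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n")
ODD = (b"HTTP/1.1 200 OK\r\nLOCATION: http://10.0.0.99:8080/desc.xml\r\n"
       b"SERVER: Custom UPnP/1.0\r\nST: upnp:rootdevice\r\n\r\n")
SAMPLE_RESPONSES = [("10.0.0.40", PRINTER), ("10.0.0.30", FILESERVER), ("10.0.0.41", ODD)]
EXPECTED_UPNP = {"10.0.0.40", "10.0.0.41"}

if __name__ == "__main__":
    for sender, reason, detail in review_responders(SAMPLE_RESPONSES, EXPECTED_UPNP):
        print(f"{sender}: {reason} ({detail})")
```

Swap `SAMPLE_RESPONSES` for `discover()` to run it against a real segment; the allow-list is the piece that turns a discovery tool into a control, because the finding is "this file server advertises UPnP and should not", not merely "UPnP exists".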
20) If you are going to pay for certs with your own cash, I recommend the OSCP. Yes, some of the machines/exploits are outdated. You won't find many of the SMB remote exploits used for the course in the wild very often anymore (unless an admin leaves a test server up, which happens occasionally).
However, the overall experience, breakdown of enumeration methodology, self reliance and mindset the entire experience teaches you are invaluable.
I have seen some sites peddling garbage certs with no industry recognition. Save your money for the OSCP; its profile in the industry is high and growing. Certs are no replacement for experience, but starting out with an IT/CS related degree or some general IT experience (even helpdesk work) along with the OSCP will get you hired somewhere.
21) For persistence, I prefer adding innocuous user accounts/Remote Desktop accounts.
If I am going to add some form of privileged user account early to mid engagement, I commonly try to add a more low profile account (if I have the option) such as Server Operator; these types of accounts allow privileged access you can build from, but mostly are not watched with the scrutiny of an Administrator account.
When I do create Administrator accounts (I try to wait until I begin my endgame), I will try to match the naming convention of similar accounts within the network.
For example, if the Administrator accounts within the network are named USsupervisor, I will name the added account something like USupervisor. If I know the clear text password of the account I have mimicked, I will use the same password.
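The USupervisor/USsupervisor trick works because humans skim account lists. A machine does not, so the audit side of point 21 is a short script: pull the account list with group memberships, flag any member of a privileged group that is not on the approved list (this catches the quiet Server Operator account too), and flag any name within a small edit distance of an approved privileged name. Added example of mine, not from the original post; the account list, group names and approved list are constructed, and the distance threshold is an assumption.

```python
"""Audit for unapproved and lookalike privileged accounts (added example)."""

# Built-in groups whose membership deserves scrutiny (assumed list for the example).
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Server Operators", "Account Operators", "Backup Operators",
    "Remote Desktop Users",
}


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit_accounts(accounts, approved_privileged, max_distance=2):
    """accounts: [(name, set_of_groups)]; approved_privileged: names allowed privilege.

    Returns sorted (account, reason) findings. Comparison is case-insensitive
    because Windows account names are.
    """
    approved = {n.lower(): n for n in approved_privileged}
    findings = []
    for name, groups in accounts:
        privileged = groups & PRIVILEGED_GROUPS
        if privileged and name.lower() not in approved:
            findings.append((name, "unapproved member of " + ", ".join(sorted(privileged))))
        for ref_lower, ref in approved.items():
            d = levenshtein(name.lower(), ref_lower)
            if 0 < d <= max_distance:
                findings.append((name, f"lookalike of {ref} (distance {d})"))
    return sorted(findings)


# Constructed sample: one real admin, one lookalike, one quiet Server Operator,
# one ordinary user and one approved service account.
SAMPLE_ACCOUNTS = [
    ("USsupervisor", {"Administrators", "Domain Users"}),
    ("USupervisor", {"Administrators", "Domain Users"}),
    ("ops-helper", {"Server Operators", "Domain Users"}),
    ("jdoe", {"Domain Users"}),
    ("backup-svc", {"Backup Operators"}),
]
APPROVED_ADMINS = {"USsupervisor", "backup-svc"}

if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS):
        print(f"{account}: {reason}")
```

Diffing the output of this against yesterday's run is the cheap version of the "watched with scrutiny" the post describes, and it applies to every privileged group, not just Administrators.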
22) Keep good notes during the engagement; too much information is better than too little information. Captured PCAPs of network traffic are great for testing during down time between engagements.
23) If you are a hacker, freedom fighter, or someone mostly concerned about max privacy, this series of articles and configurations is for you:
https://www.ivpn.net/blog/privacy-guides/advanced-privacy-and-anonymity-part-1586
24) My favorite distro is BackBox; it starts out with a solid set of tools minus the obscure bloat (and so far I have been able to add anything Kali has to BackBox). You can use BackBox's "Anonymous" option for a full transparent Tor proxy, Macchanger and hostname changer, and to set RAM to overwrite on exit.
I also keep Portable VirtualBox on a USB drive with a Kali Linux image...
You could follow some of the advice here: http://www.torforum.org/viewtopic.php?f=2&t=18320201
And here: http://www.torforum.org/viewtopic.php?f=2&t=18320201
The articles above could help you create an encrypted USB with a Whonix gateway and Kali Linux workstation (you could probably swap the Kali OS in the Whonix Workstation for any Debian/Debian-like OS).
This configuration is disposable and concealable, and will run all of the Kali workstation's (or other Debian/Debian-like OS's) traffic through Tor. You could also create multiple other vanilla Whonix Workstations/Gateways on the USB to create a type of local jumpbox sequence to tunnel between/through SSH and/or VPN them before the final Kali workstation.
(Note: This is just a gut feeling, but for your own OpSec/security/anonymity, you are probably best replacing the Kali workstation with another Debian/Debian-like distro. I have tried Katoolin in the Whonix Workstation, but I find that Katoolin often breaks it.)
25) A VPS with your pentest tools installed is a valuable commodity; I call mine DeathStar, and I can call down some thunder from my Nexus 7 2013 flo (and a prepaid wireless hotspot) from pretty much anywhere.
There are some providers who do not give a damn about the traffic leaving your VM as long as you are using a VPN and a DMCA does not come their way.
For hackers and freedom fighters, get your VPS from a country outside the Fourteen Eyes countries (providers in Eastern European/former Soviet Bloc countries can be both dirt cheap and extremely honorable; just do your research and have tolerance for the occasional technical issue).
You could pay with laundered/tumbled Bitcoin; even better are those providers who accept gift cards (much like some VPN providers do) as payment.
Have another party purchase the gift cards a good distance away from you; you can find some of these providers who accept gift cards on Low End Box. The VPS can be a valuable addition to the encrypted USB above (as you now have a host/node to take hold of your reverse shells without sacrificing Tor) when combined with SSH or IPsec (such as strongSwan, which is in the Debian repos).
26) Again, this post was long because I am busy, and I wanted to make the contribution I felt I owed this site since soon after it began. If you have technical questions concerning any of this (or any questions in general), please post them as comments and I will definitely get you back an answer.
I receive got made some tiddler edits since start posting this every bit to farther clarify a distich of points.
I joined this community a spell ago; I have/had been a lurker for fifty-fifty longer. H5N1 huge component division of what made the hacker community what it was (and what it is here) involves a willingness to portion knowledge (without spoonfeeding).
I would experience remiss if I gained so much from so many of you lot too did non give something dorsum on occasion.
What follows are anecdotes, opinions too observations I tin portion after almost seven years working professionally inwards the InfoSec/Netsec field.
Most of my piece of job inwards this sphere has been anchored inwards Penetration Testing. Even when my official designation was Network Security Analyst, I spent most of those three years inwards engagements against PCI environments utilized for subcontracting piece of job from Comcast, Verizon, Time Warner, Sprint too AT&T (to call a few of my quondam employers clients).
Currently, I handle the Cybersecurity Lab of an International companionship that employees over 200,000 employees. Most of my piece of job inwards my electrical current seat involves Penetration Testing (every type imaginable, including focused blackbox testing against embedded devices too the network/control structures surrounding them).
I am also a atomic number 82 indicate of contact for our international teams during remediation too triage of major safety threats, incidents too breaches.
For example, I was the my company’s caput analyst for the recent Shamoon 2.0 attacks (W32.DisttrackB/W97M.Downloader) in conclusion February, every bit good every bit the recent Wannacry outbreak.
I also serve inwards a Security Engineer capacity, every bit I am regularly asked to evaluate facets of our products too supply feedback too opinions on the safety ramifications involved.
I am extremely busy too wanted to give dorsum what I receive got taken so far, so this is going to locomote long...
Here goes nothing:
1) I am completely self taught (meaning I acquired no college/formal didactics to acquire where I am).
That existence said, a corporation Computer Science grade is invaluable every bit a base of operations (I would mostly avoid Cybersecurity degrees too locomote for CS ), too fifty-fifty the grade itself volition opened upward doors into this business.
Also, I piece of job amongst high-level engineers (CS too Electrical Engineering PhDs); what they tin do inwards a brusque menses of fourth dimension 1 time they receive got an involvement inwards InfoSec/NetSec is frightening.
2) That leads me to this: to locomote neat at anything (including InfoSec/NetSec), I believe that your pursuit must acquire a sort of lifestyle. Between piece of job too farther study/skills edifice (as good every bit fourth dimension I invest inwards InfoSec/NetSec activities such every bit my daily reading), I easily invest 80+ hours per calendar week inwards this pursuit.
And I dear merely most every infinitesimal of it. There is a huge demand for InfoSec/NetSec professionals,which I experience is going to atomic number 82 to a overflowing of depression knowledge, depression passion, depression science hiring.
Anyone trying to acquire into this manufacture for the cash lone is going to receive got a rude awakening: at that topographic point are belike lower pressure, lower piece of job hr ways to earn the same money doing something that truly interests you..
Also, those of us truly invested inwards these arts tin pretty easily spot our own.
3) Learn to study, too acquire to dear the deed of studying. Much of this task is continual study; eventually, when presented with an number youare ignorant of, you lot volition experience confident inwards knowing that you lot tin uncovering the answers you lot need.
Break the number into small, manageable pieces (goals really), too lay the pieces together until you lot tin view the whole answer.
4) Most of my success inwards this manufacture has been due to a willingness to piece of job hard, persevere too never give up. Ever. Most of this task is the creative solving of problems that do non or may non receive got whatever like shooting fish in a barrel reply (or whatever reply at all…yet).
You receive got to construct a no retreat, no surrender, obsessive demand to conquer problems.
5) I specialize inwards network penetration, though I receive got acquire fairly good rounded. To me, network penetration is the fine art of acquiring advantages.
During an engagement, I am ever looking to acquire advantages. I study too prepare to amend recognize too maximize the resources inside an surroundings that allow me to gain those advantages.
Gaining these advantages are to a greater extent than a production of knowledge too experience too so an application of tools.
6) I am also looking to locomote efficient; the best penetration tests replicate existent globe attacks. In that vein, each activity you lot receive got raises the probability that you lot volition locomote detected.
For hackers too liberty fighters engaged inwards illegal activity,you may desire to consider the latter a bit. Once you lot brand ingress too launch whatever trend of offensive action, you lot receive got escalated the legal ramifications of your trespass past times multiple magnitudes.
Also call back that the probability of you lot getting caught too prosecuted is never 0.00%: you lot receive got to locomote prepared, you lot receive got to locomote careful, you lot receive got to locomote patient too you lot receive got to prepare contingencies.
7) I utilization a measurement/assessment of endangerment vs. payoff to brand each activity inside the network every bit efficient every bit possible; past times percentages,losing a queen to receive got a rook is mostly a loser’s bet.
The best agency I’ve learned to temper a careful approach is with an old sales slogan (“ Always locomote closing the deal”, which I modified to “Always locomote advancing your position(s)”).
7) I attempt every bit much every bit possible to engage a target every bit a stalking, ambush predator: I motion carefully too attempt to utilization the surroundings to shroud myself every bit I seek to exploit the target/objectives lack of awareness.
I piece of job to remain patient too identify/quantify every bit many of the variables of the electrical current environment/situation every bit possible.
Sometimes the best determination you lot tin brand is to wearisome downwards or concord your electrical current seat for a bit; watching Tcpdump or Wireshark spell thinking on a amend motion is nevertheless advancing your
position.
8) To lower the probability of detection (whenever possible) I endeavor to attack, enumerate or probe from an obfuscated position.
Configuring your attack host/node for the highest probability of situational anonymity (using tunneling, proxies, encapsulation, etc.) is infinitely useful in pentesting, hacking and/or general security/privacy.
Mastering the manipulation of proxy, tunneling and encapsulation protocols (which involves a deep understanding of networking/TCP/UDP) almost lends you quasi-magical invisibility and teleportation powers when involved in network penetration.
Obfuscation itself is one of 10,000 reasons why experience/knowledge in the disciplines of networking, OS and programming combined with security research are such huge advantages (and another reason why if you take up this path you may never stop learning).
9) Learn to use every tool you can, but more importantly, learn why the tool works. If you work in/at exploitation long enough, the principles governing the tools will help you exploit a box someday, regardless of whether you use that particular tool to get the wanted/needed result.
9) Knowledge/experience over tool use is especially important today: regardless of what many sites say, you will not find many enterprise/corporate networks today (as a professional penetration tester at least) where there are gross configurations/deployments leading to an easy, out of the box (deploy tool == Meterpreter) exploitation.
10) When training for a fight, professional mixed martial artists put themselves in the worst possible positions so they react properly when the fight is underway.
Eventually, training/practicing your exploitation/research techniques the same way will be a huge boon in engagements, POCs (or in the wild). I especially like to round difficulty up during research; it is hard for someone else to minimize your findings if you have added (and circumvented) greater security measures than the norm (rather than having reduced them).
11) Most of my exploitation of networks in the last couple years has been a process of discovering network misconfigurations and weaknesses (especially in Windows firewall, Programs and Features, LGPO/GPO policies and/or IE/Internet Options within Windows Domains/Networks) or information leaks that I locate online or through DNS enumeration that ultimately leads to my gaining access to a host.
From there, remote exploitation (toward post exploitation/privilege escalation/pivoting) will often occur. This is largely when knowledge of things such as Powershell (leveraged by itself or tools like Powersploit/CrackMapExec/PsExec/Empire) becomes invaluable (in Windows networks).
I have actually been finding easier remote exploits when attacking Linux/Unix boxes in enterprise networks (finding Solaris with Apache Tomcat during enumeration still springs hope eternal in my chest).
Many (actually, maybe all) of these companies are/were new at deploying Unix/Linux boxes in their networks and were making some serious mistakes with deployment.
12) Enumeration is the most important part of an engagement to me. You should get used to enumeration without automated tools; I love Nmap, but many times it is not viable to use within the customer’s network (network overhead issues, the risk of detection by IDS, the risk of breaking PLCs or other embedded devices, etc.).
In cases where you are on the customer’s network, tools like Wireshark, Tcpdump, knowledge of networking protocols/ports and banner grabbing are your friends.
13) For those engagements where you first need to gain access to the network, you definitely have more room for running some louder tools:
I love Fierce (and DNS enumeration in general) as it often presents my way in.
Google dorking is still also an incredible tool, as is Firefox with the right set of extensions (Hackbar, Tamperdata, Wappalyzer, BuiltWith, Uppity, IP Address and Domain Information, etc.).
Who loves Dirbuster in these circumstances? This carbon/caffeine based lifeform right here.
Whether you are pentesting, bughunting or hacking/freedom fighting, a paid Shodan subscription ($50) is worth every cent. The capacity to make exacting, accurate searches for greater than 5 pages has helped me in more engagements/bughunts than I can remember.
14) When I am explaining why a config/setting/LGPO/GPO (etc.) is a security risk to a client or my fellow employees, I like to explain that many of the advantages I look for in my environment are most often advantages that are needlessly provided to me.
If it does not break key functionality or seriously impede efficiency/development time, then it is in their best interest to deny me as many advantages as possible, even when the advantages appear as if they are minutia.
When dealing with a client or non-security fellow employees, you should work to create a relationship of mutual help and teamwork.
I am not there to rub their noses in their crap; I am there to help improve their security so the company can prosper. This is partially a customer service gig where solutions (remediation/counter measures) are more beneficial to the client than the exploitation itself.
Whenever possible, I like to end the post-exploitation/penetration test conversation/meeting/presentation with the attitude that I am here to help fix these issues, how can WE best close these gaps? How can I help make your (or our) company safer, so that we can become more prosperous?
15) I personally despise Microsoft (and many proprietary products/companies) on many levels, but when it comes to work, I am platform agnostic. Whatever tool is needed to complete the mission is the tool I am going to employ.
However, whenever possible without jeopardizing the mission, I am going to employ an Open Source/Unix/Linux-centric solution.
I work hard to show my company the value in Open Source. The way to show that value isn’t to be the super Unix/Linux/GPL neckbeard who constantly bemoans proprietary software/platforms.
The best way (for me) is to show how effective the strategy involving the Open Source tool is. Then, in my report, I explain the business hook of using Open Source (if the tool is free for commercial use).
I am sensitive to companies taking Open Source tools and turning them into something proprietary.
However, if I can make my company (which is both huge and almost universally recognized as ethical, which is rare) see the value in Open Source, I know they will eventually incorporate Open Source into the support packages for their products (which they have while keeping the tools' promotion and the license intact).
This then spreads the value of Open Source to smaller companies who see it being trusted by a much larger company.
16) I have tens of thousands of dollars worth of licenses at my disposal. However, I will never use tools like Nexpose, Nessus, Canvas or Metasploit Pro unless the project, client, or a governing body specifically requires them.
I believe these tools develop poor habits. Obviously, if a project such as evaluating an entire domain of IP/hosts for vulnerabilities is my task, I am going to use Nessus. However (whenever time/project permits, which they most often do), I am going to evaluate the findings (and search for other vulnerabilities) manually.
17) The ultimate goal should be reliance on nothing more than a Linux/Unix Terminal, some form of network access and a programming language. One of my favorite exploitation tools is my Nexus 7 2013 flo tablet (running a modified version of Nethunter) and a Bluetooth folio keyboard (I got the idea from n-o-d-e, https://www.youtube.com/watch?v=hqG8ivP0RkQ713) as the final product is a netbook that fits in a jacket pocket.
I have exploited some seriously huge clients with this little rig (for ingress and a quick root shell, WPS on network/enterprise printers and knowledge of PCL/PJL/Postscript are often your friend).
I have also exploited other customers with a cheap UMX smartphone with 5 gigs of storage, 1 gb of memory and GNUroot Debian (Guest Wifi access from the parking lot or an onsite public restroom, human nature, and Responder.py analyze mode, followed by WPAD, LLMNR and NetBios poisoning with NTLMv1 and LM auth downgrade for the win).
18) During (red team, onsite, etc.) engagements, even when the ultimate target of the engagement is located on a hardwired network with heavy segmentation/compartmentalization (such as the conduit/zone based layouts that are general best practice in Industrial sectors), it is always worth gaining a host/node with corporate WIFI access.
One thing WIFI access provides is reach: an Administrator’s (or other privileged user’s) dedicated workstation may be out of reach, but his other devices (if in scope) may be connected to Corp. WIFI for reasons such as saving data on a plan.
Also, WIFI allows me attacks of opportunity even when I am doing other things. Running Responder.py on a misconfigured network’s WIFI while I am otherwise engaged is gaining me advantages (maybe clear text creds, maybe hashes, maybe NTLMv1 and LM hashes) at little cost to my time or attention.
When I employ this, I like to spoof the poisoning machine's hostname/MAC address to something familiar on the network. If you see a bunch of hosts named “Apple” during your recon, and all of those hosts are not online, spoof the hostname/MAC to match one of the Apple machines (this will not withstand close scrutiny, but will often suffice with a little work).
It always helps to watch and take note of the norms of the network traffic and protocols. Try to match this as much as possible (this will likely help you avoid IDS/IPS, firewall rules, etc.) and whatever traffic would seriously stand out, try to tunnel or encapsulate with normal network traffic/protocols.
19) This leads to 2 other points:
A) Be prepared for the majority of people within a company who do not care about, or will minimize, security issues. Do not get frustrated; I find that showing the parties involved what they stand to lose as a company from a vuln to be more effective than focusing on the vuln itself.
B) This is where the Nexus and cheap smartphone come into play: taking the client’s domain with a laptop may scare up some results, but showing a client that an attacker could cost them tens of millions with a $20 dollar smartphone or a $100 dollar tablet (from the parking lot) works wonders.
C) I have an interest in learning to exploit everything and anything. This has served me well during network penetration tests, as many targets will defend their DCs, file servers and hosts, but not pay much attention to the printers and IoT devices within the network.
D) To this end, learn to work with uncommon protocols. UPnP, NTLDNA and SSDP have been serving me well for the last couple years. Many file servers (and company smartphones/tablets when they are in scope) keep the UPnP door (and associated protocols) wide open. I once grabbed SNMP and other default network appliance creds from a fileserver through UPnP.
20) If you are going to pay for certs with your own cash, I recommend the OSCP. Yes, some of the machines/exploits are outdated. You won’t find many of the SMB remote exploits used for the course in the wild very often anymore (unless an Admin leaves a test server up, which happens occasionally).
However, the overall experience, breakdown on enumeration methodology, self reliance and mindset the entire experience teaches you are invaluable.
I have seen some sites peddling garbage certs with no industry recognition. Save your money for the OSCP; its profile in the industry is high and growing. Certs are no replacement for experience, but starting out with an IT/CS related degree or some general IT experience (even Helpdesk work) along with the OSCP will get you hired somewhere.
21) For persistence, I prefer adding innocuous user accounts/Remote Desktop accounts.
If I am going to add some form of privileged user account early to mid engagement, I usually try to add a more low profile account (if I have the option) such as Server Operator; these types of accounts allow privileged access you can build from, but mostly are not watched with the scrutiny of an Administrator account.
When I do create Administrator accounts (I try to wait until I begin my endgame), I will try to match the naming convention to similar accounts within the network. if a
For example, if the Administrator accounts within the network are named USsupervisor, I will name the added account something like USupervisor. If I know the clear text password of the account I have mimicked, I will use the same password.
22) Keep good notes during the engagement; too much information is better than too little information. Captured PCAPs of network traffic are great for study during down time between engagements.
23) If you are a hacker, freedom fighter, or someone mostly concerned about max privacy, this series of articles and configurations is for you:
https://www.ivpn.net/blog/privacy-guides/advanced-privacy-and-anonymity-part-1586
24) My favorite distro is Backbox; it starts out with a solid set of tools minus the obscure bloat (and so far I have been able to add anything Kali has to Backbox). You can use Backbox's "Anonymous" option for a full transparent Tor proxy, Macchanger and host name changer, and set RAM to overwrite on exit.
I also keep Portable Virtualbox on a USB drive with a Kali Linux image...
You could follow some of the advice here: http://www.torforum.org/viewtopic.php?f=2&t=18320201
And here: http://www.torforum.org/viewtopic.php?f=2&t=18320201
The articles above could help you create an encrypted USB with a Whonix gateway and Kali Linux workstation (you could probably swap Kali OS in the Whonix Workstation for any Debian/Debian-like OS).
This configuration is disposable and concealable, and will run all of the Kali Workstation's (or other Debian/Debian-like OS) through Tor. You could also create multiple other Vanilla Whonix Workstations/Gateways on the USB to create a type of local jumpbox sequence to tunnel between/through SSH and/or VPN them before the final Kali workstation.
(Note: This is just a gut feeling, but for your own OpSec/security/anonymity, you are probably best replacing the Kali workstation with another Debian/Debian-like distro. I have tried Katoolin in the Whonix Workstation, but I find that Katoolin often breaks it).
25) A VPS with your pentest tools installed is a valuable commodity; I call mine DeathStar, and I can call down some thunder from my Nexus 7 2013 flo (and a prepaid Wireless hotspot) from pretty much anywhere.
There are some providers who do not give a damn about the traffic leaving your VM as long as you are using a VPN and a DMCA does not come their way.
For hackers and freedom fighters, get your VPS from a country outside Fourteen Eyes countries (providers in Eastern European/former Soviet Bloc countries can be both dirt cheap and extremely honorable; just do your research and have tolerance for the occasional technical issue).
You could pay with laundered/tumbled Bitcoin; even better are those providers who accept gift cards (much like some VPN providers do) as payment.
Have another party buy the gift cards a good distance away from you; you can find some of these providers who accept gift cards on Low End Box. The VPS can be a valuable addition to the encrypted USB above (as you now have a host/node to catch your reverse shells without sacrificing Tor) when combined with SSH or IPsec (such as Strongswan, which is in the Debian repos).
26) Again, this post was long because I am busy, and I wanted to make the contribution I felt I owed this site since soon after it began. If you have technical questions concerning (or any questions in general), please post them as comments and I will definitely get you back an answer.
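A defender's check for the persistence pattern in point 21 (new accounts named to look like existing privileged ones, e.g. USupervisor beside USsupervisor), as an added example that is not part of the original post. The event lines are constructed and only loosely modelled on Windows account-creation events (Event ID 4720); the field layout, the privileged-name inventory and the homoglyph table are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real logs). The field layout is an assumption,
# loosely modelled on Windows Security Event ID 4720 (user account created).
SAMPLE_EVENTS = [
    "2017-06-01T09:12:03 EventID=4720 TargetUserName=jsmith SubjectUserName=USsupervisor",
    "2017-06-01T11:40:55 EventID=4720 TargetUserName=USupervisor SubjectUserName=USsupervisor",
    "2017-06-02T08:03:17 EventID=4720 TargetUserName=svc-backup SubjectUserName=USsupervisor",
    "2017-06-02T22:15:41 EventID=4720 TargetUserName=adrnin SubjectUserName=USsupervisor",
    "2017-06-03T10:00:00 EventID=4732 TargetUserName=USupervisor SubjectUserName=USsupervisor",
]

# Assumed inventory of privileged account names for the domain being watched.
PRIVILEGED_ACCOUNTS = ["USsupervisor", "admin", "Administrator", "backupadmin"]

# Character sequences that read the same at a glance; folded before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+TargetUserName=(?P<target>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case, fold homoglyph pairs and strip separators so that
    'adrnin' and 'ad-min' both compare as 'admin'."""
    folded = name.lower()
    for src, dst in HOMOGLYPHS:
        folded = folded.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; each inserted, deleted or substituted character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return timestamp, event id and the created account name, or None."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def closest_privileged(name: str, privileged: List[str]) -> Optional[Tuple[str, int]]:
    """Nearest privileged name (edit distance on normalized forms) and its
    distance. An exact case-insensitive match is the account itself, not a
    lookalike, so it is skipped."""
    best = None
    for p in privileged:
        if name.lower() == p.lower():
            continue
        d = levenshtein(normalize(name), normalize(p))
        if best is None or d < best[1]:
            best = (p, d)
    return best


def scan(lines: List[str], privileged: List[str], max_distance: int = 2) -> List[Dict]:
    """Flag account-creation events whose new name lands within max_distance
    edits of a privileged account after homoglyph folding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "4720":
            continue  # only account-creation events are of interest here
        match = closest_privileged(ev["target"], privileged)
        if match and match[1] <= max_distance:
            findings.append({"time": ev["ts"], "target": ev["target"],
                             "looks_like": match[0], "distance": match[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(f"{f['time']} new account {f['target']!r} resembles privileged "
              f"{f['looks_like']!r} (edit distance {f['distance']})")
```

The 4732 line (group membership change) is deliberately ignored so the check stays focused on creations; pairing it with the same lookalike test would catch the Server Operator variant from the same point.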
################
Thank you SmartOne.
Answers to your questions are below. You had asked for advice; I have taken this request seriously, and so the length of the reply.
Whatever you choose to do in this field, it all comes down to competency. What anyone says isn't as important as what they can do at the keyboard or with a soldering iron.
It all boils down to skills, knowledge, experience and development.
That is why I feel you must truly love what you do in this field, because you are going to have to spend most of your time improving at it. If it isn't fun, then the time sink will drive most running toward something else.
You had stated that you are a software guy; so for this example I am going to say you worked/work as some form of engineer or developer of web based applications.
This would mean you already have many very important skillsets that can be bent to serve you in whatever InfoSec/NetSec path you choose.
For example, you would likely already have developed intangibles such as an eye for detail and an ability to concentrate focus for extended periods, which are hard to teach someone.
Not to mention that a competent programmer has an excellent, high level advantage in this industry. Even if you do not find the languages you specialized in immediately useful, you have the capacity to learn others at an expedited rate (and likely have applicable experience in secure development, code review, etc).
It is really going to come down to what you want to specialize in. Once you have some idea about what you want to do, make the skills you already have work for you toward that goal.
Let us further the example by saying you wanted to become a Penetration Tester, and you wanted to specialize in Network Penetration (easily my favorite facet of my career).
Then I would say continue to focus about 80% of your development toward network penetration skills, but also weaponize your past Web Development background: dedicate about 10% to 20% of your total development time into studying and gaining a deep working knowledge of the OWASP Top 10 (fortunately, the exploitation methods/vulns listed in the Top 10 do not usually shift violently).
Why? Often, you can find a way into the target network via Web Application Penetration. If you had some form of Web Development background, your current skillsets maximize whatever time you spend learning Web Application Penetration.
Which in turn adds a valuable, more familiar weapon to your Network Penetration skillset (your ultimate goal).
Train hard, train smart and have fun. If you are consistent, you will be amazed where you are a year from now.
How did I start to learn InfoSec?
Like anything else in life, if you know what you want, then develop a plan that develops the skills you need to get there. If you are steadfast and willing to make sacrifices equivalent to your ambitions, you will get there.
When I got really serious about developing my skills, I developed a training regimen of at minimum 4-8 hours of study/research/practical training a day, at least six days a week (I did this with a full time job working between 40-60 hours a week).
The best way to learn is to do; when I was pushing forward with my development, there were a (slowly) increasing number of (a few) vendor bounty programs (now called a bug bounty).
Google had been doing so for a while at that point. They were offering bounties and allowing most (it may have been all) of their domains to fall within scope.
(Note: In the present, Yahoo's bug bounty program has all of their domains within scope, including acquisitions.)
I took full advantage of these real world opportunities; I didn't even bother to graduate past the enumeration stage for months.
Attacking/enumerating applications like DVWA, Windows/Linux/Unix VMs, or any of the Metasploitables are good practice.
However, I would probably join BugCrowd, find a program/customer where attacks on most (if not all) of their domains are within scope, and begin/conduct your live training that way.
This method has multiple advantages, not the least of which being that you will develop more current, real world skills. This will also make your research/study more efficient as you will invariably gear some portion of your training by experiences you have against live hosts.
SmartOne, it also seems like you are interested in improving your knowledge of networking, so I will tell you how I have grown mine:
The way I learn is to begin with studying a basic overview of something and fill in the gaps of my understanding with more and more complex material.
The Prof Pro's CompTIA Network+ Study guide is a good example ( http://www.proprofs.com/mwiki/index.php/Comptia_Network%2B_Study_Guide69 ) of materials that are like those I have applied the principle to in the past.
The link takes you to the index of Prof Pro's Comptia Network+ study guide. I never prepared/studied for Network+; I just have a weakness for bookmarking clear, concise reference materials.
Much of the knowledge in the study guide could be considered basic, which is a damn fine start. However, let us say you run into vocab or concepts that need greater clarity (let us call such an example concept A),
And the magic happens: by seeking clarity from other sources, you find that you need to study concept B to better understand concept A. To better understand concept B, you need to learn a bit of something about concept C.
Before you know it, hours have passed and the branches of your networking knowledge have grown in multiple directions.
The programming languages that I know:
Python 2.something to 2.7.8; I haven't even touched Python 3.0 outside reading documentation to make necessary changes to modules/exploits/tools. I learned Python for those situations wh
I wouldn't call myself a programmer though; I lack the talent and inventiveness in programming that allows for project design and creation (which is magic really).
I know enough C to get a module, exploit or tool to do what I need if there is a minor issue. Fluency in C and ASM are high on my list of dream skill acquisitions.
Where scripting languages are concerned (though many call Python a scripting language), I am proficient in Bash and Powershell.
I have some knowledge in a number of other scripting/G4L/programming languages, but that knowledge is strictly exploitation related. I may be able to spot a dangerous string of PHP that could lead to LFI/RFI on a site, but I cannot program in it.
Do I attend security cons:
Not yet; I keep an extremely low profile; this is actually the first community I have ever joined online. I am also extremely busy and my work flow can go from 1 to 100 in seconds.
I love the spirit and content coming out of DefCon, ShmooCon, BlackHat and CCC every year (and HOPE every 2 years). I usually watch all of the recorded presentations each year.
Someday I would like to go to Defcon, CCC and HOPE in the same year; kind of like paying my respects to the holy land.
##############
Thisadamis-
Thank you for your kind words.
You already have 10+ years of technology experience....so that is a big plus.
If you are looking to be pursuing a pentesting/InfoSec career within a year, I would whittle down your pursuits a bit (then get back to learning everything and anything afterward and forever more).
The OSCP would probably be the best thing to go after in such a short period. To help prep in that pursuit (looking over the list you posted), getting a solid understanding of Linux, Bash, Python and some Powershell (and applying what you learn/practice in a pentest lab) would definitely be helpful.
Personally, that is what I find myself using most when I am pentesting (Bash, Python, Powershell) now.
As well as studying for the OSCP, you may want to stay current on (and practice) current pentesting techniques. Don't skimp on some solid practice where privilege escalation is concerned; run killav, getprivs, getsystem or load mimikatz or load incognito in a straight shot are pretty rare these days.
Lately I have been loving Power Tools, CrackmapExec, Kerberoasting, Invoke Mimikatz and psexec_scanner.rb (not newish...but combined with Invoke Mimikatz...).
I mention these because they (or my strategies when using them) heavily call upon Powershell usage.
This place (in my view) is the best place to learn and hang your hat; the folks here are doing cutting edge stuff, and not focusing on what worked in 2011. I am literally blown away by some of the tutorials going on in this place...
With your background, if you focus on the OSCP and work like a mad person to improve your skills, then it is definitely doable. Good luck and get after it!
##############