»Modern pentest tricks for faster, wider, greater engagements«
2018-10-18, 15:00–15:45, Europe

The pentesting domain is constantly evolving and has changed quite a lot in the last decade, producing more and more sophisticated, (bug-free) and complete tools. The ability to process wide data sets coming from multiple tools is becoming a true pentesting core skill. This talk is nothing but the will of a pentester with 7 years of experience to share the coolest techniques, tools and procedures that he learned over time and that not everyone might be aware of. If you have never heard of Jython, sift, PyInstaller, CSVKit, Impacket, Frida or GNU Parallel, or you have no clue how they can be applied to your day-to-day pentesting job, come on in; you will for sure (I hope) take at least something practical back from this talk.

  • Who am I (2 minutes): in short, a French, professionally passionate infosec hobbyist
  • Introduction & context (4 minutes)
  • How the pentesting domain evolved, that is to say: what is now possible that wasn’t a few years ago
  • Mass-scanning the planet
  • Querying a self-made OSINT platform (cf. Modern Internet Scale Reconnaissance talk @ BSides LV 2017)
  • PowerViewing and CrackMapExecing corporate networks
  • BloodHounding domain admins
  • Responder-ing users
  • ...and many other things

  • Why it is important to adapt to new methods

  • Because of a recent paradigm shift: security folks now like to program, hence greater tools get produced
  • For faster, wider, greater engagements

  • Modern tricks (35 minutes)

  • During reconnaissance, (post)exploitation and reporting: data analysis
  • The importance of having CSV outputs: Keep It Simple Stupid (when you can)
  • CSVKit
  • Principle: a suite of tools to do whatever you want or ever dreamed of doing with a CSV file (convert, format, look, grep, sort, cut, join, stats)
  • Use-cases: the sentence above
  • [Demo #1]: csvlook and csvstat on a Nessus file, to know what’s inside the file without touching it
  • [Demo #2] csvsql or “how to perform SQL queries on a CSV file”
  • [Demo #3] csvpy or “how to dynamically inspect a CSV file in a Python interpreter”

  • Dataiku

  • Principle: do anything you could with Excel but more easily and more quickly, with custom code and beautiful charts
  • Use-cases: cross multiple complex inputs
  • [Demo #4]: load your heavy Nessus output file and perform some actions on it (sorting on plugins, severity etc.)

  • During reconnaissance (and probably other phases too): parallel processing

  • GNU Parallel
  • Principle: a Perl script that parallelizes any command you want to run, in order to maximize your I/O and CPU usage
  • Use-cases: anything you did with xargs; Parallel is a drop-in replacement for xargs
  • [Demo #5] DNS enumeration with dig with results compared to other tools (dnsenum, etc.)
  • [Demo #6] URL enumeration with wfuzz on multiple targets simultaneously

  • nmaptocsv

  • Principle: convert nmap or masscan results to csv
  • Use-cases: when your target IP range is closer to a /16 than a /27
  • [Demo #7] converting a large nmap result, showing the different options

  • webscreenshot

  • Principle: taking screenshots of a list of websites
  • Use-cases: again, when your target websites list is closer to 1000 than 10
  • [Demo #8] screenshotting a large list of sites with webscreenshot, showing tricks to sort the results

  • During exploitation: static and dynamic analysis

  • Jython
  • Principle: writing Python code that runs on the JVM, allowing you to use Java classes AND Python libraries in the same snippet
  • Use cases:
    • Quickly rewriting a code snippet from a Java decompiled bytecode
    • Executing a Java / Android snippet from a third party crypto lib
    • Writing Burp Suite extensions
  • [Demo #9] reimplementing a custom-wtf-password-obfuscation routine from a decompiled Android app in Jython

  • Frida

  • Principle: writing JavaScript code to instrument binaries
  • Use cases: pure reverse-engineering, altering the execution flow, dumping secrets
  • [Demo #10] recovering an Android application encryption key at runtime

  • During exploitation and post-exploitation: weaponizing a script

  • PyInstaller
  • Principle: convert your Python script into an executable file (PE or ELF) embedding a Python interpreter plus your cool script
  • Use-cases: compiling great Python tools into PE files in order to drop them on a Windows box where you just can’t (or don’t want to) have a reverse shell or meterpreter
  • [Demo #11] showing example scripts from the Impacket framework (smbexec, wmiexec, etc.) compiled for Windows
  • [Demo #12] compiling a random yet useful script to show that it is really easy and more importantly, that it does work

  • Taking a step back (4 minutes)

  • Main conclusion: intense parallelization and data analysis techniques will truly be needed as a core skill for pentesters
  • Final word: pentesters, go back to your shell and start applying these tricks :-)

  • Questions (5 minutes)