Jan 8th 2018 by Zeekawla99ii • 27 Questions • 32 Points
I am an infosec professional and "red teamer" who, together with a crack team of specialists, is hired to break into offices and company networks using any legal means possible and steal corporate secrets. We perform the worst-case scenarios for companies using combinations of low-tech and high-tech attacks in order to see how the target company responds and how well their security is doing.
That means physically breaking into buildings, performing phishing against the CEO and other C-level staff, breaking into offices, planting networked rogue devices, getting into databases, ATMs and other interesting places depending on what is agreed upon with the customer. So far we have had a 100% success rate, and with the work we are doing we are able to help companies improve their security by giving advice and recommendations. That also includes raising awareness on a personal level by photographing people in public places exposing their access cards.
AMA relating to real penetration testing and on how to get started. Here is already some basic advice in list and podcast form for anyone looking to get into infosec and ethical hacking for a living: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/
Proof is here
Thanks for reading
EDIT: Past 6 PM here in Copenhagen and time to go home. Thank you all for your questions so far, I had a blast answering them! I'll see if I can answer some more questions later tonight if possible.
EDIT2: Signing off now. Thanks again and stay safe out there!
In percentages, how much of your work is hacking in the old sense, like reverse engineering, digital tampering and usurping some kind of computer or other electronic gadget? How much is social engineering, role playing and in general would not need a keyboard?
Information gathering, pretexting and recon usually (there are exceptions) take up 3/4 of the time spent on a job. Actual time on the customer network itself is usually only a few days compared to the many weeks of preparing phishing and social engineering scenarios, because we will already know where the systems we have to access are and will already have gathered so many credentials to be able to access them. Most time spent after that is actually finding the target data we are after, versus what user accounts and roles give access to what. Good question.
Have you ever gotten in trouble with the law? I mean as in, the police got involved before you could pull out whatever papers allowed you to break in etc?
Companies and organisations usually rely on their own security services and departments first before escalating to the police, which is part of the process we are testing. Although we usually have a "get out of jail" letter in our back pockets stating why we are there if things do escalate, we have never had to deal with the law or the police and we intend to keep it that way =)
What is some of the craziest shit you've done while breaking into buildings?
There are a lot of examples that come to mind. If I had to pick a few: breaking into an ATM in the middle of a mall while hundreds of people pass you doing their shopping (and not caring because you are wearing the ultimate cyber weapon: a fluorescent vest). Walking through the basements of a dark data center of a financial institution after business hours and almost getting locked in. Replaying an employee's fingerprints on fingerprint access control readers using toilet paper. I'm sure there is more stuff that I am forgetting but those are the first things that come to mind.
Have you ever seen the show White Collar? If so, what are your thoughts on any of the cons on that show? Your story had me thinking of the ep where Neal/the FBI break into a bank to demonstrate weak points in its security.
I have not, will check it out thanks.
So a white hat hacker? Also whats the easiest way you've broken In?
Knocking on the window of the kitchen at the back of a large office building where the target office was located holding a box that was empty.
What was the size of your red team when you started. Do you have a team that competes in CTF events?
A red team assigned to a job usually consists of 3 to 4 people depending on the skill sets that are required with 2 people being on the job on a constant basis over a period of a few months in order to ensure realistic results and responses from the target company. We sometimes compete in CTF events if we have time.
What does your hacking kit look like? Could you list some (or even your favorite) tools you're using in your daily job/life?
Here is a selection of what we usually bring on the job, after carefully planning our attack using at least two to three attack waves spread out over a couple of weeks or months:
- USB Armory, to have a self-contained system with everything you need
- Multi-band WiFi dongles with Atheros chipset suited for frame injection
- Proxmark EV2 or custom RFID/NFC copiers for access-card stealing or cloning
- Magspoof for access-card stealing or cloning
- Weaponized PocketCHIP / Raspberry Pi / Beaglebone with LCD display for WiFi hacking using a rogue access point. But also for running tools on the go such as network manipulation, credential extraction and man-in-the-middle tools
- Rubberducky or teensy for fast typing of payloads when required
- USB keyloggers and USB extension cords either stand-alone or WiFi enabled
- Duct tape and straps to install rogue network implants for later persistent network access
- Extension cords and network cables
- Bluetooth headset earpiece to stay in contact with my colleagues keeping watch
- Lockpick kits, bump keys, jiggler keys and other lockpicking tools
- Pliers, wrench, screwdrivers for breaking down a lock or door
- Camera to photograph evidence and findings
- USB thumb drives tied to a lanyard and old keys to be "left" in bike sheds and parking lots containing interesting and enticing content for the lucky finder
- Fake paper access card and badge holder
- Banana, bunch of papers or other things to hold in your hand. People who have something in their hand walking around the building are usually not regarded as suspicious
- Disguise and clothes if you have to switch roles. You might have come into the building as the smoke detector check-up guy and might have to transition to a suit and tie to be able to get into the executive offices in another wing of the building
One of the better - if not the only real - red teaming movie out there with a killer cast. I love it and watch it at least once or twice a year. No more secrets Marty.
How did you learn to do everything including experiences and education history?
Work as a system administrator when security consultancy simply didn't exist. Work as a network engineer and web master. Learn about where companies drop the ball when it comes to inter-company or inter-department communication and responsibilities. Learn where companies cut corners and try to exploit those. Learn social engineering and what drives or upsets the meatware, i.e. the people working there. Have expert knowledge about operating systems, networks, web, mobile and other facets. Check out this list of tips to get started: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/
This sounds like a dream job. when it comes to legal means in attacking networks. Are there any tool, methods that are actually illegal?
If you think this is a dream job, we are hiring: https://www.f-secure.com/en/web/about_global/careers/job-openings
What is the weirdest thing or setup you encountered during paid or unpaid hacking?
Finding video surveillance and access control management systems exposed to the internet without a firewall. Finding "this is the backup of the entire website.zip" in the webroot of a production server for a bank. Being able to guess the password of the network-connected guest badge, allowing us to print our own guest badge every day and just walk into the building (the password was 12345). Production-level financial information servers running under the desk of a sysadmin because of internal IT politics and tensions. A company with a garbage container outside containing hundreds of computers and hard drives in perfect working condition containing passwords, documents, financial records, etc.
Once, while breaking into an ATM in a major retail chain, we triggered the seismic alarm and it started to make a lot of noise. When we looked around, no one even looked at us. Until a child, trying to go through the revolving door to get into the mall, touched the glass wall of the revolving door, triggering the alarm and stopping the door for a couple of seconds as part of the security measure. The glass revolving door alarm sounded exactly like the seismic alarm of the ATM and thus no one cared =]
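The "backup of the entire website.zip in the webroot" finding above is the kind of thing a defender can catch with a routine self-audit before a red team does. The script below is an added example written for this page, not the AMA author's tooling: it walks a served directory tree and flags archives, backup/dump files, editor leftovers and version-control metadata that should never sit under a production webroot. The suffix lists and the sample directory layout are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed, non-exhaustive lists of artifacts that should not be served
# from a production webroot (assumption for this example).
ARCHIVE_SUFFIXES = {".zip", ".tar", ".gz", ".tgz", ".rar", ".7z"}
BACKUP_SUFFIXES = {".bak", ".old", ".orig", ".sql", ".swp"}
VCS_DIRS = {".git", ".svn", ".hg"}


def classify(path: Path):
    """Return a finding category for a file, or None if it looks harmless."""
    name = path.name.lower()
    suffixes = {s.lower() for s in path.suffixes}
    if name.endswith("~"):
        return "editor-backup"          # e.g. index.php~ left by an editor
    if suffixes & ARCHIVE_SUFFIXES:
        return "archive"                # e.g. "entire website.zip"
    if suffixes & BACKUP_SUFFIXES:
        return "backup-or-dump"         # e.g. config.php.bak, dump.sql
    return None


def scan_webroot(root):
    """Walk a webroot and return sorted (category, relative_path) findings.

    VCS metadata directories are reported once and not descended into,
    since everything inside them is a finding by definition.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        d = Path(dirpath)
        for dn in list(dirnames):
            if dn in VCS_DIRS:
                findings.append(("vcs-metadata", str((d / dn).relative_to(root))))
                dirnames.remove(dn)     # prune: os.walk honours in-place edits
        for fn in filenames:
            kind = classify(d / fn)
            if kind:
                findings.append((kind, str((d / fn).relative_to(root))))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway tree mimicking the finding (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "assets").mkdir()
    (root / ".git").mkdir()
    for rel in ["index.html", "assets/logo.png", ".git/HEAD",
                "this is the backup of the entire website.zip",
                "config.php.bak", "dump.sql"]:
        (root / rel).write_text("x")
    return root


if __name__ == "__main__":
    for category, rel in scan_webroot(build_sample_webroot()):
        print(f"{category:16} {rel}")
```

Run it against the real document root (for example `scan_webroot("/var/www/html")`) from a cron job or a CI step; a non-empty result is a reason to block the deployment rather than a warning to file away. Classification is by file name only, so it is a cheap hygiene gate, not a substitute for reviewing what the web server is configured to serve.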
If someone is planning to learn a computer programming language, which language would you recommend to that person, which would help the most in pen-testing?
Everything is geared towards Python these days, so having proficiency in Python and scripting languages such as PowerShell/Bash/etc. will give you a lot of options when you have gained access to systems or want to develop something. Check out the Gray Hat Hacking and Black Hat Hacking book series.
Sorry if this already got asked, but what’s your opinion on shows like Mr Robot? If you watch it, how possible is a scenario like that? Do you feel like the show addresses all parameters required to pull off a hack of that scale?
Mr Robot is being praised for its realistic portrayal of hacker tools and attacks and it is indeed a fun show in how they show how simple it can be to compromise something. They get the occasional thing wrong and I always find it refreshing to hear Sam Esmail and team talk about how they actually fix the things they got wrong afterwards. But it is and remains a show. I don't think we are going to see anyone trying to melt backup tapes anytime soon but I like the cyberpunk aspect to it ;)
how do you feel about contractors contracts significantly limiting your attack surface?
We usually get in pretending to be the contractors themselves
How do I protect myself as a normal user best from cyber attacks?
I read that you are from Belgium. As a Belgian Computer Science student who is also interested in (Software) Security, is there any University in Belgium that you recommend for getting my Masters?
I am no longer living in Belgium, I'm afraid, and my school days are long over. It all depends on your interests and what it is you want to do with information security.
What are the books that you would recommend to people who are already into hacking and who would like to acquire more knowledge on different hacking techniques as well as the way of thinking?
It kind of depends on what domains you want to get better at. Most of the skills that are required are expert sysadmin skills, being able to program and script things together, and having a solid understanding of how the technology works. But also understanding what the caveats are of that technology being used in an organisation and how it can be used against that organisation. And for that you need to know what the daily tasks are of a sysadmin, network administrator, developer and deployment environments, how code gets distributed from the IDE to the production environment, how email environments work, etc. Basically how a company works and how it functions.
Rather than going the "Hacking Exposed" and other book series way, which are more tool related and will not help you in understanding, I am a big proponent of playing war games or hacker challenges. Learning by doing and getting your hands dirty in your own lab, writing your own tools and code, is going to be the most productive way for you to learn new things. But from a purely technical side I always recommend the following books as a bare minimum:
- The Art of Software Security Assessment
- Exploiting Software: How to Break Code
- The Tangled Web
- O'Reilly's Network Security Assessment - latest edition
- The Web Application Hacker's Handbook
- The Browser Hacker's Handbook
- The Mobile Application Hacker's Handbook
- Gray Hat Python
- <Any book on your favorite operating system>
- <Any book on your favorite programming language>
- <Any book on TCP/IP>
- <Any book on ITIL and IT processes and procedures>
- All the books I forgot for which you are all facepalming right now
What are your favourite ‘war games’ and ‘hacker challenges’ ? From a 2nd year comp sci student looking to go into security!
Try http://overthewire.org and http://cryptopals.com and get involved with their communities. Look for any kind of challenge, be it system or network based. SANS.org usually has a recurring hacker challenge, e.g. their holiday challenge, as do the major conferences, which they archive for later download and replay. As far as originality goes, I like http://www.pwnadventure.com a lot.
Are there any programming languages that are better to learn specifically for ethical hacking?
If I had to pick two, Python and PowerShell will help you the most, in no particular order.
Is protocol fuzzing something you leverage in your approach? How common is fuzzing in hacker community?
Red teaming seems to be a method of finding the weakest security links possible, but what about slighty more difficult vulnerabilities that you dont attempt to find bc they take too long to discover or you just miss them? Do you suggest more significant security program change within an organization after you exploit the low hanging fruit?
Fuzzing is more useful if you want to find vulnerabilities in a certain piece of technology. It is extremely rare we use fuzzing as part of a red team test but it has happened that we were able to fingerprint what software a company was using as part of their daily tasks, find vulnerabilities in it and then exploit those in a way that advances us towards our objective.
There will always be things that we do not find as part of a red team. We only need to find one way in. If a customer is interested in finding as many vulnerabilities as possible in a given solution, technology or process then we can offer that service to them as well but it kind of goes beyond what a red team is trying to achieve. Which is to test the resilience and monitoring capabilities of an organisation against a targeted attack where the attacker picks the attacks, not the defender. Once the detection mechanisms reach a certain maturity and most low hanging fruit is found, then and only then as part of an iterative process can more controls and processes be introduced.
What's an invaluable piece of equipment we wouldn't think of?
Do you enjoy your job? I work server administration and I find myself disliking it more and more everyday. I would rather be breaking in than patching holes constantly it seems. I would like to learn more hacking do you have any educational sources you recommend?
I do - because I get to use my own creativity in order to see how far I can push a scenario that might result in compromise and use/develop some custom tools and techniques along the way.