Tommy here from Orange Systems. Are you ready for a pen test? That's actually the first reply when someone reaches out to me and says, "Hey, I'd like to get a pen test done." But are you ready? There's a lot that goes into the actual testing, but before then there's a lot you should probably cover to make sure things are patched and up to date, because pen testing can be an expensive process, and you really want to make that pen test engineer work for their money. You want them to not find the easy things that make you go, "Well, I guess I could have just done that. I guess I could have updated the servers. I probably could have closed a few of those ports." You want them to come in and look for the hard things. You want to leverage all the skill they bring and say, "I want them to look for the angles I may have missed," because that's also what you're paying them for.

Remember, they're generally looking for things on a "how easy is it?" basis. They're gonna try the obvious: did you patch it? They're gonna try the obvious: did you close RDP? And then keep escalating from there. But there's a lot of scoping that goes into this, there's a lot of detail involved, and I myself am not a pen tester. Matter of fact, if you reach out and call us for a pen test, I refer it over to Jason Slagle, president of CNWR and a good friend of mine. Jason Slagle is an excellent security researcher, and he's going to join us in an interview here to define what a pen test is, what a pen test isn't, and how you can prepare for it. As I said, I'm also gonna be referencing some of the links down below, because I want to make sure you have plenty of resources to gain a good understanding, and a lot of things you could just do yourself to take a look at your network and your systems and make sure that you are prepared for the next step.

All right, and Jason's gonna tell us exactly what a pen test is. Or actually, we should probably back it up: do you need one?
That's where you really start? Yeah, it's an interesting question, because we get asked this all the time: "Oh, I need a pen test. Can you do a pen test for me?" And after a 20-minute conversation, what comes out of it is that's not actually what they're after. Yeah, you need it... you probably maybe need a vulnerability scan, if you haven't even done that, and this is some stuff you can even start doing yourself, poking away at it. And like you said in this (well, I say you said, because you've talked so much about this before to the audience), it really comes down to how the pen test is going to be conducted. You're gonna pop the easy stuff first, so hopefully you have the really easy, obvious things fixed first, right?

From my perspective, the job of a pen tester is to break into whatever system you give them, right? Escalate if that's in scope, move laterally if that's in scope, and write up a list of their findings. In most cases it doesn't necessarily matter, unless you specifically call something out of scope or they're touching things that are off limits; it doesn't necessarily matter to them how they do it. So if you don't kill the low-hanging fruit, they're gonna totally take advantage of the low-hanging fruit, and that's what you're gonna get in your report: "Oh, yeah, we used this unpatched Windows vulnerability. We got on the box. We were able to pull credentials out of memory. We used them to move laterally," right?
Like, "we escalated to domain admin by pulling credentials out of memory with Mimikatz," right? And then you're done, and it's like, well, okay, those are all things that maybe you should have had fixed before you got a pen test.

Yeah, you want to fix the obvious things, because you're doing yourself a disservice if the pen tester comes in and uses the first thing they find. They're not gonna go back and go, "I'm looking for the next hardest way to do this." They find the easiest way based on the scope, and they move laterally. But that didn't really solve your problem, because what if there was actually a little bit more complex way they could have gotten in, and it was just because you had an unpatched ESXi server or something that was essentially an obvious thing? You know, patching your firewalls, etc. So you really want to have as much done as possible, as far as vulnerability scans, before they come in, and once you have all that done, then you want them to...

Yeah, yeah. And this segues perfectly into, let's talk about, based on our little outline we're using here, right? I'll share it down in the links below so people can have the outline of the scoping of a pen test and all the steps. Pen tests are typically time-boxed engagements, right? So when you actually hire a pen tester, you're not hiring them to just pen test your application, because you can literally throw stuff at the wall forever. What you typically are hiring is a fixed scope, right? And typically it'll be a set amount of time; a week or two weeks is pretty common. And then on top of that there'll be a couple of days to end up writing up the report, right?
So you'll see something like a 40 plus 8, where they're gonna spend 40 hours trying to break into your stuff, and then they're gonna spend eight hours at the end of it gathering up all their notes and writing up the report that you get. That doesn't mean, if they were unsuccessful, that you're safe, right? It just means that in the 40 hours they had to do it, they weren't able to do it. So, to the point, if they do quickly and easily get in and move laterally, and they've got that done in 10 hours, then yeah, they may look for other ways to do it. Otherwise that amount of time just goes into initial discovery, initial access, initial mapping of the environment.

Yeah, it's time-boxed. They go until they're out of time, and then they spend the time writing a report. It's one of the reasons, when you decide the scoping for this, and in the realm that we usually work in for pen testing, you're gonna want to define and give us some of the information, because that counts against your hours. If you want me to go hunt it down, or really dig around and use some OSINT to figure out where all your infrastructure is, it's probably fastest to let us know where it is; assume someone discovered it. A lot of stuff, hopefully you don't have things really publicly exposed, but you want to get us to the part where we're testing things as fast as possible.

Yeah, and for sure there are a couple of ways to do this, right? Typically black box, gray box, white box. Black box: I don't know anything about the system; you just give me the domain name or the web app, and it's entirely on me to do it. Gray box: maybe you give me logins, right?
Like, and some API documentation. Whereas white box, if it's, say, an application, I typically have access to the source, or I have network diagrams, or I know what all the systems do. They serve their own purpose, right? But that's one of the first questions that I will ask when asked to do this: what kind of thing are we looking at here? Is this a gray, white or black box? And I will explain each of those things when we do it, but they definitely change the amount of time it's gonna take me to do it, and it definitely changes the scope to a certain extent. So knowing that going in is actually really helpful.

One of the things that's gonna happen is you're gonna have to define the rules, right? Because anyone that's been to a conference with me knows that if you define those lines, I will color right up against them. I will do my best to not color over them, but I will be coloring at the edge. And so if you have legal requirements, or you have things that I'm absolutely not allowed to hit, or people I'm not allowed to talk to, those things need to be called out. Because otherwise, if you don't tell me I can't do it, or you don't tell me that I'm only allowed to do things that are explicitly in scope, then everything is in scope and I'm gonna go down a rabbit hole. I'm gonna be trying to social engineer your employees and all sorts of other fun things.

Yeah, I always recommend people listen to one of my favorite episodes, which is "Jeremy from Marketing" on Darknet Diaries. That's a great one where they do define the engagement, but it does go into engaging employees to get 2FA codes and things like that. It comes down to scoping and time, like we said in the beginning: how much of this do you want us to find out?
What are the rules of engagement here? Because yeah, cool, you're thinking you're safe with 2FA, but the reality is, as that podcast proved (a little bit of a spoiler), yes, people will read you 2FA codes off of phones.

Back to the very high-level piece of this, right? That's the thing that most people don't understand. They have some sort of regulatory requirement that they get a pen test, but they're not necessarily actually after a pen test, because marketing ruins all things. Yeah, which is why we're making this video. Yeah, marketing around pen tests: sometimes they start at a price that doesn't make any sense, and it's not exactly what we would call a pen test. Yeah, it's kind of eroded away the word "pen test," right? Where a lot of times a vulnerability scan, or a vulnerability scan plus, people are calling a pen test, and it's not. I wouldn't consider that a pen test, but it seems like the common lexicon is now starting to consider that a pen test. So maybe we need to call this a red team engagement, right? Instead of a pen test, because that's essentially what we're talking about here. I mean, know that they're expensive, right? We're talking probably 40 hours minimum plus eight hours writing the report, right? So 48 hours at three, four hundred dollars an hour. Yep, this isn't a small amount of money. So it's very important to understand what you're getting into before you drive down this road. Yeah, I think that's a really important aspect.
So let's go a little further down there. One of the questions that's probably gonna come up a lot is custom applications, or some of these one-off, non-common industry applications. MOVEit is in the news here in 2023 a lot, but obviously there have been companies that went through pen tests. We have to define which applications are gonna be tested and how extensively they're gonna be tested, because fuzzing an application until it breaks may or may not be in scope. It's an important aspect, but it's one of those things that you have to really kind of carve out.

Yeah, so web application testing in particular is really hard. You basically just throw stuff at the wall: "Oh, that might be injectable," then you spend six hours trying to inject something only to go, "I know, that wasn't actually injectable," then you move on to the next thing. "Oh, maybe I can do some authentication bypass stuff here," and then you spend six hours trying to get it to work. It doesn't work; okay, they protect against that. You end up down these rabbit holes where you easily sink hours into "this looks like it could be a thing," and then it turns out that some downstream system protects it in a way that isn't immediately obvious to you, and you end up just wasting a bunch of time going down a road there. With web applications and applications in particular, they tend to be somewhat longer engagements if you want to do them correctly. And just because you don't have any findings... I'm sure a lot of these companies that have been hit recently can tell you, just because you don't have any findings doesn't mean that you're safe. It just means that you're safe from some of the easier low-hanging fruit.

Yeah, and this is something to think about too, because you can't just take "Hey, I had a pen test, I'm good."
"No one can ever get into this system." And it can be a bit of a challenge because of these other vulnerabilities and new techniques that come out all the time. This is an ever-evolving, not a static, type of thing. It's not like "here's the checklist, these are the only things we do." We may have a checklist of the process that we follow, but when it comes to techniques, that's the ever-evolving part. A pen test from even two years ago is not the same as it is today, because the techniques have evolved.

A few resources I'm gonna throw out there and recommend as we get to the end of this: check out the Black Hills cyber talks. They're definitely good if you just want to go deep on how crazy some of these pen tests are. It's one of those further-reading things, besides any of the Darknet Diaries; any of the red team stuff on Darknet Diaries is always a whole lot of fun. Yeah. What do you think, Jason? What would you recommend?

I'll send you a couple, basically pen tester workbooks, worksheets, stuff like that. So as we covered earlier in this, when you do your first one of these, giving as much information as possible is probably in your favor, because they don't have to spend a bunch of time gathering information, and it may lead to your ability to do a slightly shorter engagement, if you're up for it. A lot of the easy stuff is covered in various pen testing workbooks, and they talk about a bunch of tools. Poke at your own things and fix the things you find before you pay a very expensive resource to find them. Make them work for their rate; you want them to really have to use that hacker mindset. Don't give us something really basic where it's gonna pop.

All right, well, everything will be linked in the forum post down below. Thank you. Okay, cool, thanks.