Pentesting Hack Chat

It takes a hacker to catch a hacker

Wednesday, May 13, 2020 12:00 pm PDT

Eric Escobar will host the Hack Chat on Wednesday, May 13, 2020 at noon Pacific Time.

Time zones got you down? Here's a handy time converter!

Ask anyone in this community to name their dream jobs and chances are pretty good that penetration tester will be somewhere on the short list. Pentesters are allowed -- nay, encouraged -- to break into secure systems, to test the limits and find weak points that malicious hackers can use to gain access. The challenge of hacking and the thrill of potentially getting caught combined with no chance of prosecution? And you get paid for it? Sounds good to us!

Professional pentesting is not all cops-and-robbers fun, of course. Pentesters have to stay abreast of the latest vulnerabilities and know what weaknesses are likely to exist at a given facility so they know what to target. There are endless hours of research, often laborious social engineering, and weeks of preparation before actually attempting to penetrate a client site. The attack could be as complex as deploying wireless pentesting assets via FedEx, or as simple as sprinkling thumb drives in the parking lot. But when it comes, a pentest often reveals just how little return companies are getting on their security investment.

As a consultant for a security firm, Eric Escobar gets to challenge companies on a daily basis. He's also a regular on the con circuit, participating in challenges like Wireless CTF at DEFCON until he won too many times. Now he helps design and execute the challenges, helping to share his knowledge with other aspiring pentesters. And he'll stop by the Hack Chat to do the same with us, and tell us all about the business of keeping other businesses in business.

  • Hack Chat Transcript, Part 2

    Dan Maloney 05/13/2020 at 20:03

    Eric12:42 PM
    @guido.giunchi we're all pretty fluid. an individual will have a specific test but we all help one another if there's something an individual is specialized in

    Eric12:42 PM
    @Phabeon I can write some bash/python but just enough to be dangerous lol

    Rhythm Chopra12:43 PM
    Eric, I am totally fascinated by penetration testing, be it software or hardware, and wanna get started with the domain. Is there a kind of todo list or something for getting started?

    Eric12:43 PM
    I'd check out the OSCP certification. it's tough but really well rounded

    Rhythm Chopra12:44 PM
    I have a pretty good experience in programming with C++ & python. But doesn't seem of much help as of now

    Eric12:44 PM
    it will when you're trying to fix an exploit, automate something, or do something at a large scale

    Eric12:44 PM
    i promise lol

    Eric12:45 PM
    a little sqlite3 is also handy

    What do you find to be the most common security mistake businesses make? IOW, what one thing makes your job a piece of cake?

    Rhythm Chopra12:45 PM
    Well, I got MySQL at hand :P

    Eric12:45 PM
    @Dan Maloney single factor auth, reused password, unpatched hosts

    bprofitt12:45 PM
    @Eric how do you avoid burnout with the massive amount of info that you have to keep digesting/trying out/etc

    Eric12:46 PM
    @bprofitt working on an interesting project or deep diving into some research thing, or building tools, or just taking time off

    Rhythm Chopra12:47 PM
    So, regarding OSCP certifications, how much better or preferred a certification is as compared to some hands on experience? Shouldn't hands on be more helpful over theoretical knowledge in this kind of domain?

    Eric12:47 PM
    I'm going to punt and say both are important. However, I'd also add people skills in there too

    Rhythm Chopra12:49 PM
    Well, yeah. Social engineering is for sure a biggest upper hand. Coz humans are more vulnerable and exploitable than machines :P

    Eric12:50 PM
    I think the main goal of understanding something should be the ability to explain it to a standard human. I use my mom as an example. If i can explain an exploit, vulnerability or something to her I know i'm golden.

    Rhythm Chopra12:50 PM
    Yeah, absolutely.

    Dhruv Mehta12:50 PM
    What resources do you follow to stay updated with the latest security news?

    Eric12:51 PM
    @Rhythm Chopra I mean just the ability to communicate effectively. It will take you farther than any haxor skill

    Eric12:51 PM
    @Dhruv Mehta I love hackaday for the builds that have given me tool ideas, and I really like the podcast risky business

    Eric12:51 PM
    ars technica is great too

    bprofitt12:52 PM
    @Eric - anyone in the twitter space that you follow that helps you in your job, i.e. new ideas, hw, exploits? Btw, thanks for the awesome answers :)

    Gabriel D'Espindula12:52 PM
    Eric was studying to translate from construction workers to contractors and ended up translating from nerds to normal people lol

    Eric12:52 PM
    @Gabriel D'Espindula not wrong lol

    Dhruv Mehta12:52 PM
    Thanks, Eric for the awesome answer

    matt12:53 PM
    It seems like you have to meet a minimum technical threshold. But at a point, additional technical chops hits the wall of diminishing returns and a pentester might be better served by focusing on their ability to interact with a wider body of less technical folks. Is that way off base Eric?

    Phabeon12:53 PM
    Eric, have you ever been hacked? If so, lesson learned?

    bwa haha, If not is it because you are zero network connection dwelling?

    Eric12:53 PM
    @bprofitt gosh, sammy kamkar and justinsteven are great

    Eric12:54 PM
    @Phabeon not that I know of. Just watch phishing emails LOL

    Eric12:54 PM
    @matt thanks for the softball. you couldn't have said that any better

    matt12:55 PM
    this justinsteven:


    Eric12:55 PM
    @matt yep that's the wizard!

    So we're almost at the end of our hour - any last-minute questions for Eric?

    Phabeon12:56 PM
    Eric, you can't fix everything right, nor are you hired to do so... so HOW often do you have to...


  • Hack Chat Transcript, Part 1

    Dan Maloney 05/13/2020 at 20:02

    OK everyone, thanks for coming out today for the Pentesting Hack Chat. I'm Dan Maloney, I'll be moderating today. Let's all welcome Eric Escobar to the Hack Chat.

    Thanks for coming along for the ride today, Eric. Maybe you can tell us a little about yourself to get things started?

    Dana joined the room.12:00 PM

    Eric12:01 PM
    Yeah absolutely! my main job is working as a pen tester for Secureworks where I break into fairly large companies and help improve their security posture

    ChangeFlutter joined the room.12:01 PM

    BinarySneaker joined the room.12:01 PM

    Eric12:01 PM
    I primarily do wireless security but I've been known to hop on some red teams, and conduct internal penetration tests as well

    Eric12:02 PM
    in a previous life I used to be a civil engineer too!

    bprofitt joined the room.12:03 PM

    guido.giunchi12:03 PM
    How did you get in that field from Civil engineering?

    I was just going to ask about that. How did you make the leap to security?

    Eric12:04 PM
    sooo in college I didn't have wifi in my dorm so i bought a yagi antenna to pull wifi from library ~300 yds away.

    Eric12:05 PM
    That planted the seed, and I dabbled in breaking WEP and WPA2 networks

    Ioannis Valasakis12:05 PM
    OK, now it starts getting interesting :) Are you a radio amateur as well? If not, are you using/experimenting with RF techniques on networks and devices?

    Eric12:06 PM
    I was at home on summer break and at my roommate's parents' house, turns out his father was a director of security at a tech company and asked if I wanted to join the security team he was creating

    Eric12:06 PM
    annnnnd yes I got my ham license in college!

    Wow, lucky break!

    felix.cormier9 joined the room.12:06 PM

    Eric12:07 PM
    i hopped from Barracuda security team -> secureworks as a pentester and now I'm the practice lead for our wireless pentesting

    C@t Bailey joined the room.12:07 PM

    Eric12:07 PM
    yeah definitely. It was incredibly lucky lol

    bprofitt12:07 PM
    Eric thanks for taking the time for this chat! What skills do you think translate well for someone trying to make the move into security from a compsci/app engineering pov?

    booshington joined the room.12:08 PM

    Eric12:08 PM
    since starting at barracuda we competed in the wireless ctf at defcon which is/was a blast

    Little bit of an out-there question: do you find your civil engineering training informing your security work at all?

    Eric12:08 PM

    dcox12:08 PM
    Can you share a story about a wireless pen test?

    Eric12:08 PM
    @Dan Maloney excel has been a godsend for some things

    Eric12:08 PM

    Eric12:09 PM
    also knowing what a typical corporate environment looks like and how outdated hosts are everywhere

    Eric12:09 PM
    @dcox there was one time we tested a theme park which was pretty awesome

    Eric12:10 PM
    @dcox more than once we've been able to compromise an entire organization without stepping foot in their office

    airforcetxn12:10 PM
    What does your 'kit' look like? I've found some hak5 stuff to be great in theory but a bit unreliable at times.

    ChangeFlutter12:10 PM
    what changes in our approach do you expect with the new WiFi standard?

    Eric12:11 PM
    @airforcetxn a handful of raspberry pi's, a hotspot, a laptop, and a bunch of panda pau09's

    Gabriel D'Espindula12:12 PM
    Eric, when you get an assignment, do you use more known exploits and look for unpatched services, or really spend time understanding the client's system and trying to break in? If so, how do you know when it is time to stop and start the reports?

    Dana12:12 PM
    Do you have a most notable wireless find from a pentest? (funny/ridiculous/unique/awesome)

    Eric12:12 PM
    @ChangeFlutter I expect that we'll see capturing 4 way handshakes will stop with wpa3

    Eric12:13 PM
    @Dana ringing a wireless doorbell

    Eric12:14 PM
    @Gabriel D'Espindula I definitely use known exploits with things that are unpatched

    Eric12:14 PM
    @Gabriel D'Espindula we also definitely look at their configs and setup and usage of their infrastructure

    Eric12:14 PM
    and use...

