
Hack Chat Transcript, Part 1

An event log for Pentesting Hack Chat

It takes a hacker to catch a hacker

Dan Maloney 05/13/2020 at 20:02

OK everyone, thanks for coming out today for the Pentesting Hack Chat. I'm Dan Maloney, I'll be moderating today. Let's all welcome Eric Escobar to the Hack Chat.

Thanks for coming along for the ride today, Eric. Maybe you can tell us a little about yourself to get things started?

Dana joined  the room.12:00 PM

Eric12:01 PM
Yeah absolutely! my main job is working as a pen tester for Secureworks where I break into fairly large companies and help improve their security posture

ChangeFlutter joined  the room.12:01 PM

BinarySneaker joined  the room.12:01 PM

Eric12:01 PM
I primarily do wireless security but I've been known to hop on some red teams, and conduct internal penetration tests as well

Eric12:02 PM
in a previous life I used to be a civil engineer too!

bprofitt joined  the room.12:03 PM

guido.giunchi12:03 PM
How did you get into that field from civil engineering?

I was just going to ask about that. How did you make the leap to security?

Eric12:04 PM
sooo in college I didn't have wifi in my dorm so i bought a yagi antenna to pull wifi from library ~300 yds away.

Eric12:05 PM
That planted the seed, and I dabbled in breaking WEP and WPA2 networks

Ioannis Valasakis12:05 PM
OK, now it starts getting interesting :) Are you a radio amateur as well? If not, are you using/experimenting with RF techniques on networks and devices?

Eric12:06 PM
I was at home on summer break and at my roommate's parents' house, turns out his father was a director of security at a tech company and asked if I wanted to join the security team he was creating

Eric12:06 PM
annnnnd yes I got my ham license in college!

Wow, lucky break!

felix.cormier9 joined  the room.12:06 PM

Eric12:07 PM
I hopped from Barracuda security team -> Secureworks as a pentester and now I'm the practice lead for our wireless pentesting

C@t Bailey joined  the room.12:07 PM

Eric12:07 PM
yeah definitely. It was incredibly lucky lol

bprofitt12:07 PM
Eric thanks for taking the time for this chat! What skills do you think translate well for someone trying to make the move into security from a compsci/app engineering pov?

booshington joined  the room.12:08 PM

Eric12:08 PM
since starting at barracuda we competed in the wireless ctf at defcon which is/was a blast

Little bit of an out-there question: do you find your civil engineering training informing your security work at all?

Eric12:08 PM
python

dcox12:08 PM
Can you share a story about a wireless pen test?

Eric12:08 PM
@Dan Maloney excel has been a godsend for some thing

Eric12:08 PM
s*

Eric12:09 PM
also knowing what a typical corporate environment looks like and how outdated hosts are everywhere

Eric12:09 PM
@dcox there was one time we tested a theme park which was pretty awesome

Eric12:10 PM
@dcox more than once we've been able to compromise an entire organization without stepping foot in their office

airforcetxn12:10 PM
What does your 'kit' look like? I've found some hak5 stuff to be great in theory but a bit unreliable at times.

ChangeFlutter12:10 PM
what changes in our approach do you expect with the new WiFi standard?

Eric12:11 PM
@airforcetxn a handful of raspberry pi's, a hotspot, a laptop, and a bunch of panda pau09's

Gabriel D'Espindula12:12 PM
Eric, when you get an assignment, do you use more known exploits and look for unpatched services, or really spend time understanding the client's system and trying to break in? If so, how do you know when it is time to stop and start the reports?

Dana12:12 PM
Do you have a most notable wireless find from a pentest? (funny/ridiculous/unique/awesome)

Eric12:12 PM
@ChangeFlutter I expect that we'll see capturing 4-way handshakes stop with WPA3

Eric12:13 PM
@Dana ringing a wireless doorbell

Eric12:14 PM
@Gabriel D'Espindula I definitely use known exploits with things that are unpatched

Eric12:14 PM
@Gabriel D'Espindula we also definitely look at their configs and setup and usage of their infrastructure

Eric12:14 PM
and use that to build out our plan of attack

rob dayton joined  the room.12:14 PM

Yann Guidon / YGDES12:15 PM
Eric: do you also happen to help people write safer code or fuzz software?

Eric12:15 PM
@Yann Guidon / YGDES people on our team do. You wouldn't want me coding anything

bprofitt12:16 PM
What's your take on certifications, useful for hr, practically useful, etc, especially with cissp now being equivalent to a masters degree?

Phabeon12:16 PM
Eric, as a seasoned vet, what are your thoughts on CompTIA's Security+ Cert? aka how useful is it real world?

would you recommend pursuit of it? Why or Why not?

Is general Networking knowledge enough or do you recommend Net+ or even CCNA as a must?

Eric12:16 PM
@bprofitt useful for hr, do it if work pays for them

Eric12:16 PM
if you want to get started, Sec+ and Network+ I've both heard are good

What's the conversation like when you have to tell the person in charge of security that you were able to break in?

Eric12:17 PM
@Phabeon I personally really like the OSCP, it was more of a game

Eric12:18 PM
@Dan Maloney that's really an artform lol

I can imagine emotions run a bit high when turf is being protected

Eric12:18 PM
I basically say, look, it wasn't great, but better we got in than an attacker. You paid to know your weaknesses and now you have a report you can use as ammunition to get your team more time, training, budget, tools and resources.

airforcetxn12:19 PM
I'm slated for SANS SEC617 in September. Have you taken it or heard anything one way or the other about it?

Eric12:19 PM
I've heard it's good, I'm not super familiar with that course though

Gabriel D'Espindula12:20 PM
You start as an outsider trying to break in or you have a briefing of the system overview from the company that requests the service beforehand?

Eric12:20 PM
@Gabriel D'Espindula it depends.

anfractuosity12:20 PM
A little wifi question, with WPA3, which I assume is coming out soon? or maybe out? Am I right in thinking you can't easily deauth devices?

Eric12:21 PM
We do EPTs (external tests) which simulate an attacker on the public internet with only target IP addresses

Eric12:21 PM
we have IPTs which simulate an internal attacker

Eric12:21 PM
wireless simulates someone in proximity to your airspace

Eric12:21 PM
red team, we can pretty much do anything

ChangeFlutter12:21 PM
Thank you for the answer and your time Eric. As any industry is being "affected" by AI and ML, what is your feeling about the penetration testing field around this? There are already many AI systems out there that claim to do our job "better", what are your thoughts and the future of us as a community... we all know automation is not always the best?

Eric12:21 PM
appsec, we try to break in to your custom website or application

Eric12:22 PM
hardware is.. well we try and break a hardware device

rob dayton12:22 PM
Hi Eric, have you experienced a major downturn in work since the coronavirus or have you found opportunities in pentesting as a direct result of businesses shutting down and the chaos/confusion it has caused?

Eric12:22 PM
wpa3 I believe has protections from direct deauths like you can do in wpa2. I have only seen wpa3 in a lab so not in the real world yet

anfractuosity12:23 PM
nice :), thanks

Eric12:23 PM
@rob fortunately we are busier than ever

Mark Snyder12:23 PM
Broad question, how long are your engagements?

Dhruv Mehta12:23 PM
I am a Certified Ethical Hacker. How should I proceed further to learn more about security and make a career in it?

Eric12:23 PM
a lot of external tests, new clients who now need remote access etc etc

Eric12:24 PM
@Mark Snyder they can be as short as a week or as long as 3 months

Eric12:24 PM
@Dhruv Mehta get an oscp, submit talks to conferences, network, and be a member of the community

QHENT12:25 PM
Going back to your kit -- Have you ever used a drone as a platform for your pentesting?

bprofitt12:25 PM
How do you keep abreast of new things without burning out, since it's your day job as well? Any tips for not getting stuck in the rabbit hole, after getting my OSCP I didn't want to look at a terminal for 2 months :)

Dhruv Mehta12:25 PM
Thank You Eric for the answer. Also, which skills should I learn next?

matt joined  the room.12:25 PM

guido.giunchi12:25 PM
How can you learn the skills needed without having a team available?

Eric12:25 PM
we have the capability but have never needed it. a long range antenna or just a hidden ground device are typically all we need

Eric12:26 PM
never underestimate a soda can with a pi, lipo and lte

Eric12:26 PM
@guido.giunchi the hacking community at large is your team. I have a ton of friends I don't work with directly who provide input. karma is huge.

sniffski12:27 PM
@Eric I remember 4 or 5 years back I was playing with scapy and rogue AP. Then it worked like a charm... I listened for SSIDs which are most searched for by nearby devices and created rogue clones and I got a lot of clients (mainly mobile devices) associating with my rogue AP... My question is do you think this attack still works? Is there any mitigation applied so far?

QHENT12:27 PM
Thank you for your answer. Clever.

Eric12:27 PM
@sniffski 100% it works I do it every day!

Eric12:27 PM
best way to counter it is to be listening for it

guido.giunchi12:27 PM
Thank you @Eric

Eric12:27 PM
99% of our clients don't listen for other wireless activity

sniffski12:28 PM
Lovely

Ben joined  the room.12:30 PM

Have you ever completely failed to penetrate a system? Anything locked down so tight that you couldn't find a way in?

sniffski12:30 PM
Thanks @Eric... you gave me a purpose for my Pi0 to play with! :)

Eric12:30 PM
it helps to be in a slack channel with other nerds

Eric12:31 PM
@Dan Maloney yes absolutely

bprofitt12:31 PM
@Eric - Kali, parrot or do you roll your own distro with tools?

Eric12:31 PM
it's rare, but some companies do security right

Eric12:31 PM
@bprofitt kali for something quick, or debian, or ubuntu for sdr stuff

Yann Guidon / YGDES12:32 PM
Which is worse? governmental or private company?

Phabeon12:32 PM
Eric, your job is tons of fun right, but what do you do for FUN when you're "off"

Eric12:32 PM
both have pros and cons. I think they are just different

Eric12:32 PM
govt is slow to respond to fixes I've found

Do you ever have to test non-WiFi wireless systems? Like maybe microwave backhaul links between sites? Seems like those could be rich targets.

Eric12:33 PM
@Phabeon I have a 2 year old LOL

Yann Guidon / YGDES12:33 PM
oh that's certainly a lot of ... "fun" :-D

Eric12:34 PM
@Dan Maloney I've tested a handful of RF

Eric12:34 PM
one ptp setup and a lot of other radio protocols

Doug12:35 PM
What do you use for SDR - hardware & software?

Eric12:35 PM
hardware - hackrf, or a b210

Eric12:35 PM
software universal radio hacker, ooktools, gnuradio

guido.giunchi12:36 PM
You said you also do hardware: can you elaborate on that a bit more please?

Gabriel D'Espindula12:36 PM
Companies hire you usually for precaution or because someone messed up with them?

Eric12:37 PM
yeah our team tests hardware devices to see if we can extract information from onboard chips, or gain access to a local shell with serial/jtag or some other means

Eric12:37 PM
@Gabriel D'Espindula typically for audits, precaution or something bad has happened

Eric12:37 PM
@Gabriel D'Espindula we also have a full incident response team

Eric12:38 PM
for people that have been hit by "hackers" or ransomware etc etc

Dhruv Mehta12:39 PM
What is your approach for organizations hit with ransomware?

Eric12:39 PM
That’s definitely not my forte but I believe our stance is that we first try to evict and then restore from backup and regain control

Rhythm Chopra joined  the room.12:39 PM

Dhruv Mehta12:40 PM
Okay. Thank You Eric

Eric12:40 PM
Absolutely!

Phabeon12:40 PM
Eric, if I understood one of your previous replies, you're not a coder/programmer right? So what skills would you say you have then?

i.e. strong in networking or wireless standards, etc., etc.

guido.giunchi12:41 PM
On the last question, how is the team structured, do you have precise roles?

Eric12:41 PM
I’d say that I have a strong understanding of wireless networking, networking, and how to talk to people
