Being from the Louisville metro area (and recently having moved back with my family), Derbycon is one of the highlights of my year. The general conference ran from Friday, October 5th, to Sunday, October 7th, at a brand new location, the Louisville Downtown Marriott! Every previous year, the neighboring Hyatt has hosted it, but the move meant a bigger venue with more rooms for all the activities. Despite more space, the Derbycon team actually decides not to significantly increase the number of tickets sold, in order to keep the smaller, more familial feel. I really like this about Derbycon and the crammed, chaotic atmosphere is one of the reasons I haven’t been to DEFCON yet…though I think I’m going to finally make myself go to it next year, just to get one under my belt.
For only about a grand more than a con ticket, you have the opportunity to sign up for one of several excellent training courses that run on the Wednesday and Thursday before the conference. And trust me, $1000 might sound like a lot, but this is a steal compared to what you’ll pay for courses like this at SANS or Blackhat. Last year, I took @FuzzyNop’s Modern Red Team Immersion Bootcamp, which was very heavily focused on open-source intelligence (OSINT) gathering, selecting good spear phishing targets, and crafting convincing phishes. This year, I went towards the more technical side of red teaming with Silent Break’s Dark Side Ops 2: Adversary Simulation.
I just returned from NCC Group’s internal North American conference, a nice respite from the cold East Coast to sunny San Diego. I’m a remote employee, so it’s always a blast getting to hang out with my New York office coworkers and seeing awesome presentations from colleagues from across the country. One of the highlights was the mini-CTF put on by Sid Adukia and Dean Jerkovich.
This CTF consisted of an iOS app bundle compiled to run on the iOS Simulator, thus able to run on any Mac with Xcode and not requiring a jailbroken device. I’ve been doing iOS application pentests for years and it was really cool to see a CTF challenge using this! This is the first one I’ve seen since DVIA came out years ago.
Perhaps the biggest challenge was the fact that this was a Simulator app. Had it been an ARM-compiled iOS app that I could put on a jailbroken device, I would’ve solved a lot of these challenges in a few minutes. Most of my time was spent googling for how to do stuff like dump the keychain or hook methods on the Simulator instead of on a jailbroken device.
I’ve been worried recently just what the future of iOS security is going to look like. It seems we’ve been thrown a few bones in the last month, with Project Zero’s Ian Beer recently publishing the “tfp0” vulnerability and Jonathan Levin publishing LiberiOS, the first jailbreak for versions of iOS 11. But fewer and fewer people are publicly releasing jailbreaks. I don’t blame them either. Due to the enormous sums being offered by exploit brokers, many would argue you’re a moron for giving away million-dollar exploits for free. Someday soon, those of us in iOS security testing might be forced to have our clients compile x86 versions of their apps for us and run them all in the iOS Simulator. The good news is that a surprising number of the same tools and techniques you would normally use on a jailbroken device will also work with a Simulator app on macOS! Some things don’t, but if you’ve ever chased the latest jailbreak and found that half the stuff on Cydia doesn’t yet work for your version of iOS, then you’re already used to life on the bleeding edge. Continue reading
Taking some inspiration from my friend, Ray, I decided I’d write up some of the solutions to the various challenges I saw at this year’s BSides Raleigh CTF (capture-the-flag) events. And this time, I actually remembered to save some notes and screenshots!
This isn’t a record of every single challenge I saw, just a few that I thought were particularly interesting or noteworthy.
This was a simple one…which I like, because I suck at CTF crypto challenges. The page was just these emoji spread out:
😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮
So I noticed right off the bat that there were only two emoji being used: 😮 and 😑. My initial thought was maybe this was something in binary, but I was dissuaded from that because of the variable lengths of emoji strings.
The next thought was Morse code! So I copied the emojis into Sublime, did a find/replace for each character, to get this:
.. ..-. -.– — ..- -.-. .- -. .-. . .- -.. – …. .. … – …. . ..-. .-.. .- –. .. … – …. …– .- -. -. .. …- . .-. … ….- .-. -.– ..- .–. -.-. .- … . -..
Running that through a Morse code translator yielded the message:
So naturally, the flag was TH3ANNIVERS4RY.
Late last year, I began looking for a new job. Earlier this year, I finally got one! I was interested in branching out into the broader world of penetration testing and red teaming, with more external clients and more broadly-scoped sorts of engagements. This was something of a sell to prospective employers though. I do have close to a decade of infosec experience, but only a few years of that is pentesting and I’ve always been an in-house pentester doing mostly web app and mobile stuff. That means that I am something of a noob when it comes to breaking in from the outside; I’m familiar with a lot of the tech and methodology, just haven’t done a lot of it hands-on (outside of CTFs and stuff like that). I’ve been in the broader industry for a while, meaning my salary requirements are a little higher, and I absolutely wasn’t going to relocate again so soon after my last move for my old job.
All of this and extremely high demand for pentesters at the moment meant I went through A LOT of interviews. Some of them broke down over salary expectations. Some of them I quit early because I could tell it wasn’t what I was looking for. Some of them weren’t budging on relocation. One I completely hosed myself on because I bluffed too hard during the salary negotiation phase. At least one of them probably thought I was a complete dumbass. But in the end, one employer won out and I’m now happily hacking clients, mostly from the comfort of my own home.
Besides having lots of experience being interviewed for pentest jobs, I also have some experience in interviewing people for pentest jobs. At one of my previous employer, I was involved in telephone screenings and in-person interviews of a dozen or so different candidates to join our team there.
Because I went through so many different interviews recently and have experience trying to assess pentest candidates, I figured that put me in a unique position to grade these different companies and throw in my own opinion on the best way to do it.
My intent is half to just be amusing for those who are curious about how different companies are interviewing people, maybe those trying to find out what to expect the next time they start looking for a new gig; but I’m also writing this and hoping that some recruiters and hiring managers will see this. I hope this will give you some insight into how your competition might be assessing candidates, what you’re doing right in your own process, what you’re doing wrong, and how you could be doing it better. Continue reading
During my PWK training, I absolutely fell in love with KeepNote. I used it extensively for tracking all the different networks, all the hosts in that network, all the different scan results and loot I’d collect on each, and also general notes about attack vectors I had tried, what worked, what didn’t work, what to explore, little code snippets or Linux commands for easy copy-and-paste use later, links to helpful articles…you get the picture.
Unfortunately, KeepNote isn’t very well-maintained. As of this Fourth of July, the latest versions uploaded to the main site are five years old. The original developer did put it on Github two years ago, but there haven’t been many pull requests accepted since then and he obviously doesn’t have the time to keep up with it anymore. Totally understandable, but it sucks because I haven’t found a good, well-maintained replacement for it.
And believe me, I’ve tried! Evernote, Bear, nvALT, desktop wikis like Zim, the macOS Notes app, and on and on. No one else is doing, or even offering an option to do, the same kind of UI layout. I don’t know why, but the three-pane arrangement of KeepNote just hits the spot for me. The outline on the left side, submenu on top right, and notes section on bottom left; no one else arranges their app like this.
For real, this is my happy place.
Look what came in the mail a few weeks ago!
For the curious, it took about a month for them to send the paper certificate and a little hard-plastic credit card sized version via DHL courier. They send you an email asking where you want it mailed, just in case you’ve switched apartments or something in between registering and passing the exam.
Also, I realized in my previous OSCP review that I forgot to mention a few things. I’ll list them here and also add them as an update to the original review post. Continue reading
**Update (11/4/2016) – added a few bits back in from this post
A few weeks ago, I “tried harder” and was awarded the Offensive Security Certified Professional (OSCP) certification.
As many people before me have done, I decided I’d post a little writeup of my experience with the Pentesting With Kali (PWK) online training and taking the OSCP exam (twice).
As you probably know by now, the OSCP is Offensive Security’s certification for penetration testing using the Linux distribution they maintain, Kali Linux. The accompanying course, Pentesting With Kali (PWK), gets you a PDF lab guide and a series of instruction videos covering the different topics of the guide, from basic network enumeration to writing buffer overflow exploits. You’re also purchasing VPN access to their hands-on lab environment of dozens of different vulnerable hosts for you to probe and exploit. To attain the OSCP certification, you take a hands-on exam in which you’re given VPN access to a special exam network and are alotted 24 hours to compromise as many systems as possible, plus an additional 24 hours to write up and submit your exam penetration test report.
I signed up for the 90-day course, bought a one-month extension after I ran out of time (mostly for going back over machines to write the huge lab report…more on that later), I bombed my first attempt at the exam, purchased a two-week extension in order to bone up on some stuff and get a retest attempt, then passed it on my second try.
The Cost, Signing Up, and Getting your Employer to Pay For It
I’ve wanted to take OffSec’s training for a long time and I should’ve just sucked it up, ponied up the money, and took it years ago. I fought for over a year at my previous employer to get them to finance it. I was ready to give up arguing with them and buy it myself before I landed in my current job. Thankfully, where I work now has a healthy training budget for its pentesters and all I had to do was put it on the corporate card. Continue reading