OK everyone, thanks for coming out today for the Pentesting Hack Chat. I'm Dan Maloney, I'll be moderating today. Let's all welcome Eric Escobar to the Hack Chat.
Thanks for coming along for the ride today, Eric. Maybe you can tell us a little about yourself to get things started?
Yeah absolutely! My main job is working as a pen tester for Secureworks where I break into fairly large companies and help improve their security posture
I primarily do wireless security but I've been known to hop on some red teams, and conduct internal penetration tests as well
in a previous life I used to be a civil engineer too!
How did you get in that field from Civil engineering?
I was just going to ask about that. How did you make the leap to security?
sooo in college I didn't have wifi in my dorm so I bought a yagi antenna to pull wifi from the library ~300 yds away.
That planted the seed, and I dabbled in breaking WEP and WPA2 networks
OK, now it starts getting interesting :) Are you a radio amateur as well? If not, are you using/experimenting with RF techniques on networks and devices?
I was at home on summer break and at my roommate's parents' house, turns out his father was a director of security at a tech company and asked if I wanted to join the security team he was creating
annnnnd yes I got my ham license in college!
Wow, lucky break!
I hopped from Barracuda security team -> Secureworks as a pentester and now I'm the practice lead for our wireless pentesting
yeah definitely. It was incredibly lucky lol
Eric thanks for taking the time for this chat! What skills do you think translate well for someone trying to make the move into security from a compsci/app engineering pov?
since starting at Barracuda we competed in the wireless CTF at DEF CON which is/was a blast
Little bit of an out-there question: do you find your civil engineering training informing your security work at all?
python
Can you share a story about a wireless pen test?
@Dan Maloney excel has been a godsend for some thing
s*
also knowing what a typical corporate environment looks like and how outdated hosts are everywhere
@dcox there was one time we tested a theme park which was pretty awesome
@dcox more than once we've been able to compromise an entire organization without stepping foot in their office
What does your 'kit' look like? I've found some hak5 stuff to be great in theory but a bit unreliable at times.
what changes in our approach do you expect with the new WiFi standard?
@airforcetxn a handful of raspberry pi's, a hotspot, a laptop, and a bunch of panda pau09's
Eric, when you get an assignment, do you use more known exploits and look for unpatched services, or really spend time understanding the client's system and trying to break in? If so, how do you know when it's time to stop and start the reports?
Do you have a most notable wireless find from a pentest? (funny/ridiculous/unique/awesome)
@ChangeFlutter I expect that we'll see capturing 4-way handshakes stop with WPA3
@Dana ringing a wireless doorbell
@Gabriel D'Espindula I definitely use known exploits with things that are unpatched
@Gabriel D'Espindula we also definitely look at their configs and setup and usage of their infrastructure
and use that to build out our plan of attack
Eric : do you also happen to help people write safer code or fuzz software ?
@Yann Guidon / YGDES people on our team do. You wouldn't want me coding anything
What's your take on certifications, useful for hr, practically useful, etc, especially with cissp now being equivalent to a masters degree?
Eric, as a seasoned vet, what are your thoughts on CompTIA's Security+ Cert? aka how useful is it real world?
would you recommend pursuit of it? Why or Why not?
Is general Networking knowledge enough or do you recommend Net+ or even CCNA as a must?
@bprofitt useful for hr, do it if work pays for them
if you want to get started, Sec+ and Network+ I've both heard are good
What's the conversation like when you have to tell the person in charge of security that you were able to break in?
@Phabeon I personally really like the OSCP it was more of a game
@Dan Maloney that's really an artform lol
I can imagine emotions run a bit high when turf is being protected
I basically say, look it wasn't great, but better we got in than an attacker. You paid to know your weaknesses and now you have a report you can use as ammunition to get your team more time, training, budget, tools and resources.
I'm slated for SANS SEC617 in September. Have you taken it or heard anything one way or the other about it?
I've heard it's good, I'm not super familiar with that course though
Do you start as an outsider trying to break in, or do you have a briefing of the system overview from the company that requests the service beforehand?
@Gabriel D'Espindula it depends.
A little wifi question, with WPA3, which I assume is coming out soon? or maybe out? Am I right in thinking you can't easily deauth devices?
We do EPTs (external tests) which simulate an attacker on the public internet with only target IP addresses
we have IPTs which simulate an internal attacker
wireless simulates someone in proximity to your airspace
red team, we can pretty much do anything
Thank you for the answer and your time Eric. As every industry is being "affected" by AI and ML, what is your feeling about the penetration testing field around this? There are already many AI systems out there that claim to do our job "better". What are your thoughts on the future of us as a community... we all know automation is not always the best?
appsec, we try to break in to your custom website or application
hardware is.. well we try and break a hardware device
Hi Eric, have you experienced a major downturn in work since the coronavirus or have you found opportunities in pentesting as a direct result of businesses shutting down and the chaos/confusion it has caused?
WPA3 I believe has protections from direct deauths like you can do in WPA2. I have only seen WPA3 in a lab so not in the real world yet
nice :), thanks
@rob fortunately we are busier than ever
Broad question, how long are your engagements?
I am a Certified Ethical Hacker. How should I proceed further to learn more about security and make a career in it?
a lot of external tests, new clients who now need remote access etc etc
@Mark Snyder they can be as short as a week or as long as 3 months
@Dhruv Mehta get an oscp, submit talks to conferences, network, and be a member of the community
Going back to your kit -- Have you ever used a drone as a platform for your pentesting?
How do you keep abreast of new things without burning out, since it's your day job as well? Any tips for not getting stuck in the rabbit hole, after getting my OSCP I didn't want to look at a terminal for 2 months :)
Thank You Eric for the answer. Also, which skills should I learn next?
How can you learn the skills needed without having a team available?
we have the capability but have never needed it. a long range antenna or just a hidden ground device are typically all we need
never underestimate a soda can with a pi, lipo and lte
@guido.giunchi the hacking community at large is your team. I have a ton of friends I don't work with directly which provide input. karma is huge.
@Eric I remember back 4 or 5 years ago I was playing with scapy and rogue APs. Then it worked like a charm... I listened for SSIDs which are most searched for by nearby devices and created rogue clones and I got a lot of clients (mainly mobile devices) associating with my rogue AP... My question is, do you think this attack still works? Is there any mitigation applied so far?
Thank you for your answer. Clever.
@sniffski 100% it works I do it every day!
best way to counter it is to be listening for it
Thank you
99% of our clients don't listen for other wireless activity
Lovely
Have you ever completely failed to penetrate a system? Anything locked down so tight that you couldn't find a way in?
@Eric... you gave me a purpose for my Pi0 to play with! :)
Thanks
it helps to be in a slack channel with other nerds
@Dan Maloney yes absolutely
@Eric - Kali, parrot or do you roll your own distro with tools?
it's rare, but some companies do security right
@bprofitt Kali for something quick, or Debian, or Ubuntu for SDR stuff
Which is worse? Governmental or private company?
Eric, your job is tons of fun right, but what do you do for FUN when you're "off"?
both have pros and cons. I think they are just different
govt is slow to respond to fixes I've found
Do you ever have to test non-WiFi wireless systems? Like maybe microwave backhaul links between sites? Seems like those could be rich targets.
@Phabeon I have a 2 year old LOL
oh that's certainly a lot of ... "fun" :-D
@Dan Maloney I've tested a handful of RF
one ptp setup and a lot of other radio protocols
What do you use for SDR - hardware & software?
hardware - HackRF, or a B210
software - Universal Radio Hacker, ooktools, GNU Radio
You said you also do hardware: can you elaborate on that a bit more please?
Do companies hire you usually as a precaution or because someone messed with them?
yeah our team tests hardware devices to see if we can extract information from onboard chips, or gain access to a local shell with serial/JTAG or some other means
@Gabriel D'Espindula typically for audits, precaution or something bad has happened
@Gabriel D'Espindula we also have a full incident response team
for people that have been hit by "hackers" or ransomware etc etc
What is your approach for organizations hit with ransomware?
That’s definitely not my forte but I believe our stance is that we first try to evict and then restore from backup and regain control
Okay. Thank You Eric
Absolutely!
Eric, if I understood one of your previous replies, you're not a coder/programmer right? So what skills would you say you have then?
i.e. strong in networking or wireless standards, etc., etc.
On the last question, how is the team structured, do you have precise roles?
I’d say that I have a strong understanding of wireless networking, networking, and how to talk to people