Update: We're going away for a bit. Stuff to hack. But we'll check in periodically for new questions over the next couple of days, for any questions that haven't been addressed already. Thanks everyone!


Hi Reddit! /u/hackamuffin, /u/sho-luv, and /u/todbatx just published a paper in an effort to demystify the occult practice of professional network penetration testing. We're here today to answer any questions you might have about this super fun career.

No, we will not hack your girlfriend's Facebook for you. Yes, this line of work is exactly like how it's portrayed in the movies, black hoodies and all.

Proof pics || Proof Tweet


FAQ

Comments: 602 • Responses: 26

-CIA-140 karma

[removed]

todbatx267 karma

Those background checks are rough.

Also, I can't take polygraph tests seriously. Since they're garbage science.

stermister60 karma

Once computers become sentient, will attempting to penetrate their ports be considered unconsensual assault?

SirLordBoss9 karma

Can't you already get arrested for doing a port scan? In the future, that will likely be considered rape. The future is dumb.

todbatx19 karma

In the US, portscanning isn't nearly as risky as it used to be. We scan the internet pretty routinely, and talk about it at Project Sonar.

anantshri50 karma

If you were asked to fill out a Pareto-chart-style breakdown (roughly 80% of the effects come from 20% of the causes), what would be your pick of the 20%, say in the case of networks, web and mobile?

todbatx60 karma

So, what accounts for all the win in the network, or what accounts for all the fail? I'll cover both, since oddly, the answer is the same.

Most network and computer resiliency -- the stuff that makes the target hard to hack -- is due to decent patch management. If your organization is diligent in getting updates out to servers, desktops, and mobile, you're 80% of the way there, for sure.

When it comes to exploiting vulnerabilities, though, most of the time, it's due to that small population of machines that don't see automatic updates. They may be "too critical to reboot," or they're some goofy IoT thing that can't get updated reasonably. That's where pentesters (and criminals) live.

InfoSec_Jackass43 karma

Steve-O here: If Todd Beardsley shaves his beard does the universe collapse on itself?

todbatx35 karma

No. That only happens if egypt shaves his. In theory. Let's pray we never find out.

TenPest00737 karma

What's the best thing a junior can do after passing OSCP?

todbatx43 karma

Drop out and start working! Or, get an internship while you're in school. Either way, start getting out into the field for real.

(I didn't end up finishing my degree until I was 38).

canchill31 karma

I work at a financial institution in South East Asia. How difficult is it to penetrate a midsize financial institution?

What are some tell-tale signs of bad security visible to the public?

todbatx60 karma

We discuss this some in our paper, Under the Hoodie. Turns out, there's not a ton of difference between industries, which we found kind of surprising.

You'd think that places like financial institutions and healthcare providers would have better security than a retail outlet, but the fact of the matter is, everyone runs pretty much the same stack -- Microsoft desktops, Linux servers, and Cisco switches and routers (and if not those, their top two or three competitors).

So, broadly, techniques and tech really don't change much from site to site. There's always something new you run into on every site, but the basics are the same wherever you go.

satysin24 karma

Vim or Emacs?

todbatx44 karma

Vim.

hackamuffin28 karma

VI. And bring back Lynx and Pine while we're at it.

todbatx18 karma

You are wrong, /u/hackamuffin.

Links is way nicer than lynx.

Djaja18 karma

Any easy way to see if my phone has been infiltrated by anyone I wouldn't want there?

todbatx49 karma

Easy? I can't think of many. There are companies that make anti-malware for phones, like Zimperium, which are fine, but for most people who don't have enterprise security on the phone, the best bet is to avoid shady, off-brand app stores, keep your automatic updates going, and factory refresh maybe once a year (you do have backups of all your photos, right?).

If you see that you're suddenly texting people with spam links, or find weird apps you never installed, then you've likely been owned.

stompinstinker16 karma

I find security testing the most sexually pun-filled area of IT. For example: "penetrating your back-end". What are some of your favourites?

todbatx27 karma

I know! And it's off-putting.

Unrelated, but over at Metasploit, we have a Code of Conduct that specifically forbids "the use of sexualized language or imagery." Which helps make our project a little more welcoming, but it's easy to accidentally pun something with the language we use.

I do think that pentesting, and security in general, is absolutely loaded with very aggressive language. Terms like "attack" and "exploit" don't exactly get a lot of people into a friendly mood, and the imagery is very much centered on castles and locks and swords and other things that boys like (with few exceptions).

It's unfortunate, and I believe that the language and images that we use to describe our industry absolutely contributes to the lack of women in our industry. That, and the overt sexism and misogyny that you find in male-dominated industries.

Sumidiotdude14 karma

What movie has the most realistic representation of hackers?

sho-luv51 karma

Hackers!!! ... We say sneakers. Mr Robot is probably the most honest.

todbatx54 karma

Yep, Mr. Robot seems to be the most technically accurate (except when things obviously veer off into fantasy land).

"Yes, we all know what a Raspberry Pi is." - favorite line. :)

iv0ryw0lf11 karma

I get using a Raspberry Pi, but I always argued this: Why not get a prepaid Android phone from Walmart at about $20-$40 and use that? You don't have to activate it and 9 out of 10 times they can be rooted since they are older. Launch your attack from that! You can then do your pwn custom tools. Git it?

todbatx18 karma

eh, I'd argue it's easier to just run your stuff from Raspbian, especially if you're not into android APK development. The Android platform may end up being slightly cheaper, but that'll wash out when you end up having to get a better power supply going.

alibyte14 karma

What can a junior in high school do to get into this profession? I've been playing with RATs (on my computers ONLY, nothing illegal), making viruses undetectable, and going through online netsec courses on cybrary. Thanks :)

todbatx26 karma

We don't hire pentesters who are 16ish, but we have occasionally hired high school interns for software development jobs elsewhere at Rapid7. I'd say take this time to learn programming languages, scripting languages, and throw in on some open source software projects that strike your fancy on GitHub. Getting some programming experience under your belt will pay off a ton in the long run, since you'll better understand how computers work.

Daniel20413 karma

Are you 4chan?

todbatx11 karma

Nope.

dorkvader1211 karma

What are some common security practices that infuriate you?

todbatx12 karma

The belief there's a well defined "internal" vs "external" side, given that we have mobile devices moving around all the time, and everyone's shoving their core infrastructure off to the cloud.

Network segmentation is hard.

MyGrownUpLife9 karma

1 - I read something several years ago about password policy and that decreasing password reset times and increasing length and complexity had a sort of reverse effect, because it led to people following a formula (switching characters around or incrementing numbers) or just being more prone to keeping them written down in unsafe places, and there was a theoretical point of diminishing returns. In your experience, have you found anything that supports or refutes this notion?

2 - Key fobs and phone apps providing tokens for use in authentication - is this a real solution or a placebo? Is there a struggle with increased cost and effort to the IT team replacing and resetting due to the fob or phone being lost that might be keeping some orgs from adopting this or regretting making a move to this?

todbatx15 karma

So last question first: multifactor / two-factor authentication (MFA / 2FA) do tend to make things much harder for attackers, on a couple fronts. It means you can't just guess "Spring2017!" for all users across the site and expect to get going with your stolen credentials (without 2FA, this password will almost certainly work, btw). It also means that if you get compromised, and your user database leaked, those passwords are /slightly/ less valuable, because you still need to deal with the 2FA / MFA.

Now, in practice, 2FA / MFA is not a cure-all. They're still defeatable. But you need to work at it a little harder. For more on 2FA -- namely, who supports it -- see https://twofactorauth.org/ . I love that site. Tons.

For your first question: password management is tough. If I was king of security, I would mandate that users must use a password manager, which gives them long, unmemorable passwords full of all the character classes and maximum length. Password policies that enforce minimum lengths do tend to help overall password complexity, but that's about the only control that seems to work consistently.

If you're not a unilateral monarch (and no CISO is), then the best thing to do would be to force password expiration maybe 2x a year, have account lockouts that are human-forgiving (lockout for 30 seconds, alert for serious if the lockout is hit 10 times in a row), and keep an eye on your typical user behavior to tell when a service account is suddenly logging into all your phones when it's never done that before.

For more on passwords, I really like Mark Burnett's book. It's pretty much still the go-to for this.
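One way to implement the "human-forgiving" lockout described above (30-second lock, escalate to an alert only when the lockout is hit 10 times in a row), as an added example rather than code from the AMA or from Rapid7. The 5-failures-per-lockout threshold and the sample event stream are assumptions; the point is that a fumbling user never triggers paging, while a sustained guessing run against one account does.

```python
from dataclasses import dataclass
from collections import defaultdict

# 30-second lockout and "10 lockouts in a row" come from the answer above;
# FAILURES_PER_LOCKOUT is an assumed value, not one the answer gives.
LOCKOUT_SECONDS = 30
FAILURES_PER_LOCKOUT = 5
LOCKOUTS_BEFORE_ALERT = 10

@dataclass
class AccountState:
    failures: int = 0              # failed attempts since last success or lockout
    locked_until: float = 0.0      # unix-style timestamp; 0 means not locked
    consecutive_lockouts: int = 0  # lockouts with no successful login in between

class LockoutPolicy:
    """Brief lock on repeated failure; alert only on a run of lockouts."""
    def __init__(self):
        self.accounts = defaultdict(AccountState)
        self.alerts = []  # (timestamp, user) pairs handed to the SIEM

    def record(self, ts, user, success):
        """Process one auth attempt; returns 'ok', 'fail', 'locked' or 'alert'."""
        st = self.accounts[user]
        if ts < st.locked_until:
            return "locked"  # rejected outright while the 30s window is open
        if success:
            st.failures = 0
            st.consecutive_lockouts = 0  # a real login ends the escalation run
            return "ok"
        st.failures += 1
        if st.failures < FAILURES_PER_LOCKOUT:
            return "fail"
        st.failures = 0
        st.locked_until = ts + LOCKOUT_SECONDS
        st.consecutive_lockouts += 1
        if st.consecutive_lockouts >= LOCKOUTS_BEFORE_ALERT:
            self.alerts.append((ts, user))
            return "alert"
        return "locked"

def simulate():
    """Constructed stream: a fat-fingered user vs. a sustained guessing run."""
    policy = LockoutPolicy()
    for i in range(3):                       # alice: 3 typos, then success
        policy.record(10.0 + i, "alice", False)
    policy.record(14.0, "alice", True)
    t = 100.0                                # svc_backup: 10 lockouts back to back
    for _ in range(LOCKOUTS_BEFORE_ALERT):
        for _ in range(FAILURES_PER_LOCKOUT):
            policy.record(t, "svc_backup", False)
            t += 1
        t += LOCKOUT_SECONDS                 # wait out the lock, then keep guessing
    return policy
```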

TombstoneSoda3 karma

No fear of getting their password manager info dumped?

todbatx11 karma

Password managers mean that you are keeping all your passwords in one basket, so you better protect that basket.

But, I'd say, for most people, using a password manager is way less risky than reusing the same 3-5 passwords they use on every site they ever encounter.

The password manager I use is usually offline, and lives on my (physical) keychain. It's encrypted with a fairly decent password, which I do have to remember in my head.

It also means that I don't get to use it with my phone (if I had it on my phone, it'd be online all the time). But, for that case, I tend to have long-lived sessions terminated on a physical device that has full disk encryption, near my body pretty much all the time. Or, in a pinch, I can do a password reset via my e-mail.

TheCakeDayLie8 karma

How important do you consider network security measures like SIEM log monitoring, vuln scan/mgmt, and patch mgmt to be?

Side note - I work in that particular industry and am constantly surprised when I speak with an ISO who simply doesn't give a shit.

todbatx14 karma

We cover this some in our pentesting census report, but briefly, detection is everything.

If you're able to detect the pentesters in time to actually do something about it, we'd fail on site a lot more often. Which is good news for you, the client! It means you at least have a chance of catching real intruders in the act.

The trick is hitting that balance between detecting everything that's useful, and suffering alert fatigue. You can't have a SIEM that just screams everything is broken all the time, or else your analysts will just never respond to anything.

aspoels5 karma

What's your favorite hardware? What's your favorite operating system? What's your favorite web browser? What's the pay like? Are you guys able to do any of the stuff we've seen in the Wikileaks Vault 7 Year Zero leaks?

todbatx3 karma

The Vault7 stuff looked awfully familiar. I wrote a blog post about it. TLDR: Working at the CIA is pretty much an identical experience as working on Metasploit.

InfoSec_Jackass5 karma

Bam here again. How has the security (conference) scene changed over the years? Would you say it is toxic or inclusive at large? A grounding litmus test would be if you would want a daughter of yours to go into infosec.

todbatx6 karma

How has the security (conference) scene changed over the years?

Ignoring the rest of the question (which /u/eccentricoldsoul handled), I think it's pretty obvious that the conferences have all gotten a lot more commercial. RSA is the new CES, Black Hat is the new RSA, and DEF CON is the new Black Hat. I don't think this is particularly bad or contentious.

That said, regional conferences are where it's at. I like THOTCon, Derby, and Infosec Southwest (the last I help run, and you should go there!).

And, THAT said, there are a billion conferences. You could go to one a week and never run out. I think it's hard to characterize them as a whole. Some are great.

Stuckin_Foned3 karma

Did you read 2600?

todbatx9 karma

I did! I was at the first 2600 meeting in San Francisco, at the... Montgomery Street? BART station. It was all pay phones, and no laptops allowed. Pretty much exactly like a Cory Doctorow book.

Djaja1 karma

How is the weather where you are at?

todbatx8 karma

Pretty downvotey!

workthrowaway26321 karma

How do I avoid getting digitally ransacked by thieving, balaclava wearing l33t hackers?

todbatx2 karma

Don't hang out in TV studios.

Korauw1 karma

Did some companies ask you to make something illegal for them?

todbatx2 karma

See /u/hackamuffin's answer, here.

derb14-1 karma

How do I hack the wifi password of my neighbors?

todbatx9 karma

Well, step one is to get their consent. Have you done that?