what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Sunday, November 17, 2013

BLACK BOX / RED TEAM ASSESSMENT FIELD REQUIREMENTS



This blog is meant for everyone who keeps asking me about Red Teaming and accompanying me, during such operations. The reason i normally refuse its due to that some of them don't have minimal requirements that an operative should have.

Now remember old school BlackBox doesn't require RedTeaming, but with the advanced technology, and security threats, this part of testing has to be applied. Most Pentest Companies will tell you its not part of Blackbox, since they have no idea how to do it and have no personnel and they will have to give you a substandard service.

1. Confidentiality

You need to keep what you learn about the operation close up, until at a time when its declassified and irrelevant. Naming of client Organization and the vulnerabilities that they still have should not be known by the public or friends. Also the target should not know when attack is underway, everything should be stealth as possible. Thats why Red Team is part of BlackBox Pentesting especially during Clandestine Intel Gathering, Social Engineering and Physical Exploitation.

2. Strength and Speed

You have to be really fit, fast and strong. This is not a field for the weak and fatty fatty geeks who sit behind the desk all day, this is for the people, who will pull themselves over a roof / fence, who can run for a long distance, can sprint very fast at short distance, can jump from one staircase to another, go through stairs up to the floor target in a tall building and still type, and also be able to handle an on-coming threat in a hostile area. This is where alot of you fail.

3. Integrity

You can never be bought off, by thugs to help them steal money from a bank.
You can never Deny services, to servers and infrastructure because DDOS is your only options you got.
You don't Bruteforce until its the last option.
Any machine, mobile technology, access cards, printed paper work, should be returned back after the engagement.
You can not hack back the network, because the organization is taking forever to pay you.
You should never leak surveillance footage, even if its explicit, it should be deleted.

4. Think on your feet

You should be able to react to a situation, make something up real fast, be a fast thinker and be good with words. Not many Computer geeks are good with this, but you can learn.

5. On Ground Defense/Offense

You should have an idea of how to crack a safe, how to steal a wallet, to plant an accesspoint / flashdisk, notice a weapon/ gun-type, or if somebody is armed, learn how to use a side arm (Not so necessary, unless contracted for Govt Operations), learn how to spot a camera and other physical security devices and be smart on the road and streets.

6. Financial Knowledge

Its vital to understand banking and other financial infrastructure, applications used in banking, understand how these infrastructures work and which types of servers and operating systems are commonly used.

7. Adapt to any environment

During Threat Intelligence, one of the vital issues you will encounter is understanding the administrator who set up that network, the guard who is at the door, who did set the firewall/IDS and what was the state of their mind. What are the inner-working of the IT Team in this organization and how they relate to the users and their bosses. You should be able to adapt to any other situation that has developed during the engagement. (I remember fixing a service i had messed uo, before the administrator figures out the service has crashed)

8. Perfect Liar

Social Engineering and Espionage requires good liars. You gotta make up the perfect lie that will sell during an assessment.


So these are the most essential Requirements during a Black Box Penetration Testing, the others are equally important but not as essential.


Thursday, November 14, 2013

DE-CLASSIFIED VERSION OF INTERNET TO ATM EXPLOITATION

Late last year i was involved in a Penetration testing as a third party attacker. The attack was meant to show risks that can be used to gain access to ATM-Bridge and ATM machines and how someone would gain access to them from the Internet. Now the issue is that this could not be done in the amount of time the Bank wanted, and also the main contractor didnt believe in full penetration testing. So i dropped the job and talked to the IT Manager and told him i can exploit the bank in less than six months, give or take. He was reluctant but agreed on later after the contractor submitted their report.

So here is a declassified simulation, where you can use simple tools from backtrack to gain access to the network.


The fun part on this simulation is HP-Aux ATM-Bridge servers. Most banks use HP Softwares for network managements e.g HP Data Protectors and most of the time they are installed on Server level application and thus makes them easier to be exploited, we all know port 5555? I hope the answer is YesZuur






Also if you get access to A.D servers due to vulnerabilities that domain controller has, eg this one was on Windows 2003 Server, you will be able to control the main HP Protector servers and you can get full access to ATMs.


Now remember most of these applications could have passwords, so accessing them via rdesktop using another session would be hard, but by now as a pentester you should know how to hijack a remote desktop session that an authenticated user is already in, via Active Directory on a Domian Forest.


Anyway, trying to figure out which bank this is will be the hardest part of your reconnaissance, but understanding how such a pentest works will be the best part of upgrading your career in Infosec and defending your organizations.







Thursday, November 07, 2013

Blog Posts

Hi.

So,i usually make sure i release a post every month, even though some do delay, this is usually due to restrictions by clients, i cannot release some info about a pentest to avoid leakage of where and when this infrastructure was tested, so there will always be a waiting period, so that no one can actually figure out who was the target.