Hi, I am so happy to finally launch this podcast. The idea behind it is to provide hackers with a unique mix of various topics: technical stuff like hacking Q&As and tool reviews, and non-technical advice on productivity, personal growth…
You can listen to the first episode using the widget below or on https://anchor.fm/bughunter. I’m working on making it available on all major platforms like iTunes, Spotify, etc.
Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding all links or commands mentioned in the audio.
Hey hackers! This is the Bug Hunter podcast by Pentesterland. The podcast for pentesters & bug bounty hunters.
We tackle technical questions & inspirational topics to help you develop both a hacker skillset & mindset.
Welcome to this first edition! I’m your host, Mariem. And the title of this episode is: “Hacker mindset & network pentest”.
Here’s how this first show is structured. I have two segments called:
- Personal growth
Just so you know, the second segment isn’t technical at all. It’s not even directly related to hacking.
I think that all of us without exception should be working on our own personal growth. Personal development and productivity tools & techniques help us become a better version of ourselves, as humans and as hackers. That’s why I’m mixing things up and will include topics about hacking and life hacking, mindset, motivation, productivity, etc.
I was contacted recently by @lops3g on Twitter. I hope I’m pronouncing his handle right. It’s written as lops3g. Anyway he was on a pentest with a first big customer and had multiple questions. Basically, they revolved around how to improve his external network penetration tests & the difference between network and web tests.
Here is some information that he gave me on the context of these tests:
- His client asked for an external network penetration test in black box mode
- He used Shodan & Censys but got limited results
- The kinds of ports & services he found open are: 80, 22, smtp, sip, pop3, 443
- He didn’t try to exploit the non HTTP ports (22, smtp, sip & pop3)
- He only scanned the most common TCP ports
- SSH services were vulnerable to user enumeration, so he tried to bruteforce them
- He didn’t test the SMTP service for open mail relay
Here is some advice that I gave him in case it helps you too:
Always scan all TCP ports
Unless you notice that it causes any kind of disruption on the target network, it should be your default.
The reason for that is that Nmap only scans the 1000 most common ports by default. And often there are higher open ports. So if you didn’t scan all 65535 ports, you might miss some vulnerabilities.
The option to scan all ports is
Always scan the most common UDP ports with
UDP scans are a lot slower, so scanning all UDP ports would take forever. But systematically scanning at least the common UDP ports is a good habit. It’ll allow you to detect interesting services like DNS, SNMP, TFTP, RPC, NTP, ISAKMP…
If you feel like a WAF or something else blocks your port scanning, try firewall evasion techniques & options
If you need a tutorial on how to do that, just send me a message on Twitter or send an email to [email protected] and I’ll gladly help.
Use Shodan & Censys like @lops3g did but always confirm what you find
… because their results might not be up to date!
Shodan for instance might show you an open vulnerable service which isn’t available on the target anymore. So don’t take their results for granted.
Start a knowledge base and improve it over time
This is so important! I’m giving you 10 tips today on how to improve your network pentests. But if you had to choose only one to implement, the most crucial, it is this one.
A knowledge base is a set of notes in any format you prefer, which will help you take notes of any techniques, tricks, tools or command lines that you find interesting. It is where you gather payloads, attack techniques you are learning, interesting links, articles, etc.
If you do this consistently throughout your career, you will build serious knowledge and you won’t ever lose anything. You won’t scratch your head thinking about some cool trick that you saw somewhere and need now but can’t remember what it was. Because even if you forget something, it’ll be there, in your notes. You will never have to ask anyone how to set up all your pentest tools to go through a remote corporate server. If someone gives you a piece of advice or shows you how to do something, you won’t have to ask them every six months to repeat it. Also, if you don’t know what to do next, if you are lacking ideas during your pentest, it will be your go-to checklist to make sure that you don’t forget anything.
Now that you’re convinced, how do you create such a knowledge base in practice?
I won’t get into the details of which tool to use because it’s a matter of personal experience. Try different ones and find out what works best for you.
But the easiest way to start taking notes on network pentests is to make a pentest checklist with a category for each service, one for SMTP, one for SNMP, for FTP, etc. And over time add as many techniques & tools to each one.
There are a lot of pentest frameworks & OSCP references that you can use for inspiration. You’ll find two good ones in the show notes and we regularly link to many references in the Pentester Land newsletter. While you’re going through these references, take notes of any actionable advice or tricks:
- <https://paper.dropbox.com/doc/OSCP-Methodology-EnVX7VSiNGZ2K2QxCZD7Q>
- <http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html>
- <https://pentester.land/newsletter>
If you see an open SMTP service, test it for open mail relay
You can use Metasploit for that or better, do it manually. If you don’t know how, check out the show notes. I link there to a tutorial on how to manually test for open mail relays.
Don’t limit yourself to one tool for each kind of test
Sometimes a tool won’t work, but if you try another one or do the test manually you’ll find a bug. Or you will get an error which will help you debug the issue and get a working exploit.
For example, if you test for open mail relay with Metasploit, sometimes it won’t work and you will not know why because no error message is returned. But if you do the test manually, using Telnet and directly communicating with the server using SMTP commands like MAIL FROM and RCPT TO, you might see that external email addresses are not allowed by the mail server you are testing. It tells you so through error messages. But if you try an internal email address, it will work. So the server in this case would be vulnerable to internal mail relay, and this is easier to detect by communicating with it directly.
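As an added example (not code from the episode or from Pentester Land), here is a small Python probe that drives the MAIL FROM / RCPT TO exchange itself and keeps every reply code and message, so the difference between “relay denied”, “accepted for an internal address” and “accepted for anything” stays visible instead of being swallowed by a tool. The `ScriptedServer` class, the hostnames and the email addresses are constructed placeholders that reproduce the scenario above offline; `live_sender` uses `smtplib.SMTP.docmd` when you want to run the same conversation against a real server in scope.

```python
"""Manual SMTP relay probe: send MAIL FROM / RCPT TO ourselves and read
the server's own reply codes.  Added example; all hosts, addresses and
scripted replies are constructed placeholders."""
import smtplib
from typing import Callable, Dict, List, Tuple

# A "sender" takes one raw SMTP command line and returns (code, reply_text).
Sender = Callable[[str], Tuple[int, bytes]]


def probe_relay(send: Sender, mail_from: str,
                external_rcpt: str, internal_rcpt: str) -> Dict[str, object]:
    """Attempt to relay to an external and an internal recipient, keep the
    raw replies, and return a verdict:
      'open relay'     - server accepts an external recipient
      'internal relay' - external refused, internal accepted (the case in
                         the episode, only visible through the reply text)
      'no relay'       - both refused
    """
    results: Dict[str, object] = {}
    code, text = send(f"MAIL FROM:<{mail_from}>")
    results["mail_from"] = (code, text.decode(errors="replace"))
    if code != 250:
        results["verdict"] = f"sender rejected ({code})"
        return results
    for label, rcpt in (("external", external_rcpt), ("internal", internal_rcpt)):
        code, text = send(f"RCPT TO:<{rcpt}>")
        results[label] = (code, text.decode(errors="replace"))
    send("RSET")  # abandon the transaction; nothing is actually delivered
    if results["external"][0] in (250, 251):
        results["verdict"] = "open relay"
    elif results["internal"][0] in (250, 251):
        results["verdict"] = "internal relay"
    else:
        results["verdict"] = "no relay"
    return results


def live_sender(host: str, port: int = 25) -> Tuple[smtplib.SMTP, Sender]:
    """Sender backed by a real connection; smtplib's docmd() returns
    (code, message) for each raw command, which is exactly what we need."""
    conn = smtplib.SMTP(host, port, timeout=10)
    conn.ehlo_or_helo_if_needed()
    return conn, conn.docmd


class ScriptedServer:
    """Constructed stand-in for a mail server that refuses relaying to
    outside domains but accepts recipients in its own domain."""

    def __init__(self, local_domain: str) -> None:
        self.local_domain = local_domain
        self.transcript: List[str] = []

    def __call__(self, line: str) -> Tuple[int, bytes]:
        self.transcript.append(line)
        verb, _, arg = line.partition(":")
        if verb == "MAIL FROM":
            return 250, b"2.1.0 Ok"
        if verb == "RCPT TO":
            domain = arg.strip("<>").rsplit("@", 1)[-1]
            if domain == self.local_domain:
                return 250, b"2.1.5 Ok"
            return 554, b"5.7.1 Relay access denied"
        return 250, b"2.0.0 Ok"


if __name__ == "__main__":
    # Offline demo against the scripted server (constructed data).
    server = ScriptedServer("corp.example")
    report = probe_relay(server, "probe@outside.example",
                         "someone@elsewhere.example", "alice@corp.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a real target you would replace the scripted server with `conn, send = live_sender("mail.target.example")` (placeholder host) and call `probe_relay(send, …)` with addresses agreed in scope, then `conn.quit()`. Keeping the raw `(code, text)` pairs in the report is what makes the “internal relay only” case diagnosable: the 554 text for the external recipient explains the refusal, and the 250 for the internal one shows the server still relays for an outside sender.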
Make sure to understand the scope validated with the client before you start the mission
The way I see it, a Web pentest only targets Web apps & HTTP-based services. While a network pentest targets all kinds of available services, ports, systems, apps… It’s assessing the security posture of the network infrastructure and includes testing for vulnerable open services, firewall bypass, IDS/IPS bypass, and more.
That said, everyone might have a different understanding of what each type of tests means. So make sure before you start any tests that your client and you are on the same page, validate the exact scope ideally including the target IP addresses or net blocks, the exact type of tests, whether scanners and automated tools are allowed, whether you will test all open services or only HTTP-based services, etc. This will prevent any misunderstanding with your client.
Ask the client beforehand for their priorities, which functionalities, risks or vulnerabilities are preoccupying them the most
… so that you don’t spend too much time on parts of a site that are for example scheduled to be removed. Also they may have doubts on the security of specific parts of a site, based on the feedback of developers or users. This kind of information is absolutely not mandatory especially for black box tests. But it could help you know where to start and save some time because pentesters usually have a lot less time to find vulnerabilities than real attackers.
Train as much as you can
There are many VMs and intentionally vulnerable apps out there. If you don’t know where to start, check out the “Challenges” section of Pentester Land’s newsletter.
To conclude, I am sure @lops3g already knew what he had to do and just needed a little motivation and being reassured. He already follows the PTES (Penetration Testing Execution Standard) and uses Vulnhub VMs for training.
So like I already told you @lops3g, the fact that you’re worrying about the quality of your findings and reports is a good sign. It means you’re doing your best and will continue improving.
Thanks a lot for your question!
Personal growth segment
The next subject isn’t directly related to hacking.
This is a reminder and inspirational speech for you & me. I’m hoping to inspire you to work on reaching your goals whether they’re related to hacking or not.
We all have dreams and so many obstacles that keep us from reaching these dreams.
Maybe the list of vulnerabilities you aim to learn this year is big… as huge as the different tasks that you have to do in your day job and family life? Maybe your dreams of becoming a full-time bug hunter, successful pentester or business owner are big and concrete, but you have zero idea on how to make them come true? Maybe you don’t have the time: I mean…OMG how am I supposed to do my day job, and learn, and have a family & social life, and exercise and have hobbies and get bug bounties…
Whatever difficulty you are facing, I want you to genuinely ask yourself this question: Are you problem oriented or solution oriented?
Here is the difference: You are problem oriented if you focus on your problems, on why you can’t do something. You are solution oriented if your focus is more on solutions and tactics to solve any issues that you have. You’re not justifying why you can’t do something or why anyone in your situation couldn’t do better. Instead, you dream big and will do anything it takes to get there no matter your circumstances.
We’ve all heard stories of athletes who compete with disabilities. Or people who had accidents and weren’t supposed to be able to walk again. But they somehow managed to do the supposedly impossible because they had a positive mindset, they wouldn’t take no for an answer. They didn’t wallow in self-pity.
Because you know, mindset is everything. In life in general and especially in hacking. It’s not a skillset, it’s rather a mindset, a mind game. The best bug hunters are those who don’t give up. They could spend months training, learning and submitting duplicates until a shift happens and they become successful. It doesn’t happen overnight.
Focusing on your problems will only make them bigger. You know when you become interested in something like a specific car model, and you start seeing it everywhere… Cars didn’t just appear out of nowhere, they were always there but you didn’t notice them before because you weren’t looking for that car model.
So if you focus on the negative, you will notice more and more negative things throughout the day.
You don’t really need to complain and explain to someone or to yourself why it is so difficult or impossible to do this or that. You don’t need empathy.
What you need is to really think about this, change your mindset and find solutions. Focus on the positive, and you will start seeing new ideas to try and potential solutions.
You can do anything you set your mind to. Of course, it could be a lot of work or uncomfortable but you can only grow in discomfort.
So genuinely ask yourself if you are problem oriented or solution oriented. This question could make a huge difference in your life and how you approach any issues from now on.
It may seem too simple but personally, this mindset shift is what made me switch from a mere dreamer and consumer, to someone who can produce stuff and get results despite not having ideal circumstances.
If I try to do something and it’s proving difficult, I tell myself that it is not a problem, rather an opportunity. If it was easy, everyone would do it. So it’s an opportunity for me to distinguish myself, to excel, to create something that most people wouldn’t be able to do because they don’t have the perseverance. Or because they just don’t challenge themselves enough.
So pay attention to your thoughts and discussions with friends and colleagues. For example, don’t say: I don’t have time to read hacking books. Find the time. Prioritize what’s important. 20 minutes a day could add up to a lot over time. Take advantage of even minutes that you have in your day, during your lunch break or during your commute or just before going to bed, etc.
So what is it that you want to achieve? I would love to know. You can leave a comment on the show notes’ page. What’s your goal: Getting bounties? Learning specific vulnerabilities? Automating your tests? Finding a job? Also, what are you committing to do regularly to realize this goal?
Before wrapping up, I have a bonus segment.
It’s a funny Tweet from Dr. Anton Chuvakin. He says between quotation marks, as if this is something a client said:
“We have role-based access. One role has access, the other doesn’t.”
Get it? They count anonymous access as role-based.
I thought it was funny. And God, I hope this is just a joke and some client didn’t say that for real.
That’s it for today guys!
Thanks for listening to The Bug Hunter podcast by PentesterLand.
If you like what you just heard, please share, like, subscribe and comment. Let me know what you think.
And if you have any questions or suggestions, send them to [email protected].
See you next time! Keep on hacking!