Dear PenTest Readers,
This month we’ve prepared something really special - PenTest Mag’s takeover edition by OCD Tech. This amazing, Boston-based cybersecurity consulting company has provided you with 11 excellent articles on a variety of relevant topics in the industry. The substantive value of each write-up is unquestionable - there is no business advertising content.
Instead, you have a wide range of content written by experts in their fields. The scope of the discussed topics reaches from juicy pentesting tips and techniques, like Windows Privilege Escalation, IoT vulnerabilities, OSINT and Zero Knowledge Proof, through communicating IT risk to a nontechnical audience, to team management advice for cybersecurity businesses and pentesting career tips. And that’s not all, check it out for yourself! :)
When we came up with the idea of this special collaboration, we had already had some publications by OCD Tech employees in our editions before. Thus, we were sure that this takeover edition was going to be full of great offensive security articles. And this is exactly what happened here. Every reader will find their own treat in this one! (pun intended, as the publication day is Halloween).
If you’re looking for top-notch, proven, credible consulting, look no further and reach out to OCD Tech. This edition is a strong demonstration of how skilled this team is and how great they are to work with.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
So You Want to Work in Offensive Security
by Michael Hammond
As you advance in cyber security, you have to decide if you want to specialize or become a jack of all trades. As you work on your transition into cyber security, you’ll also have to decide if you want to be the expert in one area or be broad enough that you have transferable skills. As a subject matter expert, you may command a higher salary, but what happens when that technology is no longer used? Unfortunately, you’ve become an expert in an area no one needs. To combat that, remember what I said earlier, keep learning. Alternatively, maybe you have such broad knowledge that you can be a good fit in a larger number of positions, but your salary may not be as high. You’ll have to decide for yourself which path you are more comfortable taking.
Windows Privilege Escalation: The Concepts of Hijacking Execution Flow
by Jill Kamperides
This article will cover four similar, but different, techniques for escalating privileges on Windows systems. Each technique, at its core, has to do with permissions loopholes and basic program execution, and is more about operating system logic than any intense technical exploitation.
Understanding Microsoft Office Trusted Locations Workflow and How It Can Be Exploited
by Adam Maraziti
Ronald Reagan once said, “Trust, but verify”. That holds true even for Cybersecurity. We are long past the days of relying on software companies to implement default settings with a security first focus. It is on organizations to review administrative guides, default settings and various best practices to securely configure new and existing software. Even then, some built-in functionality cannot be changed and organizations are forced to get creative with solutions to mitigate the associated risks. Usually, this is more of an issue when a larger software company determines that a security concern is not great enough to warrant a patch or a change in functionality because the product, in most cases, is widely used in the industry, or it is working as intended (as determined by the software company). One such company is Microsoft and its suite of Office products. This article will speak about some advanced topics; however, the user should have enough information within the article to understand the core concepts utilized. The goal is to provide some information on the product, the functionality of the product, an in-depth look at how the software steps through the process, and how this is exploited, including a unique attack chain, and finally, some best practices an organization can utilize to prevent it.
IoT Device Vulnerabilities - We Should All Be Worried
by Julia Muccini
As implanted medical devices (or IMDs) become increasingly more sophisticated with features such as wireless clinician controls, monitoring functions, even connections to Bluetooth and smartphones, the cyber risks increase exponentially. Former United States Vice President Dick Cheney was watching that episode of Homeland and requested that the wireless function of his cardiac device be turned off to reduce the risk of a politically motivated assassination through his IMD. IMDs are increasingly common among the general population while remaining unsecure and riddled with vulnerabilities. Wireless IMDs communicate through a radio channel with the programmer base (such as a hospital or doctor’s office), and this channel can be intercepted if the signals are not encrypted. If the radio channel is blocked, the device could be inaccessible. Alternatively, the device could be overloaded by flooding it with network traffic over the radio channel, which could block access to the device as well as drain its battery power. In both instances, the device would be permanently inaccessible, and the patient’s life would be at risk.
Developing a Password Cracking Methodology
by Greg Haapaoaja
Let me paint a scene for you: it is day one of your penetration test, your enumeration of the environment tells you that SMB signing is disabled on the network so relaying hashes is out of the question. However, you are having luck with Responder and start capturing NTLMv2 hashes. After a few hours, you have collected a dozen hashes. What is your plan? Crack everything at the same time? Start with a dictionary attack or go straight to ten-character brute forcing? It is vital to have a methodology to make the best use of penetration testing engagement time, especially during shorter engagements. While transitioning from my prior work at OCD Tech to our firm’s penetration testing team, I was tasked with “owning” our password cracking rig. In the three years that I have had this responsibility, I have been able to develop my own methodology. In the following paragraphs, I will help outline key areas to help build your own.
Building and Applying an Open-Source Intelligence Profile
by Emily Connolly
As organizations evolve their defenses against social engineering, those working on the offense need to work smarter and more creatively than ever. The use of a strong OSINT profile can help an attacker better understand and connect with their target, providing leverage and opportunity, while bypassing many of the usual red flags of a social engineering attack.
Communicating IT Risk to Nontechnical Audiences
by Robbie Harriman
“The Curse of Knowledge”: A cognitive bias that occurs when an individual, who is communicating with other individuals, assumes that the other individuals have the background knowledge to understand. For those of us in IT, the Curse of Knowledge is a very real effect and can put us at a disadvantage in a conversation. As we become more and more knowledgeable as experts in the field, we become further disconnected from the ability to step back and explain things to the layperson. We accumulate a vocabulary of technical jargon and, possibly worst of all, the acronyms. I’ve found myself multiple times in a conversation of mixed audience, where I realize I’m spewing alphabet soup that not everyone will understand. There’s nothing more frustrating than knowing what you want to say, but not knowing how to say it. And this is just as frustrating for those trying to receive the message – especially decision makers.
Contract Signed – Now What? Strategies in Preparing Your Team to Succeed
by Jeff Harms
With any company, the goal is to have multiple projects going at one time. Task management becomes a priority for the manager, but it is necessary for the team as well. A helpful process is to write down every task that needs to be completed for the SOW, or for general assistance to a client. You may be surprised how long the task list becomes. Once this is completed, determine who the primary, secondary, and “persons with knowledge” contacts should be for every task. Completing this assignment helps in a few ways. First, it provides you and your clients with a contact list for each task. Second, it identifies if anyone is unknowingly assigned too many tasks within a project or daily work. Third, training areas are identified when you have tasks that only have one person with knowledge. This information should also be shared with company management.
Need to Harden Your Systems? Here Are Some Ideas on Where to Start
by David Cantor-Adams
Are you a busy president of a company and concerned about all the IT Security problems you keep hearing about in the news? Maybe it’s all the ransomware attacks in the news, or the idea that some government or competitor might be trying to steal trade information. Or, maybe it’s just the recognition that the pandemic has created high turnover and you don’t feel like the new people are as well trained in your business systems as they should be.
Automation: Bashing Your Way to the Future of Pentesting
by Nick Freberg
A pentest automation script can be done in any scripting language of choice, but for the purpose of this exercise and its compatibility with Linux command line syntax, Bash will be used. While it’s true that there are plenty of GitHub repositories available that have all-in-one tools already assembled, such as AutoRecon, having the skills to build one independently and integrating tools specific to a testing team’s methodology can serve as a worthy passion project and professional development opportunity. The end result of this project will be a Frankenstein’s monster of various pentesting tools that will make assessments streamlined and simplified.
Zero Knowledge Proof
by Adam Maraziti
What if I were to tell you that there is a way for me to prove something to you without actually knowing what it is I am trying to prove? Sounds crazy, right? That is where Zero Knowledge Proof comes into play. Zero Knowledge Proof or ZKP is a mathematical technique to verify the truth of information without revealing the information itself. This article will touch on the history of ZKP, some examples to understand it better, and use cases for organizations. While this article will touch on those areas, in general, ZKP goes much deeper into mathematics. For those interested, I urge you to read more on ZKP protocols and Interactive proof systems.