All right, let's get ready for a deep dive into the world of penetration testing. Exciting, but not the kind you see in the movies, you know, the Hollywood stuff. Right, we're going to be looking at the real deal, the secrets from this book, Pentest Secrets: Breaking the Unbreakable Enterprise Security.
I like that title.
It's by Sagar Bansal and Aju Burala. Hmm, I'm not familiar. And it's fascinating because it really pulls back the curtain on what it actually takes to break into these systems that everyone thinks are, you know, unbreakable.
Right, yeah. So much of what we see about hacking is so unrealistic. Totally. It's all, you know, flashy graphics and people typing really fast.
Yeah yeah, yeah.
But this book, it focuses on the strategy, the mindset. Okay, you know, the real secrets.
So you're saying it's more like a mental game than a technical one.
It's both, really, but the technical stuff, the tools and techniques, that's just one part of the equation. What this book does is it gives you a much more realistic understanding of how enterprise security actually works. Okay. And maybe where it doesn't.
So this is going to be like our, you know, our mythbusting deep dive into the real world of pen testing.
Awesome.
Let's start by debunking a major myth. Okay, the lone wolf hacker.
Oh yeah, that's a good one, right.
You always see that in the movies, right.
The lone genius working in the dark.
Yeah, all by themselves, cracking these impossible codes.
Hacking into the CIA or something. Exactly.
But in reality, it's not like that at all. Yep. Especially when it comes to enterprise pen testing.
Ah.
This book makes it clear that it's a team effort.
It's definitely team sport.
Yeah, a team sport.
Many different skills, different perspectives.
Okay, so let's break down this team, then. The book describes the structure of Sagar Bansal's global pen testing team.
Right, so Sagar, he's the founder of the company. He's the one who heads things up, overseeing projects, managing clients, you know, that kind of stuff.
Like the CEO, the big boss.
Yeah you could say that.
Okay, And then who else is on this team?
Well, there's Aju. He's ex-Navy, which is interesting.
Ex-Navy, so he brings a different kind of experience. Exactly.
His expertise is in GRC. GRC, what's that? Governance, risk and compliance. Okay.
And why is that important for a pen testing team.
Because it's not just about breaking into systems, right? You need to understand the rules, the regulations. Oh, I see. The legal frameworks. And then you need to be able to assess the risks, identify the vulnerabilities.
So Aju is like the strategic planner, making sure everything is done by the book.
Yeah, you could say that. He's also really good with digital forensics.
Okay, so if something goes wrong, he can cover their tracks.
Not exactly covering their tracks, no. I meant more like understanding how the attack happened, gathering evidence, you know, that kind of stuff.
Got it. So we've got the CEO and the strategist. Who else is on this dream team?
Well, then you've got the specialists.
The specialists, okay.
Like Jatindra. He's the web app whiz. Web app whiz? Yeah, he's got tons of bug bounty hunting experience.
Bug bounty hunting?
Basically finding and reporting vulnerabilities in websites and apps.
So he knows all the tricks of the trade when it comes to web applications. Exactly.
He's the one who can find those subtle weaknesses that others might miss.
Okay, and what about infrastructure?
For that, you've got Mandeep. He's top ranked in infrastructure testing.
Top ranked? That's impressive.
Yeah, and he's all the way from Australia. Wow.
So they've really assembled a global team here.
They've got the best of the best.
Okay. So we've got the CEO, the strategist, the web app whiz, the infrastructure expert. Anyone else?
Oh yeah. They also have a senior exploit writer, Miss X.
Let's call her Miss X. Mysterious.
She's brought in for specific projects that require her unique skills.
Unique skills like what?
Well, she's the one who can create those custom exploits, the ones that can bypass even the toughest security measures.
So she's like the secret weapon. You could say that. And then lastly they have Paul, right? He handles network pen testing, but he also has expertise in compliance and legal matters.
Yeah, he's the one who makes sure they stay on the right side of the law.
Okay. So this team is like a well-oiled machine. It is, with specialists for every aspect of a pen test.
And that's what it takes to be successful.
So it's not just about being a hacker. No, it's about having a diverse team with a wide range of skills.
Absolutely.
Now I'm curious. With all this expertise, did they still face challenges?
Oh, absolutely. Even the best teams run into roadblocks.
Okay, So what kind of challenges did they encounter?
Well, the book describes how even this elite team faced some serious hurdles right from the start.
From the start? You mean during the initial recon? Exactly.
They were targeting a company with all the standard defenses. Cloudflare protection.
Oh yeah, Cloudflare. That's tough to get around.
It is. Rate limiting, user agent blocking.
Okay. So they were trying to slow them down and filter out any suspicious traffic. Exactly. And they suspected there might be a web application firewall.
Yeah, a WAF. That's a common defense.
And of course endpoint security on all the computers.
Right. So even if they managed to get through the perimeter defenses, they'd still have to deal with security software on individual machines.
It's like a fortress with multiple layers of walls and moats. It is.
But these guys they were determined.
Okay, so how did they get past all that?
Well, they had to get creative.
Creative? How so?
They used custom scripts to bypass Cloudflare's protections. Custom scripts, interesting. And they rotated IPs to make it look like the traffic was coming from different locations. Exactly.
And they even analyzed user agent strings.
User agent strings? What are those?
Basically, it's a piece of information that your browser sends to a website. Okay. It tells the website what kind of browser you're using, what operating system you have, that kind of thing.
I see.
So they were trying to make their traffic look like it was coming from legitimate users.
So they were like digital chameleons, blending in with the crowd. Exactly.
Yeah. And what's even more impressive is their use of deduction.
Deduction, like Sherlock Holmes? Exactly. They were looking for clues. Clues like what? What kind of clues?
Subtle hints that could reveal information about the company's systems.
Hmmm, this sounds intriguing.
It is. For example, they noticed some subtle differences in the way the website loaded. Differences like what? Tiny things, like the spacing of elements, okay, the way certain images were rendered, I see. And based on these tiny clues, they were able to deduce that the company was using WordPress. WordPress?
Really? That's pretty common.
It is, but it narrows down the possibilities.
Okay.
And then they went even further. Yeah, they figured out that they were using a specific theme. A theme.
What's that?
It's like a template that determines the look and feel of a website. And the theme they were using was OceanWP.
OceanWP.
Okay, it's a popular theme. But now they knew exactly what they were dealing with.
So they were like digital detectives putting together a puzzle.
They were. And this is all before they even tried to break in.
This is just the recon phase. Exactly.
They were gathering information, building a profile of their target.
So persistence, adaptability, attention to detail. Those are the key takeaways, and a little bit of Sherlock Holmes thrown in. Exactly. But let's be honest, the part everyone's waiting for is the social engineering attack.
Right. That's where things get really interesting. So tell me about it. Well, forget about those simple phishing emails. Okay, you know, the ones that say click here to reset your password.
Yeah, those are so obvious.
Right. These guys, they went for something much more sophisticated. Sophisticated? A multi-stage operation.
Multi-stage operation, okay, lay it on me.
They did their research and they specifically targeted an employee.
An employee, okay. Who was it?
A female security administrator.
A security administrator.
Yes, someone who should know better.
I see. They wanted to challenge themselves.
Maybe. But there's more to it. Uh huh. They also knew that she was a parent.
A parent. Hmm. Why is that important?
Because parenting can create vulnerabilities.
Vulnerabilities? How so? Well, think about it.
Parents are always worried about their kids, right, especially their education.
Uh huh.
So they preyed on that concern.
Okay. So it's not just about technical skills. Yeah, it's about understanding human psychology. Exactly. That's fascinating. It is.
So here's how they did it. All right, I'm all ears. They created a fake website.
A fake website okay.
Offering free online math classes.
Free math classes?
Yeah, they knew that would be tempting for a parent.
Makes sense. Who wouldn't want free help with math?
Exactly?
So what happened next?
They created a sign-in with Google button.
Oh those are everywhere these days.
They are, and that's what makes them so dangerous.
Dangerous? How so?
Because they allow websites access to your Google account. But here's the clever part. Yeah? They restricted the scope of access.
Restricted the scope?
Yeah, so they only requested access to her Gmail account.
Hmm, that's sneaky. So she wouldn't be suspicious. Exactly.
She probably just thought, oh, they need my email to send me updates. Right, that makes sense. But what she didn't realize is that they were now inside her Gmail. Wow.
So stage one of their attack was a success. It was, but it doesn't stop there.
Oh no, they had more tricks up their sleeves.
Okay, what else did they do?
They embedded a BeEF payload on the website.
BeEF payload? What's that?
It's a tool for browser exploitation.
Browser exploitation? You mean they could take control of her browser? Potentially. Potentially.
Yeah, it depends on whether her browser had any vulnerabilities. But if it did, they could have gained further access to her computer.
So BeEF was like their backup plan.
Yeah, you could say that.
And they also offered a dummy software installer. A software installer? Yeah, with a hidden Meterpreter shell.
A Meterpreter shell?
Yeah, it's like a backdoor that allows remote access and control.
So they were really covering their bases.
They were. They had multiple ways to potentially get into her system.
And that's what makes them so dangerous.
So what happened? Did any of these later stages work?
It seems not.
They didn't work. Why not?
It's hard to say for sure. Yeah. But it's possible she had good antivirus software, okay, or data loss prevention tools.
So even with a sophisticated plan, sometimes the simplest defenses can work.
Absolutely.
But these guys, they were prepared for setbacks.
Oh yeah, they always had a backup plan.
So what did they do next?
They used the compromised Gmail account.
The Gmail they already had access to?
Exactly. They used it to reset her LinkedIn password.
Her LinkedIn password? Why LinkedIn?
Because they wanted to target someone else. Someone else? An intern. An intern? Yeah, a classic dumb admin.
Dumb admin?
What do you mean? Someone who's eager to please. Okay. Maybe a little too trusting. I see.
They were going to exploit his naivety. Exactly.
They created a sense of urgency. Urgency? How? They claimed the company was under attack.
Under attack? What kind of attack? A DDoS attack. A DDoS attack? Oh wow, that's serious.
Yeah, and this poor intern, he panicked. Panicked? Yeah, he wanted to be the hero, so he fell for it hook, line and sinker.
And what did they get from him?
The information they needed to bypass Cloudflare.
The Cloudflare protection that they had been struggling with?
Exactly.
So this intern, he accidentally gave them the keys to the kingdom. You could say that. It's amazing how one mistake can have such a huge impact.
It is, and that's why social engineering is so effective.
Because it exploits human weaknesses. Exactly. But let's not forget about the technical side of things, right? The book also highlights the importance of misconfigurations.
Oh yeah, misconfigurations can be just as valuable as any exploit.
So what kind of misconfigurations did they find?
Well, remember those Cloudflare rules they got from the intern? One of them was a real golden ticket. A golden ticket? Yeah, it allowed bypass access.
Bypass access, so they could get around Cloudflare.
But there was a catch. A catch?
What was it?
It required a very specific whitelisted IP address.
Whitelisted IP address, okay.
And they didn't have it. So it was a dead end? Not quite. Not quite?
Why not?
Remember that dumb admin who gave them the Cloudflare details? Yeah. Well, he also inadvertently revealed the real IP address of their web server. He did? Through DNS entries.
DNS entries, oh, I see.
So now they had the IP address they needed.
So they could just walk right in.
Not so fast.
Not so fast? What else was there?
There was an ADC. An ADC? An application delivery controller.
Okay, and what does that do?
It's like a security guard that stands between the outside world and your web server. I see. And this ADC was locked down tight. Locked down? Yeah, it was only talking to Cloudflare.
So could they access it directly? Not without the right credentials. So it was another dead end. It seemed that way. But I have a feeling they found a way around it.
They did. How? They discovered an Exchange server.
An Exchange server, what's that?
It's a mail server.
A mail server, okay.
And it was placed in the DMZ. The DMZ? The demilitarized zone. Okay.
And why is that a problem?
Because the DMZ is meant for public-facing services. It's like leaving the front door to your house wide open.
So it was a major security risk. It was, and they found a way to exploit it.
They did? Tell me more. Remember how we talked about staying up to date? Uh huh. Well, their diligence paid off. They discovered a zero-day exploit.
A zero-day exploit, what's that?
A vulnerability that's unknown to the public. Okay. And this exploit specifically targeted Exchange server.
So they had the keys and the map to the vault.
You could say that. But they were cautious.
Cautious.
Yeah, they tested it in a controlled environment first.
Okay, that makes sense.
To make sure it worked as expected. And of course they had the username and password.
From our friend, the dumb admin.
Exactly.
It's like a domino effect. One mistake leads to another.
And that's how they got into the Exchange server.
So they were in. They had a foothold in the network.
But they weren't done yet.
There's more.
Oh yeah, the story's just getting started. All right.
Well, I can't wait to hear what happens next.
Me neither. So remember that keylogger? Yeah.
The one running on the GRC admin's computer.
Right, on his Ubuntu machine. Ubuntu, right. It actually caught something really interesting.
Oh, like what? Well, it seems...
He used RDP to log into another machine. RDP, what's that? Remote Desktop Protocol.
Okay?
And the keylogger, well, it caught everything. Everything? You mean his username, his password, the whole thing.
So they had access to another machine, just like that.
Not exactly just like that.
What do you mean?
The keylogger logs, they were a bit of a puzzle. A puzzle? Yeah, like a code. They needed to crack a code. I don't get it. Okay. So for example, instead of seeing "chloroeyah", the log showed "xlr". Okay.
So it was jumbled up. Exactly. So they had to decode it.
They had to figure out what each jumbled sequence represented.
So it wasn't just a simple substitution cipher.
No, it was more complex than that.
Give me another example.
Okay. So "perch top", "roochtop", that actually stood for "rusktop".
Okay. And what about the username and password?
The username was logged as "rosokdo". Rosokdo?
That doesn't sound like a real name.
It wasn't. Everything was encoded.
So how did they even begin to decipher all this?
They started by looking for patterns. Patterns? Yeah, they noticed that certain letters never got replaced. Like which letters? The ones on the top row of a QWERTY keyboard. Oh, interesting. Like E, R, T, U, O, P.
So maybe the keylogger was recording keystrokes based on their physical location.
That's what they thought.
Okay, so what about the other letters?
Well, they noticed that some letters were replaced by the letter before them on the keyboard.
Okay, give me an example.
So C was replaced by X. X is before C.
Right, exactly. And L became K. Right again. But you said it wasn't a simple substitution.
There were some inconsistencies. Like what? Well, A, for example. It had no clear relation to any other letter.
So it was random? It seemed that way. And J was replaced by K, which is the letter after it, not before. Right.
So there were definitely some exceptions to the rule.
So how did they figure out the rest of the code, especially the username and password.
Through careful analysis?
Analysis?
Yeah, they used a tool called CrypTool.
CrypTool, what's that?
It's a program that can help you analyze and decrypt different types of codes.
So they fed the keylogger logs into CrypTool, and...
It helped them generate possible combinations.
Based on the rules they had already discovered?
Exactly, and eventually they cracked the code.
So what was the decoded username?
"Rosokdo" turned out to be Redolphe Dulfa.
That sounds like an actual name.
It is, It's a Spanish name.
So they had the username. What about the IP address?
That was easy. It was just logged with commas instead of periods.
Commas instead of periods. That's it.
That's it, okay.
And what about the password? Was that encoded too?
Oh? Yeah? The password was the trickiest part.
What did it look like?
It was a long string of characters with a bunch of "LSFT" thrown in. LSFT?
What's that?
They figured out it represented the left shift key.
Oh, so it meant the following letter was capitalized. Exactly. So they had to figure out which letters were capitalized and which ones weren't, on top of the other substitution rules.
That's complicated. It was, but they managed to narrow it down to eighty-two possible passwords.
Eighty-two?
That's still a lot. It is, but it's better than trying every single combination.
So what did they do?
They decided to test them one by one.
One by one? But wouldn't that take forever?
It could, but they had to be careful. Careful? Yeah, they didn't want to trigger any security alerts.
Like what kind of alerts?
Account lockout mechanisms.
Account lockout? What's that?
Basically, if you enter the wrong password too many times, yeah, the system can lock you out.
Oh, I see. So they had to limit their attempts. Exactly.
They decided to try one password every ten minutes.
Ten minutes, so six attempts per hour.
Right. It was a slow process.
But they couldn't risk getting locked out.
No, they had to be patient.
So did it work? Did they find the right password?
After seven hours, they got in.
Seven hours? That must have been nerve-wracking.
It was, but they got there in the end.
So what was the password?
It was sixty MP two mjyypv at VK.
Wow. That's a strong password.
It was, But it wasn't strong enough to stop them.
So they were in. They had access to another machine.
But now the question was what to do next.
I would think they'd go straight for the domain controller, the heart of the network. Yeah, the crown jewels.
That's what most attackers do, but not this team. They decided to take a different approach.
A different approach?
Why? Because attacking the DC directly is risky. Risky? Yeah, it could trigger all sorts of alarms.
So they didn't want to tip their hand. Exactly.
They wanted to stay under the radar.
So what do they do instead?
They focused on lateral movement.
Lateral movement, what's that?
Moving from one machine to another. Okay. Expanding their access within the network.
I see. And they did this stealthily?
As stealthily as possible.
So they were playing the long game. You could say that. But how did they actually do it? How did they move from one machine to another?
Well, they used a combination of tools and techniques. Like what? They used Empire and Metasploit.
Those are powerful tools.
They are, but they didn't use them for brute force attacks.
What did they use them for, then?
For passive data collection.
Passive data collection? What's that?
Gathering information without actively attacking the system.
So they were spying on the company, in a way. Yes. Wasn't that unethical?
Remember, this was a controlled penetration test, right? They had permission, and their goal was to assess the company's security posture.
Okay, I see. So they set up keyloggers. Keyloggers? To capture keystrokes. Exactly.
What else? They took screenshots at regular intervals. Screenshots? To see what users were doing on their computers.
Wow, this is getting a bit creepy.
And they even recorded audio.
Audio? Using the computer's microphones. So they were listening in on conversations? Potentially, yes. That's a bit invasive, isn't it?
It is, but it's all part of a penetration test.
Okay. So how did this passive approach work out?
It was incredibly effective. Effective? How so? They gathered over twenty gigabytes of data.
Twenty gigabytes? That's a lot of data.
It is, and it included all sorts of sensitive information. Like what?
What kind of information did they find?
Unfortunately I can't divulge specific details.
That's right, confidentiality. But trust me, it was juicy stuff. So this passive persistence strategy, it really paid off. It did. They got tons of information without raising any red flags. Exactly. So sometimes the best approach isn't the most aggressive. Exactly.
It's about knowing your goals, adapting to the situation.
Using a combination of skills and strategy.
And patience. Don't forget patience.
So what happened next? Did they eventually go after the domain controller?
Well that's where things get even more interesting.
Okay, I'm hooked. Tell me more.
Well, the book actually leaves us hanging at this point.
Hanging?
What do you mean? It mentions chapter ten. Chapter ten? Yeah, it's titled The Biggest Secret to Nail Any Double Blind Penetration Test.
Sounds intriguing. It does, right?
But this chapter was never published?
Never published? Why not?
The author says it was too sensitive.
Too sensitive?
Yeah, he couldn't risk publishing it.
Why not? What was so dangerous about it?
We can only speculate. Speculate? Yeah, maybe it contained a technique that was too powerful. Too powerful, like what? Something that could be used by malicious actors.
Oh, I see, so he didn't want to give them any ideas. Exactly. Or maybe it exposed a vulnerability.
A vulnerability that was too widespread.
So disclosing it could have had devastating consequences. So this deep dive leaves us with more questions than answers. In a way, yes, but that's the nature of cybersecurity, isn't it?
It is. It's a constantly evolving field.
Always something new to learn, something new to discover.
And something new to protect. Well said. So, what are your thoughts on all of this?
I'm still processing it all, but one thing's for sure. Yeah? This book has given me a whole new perspective on penetration testing.
Me too.
It's not just about hacking into systems.
It's about understanding how attackers think.
How they operate, how they exploit weaknesses.
And how they stay under the radar. Exactly. So what do you think is the biggest takeaway for our listeners?
I think it's this: security isn't about building an impenetrable fortress.
Because there's no such thing.
Right. There's no such thing.
Every system has vulnerabilities.
And attackers are always looking for ways to exploit them. Exactly. The best defense is a multi-layered approach.
Combining technology, processes and human awareness.
That's the key.
And don't forget security is a journey, not a destination.
It's an ongoing process of learning, adapting, and improving.
Well said. So on that note, I think we should wrap up Part Two.
Sounds good.
Then stay tuned for Part Three, where we'll delve deeper into the strategic side of pen testing.
And the broader implications for cybersecurity in the real world.
It's going to be fascinating, I promise. It's been quite a journey, hasn't it?
It really has, this whole deep dive into the world of pen testing.
Yes, fascinating stuff.
We've seen how these teams operate, how they think, the strategies they use.
It's eye opening for sure.
What stands out most to you from all this.
That's a good question. Yeah, I think it's how different it is from what most people think. Different how? Well, you know, people imagine hacking is this fast-paced, action-packed thing.
Right, like in the movies.
Exactly, lots of frantic typing, bypassing firewalls in seconds. But this book, it shows the reality, which is much more methodical, much more strategic. In a way, yes, it's more like a game of chess.
A game of chess, I like that.
You have to think several moves ahead, okay, anticipate your opponent's reactions.
The company's security team.
Right, and you have to exploit subtle weaknesses, find those tiny cracks in their defenses.
And sometimes the best move is to just wait.
Yeah, observe, gather information, be patient. Exactly.
They're like digital ninjas. Ninjas? Yeah, moving through the network undetected.
I like that analogy. No trace. And that's a key principle in pen testing.
Stay under the radar.
As much as possible.
Don't do anything to alert the security team.
Right, blend in, be invisible.
But even though they're being stealthy, they're still making progress. Oh yeah, gathering information, expanding their access, inching closer to their goal.
Every move is calculated.
And remember that cliffhanger from Part Two, the missing chapter? Yeah, chapter ten, the one that was too dangerous to publish, The Biggest Secret to Nail Any Double Blind Penetration Test.
It still makes you wonder, doesn't it?
It really does.
What could be so sensitive that it couldn't even be hinted at?
What secrets are they keeping from us?
We may never know, but it's fun to speculate. It is. Maybe it's some super secret technique.
Something that would give attackers a huge advantage.
Or maybe it exposes a flaw or vulnerability that's so widespread.
That telling people about it would cause chaos. Exactly. So where does that leave us? We've gone through this whole book, learned all these secrets.
And yet there's still this big unknown.
This missing piece of the puzzle.
It's frustrating in a way.
Yeah, but I think that's part of the point. What do you mean? This book, it's not just about giving you a step-by-step guide to hacking. It's about showing you the mindset.
The way these teams think, the challenges they face, and the constant evolution of the game.
Because cybersecurity, it's never static.
Right, absolutely not.
It's a moving target, always changing, always adapting.
We have to adapt with it.
We can't just rely on firewalls and anti virus software.
Those are important, but they're not enough.
We have to understand how attackers think.
Anticipate their moves, and be prepared for the unexpected.
Exactly.
So what's the biggest takeaway for our listeners, do you think?
Hmm. I'd say it's this: security isn't about building an impenetrable fortress, because that's impossible. Exactly. There's no such thing as perfect security.
There's always a way in if someone's determined enough.
So what can we do.
We have to be proactive, we have to be vigilant, and we have to be willing to learn and adapt.
Because the bad guys, they're not standing still.
They're constantly evolving their tactics, finding new ways to exploit weaknesses.
And we have to stay one step ahead.
So it's a constant challenge.
But it's a challenge worth taking on.
Absolutely, because the stakes are high.
The security of our data, our systems, our businesses.
It all depends on us being smart, being aware.
And never underestimating the ingenuity of the attackers.
Well said. Well, on that note, I think we've reached the end of our deep dive into Pentest Secrets. It's been a fascinating journey. It really has. And I hope our listeners have learned a lot.
I hope so too.
We've covered a lot of ground.
From social engineering to zero-day exploits.
From lateral movement to passive persistence.
And we've seen how even the most secure systems can be breached.
If you know where to look and how to exploit the weaknesses.
So remember, security is a journey, not a destination.
Stay curious, stay informed.
And stay secure.
Thanks for joining us on this deep dive. Until next time.
