White hat hacker on hacking to order: who, how and why hacks websites. Pentests and hacker attacks.

WHITE HACKERS.

Famous carder Sergey Pavlovich talks to a white hat hacker who provides pentesting services (testing a website or application for penetration from the outside) to various companies and services.

Enjoy reading!


Contents:
  • How long have you been doing pentesting and what is it?
  • Which social network is the easiest to hack and why?
  • What does a private pentester's practice look like?
  • Have there been any cases when a site was accidentally DDoS'ed?
  • How to check a website for DDoS vulnerability?
  • The most famous platforms for pentesters
  • Where do you mainly advertise?
  • Spontaneous penetration into the site without a contract
  • Which operating system makes a server the most secure?
  • Do you need to know programming languages for pentesting?
  • What are people ordering to test now: websites or applications?
  • What programs does a pentester need to have to start?
  • How much time do you spend on one order?
  • Where do you see yourself in 5 years?
  • How strong is the competition between penetration testers?
  • Does joint but uncoordinated pentesting on a site interfere?
  • Has the SQL injection situation changed over the past decade?
  • Do you have any specific certification?
  • What are the main directions of pentesting?
  • What literature can you recommend to beginner pentesters?
  • What sites do you read for news on your subject?
  • Epilogue

How long have you been doing pentesting and what is it?
Pavlovich:
Hello, friends! During our previous interviews, we have met hackers many times, they were guests of the studio, and those who catch them. It was Group-IB. And now we have a guest in the studio. An intermediate link. He is neither a hacker, nor the one who catches them, but he is a white hat hacker.
So what does that mean?

Hacker:
Pentester

Pavlovich:
Pentester, yes. So, the one who finds vulnerabilities and informs companies that you have such a vulnerability and gets paid for it. Or not. Let's start with how old are you? How long have you been doing this? What is a pentest in general? And then we will go over what it all looks like.

Hacker:
Yes, yes, yes, I will tell you a little about myself. I am 28 years old. I am engaged in the search for vulnerabilities in general, research in the field of information security. I have my own tech blog where I talk about various tools. Where? On YouTube or where? On YouTube, yes. I started, though, on TikTok. Then TikTok blocked you, just like it did me today, no? Yes, but many videos were blocked.
The most interesting ones are the ones about pentesting. TikTok constantly blocks everything. That's why I started filming for my YouTube now, to somehow share information about tools, specifically about pentesting, actually. Kali Linux and all these other things. How long have you been doing this? I've been doing this for about 5 years. But I haven't always done this.
I also worked as an analyst, that is, after getting an education. I worked as a systems analyst, worked in the security field, worked as a networker.

Pavlovich:
A networker is a system administrator?

Hacker:
Well, yes, yes. That is, at the same time, I was sniffing networks in corporations, for various leaks, well, things like that.

Pavlovich:
5 years is already normal experience for a pentester, a white hat hacker, or is it young?

Hacker:
Yes, it is actually a decent age for a pentester. But I have not worked in pentest companies themselves, although I was offered to work, I will not name which ones.

Pavlovich:
Hello, Kaspersky.

Hacker:
Well, now I am engaged in private practice, in general. Why are you wearing a mask then? I am wearing a mask because I started my blog in a mask, and for some time I talked about OSINT, about intelligence gathering, and many people constantly checked me out, and so on. But this is more of an image, I am not hiding from anyone, I am not involved in crime. And those who find me, please do not write "hack my wife's account".
Hack VK. No, their favorite question is that the wife forgot the password to Odnoklassniki. That's how forgetful wives are.

Pavlovich:
How easy is it to hack social media accounts now? Because when I needed it once in my life, I had reasonable suspicions, I paid on one forum. For 15 dollars, I think it was 2008, and literally in a few hours they sent me the account of the person I was interested in. And all without a scam, because there was a screenshot of my message that I sent there.

Hacker:
Yes, it really can be hacked. Phishing is mainly used, that is, interception of authentication sessions. Well, a fake VK or Odnoklassniki website. Yes, that's right. Well, I also recently had a friend hacked. Well, as usual, a mailing to contacts: "send money". And at that moment, so that the victim does not log in and no one can call her, they, in general, flooded the phone.
That's such an interesting method.

Pavlovich:
Well, that is, they set up an SMS bomber, right?

Hacker:
Yes, they hacked him very hard, and the person couldn't get in or contact anyone for about two hours. At that moment. Well, at the moment of hacking, respectively.

Pavlovich:
But usually they don't even do that, yes, they don't get to that point.

Hacker:
Well, yes. Those were more professional guys.

Pavlovich:
They hacked my brother, the younger one, they hacked him on VK and also sent out a mailing like that, stuck at the border, send me some money urgently, I'll come in the evening. They also used that greedy moment, you know, I'll come in the evening, I'll give you 10 dollars more. But even though all these contacts, friends, they are all young, they don’t have much money, they are students, and they transferred him somewhere around 200 dollars anyway, and then they also said that you did it yourself, yes,
well, and he was hacked, and he fell for it, there was a mailing like, for games or watches, I don’t know, for Xiaomi, for example, and he logged in on this left site, it turns out, a phishing, fake one, through his VK, that is, he himself gave the attackers the password from his VK.

Which social network is the easiest to hack and why?
Pavlovich:
Which Russian social network is the easiest to hack now, well, and Facebook, for example? And why?

Hacker:
It doesn’t really matter which network. They all have the same two-factor authentication. And this is a matter of phishing and social engineering. But pentesters don’t do this, that is, neither phishing nor anything. Here it is a little bit about other guys.

Pavlovich:
You yourself touched upon hacking social networks. Then let's give a general definition of pentesting in your understanding or in the generally accepted one.

Hacker:
Pentesting is, let's say, a discipline in information security, designed to find vulnerabilities and, accordingly, to make recommendations for their elimination.

What does the practice of a private pentester look like?
Pavlovich:
You say that you are engaged in private practice. That is, when you work in some large company, everything is clear. That is, you came to work, worked there for a month, received money, a salary. And what does the private practice of a white hat hacker look like, that is, a private pentester?

Hacker:
This is advertising at the moment. It was somewhere freelancing before. But in the legislative base, everything is complicated at this point, because if someone simply asks, conduct a pentest for me, he may, for example, not pay money and refer to Article 272 of the Criminal Code - unlawful access to information, respectively.
Therefore, you need to conclude an agreement, preferably with a lawyer. Now, if you want to do a pentest, then it is better to pay 5 thousand, if ...

Pavlovich:
Well, you have some kind of standard agreement.

Hacker:
Yes.

Pavlovich:
You can give people a link to attach, for example.

Hacker:
Yes.

Pavlovich:
Here. Because, you know, there are many of your followers, for example, whom you have taught how to hack something, and they would like to make money on it. They are afraid of going to jail and do not go to the dark side. Yes, then we put a link to the agreement, some standard one. And you, it turns out, draw up an agreement in advance that I will hack your online store or your network, your corporation?

Hacker:
Yes, and everything must be agreed upon, that is, the time, what exactly, IP addresses, all this must be agreed upon, so that not a step to the left, not a step to the right, so that somewhere it does not fall, does not go beyond the scope of the pentest, it turns out.
That is, to do something on your own there, like, here I did a DDoS attack as a bonus, for example, more precisely, a stress test, as is correctly said in a pentest, then this is already a completely different story.

Have there been cases when a site was accidentally DDoS'ed?
Pavlovich:
Have you ever had cases when during a pentest, it was you who had a DDoS attack, and how did the clients react to it?

Hacker:
Well, the clients reacted well if they asked for it.

Pavlovich:
And if they didn’t ask, so you’re testing my service and you put it down for a few hours, okay, we agreed that you’d be there, well, I suspect that this could happen, and we agreed that you’d be there from 1 a.m., when there aren’t many, say, visitors on the site. But during the day you’re testing, I don’t know, a large shop, say, M.Video, for example, a very large one, yes, Lekhov or something. They’ll fire you for advertising.
And it turns out that you put them on the site, and that’s it.

Hacker:
Have there ever been such cases? No, there haven’t been any, because without an agreement, well, accordingly, it’s already like, well, a criminal act.

Pavlovich:
Well, by chance, I mean, has it ever happened during pentests, when you put someone's network down with DDoS, basically?

Hacker:
No, basically, no, there has never been such a thing.

Pavlovich:
And in general, does pentesters often encounter such things?

Hacker:
In general, you can put it down, yes. But, as a rule, such platforms, or rather, companies that put forward their Bug Bounty program, must, accordingly, agree with pentesters what will happen there. As I said earlier, simply DDoSing a site and taking it down is not comme il faut, let's say.

How can I check a site for DDoS vulnerability?
Pavlovich:
What if I want to check the resilience of my service, for example, for vulnerability to DDoS? Specifically, do you mean if you will be pentesting it yourself? Well, let's say, all the holes that we know of have already been closed, except for a few XSS, for example, nothing pathological, yes, and I want to check whether it can withstand a normal, large-scale, diverse, different types of DDoS attack.

Reference:
Bug Bounty is a program offered by some websites and software developers, with which people can receive recognition and a reward for finding bugs. These programs allow developers to find and fix vulnerabilities before the general public learns about them, preventing abuse.

Hacker:
You just draw up an additional agreement, which will include another additional service, agreed upon in terms of time, etc. Well, and, accordingly, you have no claims if your service goes down there, roughly speaking. For a few hours.

Pavlovich:
Well, yes. You said Bug Bounty, that is, Bug Bounty is essentially a bug hunt, right?

Hacker:
Yes, yes, yes. These are legal platforms where large companies come, set their task and, accordingly, set the price for vulnerabilities.

Pavlovich:
Well, for example, I'll explain if you didn't understand. The Qiwi company, for example, writes there: for a critical vulnerability we pay $5,000, for some interface vulnerability we pay less, and so on.

The most famous pentesting platforms
Pavlovich:
What are the most famous platforms? HackerOne?

Hacker:
HackerOne and Bugcrowd, as far as I know, yes, these are the two main platforms where, in fact, everyone works.

Pavlovich:
But do you get your main orders there, or with targeted advertising?

Hacker:
No, by the way, I am not working with them yet, we are planning to enter them now. We are currently writing a bot for automatic tests. The only thing is that we do not yet know how it all is from the legal side. Because if we put the bot in the public domain, it will take down other people's sites. Take down other people's sites, yes. And here is a very interesting point, why an agreement is absolutely necessary.
Because a competitor can really ask to do a pentest for his competitor. And this will already be like an offense.

Pavlovich:
So the bot will have to be erased, the bot code will have to be erased. But these platforms like HackerOne, I know, they are good for pentesters in that there is a rating for everyone.

Hacker:
Yes, but there are not so many Russian companies there now. But I have seen Qiwi. Yes. By the way, there is an application there, you can also... There are different levels there, critical, mainly four levels. The fourth level is critical – that is the possibility of injection, there is SQL injection, XSS vulnerability, and various small ones, for which they pay from zero, let's say, to 100 dollars.
These are some server leaks, when developers leave some information, for example, about the PHP version or the version of the server itself. Sometimes they leave a list of passwords in the public domain in the comments.

Where do you mainly advertise?
Pavlovich:
So you spent, let's say, some money on targeted or contextual advertising, where do you mainly advertise?

Hacker:
Google, Yandex. That is, contextual advertising. Contextual, I want targeted.

Pavlovich:
So you spent, for example, a thousand dollars, how many applications does this bring and how many of them become real clients, does it reach the payment?

Hacker:
So right now I can't tell you the exact analytics, but somewhere.

Pavlovich:
I'll say this, that... You can tell me the percentage, out of a hundred percent there.

Hacker:
No, I probably can get one application for 3,000 rubles, let's say, like that, somewhere around. That is, there are almost 50 dollars, a little less, one application. Yes. Real, for which they will pay? Yes. Well, plus or minus. Not always, of course. Again, this is such a crooked statistics. That's what I said. But the order, well, the average is from 7 to 15 thousand.
15 thousand - this can be done, the coolest test is called sociotechnical.

Pavlovich:
Call an employee and try to deceive him and find out the admin password from him?

Hacker:
Not exactly call, you can actually call if this is agreed upon. A sociotechnical test is when, let's say, like Red Teaming, the manager knows about it. After all, most mistakes are the human factor. And first, roughly speaking, such a social attack is carried out.
Like, some kind of payload is sent to corporate email, which, let's say, will open some port, and you can get a reverse.

Pavlovich:
Well, like a letter from the tax office, yes, with a substituted email to the tax office, for example, and there will be some PDF or Excel macro, which will launch the exploit.

Hacker:
Yeah, let's say. If all this doesn't work, then, it turns out, we move on to external testing. In general, a pentest is divided into two types of testing. These are BlackBox and WhiteBox. BlackBox is an analysis of external security.
And whitebox is, for example, when the customer provides a VPN connection, and that you can poke it inside the network in various ways.

Pavlovich:
Well, and blackbox is from the Internet, right?

Hacker:
Yes, when, say, a public IP address is provided there, the IP address of the server, and there, with various tools and technologies, the presence of vulnerabilities, open and closed ports, and so on are checked.

Pavlovich:
You don't know the IP address, for example, of my site, it is hidden behind Cloudflare or this DDoS-Guard, what are you going to do?

Hacker:
This is already a really problematic story, but in principle it would be possible to ping it, somehow pull it out of there, have a look.

Pavlovich:
Today we ourselves found a way: there are sites hanging on subdomains, and we found that one of the sites exposes the real IP. And where? Have you looked at Whois? I don't know, my programmer found this today. That is, I ask why for some reason this site wasn't restored, the SSL failed there, and he says, because of that, it exposes the real IP. Everything is closed, the main domain and subdomains are closed behind Cloudflare, but he says everything has broken there, in short, the SSL and so on, and he says he won't bring it back up, because it exposes our real IP.

Hacker:
The SSL failed, it turns out. Well, I get it.

Spontaneous penetration of a site without a contract
Pavlovich:
And according to this scheme, when you yourself accidentally found some kind of there surfing the Internet, found some kind of vulnerability on the site, hacked something there, looked, that it is so critical. In principle, well, well, I did not delete anything there, did not erase, traces and all logs were cleared, and I encountered this myself. And then writes to the company that you have some vulnerabilities there quite serious, which can lead to this, to that. Let me fix everything for you, and you will pay me 200 dollars, for example.

Hacker:
Well, this question is also questionable, actually. But they do it. They do it, yes. It can be done this way, indeed. Indeed, it can, but it is not a fact that they will simply pay. Because there is no contract, they will say, well, yes-yes, let's say. I just had such a case. Back when I was studying at the university... What did you study? Information security, comprehensive support. There was a case, I also constantly poked at some sites.
And, in general, I poked at sites that deal with KGB paraphernalia. That is, there are mugs, flags, all that. Well, I poked there, I was looking for an injection. In general, I pulled everything out in front of me, roughly speaking. This entire database, via SQL. The list of clients, orders, prices. Orders, prices, passwords, of course, too. Everything from the admin panel is there. And, in general, I did nothing, because I thought, well, the KGB site, now they will write me up for this too.
They will slap something on me. Well, that's it.

Pavlovich:
Well, when they wrote to me and showed me what I had, I paid without any problems. That is, I paid, and then this guy protected us for a long time. We still communicate. But from, okay, let's say, not from your personal statistics, but in general, here at White Hat hackers, yes, you found it there, your gang, there a friend, it doesn't matter, the community of pentesters found, let's say, 100 vulnerabilities themselves. So you send out 100 mailings, for example, to corporate email, of course, or there on LinkedIn, the personal director of this company.
Out of 100 such reports sent, how many will end up being paid, for example, and cooperation?

Hacker:
Well, it's hard to say, in fact, because finding is just a shot in the dark, it's like, pay me something, I'll be there, well, it's not serious in general, because many simply won't pay. Here, like in Russia, at least until they hack, until I lose something, well, we don’t really need any pentests.
Until the thunder strikes. Yes, yes, yes, until the thunder strikes. And that’s why, unfortunately, this whole thing isn’t very developed here yet. In America, it’s already, well, somewhere in Europe, it’s already in full swing, there, security, something else. But there’s a huge fine,

Pavlovich:
First, it’s a reputational loss. Yes. You can lose your entire business. Second, a huge fine for the state if you, through your fault, are proven to have allowed such a leak due to negligence.

Hacker:
Moreover, why else, there are many exploits that really work for many now, since I personally know many companies, well, even small firms, they have servers on them, it would seem, very important data is on them, there are some CRMs hanging there, something else.
But they generally have pirated software, a pirated operating system, all of it old, outdated, not updated. And then, hop, you can run some exploit and gain access.

Pavlovich:
The main mistake you encounter in your work, that is, unpatched servers and software, as you are saying now, right?

Hacker:
Yes, that is the main mistake. The main mistake is not updating, respectively, software.

What operating system is the safest for a server?
Pavlovich:
What operating system is the safest for a server, in your opinion?

Hacker:
It doesn’t really matter. If you go to the CVE database, you can find exploits for both Linux and Windows. That is, thousands. It probably depends more on the settings. Yes, steady hands. Yes, yes, yes. Plus firewalls. Basically, they also install DLP systems. Some firewalls, DLP systems. This is really serious, if you approach the issue properly.
And small companies, of course, do this.

Pavlovich:
Well, the guys also told me that unused ports are often not disabled.

Hacker:
Yes.

Pavlovich:
This is also a common mistake.

Hacker:
Yes. Well, and I'm not even talking about the fact that in Russia, many people still use, well, Windows 7, like, I know people like that, and they have, like, EternalBlue, different ones, it works under any, under any seven, like, you don't even need to drop anything there.

Do you need to know programming languages for pentesting?
Pavlovich:
Well, XP was a good system in this regard, because it had already been patched so much, and when they stopped updating it, although I had been on a Mac for a long time, I almost cried. Do you need to know any programming languages for pentesting?

Hacker:
Yes, definitely. Which ones? The web is a must, if we are talking about web vulnerabilities. Well, HTML, Misha, right? HTML, JavaScript, PHP, cascading style sheets like CSS, but you just need to understand all of this, because it is all in combination. And as for, if we are talking about software research, i.e.
reverse engineering, that's assembler, of course, C++, you need to know assembler to do a normal reverse in IDA Pro or the old OllyDbg to do all this. If you only do this reverse engineering, it's closer to a virus analyst.
But, for example, a buffer overflow vulnerability can be found in some application this way, write your own CVE, yes, a vulnerability, and there will be a zero-day vulnerability, so to speak.

Pavlovich:
And how many ZeroDay, yes, these zero-day vulnerabilities have you personally found during your career?

Hacker:
There was a vulnerability in an application, if I'm not mistaken, it was some kind of reader, I think, a PDF one, there was an overflow, that's it. Well, such vulnerabilities are usually expensive, well, they close them among hackers.

Pavlovich:
Well, yes, there are some for 500 thousand dollars, and some for a million. As a rule, special services in America buy them up.

Hacker:
Yes, and, in fact, the high cost of such exploits depends on the scale of use of this software. If there is some zero-day vulnerability in Windows 10, then this will be really cool. I even heard that Apple is ready to pay a million dollars if a vulnerability is found on a phone, I think on iPhones, to gain control over an iPhone without any brute force or anything else.
And social engineering. Yes.

What do people order to test now: websites or applications?
Pavlovich:
Websites or applications, what do people order to test now most often?

Hacker:
Now this story is actually already equalizing, because many developers, it turns out, post their programs, that is, even mobile applications, they post them on bug bounty. Therefore, now both are used, well, in principle.

Pavlovich:
60 to 50, right?

Hacker:
60 to 40 somewhere.

Pavlovich:
So the application is 40%?

Hacker:
Somewhere like that, somewhere like that.

What programs does a penetration tester need to have to start?
Pavlovich:
What sets of programs, maybe some network tools, exploit packs, etc. does a penetration tester need to have to start a career like that, or to successfully conduct it?

Hacker:
Well, it would be advisable to download some operating system, Kali Linux, for example. You can use BlackArch. Kali Linux is probably better, because there is simply more information about it available on the Internet. In fact, it doesn’t matter what operating system, because, in principle, all the tools can be downloaded to regular Linux, to some Debian, or to Ubuntu, but why do it if there is already a ready-made tool.
Of the tools, this is probably Metasploit, the easiest to get started with, so to speak. Everything is intuitive, you load the exploit, load the payload, set the settings, respectively, the victim's IP address and, in general, exploit. Yes or no: either you got in or you didn't, that's the idea.
There are many tools, Wireshark is a must for network analysis, sqlmap is for research on SQL injections and so on, Nmap is a must for scanning, for example, in a local network to scan the network and get local IP addresses of all machines, so that accordingly they can also be enumerated there.
Dictionaries for brute force? Yes, dictionaries for brute force, hashcat, there is such a tool too. In fact, there are a lot of them, and in combination the result is better if you use them all.

Pavlovich:
And how much time does a pentest take, I don't know, of some online store in your performance? Well, M.Video, for example, we have already talked about it.

Hacker:
Well, it's quite broad. Yes, yes, yes, if we're talking about a serious organization, then you can spend from an hour to a month, I don't know, looking for bugs. Now, if we're talking about a serious one.

How much time do you spend on one order?
Pavlovich:
Well, and of your main orders, how much time do you spend on each one, plus or minus, on average?

Hacker:
No, if, for example, the company is small, just some firm, well, we want to do it. I think it's about 4 hours. And it costs 15 thousand, for example?

Pavlovich:
I think 7-10. 7-10?

Hacker:
Yes.

Pavlovich:
So in 4 hours you earn, well, let's say 7 thousand, that's 100 dollars, that is, 25 dollars per hour approximately?

Hacker:
This is if there are so many orders. But, as a rule, in Russia we don't get that much for pentesting, in fact. What exactly...

Pavlovich:
Constantly looking?

Hacker:
Constantly, yes, we are there at work, all 24 hours we pentest something there.

Pavlovich:
Well, naturally. How often do they ask, after you have provided the customer, for example, with a report on vulnerabilities, how often do they ask to fix them or to contact them? So how does it happen? You fix them, yes, for an additional fee, for example, or you explain to their programmer where to do what, or they completely fix them with their own enhancements?

Hacker:
No, we do not fix vulnerabilities, they have their own web developers, we write a fairly detailed report, maybe 20, 40, 60 pages, maybe even more.

Pavlovich:
Well, just a typical one, you fill out the items like a checklist.

Hacker:
Like this. Yes-yes-yes, because in fact, closing these vulnerabilities is not that difficult. And they either hire someone anew, let's say they made a website once, well, they have a hole, they need to plug it, they hire someone, that is, we close it, like webmasters, we don't do anything, we don't change them, only recommendations. And you always say we, we, we. Who is that? Well, I still have a couple of guys, so to speak, enthusiasts, who do this with me.
Well, they just like it. In short, your organized crime group.

Pavlovich:
To get a kick out of it, yes. Got it. And how are the shares distributed, for example, from the order you received there? That is, the orders, as I understand it, go through you?

Hacker:
Yes, well, by the time of work, sometimes 30, sometimes 40 percent. Sometimes, I just, I don't know, a person is completely done, there, 100 percent. That is, in this regard, I kind of... I don’t have a clearly constructed business story where I tell them, you get 15 percent, and I, you know, 85.

Where do you see yourself in 5 years?
Pavlovich:
And where do you see yourself in information security in 5 years, for example?

Hacker:
I think in the same field. In the field of pentesting and research. That is, also a private master, in essence? Yes, yes, most likely so. Are you planning a company? I would like to, I would like to. A very illustrative example, of course, is Group IB. A serious story. But something narrowly focused, namely in pentesting, I would like to do something like that.

How strong is the competition between pentesters?
Pavlovich:
How strong is the competition between White Hat hackers?

Hacker:
Huge, huge competition. In the sense that a lot of guys are studying, graduating from these specialties. Many are interested in all this. A lot of guys are involved in CTF. Capture the flag, they also have such tournaments. But, unfortunately, there are very few vacancies. Officially employed? I looked, there are only 25 vacancies on HeadHunter.
This is all official. And so, it turns out, a person needs to look somewhere. Well, probably some security companies.

Pavlovich:
What prevents them from going to the Western market, where there is more money and more orders?

Hacker:
I think that English is also becoming a barrier for many, oddly enough. Although, in principle, many people know it now, but not everyone is ready, so to speak, to move. And how is it with us? Even when I was studying, our teachers were mainly our colonels, lieutenant colonels. Well, and somehow all this happens. Patriotism, that is, is very strong with us.
And many still try to find... Many go to work in research institutes, in various ones, where they pay 25 thousand rubles. Therefore, few are ready to move somewhere. Well, and some kind of communications are needed. Therefore, not everyone succeeds in this, unfortunately.

Does joint, but uncoordinated pentesting on the site interfere?
Pavlovich:
Yes, of course, we still have trouble with English. I remember being taught at school, like, "Seasons and Weather", "London is the Capital of Great Britain", and so on. If several white hat hackers test one system, do they interfere with each other or not?

Hacker:
Yes, they get in each other's way. Because, for example, if we're talking about a stress test... Well, your group, for example, three of you test. No, no. That is, if, for example, we test a website, we don't interfere with each other, because we, for example, if we test manually through some Burp Suite...

Pavlovich:
What is that?

Hacker:
It's special software for finding vulnerabilities on websites, respectively.
Burp Suite is hung on localhost and, it turns out, it is located between the browser and the website. And, accordingly, you can intercept, forge, send all requests to the website. Modify, so to speak. Well, and watch how the server reacts to these requests.

Pavlovich:
And if there are several third-party groups, for example, that is, not related to each other, for example, he ordered a pentest from you, ordered one from a Swiss company and did not separate them in time and you are testing, but it just happened to happen at the same time?

Hacker:
If it is not DoS, then it is not critical, because during regular testing, through the same Burp Suite, there are not so many requests to somehow interfere with each other, so that some kind of collision occurs, so in principle this is not a problem. Several groups work, but with one web resource.

Pavlovich:
Your favorite vulnerabilities, for example, mine was SQL. I simply could not do anything else.

Hacker:
In fact, my favorite is also SQL, and XSS, of course.

Has the situation with SQL injection changed over this decade?
Pavlovich:
When I was writing my book, I was collecting information in it, it was written there, I don’t remember exactly how many, about 40% of the world’s websites, I described it there in 2010, are susceptible to SQL injections. Has anything changed in the SQL sphere since 2010, over the decades? Have there become fewer of them or is everything the same?

Hacker:
Yes, of course it has changed, because more secure frameworks have appeared, where it is right in first place according to OWASP, this is an SQL vulnerability. Of course, it is not so easy to find it now. That is, there are fewer SQL vulnerabilities now? Yes, definitely fewer, of course. There are many other different, hidden ones that are not included in this top 10. Because the top 10 has such very direct links.
Masalovich's favorite tool, that is, the address bar, there, to sort through.

Pavlovich:
Find unclosed folders?

Hacker:
Unclosed folders, yes, such things. And therefore, of course, there is much less of it on sites now. And what is in this top 10 threats? Well, these are injections, direct links, sessions that are not tied, say, to an IP address, XSS, all that. But the most dangerous one is the one that allows you to achieve code injection.
If XSS, then JavaScript.

Pavlovich:
With XSS, you often can’t do anything, you can just replace something on the site during one session and take a screenshot. So I can do the same through the site code.

Hacker:
You can steal, for example, user cookies.

Pavlovich:
Through XSS?

Hacker:
Yes.

Do you have a certain certification?
Pavlovich:
Do you have a certain certification? Because, you know, like system administrators take tests, they have some kind of certificate from Cisco, for example, webmasters who set up advertising in Google, they also have them, they often, I have a friend in the test, he is a certified trainer.

Hacker:
Google. Well, definitely, again, there is no certification when applying for a job, here it is just knowledge, well, you can get it, in principle, but I have never taken them, that is, I took training, pre-certification, but I never passed them, actually, because there was no need. They somehow never asked me about them. There is the same workshop, all these for beginners and so on. That is why I have never received them.
And, in principle, they are really not needed.

Pavlovich:
And what would be the point, for example, of getting all these certificates for a person who works in the same field as you or for you for further employment in a cool company, for example?

Hacker:
Probably something on networks. For example, you can get something like that from Cisco. That is, the training there simply assumes that a person will really thoroughly study the structure of networks completely. And this certificate can show that they really know the 7 layers of the OSI model, the TCP/IP protocols, and this can be worked with somehow.

What are the main areas of pentesting?
Pavlovich:
Well, yes, I saw a list of questions there, I don’t know, I would have answered one of the ten, maybe. What are the main areas, if any, in pentesting, are they divided into what?

Hacker:
Red teaming, pentesting and… well, yes, that’s it, it turns out.

Pavlovich:
Well, black teaming then.

Hacker:
No.

Pavlovich:
Red? There is no such thing. Red. I’ve heard of red teaming many times, but I haven’t had time to delve into all of this. Describe what it is in general, in simple terms.

Hacker:
Red teaming is done by more... more serious corporations order it, they have a firewall, a DLP system, and the essence of red teaming is that users don't know that a pentest will be conducted. It can happen, for example, at night at the company, and it will be without the knowledge of ordinary employees.
And the pentest, accordingly, is agreed with everyone that this and that, testing will be carried out with the rights of some user, this will all happen.

Pavlovich:
That is, there is one fundamental difference: red teaming is when no one except the director, figuratively, knows what will happen, and with a pentest, in principle, many people are aware. Yes, yes, yes. Many who are aware and are set, so to speak. And are there differences in the tools and tactics?

Hacker:
No, there are practically no differences. But most likely, more global networks will be used so that it is really DDoS, and so, and not DDoS, because, naturally, some kind of cool network, stress tests with one machine - this is somehow frivolous. Well, and the cost, accordingly, will differ many times. Yes.

What literature can you recommend to novice pentesters?
Pavlovich:
What literature could you recommend for people who want to do this kind of hacking to order, completely legal, to earn, I don’t know how much? How do you earn, by the way, in this kind of private practice now, at this stage?

Hacker:
It varies. Well, somewhere around 150 now. 150, yes. That is, if we were to expand somehow now, we are now planning to, or rather, I am planning to do more training. I want to record my own course, really good on all these tools. Because all the information is scattered, somewhere there is something in English. I want it to be easier to get started, so you can see with this course.

Pavlovich:
In September, we will release a good application on the market specifically for courses, which is an order of magnitude better than get-courses. So wait until September with the course.

Hacker:
So, literature. Literature, then, necessarily on networks. This is Tanenbaum, "Computer Networks". This is Tanenbaum's computer architecture and Tanenbaum's operating systems. How much did he pay you? Not at all, yes. I don't think he needs it. And I can probably recommend the book "The Art of Exploitation".
This is exactly about the reverse. It will be very good and useful. Well, and so watch some courses, find information.

Pavlovich:
And books on social engineering? I read Mitnick, for example, "Ghost in the Wires". He has another book. I liked how they called and inquired.

Hacker:
It is better to start with technology, with technology, because many pentesters leave, become hackers or scammers. Unfortunately, entering the profession is really difficult, and many are not ready to spend a lot of time, because there are programming languages, knowledge of networks, stacks, protocols. Administration, it turns out, of Linux, MacOS, all that Windows, you need to know all that, and, unfortunately, it's very difficult to get into, and, well, there are few vacancies, yes, what I'm talking about.
Is this why people go to the dark side? Is this why, unfortunately, many people start hacking someone else.

What sites do you read to get news on your specialty?
Pavlovich:
Are there any worthy sites, specifically on information security, that you regularly read to get news, on some vulnerabilities? Well, I...

Hacker:
Well, have you read yours on Xakep.ru? Of course I've read Xakep.ru. Xakep, right? Yes. Xakep. There is, well, also the exploit database, you can look at such technological things. What new ones appear there, the same exploits, vulnerabilities. I read a lot, actually.

Pavlovich:
In Russian, in English?

Hacker:
In English, in Russian.

Epilogue
Pavlovich:
Let's leave it, ask questions, write what you would like to know about within the framework of the pentest, and what is left outside the scope of our interview, I will ask him to monitor, answer your questions there and perhaps you will prompt him with your questions, hugs, bye.