Figured I'd post a day in the life of my job.
#### 8:15am ####
I'm ahead of schedule; I expected heavy traffic on the route. I'm only meant to be there at 9am, but I may as well see if I can get in and get started.
#### 8:45am ####
I'm still driving around and around the postcode area looking for the place. I've been told it's a big building covered in branding. A phone call later and I find out my colleague is also doing laps around the place and can't find it either. His satnav thinks he's in a field.
#### 8:50am ####
We find the place. It's a big white building in a place where there are lots of big white buildings. Not a signpost in sight, let alone branding or logos.
We have a bit of a palaver going through the main gate but it all gets sorted after 5 minutes and we head into the car park. Unfortunately the place I am at has a 2 hour induction they run once every 4 weeks; my work, as it's so short term, often doesn't fall into the "we must make sure we book him on it" category and I usually get lumped with being escorted everywhere.
We meet our escort inside - nice chap but he's got work to do, he takes us in and leaves us to it.
Get in, laptops out and powered up, VM with BackTrack 5 R1 kicked off, and I whip out my CAT6 and plug into the first switch port - no link.
"Bollocks - no link light here mate, what about yours?" I ask my colleague.
He replies: "Yeah I've got nothing, let's try them all one by one, maybe we can find one we can kick off while we sort out the rest."
No dice - we start calling people but it's 9am and everyone is doing their morning coffee desk settling shuffle process so no one answers. It gets picked up about 9:30 and we're told they're on it and will email us when it's done. My colleague had been in contact with the network guys all the previous week so all of the configurations should be written, just a case of loading them on.
#### 11:30am ####
We get the email - colleague is renowned for a bit of rage but by this point he's all raged out; we were resigned to just staring into cups of coffee in the break room, cursing the project.
We head back in and link light is good, I grab 2 spare IP addresses out of my first VLAN and fire off an arpsweep to enumerate the devices. A quick nmap -sP IP/CIDR gives me reverse DNS for the hosts if I have it and confirms the arpsweep findings. Another colleague of mine has scripted this part all in a nice little bash script available here: https://www.phillips321.co.uk/pentest-sh/
Happy to use it as it frees up my time to go and give everything a good poke as it gets reported on screen. So I set it going, giving me a full 65535 port TCP SYN scan, a small TCP SYN scan (1000 common ports - useful for when scanning load balancers, which seem to like taking an ever increasing amount of time to do a full scan) and a small UDP scan (1000 common ports again).
It'll try and auto identify any services it finds; if it's a web page it'll try and take a screenshot of it, it'll auto run sslscan against any SSL services to identify weak ciphers and self signed certs, and it'll do an obligatory onesixtyone and nbtscan if it's appropriate. As I only find a few hosts I also kick off Nessus (ProfessionalFeed) at the same time. It's not fantastic but it gives you a few pointers as to where you need to do your poking.
Now I watch the scans come in and have a bit of a poke at the ports as they scroll up on screen. The script does a full summary at the end but I like to not be sitting there and twiddling my thumbs while I'm waiting for scans to complete. My colleague is doing the same just further down the racks and I hear a "YES!"
He's found a Windows machine. The name it's reporting via NetBIOS is something along the lines of "W2K3TEST1" so we're instantly thinking - it's got to be unpatched...
Our thinking is not wrong. Nessus confirms it moments later - the server is vulnerable to MS08-067 (http://technet.microsoft.com/en-us/security/bulletin/ms08-067). My colleague fires up Metasploit; a few clicks later he has access to the local machine as NT AUTHORITY\SYSTEM. Okay, he's "got root" on the local machine, but this is a massive network - what next...
He uses another Metasploit module known as incognito (http://www.offensive-security.com/metasploit-unleashed/Fun_With_Incognito). Turns out a domain admin once logged into the machine and his token was cached. My colleague assumes the role, adds a user for himself to the domain and adds that user to the "Domain Admins" group.
Pow... even better, now we have access to the entire domain this machine is part of as admin, including the domain controllers themselves, and we haven't even scanned them yet. Colleague starts looking to see if there are any trusted domains within the forest. However, whoever designed this network performed an epic fail.
The domain is completely flat - including machines from test and live.
Now for some reason this network is subdivided into over 100 VLANs... each VLAN having maybe 2 hosts in, sometimes a few more. From a network perspective we'd say that granularity is overkill. However it all means nothing if the entire domain is flat and you can own every single box on the network with one attack.
We did say every single box, right? So yeah, like most corporate networks you'll find a good chunk of Linux-based boxes, usually Red Hat. Using the well known SSH enumeration bug (valid usernames cause a pause in a rejection, invalid credentials get rejected instantly) we also figure out that they also authenticate to the DC, so a few more groups added to our user and not only can we log onto Windows machines as admin, we can now become root and sudo across the Linux side of the network too.
Blam - First 30 minutes of testing. Network owned. :ptu:
Now granted, while my colleague was doing this I wasn't sitting around doing nothing either. I found myself another avenue of attack; it's simplistic but everyone forgets it: updating 3rd party software. We are heading towards lunchtime when I find an old installation of GlassFish v2.1 on a machine.
GlassFish v2.1 has the most idiotic "exploit" (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1511) known to man in my opinion. It's a simple auth bypass that requires you to change any HTTP requests from GET to get or POST to post; basically, lowercase HTTP methods defeat the authentication on the server.
So I fire up Burp Suite and set the proxy up to intercept my requests. Browse to the site, do the necessary transformations, and gain access to the admin console.
In the meantime I've also fired up msfpayload and exported myself a WAR file containing a Meterpreter console from Metasploit. I fire up a multi/handler listening for a reverse TCP shell.
Using the now wide open admin console I upload the WAR file I exported and launch it. A few seconds pass and pow, I have a remote console running as the glassfish user.
Okay, so again an account that runs a process is one thing but it's not root.
#### 13:00 ####
I head to lunch, with my colleague already gloating that he has root on everything, and I eat my sandwiches while scouring exploit-db.com for local privilege escalation exploits in RHEL 5.6 or affecting Linux kernel 2.6.18. I download about 15 or so and go through the code they run on my laptop, making sure that I'm not going to run a "bad exploit" that will leave a persistent mark or try and connect out at all. I fire up any that pass the review in a VM with tcpdump running just to double check.
Any I have doubts over I throw away. The rest look to be clean, so I finish my lunch off and we head back in.
#### 13:45 ####
I kick off one and no dice, another... another... another... nothing is working. Either the exploits are duff or something isn't right, so I give up trying to run them as I'm clearly doing something wrong. I default back to what I should have kicked off while at lunch.
$ find / -name password 2>/dev/null -- It never works but it's always useful to check; never underestimate the idiocy of people.
/tmp/password -- WTF :o
$ cat /tmp/password
password123
$ su -
Enter password:
password123
# whoami
root
Bosh! Root. Done. :cheers:
#### 14:30 ####
Technically we're here all week testing the entire environment but the damage is done. That root password works on every box. Unfortunately the difference between a penetration tester and a hacker is that a hacker only needs to find one avenue of attack; a penetration tester has to find them all.
So the rest of the week continues in a similar vein.
Voila a day in the life - What's your day in the life story?
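The "add a user, drop it in Domain Admins" step above is one of the noisiest things an attacker (or a tester) does on a Windows domain, and it is easy to alert on. The block below is an added example, not the poster's tooling or any vendor's code: it correlates a user-created event (Windows Security event 4720) with a member-added-to-global-group event (4728) over a constructed key=value rendering of those events. Real exports are EVTX/XML and need a proper parser; the format, timestamps and account names here are made up for the demo.

```python
"""Detect a freshly created account being added to a privileged group.
Added example: constructed log format, not real Windows event exports."""

import shlex
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events (not real logs). Lines 2 and 3 are the pattern
# from the post: account created, then added to Domain Admins seconds later.
SAMPLE_LOG = """\
ts=2012-03-19T09:10:00 id=4728 subject=helpdesk group="Printer Operators" member=jdoe
ts=2012-03-19T11:42:03 id=4720 subject=svc_backup target=pt_user
ts=2012-03-19T11:42:05 id=4728 subject=svc_backup group="Domain Admins" member=pt_user
ts=2012-03-19T13:00:00 id=4728 subject=adm_ops group="Domain Admins" member=longtime_admin
"""


def parse(log: str) -> list:
    """One dict per line; shlex keeps the quoted group name as one token."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["id"] = int(fields["id"])
        events.append(fields)
    return events


def privileged_group_additions(events: list) -> list:
    """Every 4728 whose target group is privileged: always worth a ticket."""
    return [e for e in events
            if e["id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS]


def fresh_account_to_admin(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Higher-confidence correlation: an account created (4720) and added to a
    privileged group within `window`. Returns (member, created_at, added_at)."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    hits = []
    for e in privileged_group_additions(events):
        born = created.get(e["member"])
        if born is not None and timedelta(0) <= e["ts"] - born <= window:
            hits.append((e["member"], born, e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in privileged_group_additions(evs):
        print("privileged group change:", e["subject"], "added", e["member"], "to", e["group"])
    for member, born, added in fresh_account_to_admin(evs):
        print(f"ALERT: {member} created {born:%H:%M:%S}, in Domain Admins by {added:%H:%M:%S}")
```

The plain 4728-to-a-privileged-group rule fires on legitimate admin work too (the `longtime_admin` line), so it is a ticket, not an alarm; the created-then-promoted correlation is the one that deserves a page-out.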
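The SSH "valid usernames pause, invalid ones reject instantly" bug mentioned above is a timing oracle: the server only does the expensive password work when the user exists. The block below is an added example, not OpenSSH's code or anything from the post, modelling that oracle beside the standard fix (always do the same work, compare in constant time, and only fold in the existence check afterwards). The user database, passwords and PBKDF2 parameters are constructed for the demo.

```python
"""Timing-oracle login check beside a constant-work version.
Added example with a constructed user store, not the post's tooling."""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

ITERATIONS = 50_000  # constructed: enough that one derivation is measurable


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}   # constructed
# Dummy record so unknown users still cost one derivation in the hardened path.
DUMMY_RECORD = (_SALT, derive("not-a-real-password", _SALT))


@dataclass
class Work:
    """Counts expensive derivations so the behaviour can be asserted on
    without relying on wall-clock measurements."""
    derivations: int = 0


def vulnerable_login(user: str, password: str, work: Work) -> bool:
    """Oracle: an unknown user is rejected before any hashing, so 'invalid
    username' returns instantly while 'valid username, wrong password' pays
    for a full derivation. That gap is what the post's enumeration relied on."""
    if user not in USERS:
        return False
    salt, expected = USERS[user]
    work.derivations += 1
    return hmac.compare_digest(derive(password, salt), expected)


def hardened_login(user: str, password: str, work: Work) -> bool:
    """Fix: same work on every path. Unknown users are derived against the
    dummy record and compared in constant time; the existence check is
    applied only after the expensive step."""
    salt, expected = USERS.get(user, DUMMY_RECORD)
    work.derivations += 1
    matched = hmac.compare_digest(derive(password, salt), expected)
    return matched and user in USERS


def timing(login, user: str, password: str = "wrong") -> float:
    """Wall-clock seconds for one attempt: for the vulnerable function the
    known/unknown gap is the signal, for the hardened one it disappears."""
    start = time.perf_counter()
    login(user, password, Work())
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(fn.__name__, "alice: %.4fs" % timing(fn, "alice"),
              "nobody: %.4fs" % timing(fn, "nobody"))
```

Running the block prints the two timings side by side; the `Work` counter is what the design really guarantees, since the wall-clock numbers vary from machine to machine.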
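The GlassFish lowercase-method bypass described above is a general bug class: the security constraint is keyed on the literal verbs it was configured for, while the layer behind it canonicalises the verb before routing, so "get" does GET's work without GET's auth check. The block below is an added example, not GlassFish's own code (the exact 2.1 internals are not on the page): it models the vulnerable policy beside a hardened one that protects the path regardless of verb and rejects non-canonical method tokens outright, plus the cheap log check a defender can run on request lines.

```python
"""Method-case auth bypass, modelled generically, with the fix beside it.
Added example, not GlassFish's code; paths and verbs are illustrative."""

import re

PROTECTED_PREFIXES = ("/admin",)
CANONICAL_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS"}


def dispatch(method: str, path: str) -> str:
    """The handler layer: canonicalises the verb, so 'get' does GET's work."""
    return f"{method.upper()} {path}"


def vulnerable_requires_auth(method: str, path: str) -> bool:
    """Bug class: the constraint is keyed on the literal verbs 'GET'/'POST'.
    A request with 'get' is not covered, yet dispatch() still serves it."""
    if not path.startswith(PROTECTED_PREFIXES):
        return False
    return method in {"GET", "POST"}


def hardened_requires_auth(method: str, path: str) -> bool:
    """Fix: protect the path regardless of verb, and reject (rather than
    normalise) any method that is not a byte-exact canonical token."""
    if method not in CANONICAL_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    return path.startswith(PROTECTED_PREFIXES)


def handle(policy, method: str, path: str, authenticated: bool) -> int:
    """Status code a request gets under the given policy function."""
    try:
        needs_auth = policy(method, path)
    except ValueError:
        return 405
    if needs_auth and not authenticated:
        return 401
    dispatch(method, path)
    return 200


# Detection side: normal clients never send a method token that is not
# all upper-case, so a lowercase or unknown verb in proxy/access logs is a
# cheap, low-noise thing to alert on.
_REQUEST_LINE = re.compile(r"^(\S+) (\S+) HTTP/\d\.\d$")


def noncanonical_method(request_line: str) -> bool:
    m = _REQUEST_LINE.match(request_line)
    if not m:
        return False
    method = m.group(1)
    return method != method.upper() or method not in CANONICAL_METHODS


if __name__ == "__main__":
    for policy in (vulnerable_requires_auth, hardened_requires_auth):
        print(policy.__name__, "GET ->", handle(policy, "GET", "/admin", False),
              "get ->", handle(policy, "get", "/admin", False))
```

The point of the hardened version is that it never normalises: a verb that is not already canonical is an error, so there is no second spelling for a constraint to miss.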
Mine... roll into the office at 9.30.
Check call stack for new calls. Check calls close to SLA.
Do calls close to SLA, phone users of other calls to see if there's still a problem.
Wash & repeat until no more calls likely to breach SLA on that day.
go home, check work email for the remainder of the day.
tl;dr
My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.
Some days have been more like this:
:lol:
Quote from: Quixoticish on March 18, 2012, 23:52:11 PM
tl;dr
yet you feel the need to post?
Damn your post count must be important. +1.
Sent from my GT-I9000 using Tapatalk
Quote from: Clock'd 0Ne on March 19, 2012, 02:05:03 AM
My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.
Some days have been more like this:
:lol:
Lol, mine's not standard in the slightest, that's just a single particularly successful pwnage day.
Have a go :) just like "what do you do?" Only more descriptive.
Sent from my GT-I9000 using Tapatalk
Awesome post. Love this. Thanks for putting in the effort, sounds like a fun job.
I'll try and do one of my job at some point.
Quote from: Clock'd 0Ne on March 19, 2012, 02:05:03 AM
My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.
Some days have been more like this:
:lol:
Where did you learn all this stuff?
edit: deserves a :o
Quote from: Pete on March 19, 2012, 15:38:42 PM
Where did you learn all this stuff?
That's what I was thinking too. I wouldn't know where to start :o
Yeah, where do you even start?
My day:
9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00 :gag: windows updates :gag:
90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.
That is one of the reasons why I love ubuntu, the updates are so swift :)
Quote from: Pete on March 19, 2012, 19:22:38 PM
Yeah, where do you even start?
My day:
9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00 :gag: windows updates :gag:
90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.
Quote from: bear on March 19, 2012, 19:50:36 PM
That is one of the reasons why I love ubuntu, the updates are so swift :)
Quote from: Pete on March 19, 2012, 19:22:38 PM
Yeah, where do you even start?
My day:
9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00 :gag: windows updates :gag:
90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.
heh... so you think.
I've just been rebuilding my test VM. BackTrack (based on Ubuntu) kept me there for another bloody 2 hours.
As for where to start, erm, it's all on the job training so you just figure it out.
Enumeration -> Fingerprinting -> Exploitation -> Cleanup.
There's a bunch of other stages I'm sure I'm missing, but I'm knackered today, it's been a day of emails and progress bars :|
Enumeration - find hosts, scan for open ports.
Fingerprinting - essentially banner grab to try and version the services you're seeing. I've been known to MD5 all .js files on a website to identify a wordpress install, took bloody ages but it worked.
Exploitation - You could write your own fancy things, however there are many, many people out there who are better at it than me, you or anyone I know. They dedicate their 9-5 to researching the latest vulns or they truly are "1337", so there's no point; may as well reuse theirs.
A majority of the time it doesn't even require an exploit in the traditional sense of the word, just an inquisitive nature.
Find a multifunction device (printer with bits on) management interface; on a hunch you try admin/admin and get in. Okay, so what now?
Can you browse the last scanned/copied/printed documents for interesting filenames or enumerate valid company usernames?
Can you find the temporary directory where it stores things before emailing them across a company network?
Are you able to obtain a copy of documents as they're scanned?
That type of thing, it's just following the rabbit hole to the end.
Cleanup - Just don't do anything that would cause lasting damage, unless you know you are allowed to do it. Make sure anything you can do can be cleaned up afterwards with minimal/no downtime, if you can, clean up as you go.
Easy enough. As for tools and toys: Google... or talking with your colleagues about what they use. Some of us have written our own tools that make our jobs easier and some of our team are able to obtain tools from other people; it's all about sharing.
Then it's all about keeping up to date with current topics. I subscribe to a bunch of blogs and security news feeds, podcasts and I get emailed whitepapers, etc... It just comes with the job.
When I started I knew nothing, I still know nothing. In 20 years time, I'll still know nothing :D You just do what you can in the time you're given.
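The "MD5 all the .js files to identify a WordPress install" trick above is fingerprinting by static-file hash: every release ships a known set of files, so hashing what a server serves and intersecting against a table of known releases narrows the version down. The block below is an added example, not the poster's script: the release corpus, version numbers and file contents are constructed, and the same index run against your own web roots is how a defender finds installs that have fallen behind.

```python
"""Version fingerprinting by hashing static files against known releases.
Added example with a constructed corpus, not the poster's tooling."""

import hashlib

# Constructed corpus: version -> {relative path: file bytes}. In practice you
# would populate it by walking the extracted release archives.
KNOWN_RELEASES = {
    "1.0": {"js/app.js": b"var app=1;", "js/util.js": b"var util=1;"},
    "1.1": {"js/app.js": b"var app=1;", "js/util.js": b"var util=2;"},
    "2.0": {"js/app.js": b"var app=2;", "js/util.js": b"var util=2;"},
}


def md5(data: bytes) -> str:
    # MD5 is fine here: it is an identification key, not a security control.
    return hashlib.md5(data).hexdigest()


def build_index(releases: dict) -> dict:
    """(path, md5) -> set of versions shipping exactly that file."""
    index = {}
    for version, files in releases.items():
        for path, content in files.items():
            index.setdefault((path, md5(content)), set()).add(version)
    return index


def identify(observed: dict, index: dict) -> tuple:
    """Intersect candidate versions over every observed file whose hash is
    known. Files with an unknown hash (customised, minified differently, or
    from a version not in the corpus) are reported rather than used to
    exclude, since one edited file would otherwise rule everything out.
    Returns (sorted candidate versions, paths that matched nothing)."""
    candidates = None
    unmatched = []
    for path, content in observed.items():
        versions = index.get((path, md5(content)))
        if versions is None:
            unmatched.append(path)
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return sorted(candidates or []), unmatched


if __name__ == "__main__":
    idx = build_index(KNOWN_RELEASES)
    seen = {"js/app.js": b"var app=1;", "js/util.js": b"var util=2;"}
    print(identify(seen, idx))   # (['1.1'], [])
```

Files that are identical across many releases (the `app.js` shared by 1.0 and 1.1 here) never narrow things on their own, which is why the poster's "took bloody ages" approach of hashing everything is what actually works: the discriminating file is rarely the obvious one.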
edit - my days do vary a bit but this is a rough overview of stuff that can/does happen - sometimes I get a mixture of stuff and deal with lots of people - other times I'm just working for a few days on one item and ignoring absolutely everything else...
----------------------------------------------------------------------------
My day - roll out of bed at like 9-ish... quick shower etc... go to station... check e-mails etc... on phone, on train. Get into office sometime circa 9:30.
take a look at schedule/priorities for week and make a rough plan in head re: what to tackle today.
Start off maybe testing something I analysed last week, find that some of the spec has been missed by the developer - send back to developer.
Fob off project director who's chasing said item - tell him it will be ready in two days... tell developer it needs to be done today. Aim deliver it tomorrow...
Analyse an implementation issue, realise the professional services consultant's job title is still an oxymoron and his spec is bollocks... try getting sense out of PS consultant... realise he's an utter numptie and doesn't really know what the client wants but has tried to copy and paste some stuff the client sent him into some form of doc... phone client directly and clear it all up over a 5 minute conversation - write proper spec and have a quick chat over with a developer to get their input, make sure they agree with the proposed solution, amend spec if required - get dev time scheduled...
Respond to a mail from support
Ignore two other mails from support that are fairly retarded....
Take phone call from some account manager chasing some crap issue for a client we don't care about - tell her straight that it's not going to happen this week and unlikely to happen next week either and that it's basically at the bottom of the list...
Respond to mail from account manager's boss who the account manager has now complained to - remind them that X, Y and Z client were supposed to be the priority but if they insist you'll happily stop the work for those clients and look at the unimportant issue for the unimportant client - choice is up to them...
Receive mail from account manager's boss saying no of course X, Y and Z are more important I don't want to take any time away from them...
Analyse/start looking into a couple of other things - realise they will all take a bit of time and it's getting near the end of the day so...
...actually take a look at the issue for the unimportant client that caused a fuss with account management as it looks like a quick fix... write quick spec but get it scheduled for next week as the account manager is a pain and pandering to her with a quick turnaround will only encourage her to be more of a pest.
Find out how far dev guy has got with the bits missed from the spec from earlier... apparently few issues but will be sorted tomorrow morning...
Go home...
Checking phone in evening - receive some chaser e-mails relating to the previously ignored e-mails from support.
This time they're CC'ing the support manager.
Ignore them again...
Lol, what are you? A test manager?
Loving the ignoring bit, though I'd encounter way too much rage if I did it.
Sent from my GT-I9000 using Tapatalk
Gas Trading IT Analyst
Arrive in for sometime between 7 and 8.30 depending on how I felt about getting out of bed that morning.
On walking onto the Trade floor check the overhead display plasmas which show live gas and oil flow data for errors or missing values. Data which has not been updated is highlighted and will be a top priority as soon as I get my laptop docked and fire up.
Check with analysts and traders when walking to my desk that there are no critical issues at the moment, usually they will point to the missing data I have already spotted.
Get logged in and quickly scan over emails to ensure there aren't any critical issues. Usually not, so find out where those late or incorrect data values are sourced from. 99% of the time it comes from a website which we scrape for data; check the website to see if they haven't published data or if we haven't captured it. Send an email to the providers, then to the users to let them know we're dealing with the issues.
Phone Singapore pre 9am to make sure all is well over there, reassure them that the development work they've asked for is getting done and give them some timelines for delivery.
Check the support team guys aren't stuck with anything, if they are, point them in the right direction, get timelines then leave them to it.
Work through the morning's emails. Most are requests for new data feeds or requests for us to verify erroneous looking data. Speak to the relevant people to make sure they're going to handle them within an appropriate timescale.
Check my on-going work list; normally it's a list of tasks I am managing but not doing myself. I will check with the support and devs on the progress of the work and then wander over to the users (usually an Analyst, sometimes a Trader) to let them know how it's going and when to expect delivery.
Consider starting the strategic development tasks assigned to me for this sprint. Read the day's analysis and trading updates instead.
1000 - Morning scrum meeting. 20 minute stand-up discussion of where each team member has got to with the work they have been scheduled to complete during the current 2 week sprint of work. Explain that I'm behind schedule because of all the ad-hoc high priority business requests I've dealt with, everyone agrees and we add some time to the delivery date for my piece of work.
Fire up VS2010 and work on the .NET application I'm developing while getting interrupted every 20 mins by someone with an issue they can't solve. Help out on various things and don't get as much coding done as I had intended.
1200 Take a good hour for lunch looking at HUKD and Tek, usually buy one or two things I don't need. Eat too much and end up feeling sleepy for the rest of the afternoon.
Have a couple of design/strategy/planning meetings somewhere during the day. Everyone agrees on the right course of action but it helps to talk through the details a bit. Take our proposed solution to the business stakeholder and explain why it's the right thing to do and why it will take so long. Get agreement and leave them optimistic about the project.
1658: Shutdown laptop so I can be out the door by 1700.
Quote from: M3ta7h3ad on March 21, 2012, 06:56:54 AM
Lol, what are you? A test manager?
Loving the ignoring bit, though i'd encounter way too much rage if I did it.
Sent from my GT-I9000 using Tapatalk
Nah, analyst - there are a few of us working within a team of developers - we get involved in the specs and initial testing and some limited documentation (in theory user documentation is supposed to happen, in reality it doesn't, but limited technical/implementation documentation does happen if it's really necessary).
Re ignoring people: we unfortunately have various people to deal with, from on site consultants to account managers to support - dealing with them becomes quite arbitrary as the important stuff is generally already being looked at and if what they're concerned about isn't being looked at then 9/10 times it's probably not important.
If they're asking something relevant and that can be answered promptly then I reply, if they're being a numptie and fwd'ing something a client sent them which they don't understand/haven't bothered to look at or attempted to understand themselves then I tend to ignore them... Everyone has to start somewhere but when I started I wouldn't have dreamed of simply fwd'ing a mail to someone in dev and expecting them to do my job for me - I'd at least have a crack at it myself, attempt to add some value. Obviously you've got to be patient with new guys, but people who've been around for a while and still just fwd crap ought to know better and can legitimately be fobbed off/ignored IMO.
We do have a QA dept but they are there to test entire releases not fixes, customisations or ongoing project work - they also don't have people from other parts of the business pestering them.
My days are pretty much as random as feck. The below isn't a typical day, I'd never get it all in one day, but chances are over the course of a week it would have happened.
Arrive at work at 8.30
Check emails and answer/action them all.
9am I start on my normal work, which currently is admin and research.
10am I need a break from the computer so I decide to deliver the parcels that have come in to the office. These include boxes of maggots and fly larvae, liver, and controlled drugs.
At some point in the morning I get asked if I can top up the liquid nitrogen, so I do that and get mesmerized by the way it boils. Later in the day I dispose of dry ice in a sink by running hot water over it. Before the water, I leave it for a while, which causes the sink to get so cold that it starts to snow from underneath. When I turn the hot water tap on it creates a rolling fog that pours out of the sink and creeps across the floor.
As I'm walking to lunch I'm asked if I could set up for one of the forensic practicals later that day. This involves dressing some fake corpses, stabbing them repeatedly, and then ransacking our custom facility to make it look like a murder/rape/drugs deal gone wrong etc. It's always fun dragging the body bags across the floor.
In the afternoon I do a bit more office work before heading to the labs to sieve some mud samples from France and Portugal. It's menial work, but quite therapeutic, and means next week I'll be in Portugal and then Spain collecting fresh samples to bring back.
5-5.30pm I head home.
I'd have to say that currently my jobs are a bit more boring than in the past; it was much more fun when I was using the Scanning Electron Microscope and managed to singe a fly's anus using a beam of electrons emitted from a high-voltage tungsten filament fired from an electron gun :D
I guess this is fairly typical:
Get up between 8:45-9:30am depending on how knackered I am and how well my alarm revives me. Zombie walk to the kitchen (bitch of a commute, that) and get a tall and strong cup of tea brewing and make some breakfast if I'm hungry, then head to my office room while it brews to check emails/MSN/forums... 15 minutes later check on tea brewing, having forgotten about it - strong but growing tepid - so I add milk to drink it anyway.
10am - unless something urgent has come up or needs finishing, start some real work when brain is in gear. Usually have a Skype/mobile call with the main office to see what is prioritised for the day, unless there is a new website build project already on the cards.
Spend the rest of the morning either doing odd jobs as I'm called or MSN'd about bugs/config issues, doing site graphics, or spend it designing/coding up the template for a new build.
12-1am - have myself some lunch, sometimes later than this if I've been particularly busy. 2 packs of Tesco value curry noodles FTW! Sometimes I spice this up with random noodle/ramen packs from the world food sections (Tom Yum is good). Maybe once a month I'll have a graze box delivered.
Afternoon - spent in much the same way as the morning, taking/making calls to clients/the office about problems or design requirements; I can usually have a website design wrapped up in an afternoon if it's not too busy. I like to double-quote on time though so I'm not flogged to death :horse:
Finish around 6pm usually (later if busy). As I'm typically a night owl if I've a few big sites I'm working on I'll sometimes work late evening when I get my second wind of energy and it's quieter.
Some of you have far more interesting/fun jobs from the sounds of it. I enjoy my job, but I don't get out enough and miss the banter and japes of working at somewhere like Tekheads :D
That is an elaborate way to say f**k you ;D
(http://dl.dropbox.com/u/27671628/fyp.jpg)
Some of you guys have freaking amazing jobs.
WTF @ zpyder, dead bodies?! Well after seeing your fake hands and blood thing back in the day I guess there's one guy I'd pick for that :D Sounds like an episode of CSI! :D
Quote from: M3ta7h3ad on March 23, 2012, 21:44:08 PM
Some of you guys have freaking amazing jobs.
WTF @ zpyder, dead bodies?! Well after seeing your fake hands and blood thing back in the day I guess there's one guy I'd pick for that :D Sounds like an episode of CSI! :D
I said that zpider's murdered teddy bears would be useful training eventually... ;D
My work night is mostly helping old people to the toilet or getting stuff to eat or drink, and also a few diaper changes, emptying urine bags, changing soiled or wet bedspreads, also some coffee making, flower watering and laundry. On the computer, reporting load data from "mobipen". :)
My day yesterday... woke up at 7am, had a lie in with the missus, got into work at 10am.
Played iPad games until 11, checked SLA, fixed call, played iPad until 12, checked SLA,
done 2 calls. Played iPad until 2pm, checked stack, done 2 calls, decided 2.30pm was too late
to be in work. Drove home - stopped in Tesco for tequila, limes & triple sec.
5.31pm drink margarita - just in case I had a VIP 2hr SLA (my hours are 7.30-7.30 flexi).
2nd busiest day this year - the day before was the busiest, I didn't get home until 4pm :(
Zpyder's days sound the most fun.
I don't have a typical day but here's Friday:
8am - I'm on day 5 of a 5 day project so I'm leaving home a little late, aiming to get to site for around 9:30.
9:30 - I check my work plan. Still have to move user drives over to the new server, and get a 3rd party app working. The 3rd party company has screwed up their end of the work so I'm not bothered about this bullet-point running over - it's not my fault. Apparently there are two new MFPs coming sometime in the afternoon.
10:30 - Check with the users and most don't even know they have P: drives, so I tell them don't do any work while I robocopy stuff. I'm gonna dcpromo the old server later so I check the FSMO roles etc have moved. I turn the old server off figuring I'll boot it up in a few hours to dcpromo - that way I'll know if anything is still depending on it.
12:30 - I've got 5 i7 PCs this guy has bought 2nd hand from somewhere. Fresh builds apparently but no one knows the passwords for them. I Hiren's BootCD them and blank the passwords - normally I'm good at guessing them - get them on the domain and pile them in a corner.
1pm - I floorwalk, check everyone is happy. Everyone is happy except things are slow all of a sudden - DNS records still exist for the old DC. Also people are getting errors in Outlook because I haven't set the OAB for the database.
2pm - I'm done. I do my paperwork and fire up the old DC. Run dcpromo and get an error - it's only because the servers are out of sync though. dcpromo and the server room gets a lot quieter :). 3rd party company comes good with the licensing issues, they're slow workers so after a server reboot I get it all working myself then tell them it's all cool.
2:30pm - the MFPs arrive. Do I want to help get them up 3 flights of stairs? No. I floorwalk again. All is well.
3pm - the printer guys want to get the drivers installed on the server. I do it for them in 10 minutes because it's my server and they're not messing with it.
4pm - figure I've hung around long enough so I have a chat with the MD and get the paperwork signed.
I'm currently having breakfast in Spain having travelled over the last week from Lisbon down to the Algarve and then west. We leave for England tomorrow.
My job the last week has been supervising students doing some sampling for the research I'm employed on and taking photos. I've got bucket loads of photos of rare birds, eagles, spoonbills, corn buntings etc., well, rare in the UK. It's been a good week - essentially paid to be a photographer!
You lucky bugger! Picked up a tan?