Tekforums.net - The improved home of Tekforums! :D

Security Testing - A day in the life...

Started by M3ta7h3ad, March 18, 2012, 15:11:15 PM



M3ta7h3ad

Figured I'd post a day in the life of my job.

#### 8:15am ####

I'm ahead of schedule; I expected heavy traffic on the route. I'm only meant to be there at 9am, but I may as well see if I can get in and get started.

#### 8:45am ####

I'm still driving around and around the postcode area looking for the place. I've been told it's a big building covered in branding. A phone call later and I find out my colleague is also doing laps around the place and can't find it either. His satnav thinks he's in a field.

#### 8:50am ####
We find the place. It's a big white building in a place where there are lots of big white buildings. Not a signpost in sight, let alone branding or logos.

We have a bit of a palaver going through the main gate, but it all gets sorted after 5 minutes and we head into the car park. Unfortunately the place I am at has a 2 hour induction they run once every 4 weeks; my work, as it's so short term, often doesn't fall into the "we must make sure we book him on it" category, and I usually get lumped with being escorted everywhere.

We meet our escort inside - nice chap but he's got work to do, he takes us in and leaves us to it.

Get in, laptops out and powered up, VM with BackTrack 5 R1 kicked off, and I whip out my CAT6 and plug into the first switch port - no link.

"Bollocks - no link light here mate, what about yours?" I ask my colleague.

He replies: "Yeah, I've got nothing, let's try them all one by one, maybe we can find one we can kick off while we sort out the rest."

No dice - we start calling people, but it's 9am and everyone is doing their morning coffee desk-settling shuffle process so no one answers. It gets picked up at about 9:30 and we're told they're on it and will email us when it's done. My colleague had been in contact with the network guys all the previous week, so all of the configurations should be written; it's just a case of loading them on.

#### 11:30am ####
We get the email. My colleague is renowned for a bit of rage, but by this point he's all raged out; we were resigned to just staring into cups of coffee in the break room, cursing the project.

We head back in and link light is good, I grab 2 spare IP addresses out of my first VLAN and fire off an arpsweep to enumerate the devices. A quick nmap -sP IP/CIDR gives me reverse DNS for the hosts if I have it and confirms the arpsweep findings. Another colleague of mine has scripted this part all in a nice little bash script available here: https://www.phillips321.co.uk/pentest-sh/

Happy to use it as it frees up my time to go and give everything a good poke as it gets reported on screen. So I set it going, giving me a full 65535 port TCP SYN scan, a small TCP SYN scan (1000 common ports - useful for when scanning load balancers, which seem to like taking an ever increasing amount of time to do a full scan) and a small UDP scan (1000 common ports again).

It'll try and auto-identify any services it finds; if it's a web page it'll try and take a screenshot of it, it'll auto-run sslscan against any SSL services to identify weak ciphers and self-signed certs, and it'll do an obligatory onesixtyone and nbtscan if appropriate. As I only find a few hosts I also kick off Nessus (ProfessionalFeed) at the same time. It's not fantastic but it gives you a few pointers as to where you need to do your poking.

Now I watch the scans come in and have a bit of a poke at the ports as they scroll up on screen. The script does a full summary at the end but I like to not be sitting there and twiddling my thumbs while I'm waiting for scans to complete. My colleague is doing the same just further down the racks and I hear a "YES!"

He's found a Windows machine. The name it's reporting via NetBIOS is something along the lines of "W2K3TEST1", so we're instantly thinking - it's got to be unpatched...

Our thinking is not wrong. Nessus confirms it moments later - the server is vulnerable to MS08-067. My colleague fires up Metasploit and, a few clicks later, he has access to the local machine as NT AUTHORITY\SYSTEM. Okay, he's "got root" on the local machine, but this is a massive network - what next...

He uses another Metasploit module known as Incognito. Turns out a domain admin once logged into the machine and his token was cached. My colleague assumes the role, adds a user for himself to the domain and adds that user to the "Domain Admins" group.

Pow... even better, now we have access as admin to the entire domain this machine is part of, including the domain controllers themselves, and we haven't even scanned them yet. Colleague starts looking to see if there are any trusted domains within the forest. However, whoever designed this network performed an epic fail.

The domain is completely flat - including machines from test and live.

Now for some reason this network is subdivided into over 100 VLANs... each VLAN having maybe 2 hosts in, sometimes a few more. From a network perspective we'd say that granularity is overkill. However it all means nothing if the entire domain is flat and you can own every single box on the network with one attack.

We did say every single box, right? So yeah, like most corporate networks you'll find a good chunk of Linux-based boxes, usually Red Hat. Using the well-known SSH enumeration bug (valid usernames cause a pause before rejection, invalid credentials get rejected instantly) we also figure out that they authenticate to the DC too, so a few more groups added to our user and not only can we log onto Windows machines as admin, we can now become root and sudo across the Linux side of the network too.

Blam - First 30 minutes of testing. Network owned.  :ptu:

Now granted, while my colleague was doing this I wasn't sitting around doing nothing either. I found myself another avenue of attack; it's simplistic but everyone forgets it: updating 3rd-party software. We are heading towards lunchtime when I find an old installation of GlassFish v2.1 on a machine.

GlassFish v2.1 has the most idiotic "exploit" known to man in my opinion. It's a simple auth bypass that requires you to change any HTTP requests from GET to get or POST to post; basically, lowercase HTTP requests defeat the authentication on the server.

So I fire up Burp Suite and set the proxy up to intercept my requests. Browse to the site, do the necessary transformations and gain access to the admin console.

In the meantime I've also fired up msfpayload and exported myself a WAR file containing a Meterpreter console from Metasploit. I fire up a multi/handler listening for a reverse TCP shell.

Using the now wide open admin console I upload the WAR file I exported and launch it. A few seconds pass and pow, I have a remote console running as the glassfish user.

Okay, so again an account that runs a process is one thing but it's not root.

#### 13:00 ####

I head to lunch, with my colleague already gloating that he has root on everything, and I eat my sandwiches while scouring exploit-db.com for local privilege escalation exploits in RHEL 5.6 or affecting Linux kernel 2.6.18. I download about 15 or so and go through the code they run on my laptop, making sure that I'm not going to run a "bad exploit" that will leave a persistent mark or try and connect out at all. I fire up any that pass the review in a VM with tcpdump running just to double check.

Any I have doubts over I throw away. The rest look to be clean so I finish my lunch off and we head back in.

#### 13:45 ####

I kick off one and no dice, another... another... another... nothing is working. Either the exploits are duff or something isn't right, so I give up trying to run them as I'm clearly doing something wrong. I default back to what I should have kicked off while at lunch.

$ find / -name password 2>/dev/null -- It never works but it's always useful to check; never underestimate the idiocy of people.
/tmp/password -- WTF  :o
$ cat /tmp/password
password123
$ su -
Password:
password123
# whoami
root

Bosh! Root. Done.  :cheers:

#### 14:30 ####

Technically we're here all week testing the entire environment, but the damage is done. That root password works on every box. Unfortunately the difference between a penetration tester and a hacker is that a hacker only needs to find one avenue of attack; a penetration tester has to find them all.

So the rest of the week continues in a similar vein.

Voila a day in the life - What's your day in the life story?
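The GlassFish bypass in the post is an instance of a general mistake: an access-control filter that only inspects a fixed list of upper-case method names and passes everything else through unauthenticated. The Python below is an added example written for this thread; it is not GlassFish's code and not the poster's. It shows that flawed pattern beside a default-deny version, and a small check that flags non-canonical method tokens in access-log lines so an administrator can spot the attempt after the fact. The request shape, the `/admin` path prefix and the log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# HTTP method tokens are case-sensitive (RFC 7231); "get" is not the GET method.
KNOWN_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})
# Constructed assumption: paths under /admin require a logged-in session.
PROTECTED_PREFIXES = ("/admin",)


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool  # constructed: whether a valid session was presented


def vulnerable_filter(req: Request) -> str:
    """Flawed pattern of the kind the post describes: the auth check is only
    applied when the method matches an upper-case list, and every other
    request is passed through (default-allow).  A request spelled 'get' or
    'post' misses the list and reaches the protected resource unauthenticated."""
    if req.method in ("GET", "POST") and req.path.startswith(PROTECTED_PREFIXES):
        return "allow" if req.authenticated else "deny"
    return "allow"  # the bug: unrecognised methods skip the check entirely


def hardened_filter(req: Request) -> str:
    """Default-deny version: an unknown or non-canonical method is rejected
    before any routing happens, and protected paths require a session
    regardless of which method is used."""
    if req.method not in KNOWN_METHODS:
        return "deny"  # 'get', 'Get', 'G3T', ... never reach the application
    if req.path.startswith(PROTECTED_PREFIXES):
        return "allow" if req.authenticated else "deny"
    return "allow"


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2012:11:40:01 +0000] "GET /admin/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [18/Mar/2012:11:40:07 +0000] "get /admin/ HTTP/1.1" 200 5120',
    '10.0.0.9 - - [18/Mar/2012:11:41:15 +0000] "GET /index.html HTTP/1.1" 200 812',
    '10.0.0.5 - - [18/Mar/2012:11:42:30 +0000] "post /admin/deploy HTTP/1.1" 200 44',
]

_REQUEST_LINE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) HTTP/\d\.\d"')


def find_noncanonical_methods(lines):
    """Return (method, path) for every log line whose method token is not one
    of the exact upper-case tokens.  On a server with the flaw above, a hit on
    a protected path with a 200 response is the bypass in action."""
    hits = []
    for line in lines:
        m = _REQUEST_LINE.search(line)
        if m and m.group("method") not in KNOWN_METHODS:
            hits.append((m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    bypass = Request("get", "/admin/", authenticated=False)
    print("vulnerable:", vulnerable_filter(bypass))   # allow
    print("hardened:  ", hardened_filter(bypass))     # deny
    print("log hits:  ", find_noncanonical_methods(SAMPLE_LOG))
```

The defensive point is the ordering: validate the method token against the exact set of tokens the server supports, reject anything else with an error before the request touches authorisation or routing, and make the protected-path check independent of the method. A lowercase token paired with a 200 on an admin path in the logs is a cheap signal that something was tried against that filter.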

Eggtastico

Mine... roll into the office at 9.30.
Check call stack for new calls. Check calls close to SLA.
Do calls close to SLA, phone users of other calls to see if there's still a problem.
Wash & repeat until no more calls are likely to breach SLA on that day.
Go home, check work email for the remainder of the day.

Quixoticish


Clock'd 0Ne

My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.

Some days have been more like this:



:lol:

M3ta7h3ad

Quote from: Quixoticish on March 18, 2012, 23:52:11 PM
tl;dr

yet you feel the need to post?

Damn your post count must be important. +1.


M3ta7h3ad

Quote from: Clock'd 0Ne on March 19, 2012, 02:05:03 AM
My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.

Some days have been more like this:



:lol:

Lol, mine's not standard in the slightest, that's just a single particularly successful pwnage day.

Have a go :) Just like "what do you do?", only more descriptive.


addictweb

Awesome post. Love this. Thanks for putting in the effort, sounds like a fun job.

I'll try and do one of my job at some point.


bear

Quote from: Clock'd 0Ne on March 19, 2012, 02:05:03 AM
My days aren't standard enough to be able to write any kind of consistent example. Some days I'm so overloaded with jobs here and there, writing scripts, designing logos/buttons/banners, fixing bugs or software config problems, yet others I end up doing one big project all day for a new website build or design.

Some days have been more like this:



:lol:


Pete

Where did you learn all this stuff?

edit: deserves a  :o
I know sh*ts bad right now with all that starving bullsh*t and the dust storms and we are running out of french fries and burrito coverings.

Mardoni

Quote from: Pete on March 19, 2012, 15:38:42 PM
Where did you learn all this stuff?

That's what I was thinking too. I wouldn't know where to start :o

Pete

Yeah, where do you even start?

My day:

9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00  :gag: windows updates  :gag:

90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.

bear

That is one of the reasons why I love Ubuntu, the updates are so swift :)


Quote from: Pete on March 19, 2012, 19:22:38 PM
Yeah, where do you even start?

My day:

9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00  :gag: windows updates  :gag:

90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.

M3ta7h3ad

Quote from: bear on March 19, 2012, 19:50:36 PM
That is one of the reasons why I love ubuntu,  the updates are so swift :)


Quote from: Pete on March 19, 2012, 19:22:38 PM
Yeah, where do you even start?

My day:

9:30-3:30 zzzzzo sbs install zzzzz
3:30 scheduled reboot
3:30 - 5:00  :gag: windows updates  :gag:

90 flipping minutes of waiting to go home because of windows bloody updates. FU windows updates.

heh... so you think.

I've just been rebuilding my test VM. BackTrack (based on Ubuntu) kept me there for another bloody 2 hours.

As for where to start, erm, it's all on-the-job training so you just figure it out.

Enumeration -> Fingerprinting -> Exploitation -> Cleanup.

There's a bunch of other stages I'm sure I'm missing, but I'm knackered today; it's been a day of emails and progress bars :|

Enumeration - find hosts, scan for open ports.

Fingerprinting - essentially banner grab to try and version the services you're seeing. I've been known to MD5 all .js files on a website to identify a WordPress install; took bloody ages but it worked.

Exploitation - you could write your own fancy things, however there are many, many people out there who are better at it than me, you or anyone I know. They dedicate their 9-5 to researching the latest vulns, or they truly are "1337", so there's no point; may as well reuse theirs.

A majority of the time it doesn't even require an exploit in the traditional sense of the word, but just an inquisitive nature.

Find a multifunction device (printer with bits on) management interface; on a hunch you try admin/admin and get in. Okay, so what now?

Can you browse the last scanned/copied/printed documents for interesting filenames or enumerate valid company usernames?
Can you find the temporary directory where it stores things before emailing them across a company network?
Are you able to obtain a copy of documents as they're scanned?

That type of thing, it's just following the rabbit hole to the end.

Cleanup - Just don't do anything that would cause lasting damage, unless you know you are allowed to do it. Make sure anything you can do can be cleaned up afterwards with minimal/no downtime, if you can, clean up as you go.

Easy enough. As for tools and toys, Google... or talking with your colleagues about what they use. Some of us have written our own tools that make our jobs easier, and some of our team are able to obtain tools from other people; it's all about sharing.

Then it's all about keeping up to date with current topics. I subscribe to a bunch of blogs and security news feeds, podcasts and I get emailed whitepapers, etc... It just comes with the job.

When I started I knew nothing, I still know nothing. In 20 years time, I'll still know nothing :D You just do what you can in the time you're given.

Dave

edit - my days do vary a bit but this is a rough overview of stuff that can/does happen - sometimes I get a mixture of stuff and deal with lots of people - other times I'm just working for a few days on one item and ignoring absolutely everything else...

----------------------------------------------------------------------------

my day - roll out of bed at like 9-ish... quick shower etc.. go to station... check - e-mails etc... on phone, on train. Get into office sometime circa 9:30

take a look at schedule/priorities for week and make a rough plan in head re: what to tackle today.

Start off maybe testing something I analysed last week, find that some of the spec has been missed by the developer - send back to developer.
Fob off project director who's chasing said item - tell him it will be ready in two days... tell developer it needs to be done today. Aim to deliver it tomorrow...

Analyse an implementation issue, realise the professional services consultant's job title is still an oxymoron and his spec is bollocks... try getting sense out of PS consultant... realise he's an utter numpty and doesn't really know what the client wants but has tried to copy and paste some stuff the client sent him into some form of doc... phone client directly and clear it all up over a 5 minute conversation - write proper spec and have a quick chat over with a developer to get their input, make sure they agree with the proposed solution, amend spec if required - get dev time scheduled...

Respond to a mail from support

Ignore two other mails from support that are fairly retarded....

Take phone call from some account manager chasing some crap issue for a client we don't care about - tell her straight that it's not going to happen this week and unlikely to happen next week either, and that it's basically at the bottom of the list...

Respond to mail from account manager's boss who the account manager has now complained to - remind them that X, Y and Z client were supposed to be the priority but if they insist you'll happily stop the work for those clients and look at the unimportant issue for the unimportant client - choice is up to them...

Receive mail from account manager's boss saying no of course X, Y and Z are more important I don't want to take any time away from them...

Analyse/start looking into a couple of other things - realise they will all take a bit of time and it's getting near the end of the day so...
...actually take a look at the issue for the unimportant client that caused a fuss with account management as it looks like a quick fix... write quick spec but get it scheduled for next week as the account manager is a pain and pandering to her with a quick turnaround will only encourage her to be more of a pest.

Find out how far dev guy has got with the bits missed from the spec from earlier... apparently few issues but will be sorted tomorrow morning...

go home...

checking phone in evening - receive some chaser e-mails relating to the previously ignored e-mails from support
this time they're CC'ing the support manager
ignore them again...

M3ta7h3ad

Lol, what are you? A test manager?

Loving the ignoring bit, though I'd encounter way too much rage if I did it.
