Friday, December 15, 2017

First December Post

You can almost track my work based on how much posting happens - more posts equals easier work, fewer posts - hard work. In this case it's very much hard work; as I observed to my mother yesterday it's the hardest projects that expose the gaps in your knowledge, caused by gaps in your knowledge. In this case I'm testing from inside a VM, itself inside a VM, to accommodate a client's two-factor RSA-token based authentication, and all the attacks that rely on having an actual IP while sitting physically plugged in to the client's network can't be done, including any that call back to a SimpleHTTPServer you spin up with Python, or anything for MITM-ing traffic.

I'm using the installable version of Burp for the first time in Windows, and it's really a pleasure to use. It's stable and doesn't require allocating extra RAM via the JRE in the command line interface. It now has 13000 requests stored in the Proxy History, which previously would have required a restart by now, and all those requests take up only 70 MB of the "Save State" file.

Here are some questions I've had about VAPT as a result of recent work:

What's really the goal for a pentest? E.g. I'm great at vulnerability testing, but pivoting, and knowing what's permitted, and not disclosing my hand too early when the client asks for a daily update and I'm the talkative type, that's something to work on. Like, is the difference finding misconfigurations, then tying them together to get higher? Then explaining that to the client? How does tying stuff together help the client, other than emphasizing the need to patch or configure things properly?