Tag: Penetration Testing

  • Meet the Team: Brice Jager, Lead Penetration Tester

    I’m Brice Jager, a lead penetration tester for Raxis — and the only one currently living in Iowa. My career path has taken me on a long journey from health care, to health care technology, and now to penetration testing. I’ve enjoyed all of it, but I now feel like I’m where I was meant to be.

    Jim: Brice, in our discussions, it seems you’ve had two loves in your career: health and technology. I have to ask, which was the first to catch your eye, so to speak?

    Brice: I guess I’d have to say technology because we were introduced to Apple computers in 3rd grade, and I was absolutely fascinated by them. I became serious about health at 12.

    Jim: Yep, Steve Jobs believed in hooking his customers early. Was it just the interaction with technology, or did you actually realize you had an affinity for computers and how they worked?

    Brice: Other kids were “interested.” I was obsessed with understanding them and learning what all they could do. If you had asked me back then, I would have probably said I was playing with the computers. In retrospect, I was really learning the fundamentals of programming. I even developed my own checkers game. At that point, we didn’t have widely available internet, so I had to learn from books — and a lot of trial and error.

    Jim: Did your interest fade after that or did you continue to “play” with computers?

    Brice: Ha! No, my interest only got more intense as I got older. By the ‘90s, I was into war-driving (riding around searching for vulnerable wireless networks) and basically looking for mischief wherever I could find it. Most people I knew were content with just using technology. I was still that kid who wanted the challenge of getting inside and finding out what made it all work.

    Jim: You were a hacker even then.

    Brice: I guess so. And remember, in those days, a lot of software and websites weren’t locked down as well as they are now. It was easier to see how everything was put together. I was able to give myself a terrific education.

    Jim: So, what changed your focus to health care?

    Brice: It didn’t change as much as it expanded. I always had a parallel interest in anatomy and physiology and overall health. In fact, it’s the same interest, only directed toward the body and not a computer. The fundamental questions I wanted to answer are the same as well: How does it work? What causes it not to work well? How can I make it work better?

    Jim: Out of high school, you went with health care. What led you to that decision?

    Brice: I found it easy because I had a pretty deep understanding of anatomy, and it was good to see people getting the results they always wanted. Over time, I became a neuromuscular specialist and helped people avoid surgery or avoid dependence on medications. In a nutshell, tricking the brain into healing itself.

    Jim: You were hacking human brains?

    Brice: Ha! Yeah, you hear that term a lot nowadays, but we were doing it literally and getting results. But there really wasn’t a career path beyond where I was without dancing on the line of burnout, and you quickly realize not all health care has the same goal in mind so it can become frustrating.

    Jim: You did go into sports medicine, though.

    Brice: Yes. In fact, I even became a kinesiology (body mechanics) teacher from 2004 until 2010. I enjoyed it and I still dabble in it some, but I was ready for a change. What I found was a job with a software company out of Finland. They needed someone who understood their product and who could teach it to others, and oddly it was still in the health-related arena. The jump to technology sparked interest and was refreshing.

    Jim: Right up your alley on both counts.

    “Spending time with my family is what I enjoy most. My wife is a professional photographer and we have a four-year-old son. We work and work out, but we manage to work in a lot of time for our family.” — Brice Jager

    Brice: Yeah, and the great part is that it gave me a way to move into IT. I was dealing with the company team that built the software at the same time I was interacting with the customer. That helped me understand the struggles on both sides and led to my next job at the helpdesk of a hospital. Eventually, I became a systems administrator, but I was really a jack of all trades. I was doing everything from installing software to repairing IoT devices. What I didn’t do was a lot of cybersecurity.

    Jim: There was a cybersecurity incident at that time, right?

    Brice: That’s right. It was my first experience in the wild, from the perspective of a victim, as it happened. It took a lot of work to recover, but it was accomplished in 48 hours.

    Jim: That left an impression, I guess.

    Brice: It sure did. I started pentesting on my own and really got excited about ethical hacking as a profession. Within a year, I had my CISSP, OSCP, OSWP, PNPT and KLCP (professional cybersecurity certifications).

    Jim: Wow! I understand that each of those requires a lot of time and energy.

    Brice: You bet, but it helps if you’re passionate about the field. It’s a LOT of sacrificing to accomplish the certifications between work, family, and life.

    Jim: How did you find your way to Raxis?

    Brice: Oddly enough, I was doing some research on another company that I was considering. I reached out to Bonnie and she and Mark talked with me at length. Based on how easy they were to speak with, I knew it would be a great place to work. You just know good people when you talk to them.

    Jim: What’s your favorite part?

    Brice: My favorite part of this job is that pentesting is my job! And pentesting is, by far, the favorite job I’ve had so far. I love working with the best in the business here. It’s easy to ask questions, and it’s easy to weigh in when you’ve got an answer.

    Plus we get to break into stuff . . . without getting in trouble.

  • What to Expect with a Raxis Wireless Penetration Test

    Although social engineering attacks – including phishing, vishing, and smishing – are the most popular and reliable ways to gain unauthorized access to a network, some hackers simply don’t have the social or communications skills necessary to perform those attacks effectively. Wireless attacks, by contrast, are typically low-risk, high-reward opportunities that don’t often require direct interaction with the target.

    That’s one reason why pentesting for wireless networks is one of Raxis’ most sought-after services. We have the expertise and tools to attack you in the same ways a real hacker will. In fact, I’ve successfully breached corporate networks from their parking lots, using inexpensive equipment, relatively simple techniques, and by attacking devices you might never suspect.

    To appreciate how we test wireless networks, remember that wireless simply means sending radio signals from one device to another. The problem with that is that no matter how small the gap between them, there’s always room for a hacker to set up shop unless the network is properly secured.

    So, if Raxis comes onsite to test your wireless network, the first thing we will likely do is map your network. This is a mostly passive activity in which we see how far away from your building the wireless signal travels normally. But we also have inexpensive directional antennas that allow us to access it from further away if we need to be stealthier.

    Using an easily accessible aircrack-ng toolkit, we can monitor and capture traffic from wireless devices as well as send our own instructions to others that are unprotected. (I’ll go into more detail about that in a moment.)

    As we establish the wireless network’s boundaries, we also determine whether there are guest networks or even open networks in use. Open networks, as the name implies, require no special permission to access. Even on controlled guest networks, we can usually get in with little effort if weak passwords are used or if passwords are reused. Once we’re in as a guest, we’ll pivot to see if we can gain unauthorized access to other areas or other users’ data.

    While this is going on, we will often set up a rogue access point, essentially just an unauthorized router that passes traffic to the internet. If the network is configured properly, it should detect this access point and prevent network traffic from accessing it. If not, however, we can capture the credentials of users who log into our device using a man-in-the-middle attack.

    Scottie with a directional wireless antenna

    Our primary goal here is to capture usernames and password hashes, the characters that represent the password after it has been encrypted. In rare cases, we’re able to simply “pass the hash” and gain access by sending the encrypted data to the network server.

    Most networks are configured to prevent this technique and force us to use a tool to try to crack the encryption. Such tools – again, readily available and inexpensive – can guess more than 300 billion combinations per second. So, if you’re using a short, simple password, we’ll have it in a heartbeat. Use one that’s more complex and it may take longer or we might never crack it.

    If a network isn’t properly secured, however, we might be able to find a way in that doesn’t require a password. Many people who use wireless mice and keyboards, for example, don’t realize that we can sometimes intercept those signals as well. For non-Bluetooth devices, we can use our aircrack-ng tools to execute commands from a user’s (already logged-in) device.

    As a proof of concept, we sometimes change screensavers or backgrounds so that network admins can see which devices are vulnerable. However, we can also press the attack and see if we’re able to pivot and gain additional access.

    The good news for business owners is that there are simple methods to protect against all these attacks:

    • Never create an open network. The convenience does not justify the security risk.
    • If you have a guest network, make sure that it is not connected to the corporate network and that users are unable to access data from any others who may also be using it.
    • Use the latest wireless security protocol (WPA3) if possible.
    • If you’re using WPA2 Enterprise, make sure the network requires TLS and certificates.
    • If you’re using WPA3 Personal, make sure your password is at least 30 characters long. (That’s not a typo – 30 characters is still out of reach for most hash-cracking software.)

    Here’s the most important piece of advice: Test your network regularly. New exploits are found every day, and hackers’ tools get better, faster, and cheaper every day. The only way to stay ahead of them is with professionals like us who live in their world every day.

    And, trust me, you’d much rather have Raxis find your vulnerabilities than the bad guys.

  • 5 Things You Should (and Shouldn’t) Take Away from the Starlink Hack

    “As a professional, ethical hacker, I’ve gotten questions from family, friends, and neighbors about what this means – from its impact on the cost of the service to the future of humanity, depending on the paranoia level of the person asking.”

    Scottie Cole, Lead Penetration Tester

    The big news from this year’s Black Hat and DEF CON 30 hacker conventions came from a presentation by an engineer from Belgium, Lennert Wouters, detailing how he successfully hacked the entire Starlink ground network using one of the company’s own Dishy McFlatface® receivers. The greatly oversimplified summary is that he built a circuit board that allowed him to introduce a fault into Starlink’s security, which he then exploited to run custom code on the device.

    After seeing some of the headlines, I now understand why some people are a little freaked out. So, as a public service, what follows is my opinion of what the non-hacker public should (and should not) take away from this news.

    1. Yes, it’s a big deal (but maybe not for the reason you think). Let me be clear from the start, Lennert Wouters is a genius who deserves great respect for both the creative thinking and tenacity it took to accomplish this feat. This was a very complex hack that required a lot of hardware and software expertise, as well as a great deal of time to complete. That’s why . . .
    2. The media’s “$25 in off-the-shelf components” is highly misleading. Scalpels are cheap, but you still don’t see a lot of DIY brain surgery. Expense usually isn’t a barrier to hackers, but expertise, time, and motivation frequently are. Wouters conceived of and executed the brilliant hack, but he was working on it because . . .
    3. It was part of Starlink’s bug bounty program, designed to engage and reward super smart white hat hackers for finding problems first. In that sense, Wouters didn’t defeat Starlink’s cybersecurity but rather was an integral part of it. Other bounty hunters are still busy working on other exploits that could prove more significant – as are the bad guys. In fact . . .
    4. The Russians (and likely others) have been trying to take down Starlink because the Ukrainian government now relies on the satellite network so heavily. State-sponsored hackers reportedly took down the Ukrainian government’s internet service early in the war. According to Starlink founder Elon Musk, however, the Russians have not been able to disrupt Ukraine’s access to the service or breach its network. Taken together, what all this means is that . . .
    5. The Starlink hack, though impressive, likely does not represent a significant threat to the company or its users. On the one hand, I think this is a great story because I’m an electronics and “gadget” guy. As a penetration tester, however, I worry when business owners place a lot of focus on high-risk, low-probability hacks simply because they make the news. Over the course of thousands of penetration tests, the most common vulnerabilities Raxis finds are ones that are much simpler to exploit: weak passwords, missing software patches, insufficient network segmentation, and a host of other, more pedestrian problems. The vulnerabilities might not make news, but the successful attack that follows – on a business, a hospital, or a school – many times does.

    Wouters used a Starlink setup much like this one, plus “$25 in off-the-shelf materials” to carry out his hack. It’s a fascinating story, but there are much bigger threats facing businesses today.

    The most important takeaways are that the biggest corporate networks on Earth (and beyond) can be hacked. The most secure networks are those that have an effective testing protocol that identifies vulnerabilities before they become breaches.

  • What is Web App Pentesting? (Part Two)

    I’m Matt Dunn, a lead penetration tester at Raxis. This is the second of a two-part series, aimed at explaining the differences between authenticated and unauthenticated web application testing. I’ll also discuss the types of attacks we attempt in each scenario so you can see your app the way a hacker would.

    Although some applications allow users to access some or all their functionality without providing credentials – think of simple mortgage or BMI calculators, among many others – most require some form of authentication to ensure you are authorized to use it. If there are multiple user roles, authentication will also determine what privileges you have and/or what features you can access. This is commonly referred to as role-based access control.

    As I mentioned in the previous post, Raxis conducts web application testing from the perspectives of both authenticated and unauthenticated users. In authenticated user scenarios, we also test the security and business logic of the app for all user roles. Here’s what that looks like from a customer perspective.

    Unauthenticated Testing

    As the name suggests, testing as an unauthenticated user involves looking for vulnerabilities that are public-facing. The most obvious is access: Can we use our knowledge and tools to get past the authentication process? If so, that’s a serious problem, but it’s not the only thing we check.

    In previous articles and videos, we’ve talked about account enumeration – finding valid usernames based on error messages, response lengths, or response times. We will see what information the app provides after unsuccessful login attempts. If we can get a valid username, then we can use other tools and tactics to determine the password. As an example, see the two different responses from a forgot password API for valid and invalid usernames below:

    Different Responses for Valid and Invalid Usernames
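    The account-enumeration check described above, written out as an added example in Python (not code from the Raxis post): a forgot-password handler that leaks account existence through its status code, message, response length and timing, beside a hardened version that behaves the same on both paths, and the comparison a tester runs against each. The user store, token store and handler names are constructed for the example.

    ```python
    """Account enumeration via a forgot-password endpoint: a leaky handler next to a
    hardened one, plus the comparison check a tester runs against both."""
    import hashlib
    import os
    import secrets
    import time
    from dataclasses import dataclass

    # Constructed sample user store (hypothetical, not real data): username -> email.
    SAMPLE_USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

    # Reset tokens are "stored" here instead of in a database so the example runs offline.
    RESET_TOKENS: dict = {}


    @dataclass(frozen=True)
    class Response:
        status: int
        body: str


    def _derive_token_record(token: str) -> bytes:
        # The expensive step: hash the token before storing it so a leaked table is useless.
        return hashlib.pbkdf2_hmac("sha256", token.encode(), os.urandom(16), 20_000)


    def forgot_password_leaky(username: str, users: dict = SAMPLE_USERS) -> Response:
        """Leaks whether the username exists through the status code, the message text,
        the response length, and timing (the hashing work only happens for valid users)."""
        if username not in users:
            return Response(404, "No account found for that username.")
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = _derive_token_record(token)
        return Response(200, f"A reset link has been sent to {users[username]}.")


    def forgot_password_hardened(username: str, users: dict = SAMPLE_USERS) -> Response:
        """Same status, same body and the same dominant cost whether or not the user exists.
        The email address on file is never echoed back to the client."""
        token = secrets.token_urlsafe(32)
        record = _derive_token_record(token)      # always paid, valid username or not
        if username in users:
            RESET_TOKENS[username] = record       # the only branch, and it is invisible to the client
        return Response(200, "If an account exists for that username, a reset link has been sent.")


    def enumeration_channels(handler, valid: str, invalid: str, samples: int = 5) -> dict:
        """Compare a handler's behaviour for a known-valid and a known-invalid username.
        Reports which observable channels differ. 'timing_ratio' is informational only:
        wall-clock timing is noisy on a shared machine, so it is not a pass/fail signal here."""
        def timed(name):
            start = time.perf_counter()
            resp = handler(name)
            return resp, time.perf_counter() - start

        valid_resp, t_valid = timed(valid)
        invalid_resp, t_invalid = timed(invalid)
        for _ in range(samples - 1):              # average over several calls to reduce noise
            t_valid += timed(valid)[1]
            t_invalid += timed(invalid)[1]
        return {
            "status": valid_resp.status != invalid_resp.status,
            "body": valid_resp.body != invalid_resp.body,
            "length": len(valid_resp.body) != len(invalid_resp.body),
            "timing_ratio": round(t_valid / max(t_invalid, 1e-9), 1),
        }


    if __name__ == "__main__":
        for name, handler in (("leaky", forgot_password_leaky), ("hardened", forgot_password_hardened)):
            print(name, enumeration_channels(handler, "alice", "mallory"))
    ```

    Run stand-alone, the leaky handler reports differing status, body and length and a timing ratio well above 1, while the hardened one reports no difference on any of the three deterministic channels.
    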

    From an unauthenticated standpoint, we also will try injection attacks, such as SQL Injection, to attempt to break past login mechanisms. We’ll also look for protections using HTTP headers, such as Strict-Transport-Security and X-Frame-Options or Content-Security-Policy, to ensure users are as secure as they can be.

    With some applications, we can use a web proxy tool to see which policies are enforced on the client-side interface and which are enforced on the server side. In a future post, we’ll go into more detail about web proxies. For now, it’s only important to know that proxies sometimes reveal vulnerabilities that allow us to bypass security used on the client and allow us to interact with the server directly.

    As an example, fields that require specific values, such as an email field, may be verified to be in the proper format on the client-side (i.e. using JavaScript). Without proper safeguards in place, however, the server itself might accept any data, including malicious code, entered directly into that same field. In practice, this can be bypassed, leading to attacks such as Cross-Site Scripting, as shown in my CVE-2021-27956 that bypasses email verification.

    Authenticated Testing

    During an authenticated web application test, we use many of the same tactics, toward the same ends, as we do with unauthenticated tests. However, we have the added advantage of user access. That vantage point exposes far more of the application’s attack surface, and with it more potential vulnerabilities. This is why we recommend authenticated testing: to ensure that even a malicious user cannot successfully attack the application.

    Once authenticated, we check whether the app restricts users to the level of access that matches its business logic. This might mean we log in with freemium-level credentials and see if we can get to paid-users-only functionality. Or, in the role of a basic user, we may try to gain administrator privileges.

    As with an unauthenticated test, we also see how much filtering of data is done at the interface vs. the server. Some apps have very tight server-level controls for authentication but rely on less-restrictive policies once the user is validated.

    Though it may seem simple from the outside, one of the hardest things for web app developers to secure is file uploads.

    This is another topic we’ll explore further in a future post; however, one good example of the complexity involved is photo uploads. Many apps enable or require users to create profiles that include pictures or avatars. One way to restrict the file type is by accepting only .jpg or .png file extensions. Hackers can sometimes get past this restriction by giving an executable file a double extension – malware.exe.jpg, for example.

    Another problem is that malicious code could be inserted into otherwise legitimate file types such as Word documents or spreadsheets. For many apps, however, it’s absolutely necessary to allow these file types. When we encounter such situations, we often work with the customers and recommend other security measures that allow the app to work as advertised but that also detect and block malware.
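    The profile-picture upload case above, as an added Python example (not code from the Raxis post): the naive last-extension check that malware.exe.jpg slips past, beside a hardened validator that looks at every extension in the name, checks the file signature against the declared type, and stores the file under a server-generated name. The constants and sample byte strings are constructed for the example.

    ```python
    """Profile-picture upload validation: a naive extension check that the double-extension
    trick slips past, next to a hardened check that inspects the whole name and the bytes."""
    import pathlib
    import secrets

    ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
    # File signatures (magic bytes) for the two image types an avatar upload accepts.
    MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}
    MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap for an avatar

    # Constructed sample payloads: a minimal JPEG header, a PNG header, and a Windows
    # executable header (MZ) of the kind a double-extension upload tries to smuggle in.
    SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    SAMPLE_EXE = b"MZ" + b"\x00" * 64


    def naive_is_allowed(filename: str) -> bool:
        """The check many apps start with: only the last extension is examined,
        so 'malware.exe.jpg' passes."""
        return pathlib.PurePosixPath(filename).suffix.lower() in ALLOWED_EXTENSIONS


    def sniff_type(content: bytes):
        """Return the extension implied by the file signature, or None if unrecognised."""
        for magic, ext in MAGIC.items():
            if content.startswith(magic):
                return ext
        return None


    def validate_upload(filename: str, content: bytes):
        """Return (accepted, reason_or_stored_name).

        Rejects oversize files, directory components in the name, multiple extensions,
        unrecognised content, and names whose extension disagrees with the content.
        The stored name is random, so the user-supplied name never reaches the filesystem."""
        if len(content) > MAX_BYTES:
            return False, "file too large"
        # Keep only the final path component; '../' and backslash tricks are discarded.
        name = pathlib.PurePosixPath(filename.replace("\\", "/")).name
        suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
            return False, "extension not allowed"
        if len(suffixes) > 1:
            # The strict choice: any second extension (e.g. malware.exe.jpg) is refused
            # outright rather than checked against an incomplete blocklist.
            return False, "multiple extensions not allowed"
        sniffed = sniff_type(content)
        if sniffed is None:
            return False, "content is not a JPEG or PNG"
        declared = ".jpg" if suffixes[-1] == ".jpeg" else suffixes[-1]
        if sniffed != declared:
            return False, "extension does not match content"
        # Magic bytes prove the header, not the whole file; re-encoding the image
        # server-side is the stronger follow-up step and is out of scope here.
        return True, secrets.token_hex(16) + sniffed


    if __name__ == "__main__":
        print("naive check on malware.exe.jpg:", naive_is_allowed("malware.exe.jpg"))
        print("hardened check on malware.exe.jpg:", validate_upload("malware.exe.jpg", SAMPLE_EXE))
        print("hardened check on avatar.jpg:", validate_upload("avatar.jpg", SAMPLE_JPEG))
    ```
    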

    Conclusion

    As a software engineer by training, one advantage I have in testing web applications is understanding the mindset of the developers working on them. People building apps start with the goal of creating something useful for customers. As time goes on, the team changes or users’ needs change, and sometimes vulnerabilities are left behind. This can happen in expected ways, such as outdated libraries, or unexpected ways, such as missing access control on a mostly unused account type.

    At Raxis, we employ a group of experts with diverse experiences and skillsets who will intentionally try to break the app and use it improperly. Having testers who have also developed applications gives us empathy for app creators. Even as we attack their work, we know that we are helping them remediate vulnerabilities and making it possible for them to achieve their application’s purpose.

    Want to learn more? Take a look at the first part of our Web Application Penetration Testing discussion.

  • How to Hire a Penetration Testing Firm – Part 1

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.

    Step 1: Identify Your Why

    There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.

    Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.

    See a term you don’t recognize? Look it up in our glossary.

    Step 2: Understand What You Have at Risk

    A closely related task is to be clear about everything you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personally identifiable information (PII) from the local hard drives.

    Step 3: Determine What Type of Test You Need

    General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.

    Raxis offers several types of penetration tests depending on your company’s needs:

    Step 4: Consult Your Trusted Advisors

    Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.

    In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.

    If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.

    The downloadable PDF below includes this list of Raxis services with an explanation of what we test and a brief explanation of how we go about it.

    Raxis Penetration Testing Services

    Step 5: Consider Ratings and Review Sites

    Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.

    Here are some resources you might find helpful as a start:

    Step 6: Check References

    Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?

    In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Did they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references, and others may not be willing to discuss the experience. However, some will, and that will add to your knowledge base.

    If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.

    If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.

    Want to learn more? Take a look at the second part in our How to Hire a Penetration Testing Firm Series.

  • What is Web Application Penetration Testing?

    I’m Matt Dunn, a lead penetration tester at Raxis. In this series of posts, I’m going to introduce you to the Raxis method of penetration testing web applications. We’ll start with a look at what a web app test involves and how it differs from the network testing we do.

    By their very nature, web apps deserve special scrutiny because they are designed in most cases to be accessible to a broad base of users, often with different roles that convey higher levels of privilege or access. Additionally, they are often used to perform wide-ranging functionality, from shopping and banking transactions to accessing healthcare data. With that accessibility and functionality comes exposure to a wide range of threats from malicious actors who want to exfiltrate data, modify the application, or otherwise disrupt its operation.

    When Raxis performs a web application penetration test, we typically approach it from the viewpoint of both unauthenticated and authenticated user roles. In many cases, some of the app’s functionality is going to be behind some form of authentication. We’ll go into greater detail about authenticated and non-authenticated tests in a subsequent post. For now, however, we’ll limit the discussion to tests in which we are given credentials for all user roles.

    Armed with the appropriate credentials, we examine all the functionality of the app to find out what features are accessible to users and how the application is intended to work. Can users’ profiles be changed? Are users allowed to upload files? Where can the user input their own content? What is each user supposed to be allowed to do? These are just some of the questions we’re looking to answer in the beginning of the test.

    Once we know what the app should do, we’ll test all these features to see if the business logic is correct. For example, an app may allow only administrators to delete uploaded files. So, we’ll attempt to circumvent that restriction and see if we can accomplish that with lower-privileged credentials.

    Raxis approaches a web application test from the perspective of unauthenticated users and authenticated users in multiple roles when more than one role exists.

    Login webpage with username and password

    Next, we will try to exploit the app’s features. For instance, we’ll test the various input fields to see if we can insert malicious code. If so, the app may be vulnerable to cross-site scripting (XSS) – a topic I’ve covered extensively on our blog and YouTube channel. In a similar manner, we’ll test areas where we can upload files to see if we can upload malicious content as part of an attack.

    One question we get from time to time is whether web application testing is included as part of our network penetration tests. The answer is no, for two reasons: First, it’s unlikely that, within the time of a well-scoped network test, we will be able to find credentials to all roles and parts of your web app. Second, network tests are broader in scope and identify the highest risk vulnerabilities across the entire network (as time allows). Depending on other findings, we often test the accessible pages as well as the authentication features. These include logins and “forgot password” pages, to name just a couple. Our goal is to see if we can gain unauthorized access, perform account enumeration, or attack the application externally. But we won’t test as a verified user unless we’re able to gain authenticated access, and even then, we will not focus on the web app in the same depth as we would in a web app test.

    That’s what makes web application testing so important. And with so many companies relying on (or even built around) web apps, it makes sense to conduct these tests regularly and address the findings in order of priority. Even if you are already performing network penetration tests, I strongly recommend that you conduct specific web application tests as well.

    Want to learn more? Take a look at the second part of our Web Application Penetration Testing discussion.

  • So, You Want to Earn Your OSCP?

    I’m Andrew Trexler, senior penetration tester at Raxis. As the Raxis team member who most recently earned the Offensive Security Certified Professional (OSCP) designation, I’m sharing my thoughts about the experience. My goals are to provide you with information I found helpful as well as to share some things I wish I had known in advance.

    Why take the OSCP?

    If you’re serious about being a penetration tester, the OSCP is, for all intents and purposes, the industry standard. As I considered pentesting as a career, I spoke with lots of people who were working in the field already. Consistently, they recommended getting the certificate, which requires taking the Penetration Testing with Kali Linux (PWK) course. I also watched a great YouTube video by John Hammond in which he recommended it.

    In truth, the course is useful for any career in cybersecurity, not just pentesting. If you’re working on a blue team, for example, the experience of hacking into a network provides a lot of valuable insights for developing a cyber defense strategy.

    Where to Start

    As I mentioned, you start officially with the PWK course. Going through it is helpful, and you really do learn a lot. The course includes a manual along with a lab environment. It is self-paced, so you go through it on your own time and schedule the test when you’re ready to take it.

    However, there are some things I recommend doing beforehand. If you are new to the pentesting/cybersecurity field, I would start with some capture-the-flag (CTF) exercises like those found here. After getting comfortable with CTFs, you might find it helpful to move on to sites like Hack the Box or TryHackMe. Doing these first will help you hit the ground running a little faster in the lab environment.

    How to Make the Most of Your Coursework

    Take lots of notes. While going through the lab, you’ll do many different things – and you’ll do the same things multiple times. Keeping notes on how you got access to each machine during the lab work (yes, with copy/paste commands and explanations) will help during the test. Your notes can give you ideas and help you remember difficult syntax. Also, notes that act as cheat sheets with common commands are especially helpful. (I use Obsidian to take notes in Markdown.)

    Further, I recommend spending as much time in the lab as possible. While there is a forum for users, it may sound like the people there are speaking in code. If you struggle, just keep working the problem and learning. If you do get stuck, ask questions in the forum. From my experience everyone is helpful, but they know it’s more important to guide you to an answer than give it to you. Those who answer usually do it in a way that makes you learn the solution on your own, and you’ll thank them for that when you are taking the OSCP exam.

    About the Lab

    The lab houses more than 70 different computers. Most of these computers contain vulnerable software that can be exploited – and some don’t. The idea is to exploit a vulnerable machine, grab any information it’s storing, and then use it to access a machine that does not have a vulnerability.

    Among the vulnerabilities you’ll see in the lab are ones that are well-known and that have been around for years. EternalBlue is one example. Then, there are smaller applications that still have known vulnerabilities, but require a little searching to find the right exploit.

    The real challenges are the custom applications that either can be used to gain access or have their own vulnerabilities that require custom exploitation, using anything from XSS to SQLi to LFI/RFI. There are also remote and local exploits to gain access and then escalate privileges.

    See a term you don’t recognize? Visit our glossary.

    To me, the most interesting part of the lab is the subnet structure. There are different subnets that require access to an initial computer, at which point you can pivot and pass traffic through that computer. Proxying traffic this way can be the only way to hit and exploit the other machines on the subnet.

    Andrew Trexler, Lead Penetration Tester

    How the Test Works

    There are five different machines on the test. On each are text files that can be submitted to prove your access. Depending on the difficulty of the machine, these files are worth varying numbers of points. Of 100 available points, you’ll need 70 to pass the exam.

    However, to get credit for those points, you have 24 hours to write a report that includes the steps you took to exploit the machine. These must be replicable by a technically competent reader and must contain either the link to the exploit code used or the exploit code if changes were made to it.

    During the exam, you are not allowed to use automated exploit tools. Metasploit can only be used once during the test, whether it works or not. Other exploits must be created manually by inputting the correct data or scripts, which may require some trial and error.

    What to Do Before the Exam

    It sounds counterintuitive, but I don’t recommend studying or practicing right up until test time. Instead, try to take the day before the exam to prepare for how you’re going to take it. The exam must be completed in 24 hours, but you can pick an early or late start time. If you’re an early riser, start early. If you like to sleep in, start later. The point is to make sure that you play to your own strengths.

    Use your prep to do other helpful things as well. Maybe make sandwiches for the next day or set up the computer you are going to use to take the test. Figuring out things that you can do the day before can and will make things easier come test day.

    What to Do on Exam Day

    The hardest part of the exam is the time management. The attacks to gain access are straightforward once you find them. However, you might have to change things up to get the exploit to work.

    Be sure to watch out for rabbit holes. There aren’t many, but being able to recognize them and get out of them quickly is a critical skill. Part of what they are testing is how quickly you figure out when you’re on the wrong path . . . or if you just haven’t gone far enough down the right one.

    Also, keeping things fresh and not getting frustrated is key. That’s why it’s important to take your time, despite the deadline. I felt pressured by the 24-hour time limit, but it helped a lot to take a five-minute break about once each hour. Walking away from the computer and just resetting a little bit can bring the burst of inspiration that helps you get to the next step.

    Incidentally, time management is a skill that’s even more essential in your career as a pentester. There’s only a certain amount of time allotted for testing, so you can’t get sidetracked chasing dead ends.

    Final Thoughts

    Remember that this is a professional certification, and many people don’t pass it on their first try. Let that take some of the pressure off. If you don’t pass this time, you always have next time.

    And, yes, it’s very hard. But that’s a good thing. If it were easy, everyone could do it and that would rob you of the satisfaction and respect that comes with earning your OSCP.

  • How Artificial Intelligence Will Power Raxis Continuous Penetration Testing

    A few years ago, Mark Zuckerberg of Facebook and Tesla’s Elon Musk feuded very publicly over whether artificial intelligence (AI) would be the key to unlocking our true potential as humans (Zuck) or spell doom for our species and perhaps the Earth itself (Musk). Apparently, neither of them accepts the notion that AI, like all technology, will expose us to new concerns even as it improves our lives.

    Meanwhile, here in reality, business owners are still facing the less dramatic, but more urgent threat posed by all-too-human hackers. Most seek money, some are in it for fame, others cause havoc, and many want all of the above. It’s against this mob that Raxis is using AI, more accurately called machine learning, to give honest companies an upper hand in the fight.

    Here’s how it works:

    Human Talent Sets Us Apart

    Raxis has built an incredible team of elite, ethical hackers, who are all the more effective because of their diverse backgrounds and skillsets. Our process starts with a traditional penetration test. Based on our customers’ parameters, we set our team to work testing your defenses.

    Think of this like your annual physical at the doctor’s office (without the embarrassing paper gown). Our goal at this stage is to find ways into your network and determine where we can go from there. Once you know where you’re vulnerable, you can remediate and feel more comfortable that your defenses are solid.

    AI Extends Human Capabilities

    One major challenge of staying cybersecure is that new threats are emerging and new vulnerabilities are being discovered even as I write this sentence. The point of continuous penetration testing is that we leverage technology to account for the pace of this change. Our smart systems will continually probe your defenses looking for new weaknesses – with software that is updated in real time.

    In keeping with my earlier example, this part of the process is analogous to wearing a heart monitor and having routine blood work. As long as everything remains normal, we let the system do its job.

    Humans Enhance AI Effectiveness

    When our AI discovers an anomaly, it alerts our team members, who quickly determine if it’s a false positive or a genuine threat. If it’s the former, we’ll simply note it in your Raxis One customer portal, so you don’t waste time chasing it down. The latter, however, will trigger an effort by our team to exploit the vulnerability, pivot, and see how far we can go.

    Consider this exploratory surgery. We know there’s a problem, and we want to understand the extent so that you can fix it as quickly as possible. That’s why we give you a complete report of the vulnerability, any redacted data that we were able to exfiltrate, and storyboards to show you how we did it.

    More than a Vulnerability Scan

    If you’re familiar with vulnerability scanning, you’ll immediately recognize why the Raxis Continuous Penetration Testing is different . . . and better. Ours is not a one-and-done test, nor is it a set-it-and-forget-it process. Instead, you have the advantage of skilled penetration testers, aided by technology, diligently monitoring your network.

    AI isn’t ready to change the trajectory of the human race just yet, but it is improving our ability to protect the critical computer networks we rely on.

    If you’d like to learn more, just get in touch, and we’ll be happy to discuss putting this new service to work for your company.


  • Meet the Team: Mark Fabian, Senior Penetration Tester

    My name is Mark Fabian – but to my friends and colleagues, it’s just Fabian. Today, I’m in the spotlight, discussing what really is my dream job — lead penetration tester here at Raxis. After just a few short months, I can highly recommend that you check our careers page and our YouTube channel to see if this is the career path and company for you.

    Jim: Mark, I think it’s important to let folks know that you represent “Raxis West” as the only Californian on the team.

    Fabian: That’s right. I’ve spent all but four years of my life in Northern California, here in the Sacramento area. Even the time away was just down south in San Diego.

    Jim: You must like it out there.

    Fabian: This is a perfect spot for folks who like to spend more time outdoors than indoors. Personally, I enjoy all kinds of activities like hiking, wakeboarding, dirt biking, riding jet skis, going out on houseboats, and just hanging out at the lake with my friends.

    Jim: Sounds like you’re definitely in the right place.

    Fabian: Yeah, the weather out here is great, though the water levels at the lakes have been down this year. There’s also an amazing number of activities within just a short drive, such as snowboarding or surfing.

    Jim: Speaking of activities, I understand you’re a musician.

    Fabian: I play guitar and some other instruments . . .

    Jim: You should get together with Tim Semchenko. He can sing while you play.

    Fabian: I was actually in a band for a few years that played metal and punk. I love all things music. I even used to run the soundboard for my church.

    Jim: You have that in common with (VP of Business Development) Brad Herring.

    Fabian: That’s interesting because church is also how I got started building websites. I made a remark about how outdated the church’s site was and they invited me to do better. The short version of the story is that I did and that became my duty.

    Jim: Is that how you first got into tech?

    Fabian: My interest in technology started a lot earlier. When I first started using the internet, we had an old, slow dial-up connection. But my neighbor had a much faster connection and Wi-Fi. As a joke, he said if I cracked the password, then I could use his Wi-Fi. I don’t think he ever expected me to crack it, but I did. Faster internet, here I come!

    Jim: Are you really telling me that hacking was one of your first tech achievements?

    Fabian: Ha! I guess so.

    Jim: Geez. Where do you go from there?

    Fabian: For me, it transformed into an interest in the mechanical side. I started repairing smart phones and tablets, adding memory to computers . . . that kind of stuff, mostly for friends and relatives.

    Jim: That mechanical interest went beyond computers, though, right?

    Fabian: Right. I grew up rebuilding cars and taking them to the track.

    Fabian changing fluids in his 2010 Mazda Miata

    Jim: (Raxis CEO) Mark Puckett must have enjoyed your interview.

    Fabian: Apparently, since I got the job. When I talked about my interest in cars, (COO) Bonnie Smyre joked, “Well, that’s it. We probably don’t need to know any more.” But I should add that I work on older, slower cars. No Porsches or Lamborghinis. And our track is more for drifting than racing.

    Jim: Did you find you had a knack for mechanic work, a greasy thumb or something?

    Fabian: Yes, as a kid, I used to rebuild gas-powered scooters. I also thought it would be a blast to take a weed-whacker motor and attach it to my bike. It did not disappoint. As I grew, the projects just got bigger. So, I started rebuilding car engines, changing out the suspension, doing custom fab work, and so forth.

    Jim: Did you consider making that a career?

    Fabian: In a way, yes. When I really focused on what I wanted to do for a living, three possibilities were at the top of the list: helicopter pilot, master mechanic, or a job in the tech field. But helicopter instruction is very expensive, and it would have taken as long to be a master mechanic as it did to develop the same level of skills in the tech field. Plus, technology seemed more versatile.

    Jim: Once you decided on technology, how did you decide that penetration testing was going to be your area of focus?

    Fabian: That was always my biggest interest. I just didn’t know how to get there at the time. So, I started with building websites, affiliate marketing, landing pages, that kind of stuff.

    Jim: College?

    Fabian: I did get my A.A. degree in computer science, but then I decided to start working on certifications instead of continuing in college. I got a helpdesk job because I thought that would be a good first step.

    Jim: Seems like it was.

    Fabian: It was, but there were a lot more steps in between. I went from doing helpdesk work to becoming an IT admin. I moved from there into a security operations center (SOC) analyst role to doing blue and purple team assignments. Finally, I landed at Raxis.

    Jim: Is it as good as you thought it would be?

    Fabian: Absolutely. This was the dream job, and working with the Raxis team has been an incredible experience. I love offensive security, finding and exploiting new vulnerabilities, and learning more every day. I also appreciate that we get to work independently, but we can reach out when we need help and offer help when it’s needed.

    “As others have said, the people are terrific and have a wealth of knowledge. They have high expectations for performance, but they give the team members a lot of flexibility and they encourage creativity.”

    Mark Fabian


  • Chained Attacks and How a Scan Can Leave You Vulnerable

    The results from your vulnerability scan showed only a couple of low or moderate level findings, but there is no denying that two experienced hackers now have domain admin rights; the freshly printed summary document on your desk spells out in excruciating detail how they traversed the darkest corners of your network and gained access to critical data.

    Fortunately for you, they’re Raxis team members, and you’ve paid them to do just that.

    The Chained Attack

    This scenario plays out frequently for Raxis customers who previously relied on companies that pass off vulnerability scans as faux penetration tests. It highlights why a scan, by itself, can give businesses a false sense of security about their cyber defenses. At their best, scans only point out individual links in what skilled and experienced hackers can turn into a chained attack – using one vulnerability to discover others, increasing or escalating network access with each move. In the case of parameter or business logic exposures, scans often remain blissfully unaware, failing to identify the exposures at all.

    Unfamiliar word or term? Visit our glossary.

    We’ll use a real-life example from a recent Red Team engagement to illustrate just how this works. Keep in mind that the following recap is just one way to employ a chained attack. There are many others. In fact, it’s such a common technique that it’s part of the test ethical hackers take to earn the Offensive Security Certified Professional (OSCP) certification. (Read about Senior Penetration Tester Andrew Trexler’s experience with the OSCP exam.)

    The First Link

    Using a response poisoning attack, our testers achieved a Man in the Middle (MitM) position and relayed Server Message Block (SMB) handshakes to hosts with SMB signing disabled, which allowed them to execute local commands and extract local password hashes stored by the Security Account Manager (SAM). One of those hashes was associated with a local administrator account, and they used it to connect to a system on the internal network.

    Once inside, they exploited a known design flaw in Windows authentication and used this local administrator hash in a Pass-the-Hash (PtH) attack using CrackMapExec (CME). They didn’t even have to crack the hash and get a cleartext password. Just sending the hash was sufficient to allow access.

    Creating the Chain

    Using PtH, our ethical hackers enumerated users logged on to a system, determined valid usernames, and extracted their Kerberos ticket hashes. This time, they did have to crack the hashed ticket for an administrative service account they found. A weak password and robust cracking hardware made this possible within seconds.

    Having identified the cleartext password for that administrator account, they found that it was shared amongst numerous systems. They connected to other systems across the network and found a domain administrator logged into one of them. An attempt to dump the memory of the Local Security Authority Subsystem Service (lsass.exe) process failed at first because the company’s security software blocked “procdump.exe,” the tool we were using to gather the memory dump. However, a second attempt with Process Explorer was successful and allowed our team to download a memory dump of the “lsass.exe” process, giving us access to the runtime state of the service that performs Active Directory database lookups, authentication, and replication.

    Another tool, Mimikatz, enabled our testers to extract the contents of that dump file, including the reusable NTLM password hash of a Domain Administrator (DA). Again using CME, they used the NTLM DA password hash to extract the contents of the entire Active Directory database. This is the database housing all Active Directory objects, including users and their password hashes for the entire domain (that often means every employee at a small company or every employee in a division of a large company).
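Each link in the chain above leaves a trace a defender can look for: a non-system process opening lsass.exe with memory-read rights (the dump step), one local account authenticating over NTLM to host after host from a single source (the reused local-administrator hash), and directory replication rights being exercised by a user or service account rather than a domain controller (pulling the Active Directory database). The detection logic below is an added example, not Raxis tooling or the customer's monitoring, and it runs over constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and Windows Security events 4624 (logon) and 4662 (directory service access). The field names follow those event schemas; the hostnames, accounts, addresses, tool paths and the process allow-list are assumptions made for the demo and would be tuned per environment.

```python
"""Detections for the chained-attack stages described above (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample events; field names follow the Sysmon / Windows Security schemas.
SAMPLE_EVENTS: List[Event] = [
    # Sysmon 10: a dump tool opening lsass with full access
    {"event_id": "10", "host": "WS01", "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Sysmon 10: Process Explorer reading lsass memory (the second attempt in the story)
    {"event_id": "10", "host": "WS01", "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Sysmon 10: an OS component with a query-only handle (benign)
    {"event_id": "10", "host": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Security 4624: one local admin account, NTLM network logons to many hosts, one source
    {"event_id": "4624", "host": "WS02", "TargetUserName": "localadmin", "TargetDomainName": "WS02",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"event_id": "4624", "host": "WS03", "TargetUserName": "localadmin", "TargetDomainName": "WS03",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"event_id": "4624", "host": "SRV01", "TargetUserName": "localadmin", "TargetDomainName": "SRV01",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    # Security 4624: a domain user's ordinary Kerberos logon (benign)
    {"event_id": "4624", "host": "SRV01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.77"},
    # Security 4662: replication rights exercised by a service account (suspicious)
    {"event_id": "4662", "host": "DC01", "SubjectUserName": "svc_backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Security 4662: the same right exercised by another domain controller (expected)
    {"event_id": "4662", "host": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Control-access right GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
PROCESS_VM_READ = 0x0010  # access bit needed to read another process's memory
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}  # assumption


def detect_lsass_access(events: Iterable[Event], allowlist: Set[str] = LSASS_ALLOWLIST) -> List[Tuple[str, str]]:
    """Return (host, source image) for processes that open lsass.exe with memory-read rights."""
    hits = []
    for e in events:
        if e.get("event_id") != "10" or not e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = e.get("SourceImage", "")
        if source.rsplit("\\", 1)[-1].lower() in allowlist:
            continue
        if int(e.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
            hits.append((e["host"], source))
    return hits


def detect_local_ntlm_reuse(events: Iterable[Event], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (account, source IP, host count) where a local account logs on over NTLM
    (logon type 3, account domain equal to the target host) to `threshold` or more hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e.get("event_id") != "4624" or e.get("LogonType") != "3":
            continue
        if e.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        if e.get("TargetDomainName", "").lower() != e.get("host", "").lower():
            continue  # a domain account, not a local one
        hosts[(e["TargetUserName"], e.get("IpAddress", "?"))].add(e["host"])
    return [(user, ip, len(h)) for (user, ip), h in hosts.items() if len(h) >= threshold]


def detect_replication_by_users(events: Iterable[Event], allowed: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (host, subject) for 4662 events where replication rights are used by an
    account that is neither a machine account (ends in '$') nor explicitly allowed."""
    hits = []
    for e in events:
        if e.get("event_id") != "4662":
            continue
        guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        subject = e.get("SubjectUserName", "")
        if guids & REPLICATION_GUIDS and not subject.endswith("$") and subject not in allowed:
            hits.append((e["host"], subject))
    return hits


def run_detections(events: Iterable[Event] = SAMPLE_EVENTS) -> Dict[str, list]:
    events = list(events)
    return {"lsass_access": detect_lsass_access(events),
            "local_ntlm_reuse": detect_local_ntlm_reuse(events),
            "replication_by_user": detect_replication_by_users(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The three rules are deliberately independent, because each one fires on a different link of the chain; seeing two or more of them from the same host or account within a short window is what turns a handful of medium-severity scanner findings into an incident. Legitimate sources of each signal exist (backup agents reading lsass, Azure AD Connect replicating the directory, admin jump hosts using one local account), so the allow-lists and the host threshold are the knobs to tune before alerting on them.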

    “Vulnerability scans are excellent point-in-time snapshots of potential problems. But it takes comprehensive penetration testing to demonstrate how easily a malicious hacker can link them together to create a chained attack.”

    Tim Semchenko

    Owning the Network

    Using this DA access, our team created a new backdoor domain administrator account in the Domain Admins group – ample proof for the customer that Raxis had in fact pwned their network.

    What else could they have done? Anything they wanted, including staying on the system indefinitely or just logging in periodically to steal data or disrupt operations. Once a hacker has this type of access, it’s very difficult for a company to know if their access has been truly and completely removed.

    How is this possible? Because a serious security flaw – one that would not be revealed in full by a vulnerability scan – offered our skilled team members an entryway to take down an entire network had they been bad guys.

    The point is that vulnerability scans are excellent at providing a point-in-time snapshot of potential problems on your network. But it takes comprehensive penetration testing to find out just how serious those issues are and to demonstrate how easily a malicious hacker can link them together to create a chained attack.

  • Meet the Team: Andrew Trexler, Senior Penetration Tester

    I’m Andrew Trexler, senior penetration tester and one of the newest members of the Raxis team. Recently, I spoke with our marketing specialist about how I got interested in penetration testing and what led me to Raxis. Take a look at our careers page — Raxis is always interested in speaking with qualified pentesters who may fit well with our team. So, visit the page and subscribe to our YouTube channel.

    Jim: Andrew, you started at Raxis recently, but you’ve been involved in information security for a while now, right?

    Andrew: Yes, I graduated from Pitt in three-and-a-half years. After I finished, I really wanted to focus my attention on cybersecurity, and I became obsessed with pen testing.

    Jim: From what I’ve heard, you earned a couple of high-end certifications as well.

    Andrew: I had my bachelor’s degree in Information Science, but, in the penetration testing field, certifications are just as important, if not more so. While I was looking for a job, I earned the Offensive Security Certified Professional (OSCP) and the eLearning Junior Penetration Tester (eJPT) certifications.

    Jim: Other Raxis team members have told me the OSCP is a very difficult cert to get. Was that your experience?

    Andrew: It took a lot of work over a long period of time. I only had a month of lab time, but I began studying for it five months before that. For the final exam, I had 24 hours to hack into five computers.

    Jim: That sounds painful.

    Andrew: The test was hard, but I really enjoyed the labs. My favorite was hacking into one computer, finding nothing on it, then figuring out how to use that computer to hack into others that did house the data I was after.

    Jim: What spurred your interest in technology initially?

    Andrew: I’ve always enjoyed computers. They’ve always just made sense to me, and so, in high school, I took all the computer classes that were available. Majoring in information science at Pitt was a natural next step. That’s where I got interested in network security and figured out that hacking and breaking into things is just plain fun.

    Jim: How did you find out about Raxis?

    Andrew: I was just looking around on the internet and came across the website. I interviewed with several companies, but Raxis really stood out.

    Andrew preparing to electronically detonate fireworks.

    Jim: How so?

    Andrew: For one thing, (chief operating officer) Bonnie Smyre really went out of her way on multiple occasions to make sure my questions were answered and to encourage me to take the job. The people I spoke with all seemed to enjoy what they do. It really felt like a happy family and it still does.

    Jim: You’ve said that hacking and breaking into things is fun, but I understand you’re also an expert at blowing things up.

    Andrew: I guess you could say that. On occasion, I get to be a pyrotechnics artist, putting on fireworks shows.

    Jim: I’m tempted to say, “That must be a blast,” but I’m sure you’ve heard that one before.

    Andrew: Ah, yeah, a few times.

    Jim: In all seriousness, it seems like that would be very exciting or terrifying, depending on your perspective. How did you get into that?

    Andrew: It started out as a one-time thing, helping my cousin put on a show. Next thing I know, I’m a trained technician.

    Jim: Where do you put on your shows?

    Another successful show.

    Andrew: My hometown is here in Monroeville, Pennsylvania, just outside Pittsburgh. We do shows here and as far away as Altoona. Mostly for the minor league baseball games.

    Jim: Isn’t that a dangerous occupation?

    Andrew: We take a lot of precautions, so we keep our operations very safe. It takes us anywhere from an hour to three hours to set up for what, sometimes, is a 15-minute show. Also, our mistakes tend to be blown up or burned up.

    Jim: You don’t make many, I’m guessing.

    Andrew: Ha! None that you know about.

    Jim: It seems like fireworks would be computer-controlled nowadays? Is there a high-tech component to that work?

    Andrew: Some of the bigger shows use electronic controls, but, for the most part, ours are just old-fashioned fuse-lit fireworks.

    “Even the most senior people at Raxis will stop what they’re doing and help you out when you need it. On top of that, these are fun people to work with who are really, really smart.”

    Andrew Trexler

    Jim: It’s hard to compare with the excitement of a fireworks show, but you obviously enjoy your work with Raxis. What’s your favorite part so far?

    Andrew: What I’ve enjoyed most so far is being able to ask questions of my teammates and answer theirs when I can. The culture is one in which everyone is here for everyone else. Even the most senior people at Raxis will stop what they’re doing and help you out when you need it. On top of that, these are fun people to work with who are really, really smart.

  • Meet the Team: Mark Puckett, CEO

    I’m Mark Puckett, CEO of Raxis. By now, you’ve met all but the newest members of our team, so it’s time I step up and tell you more about how this company came to be. Before I do, however, you should know that the secret to Raxis’ success is the incredible individuals you’ve met up to this point. I’ve never worked directly or indirectly with a finer group of people anywhere. I’m fortunate to call them colleagues and friends. If you’d like to be a part of our team – and you have what it takes – keep an eye on our careers page. Maybe you can be part of our exciting future.

    Jim: Mark, it’s a small percentage of people who have the courage to start a business – and then only a relative handful that enjoy the success Raxis has had over the past decade. How did you decide that launching a business was the right move?

    Mark: Initially, I chose a different path by working for large corporations like GE and Home Depot, as school always taught us that was the best path for success. Yet, I always had an interest in starting a business. My mother is an entrepreneur at heart. My parents owned a jewelry store when I was growing up. Later, my mom started a translating and interpreting agency that provided language services for the legal industry. It took some time for me to realize that I had that same inclination toward entrepreneurship.

    Jim: Was Raxis your first attempt at starting a business?

    Mark: Yes and no. I’ve owned the raxis.com domain name since 1999, and it started out as a website hosting business. Then it morphed into a rental property management company, an SEO business, back to web hosting, and then to secure software development. But after 18 years in corporate America and toying with side-businesses, I decided it was time to take a shot at making Raxis my full-time endeavor, only this time as a penetration testing company.

    Jim: With apologies to Tolkien, one doesn’t simply walk into pentesting. You must have had a strong background in security to even consider the field.

    Mark: That’s true. Penetration testing became an interest of mine years ago when my career pushed me in that direction. I moved from a network and application security defense role to managing Home Depot’s internal Red Team. After a couple of years in that role, I found I really enjoyed penetration testing and realized it had a lot of business potential as a relatively young concept at the time.

    Jim: Seems like a scary prospect to jump in with both feet.

    Mark: Knowing that you can’t really tell two stories well, I knew I had to leave Home Depot and take a chance at running Raxis full time. For a true entrepreneur, the scariest proposition is not pursuing an idea. So, I left Home Depot in 2011 to chase my dream. That dream, known to many as Raxis, has been profitable since inception and growing steadily to date.

    Mark with the Raxis leadership team on a job in Anchorage, Alaska

    Jim: A very common theme among most of the Raxis team is this intense curiosity that seems to be present from an early age. Was that true of you as well?

    Mark: As a matter of fact, yes. And I think that deep curiosity is a character trait you’ll find among all the best ethical hackers. We know there’s a way in, and we will find it. And I can remember that same feeling of determination from early in life.

    Jim: How did that emerge?

    Mark: First, it was an interest in electronics that started when I was about 6 or 7 years old. I really enjoyed taking apart electronic toys and appliances to see how they worked. I’d salvage all sorts of parts like motors, lights, LEDs (only in red at the time), and switches. I came up with all sorts of little projects just for fun, like fasten parts to a cardboard box to make a “switchboard.”  Mine was only able to turn on and off lights and run a DC-powered fan that used a popsicle stick for a prop, but I really thought it was fun to build. My parents correctly realized they were on to something. So, they got me a 50-in-1 electronics kit from Radio Shack that I absolutely loved.

    Young Mark with his 50-in-1 electronics set

    Jim: Was that your ‘gateway’ tech?

    Mark: Yes, apparently so. Because, as soon as computer technology became affordable to consumers, I had to have one. My first computer at age 8 was a Tandy Color Computer 2, also from Radio Shack. I taught myself how to write BASIC programs from typing in code I got from a computer magazine subscription. That began a life-long relationship with technology. After the Tandy CoCo 2, I became an avid IBM PC clone fan, then to Linux, Windows, and now MacOS X.

    Jim: Another theme that recurs in these interviews is the close-knit relationship among the team members. Raxis’ COO Bonnie Smyre talked about your friendship that began in high school and continued through the years. And (VP of business development) Brad Herring is a longtime friend as well, right?

    Mark: That’s right. I’ve been friends with Bonnie since high school, and we stayed in touch until I convinced her to join Raxis several years ago. I’ve known Brad even longer. My family moved from Carrollton, Georgia to Marietta when I was 10 years old. I met Brad in middle school, and he was my first new friend in a new town. He also had a computer and really enjoyed technology, so we had a lot in common. There were times our lives led us in different directions, but we always were able to keep in touch. We were catching up at a lunch, just as we did every now and then, when I mentioned to Brad that I needed some help with generating more business for Raxis. Brad jumped in with both feet and was able to build a first-rate sales program that has exceeded expectations since inception.

    Jim: Speaking of Brad, he told me that, in addition to your love of technology and electronics, you also have a longtime passion for cars. Is that what keeps you busy when you’re not focused on Raxis?

    Mark: Aside from spending as much time as I can with my lovely wife and three beautiful daughters, I seem to be a jack of all trades and master of none when it comes to hobbies. My favorite hobby is pretending to be a race driver at Road Atlanta. I also enjoy boating (but not so much fishing), cycling, photography, videography, astronomy, and home theater.

    Mark indulging his need for speed in his Porsche GT3 at Road Atlanta

    Jim: One of the Raxis YouTube videos discusses teamwork as the company’s “secret sauce.” What’s your take on that statement?

    Mark: Truer words were never spoken. Raxis hires people, not positions. We look for folks who care about making a difference more than just making a paycheck. It takes longer to find the right team members, but it’s so worth it when you see how well all our various skillsets complement each other. And, even though we’ve got absurdly talented people here, we don’t have giant egos to deal with. As a result, we’re continuously learning from each other and our customers get the best service possible.

    I don’t take credit for their great work, but I’m certainly proud to be a catalyst for bringing them all onto one team.