Thursday, 19 July 2012

My pentesting setup

I think you can learn a lot by sharing how you work and why you work that way... so I will start and explain some of the key points I can think of.

First, the operating system: I'm using Linux because it's more flexible and easier to drive. I can pretty much do anything I want without having to really think about it. I can control most things without having to use the mouse (wasted time) or search (wasted time again). Since pentests are short engagements, the quicker you are, the more you can do. For me, working on OS X or Windows is just too much time wasted (I do understand that people prefer them because they are used to them). Furthermore, I cannot work without at least 8 to 10 virtual desktops.

Regarding window managers, I tried a lot of them and I'm now using wmii; it's not better than any other window manager, it's just better for me. On some window managers, when you want to access a given application, you need to ALT-TAB until you find the right one, and the applications' order always changes; that's just a waste of time again. On wmii, or other similar window managers, you can just use vi shortcuts to move between windows and use one virtual desktop for each application (you can do the same on other WMs like GNOME or KDE, but you need to set it up).

Personally, I setup my virtual desktops in the following way:
  • 1: "administration shells", IRC and taking notes
  • 2: Firefox (my testing browser)
  • 3: Burp Suite
  • 4: Chromium (my "working" browser)
  • 5-9: different stuff: rdesktop, code review, eclipse, emulators... depends on the engagement
  • 0: Music

I use Firefox for testing because it's more flexible and has better error messages than Chrome. I use Chrome for work because I like it better (and it feels safer).

For taking notes, I use vim with the following .vimrc:

set foldmethod=marker    " fold on explicit markers in the text, not on syntax or indent
set foldmarker={{,}}     " use {{ to open a fold and }} to close it (default is {{{ / }}})
set expandtab            " insert spaces instead of tab characters
set ignorecase           " case-insensitive searching...
set smartcase            " ...unless the search pattern contains an uppercase letter
set paste                " paste text as-is, without auto-indent reformatting it
syntax enable            " turn on syntax highlighting
set ts=2                 " a tab character displays as 2 columns

My notes file looks like this (each section is a fold, opened with {{ and closed with }} to match the foldmarker setting above):

{{ Network

}}

{{ Credentials

}}

{{ Issues

  [ ] 

  [ ]

}}


It works perfectly with vim's folding. This notes file lets me keep track of any information during the test and keep all the findings together. During the testing, I change a finding's marker as it progresses:
  • [ ]: new finding unreported to client;
  • [-]: finding reported to client;
  • [X]: finding reported to client and written in the report.
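As an added example (not code from the original post), here is a small Ruby script that parses a notes file in the layout above, attributes each finding to the fold section it sits in, and summarises the three status markers. The sample notes embedded in it are constructed for the example; the section names and markers are the ones from the post, and the function names are my own.

```ruby
# Added example: parse a fold-marker notes file and summarise findings by status.
# Assumes the layout from the post: sections open with "{{ Name" and close with
# "}}", and each finding line starts with "[ ]", "[-]" or "[X]".

STATUS_LABELS = {
  "[ ]" => "new, unreported to client",
  "[-]" => "reported to client",
  "[X]" => "reported and written in the report",
}.freeze

# Constructed sample notes file in the post's layout (not real engagement data).
SAMPLE_NOTES = <<~NOTES
  {{ Network
    10.0.0.0/24 - internal range
  }}
  {{ Credentials
    admin / example-password
  }}
  {{ Issues
    [ ] Verbose error page on /debug
    [-] Missing HttpOnly flag on session cookie
    [X] Outdated web server banner
    [ ] Directory listing on /static/
  }}
NOTES

Finding = Struct.new(:section, :status, :text)

# Walk the file line by line, keeping a stack of open fold sections so each
# finding is tagged with the innermost section it appears in.
def parse_findings(text)
  sections = []
  findings = []
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?("{{")
      sections.push(line.sub(/\A\{\{\s*/, ""))
    elsif line == "}}"
      sections.pop
    elsif (m = line.match(/\A(\[[ \-X]\])\s*(.*)\z/))
      findings << Finding.new(sections.last, m[1], m[2])
    end
  end
  findings
end

# Count findings per status marker, in the order the post lists them.
def status_summary(findings)
  counts = STATUS_LABELS.keys.to_h { |k| [k, 0] }
  findings.each { |f| counts[f.status] += 1 }
  counts
end

# Findings the client has not heard about yet: what to raise at the next checkpoint.
def unreported(findings)
  findings.select { |f| f.status == "[ ]" }.map(&:text)
end

if __FILE__ == $PROGRAM_NAME
  findings = parse_findings(SAMPLE_NOTES)
  status_summary(findings).each do |marker, n|
    puts "#{marker} #{STATUS_LABELS[marker]}: #{n}"
  end
  puts "Still to report: #{unreported(findings).join('; ')}"
end
```

Run it against a real notes file with `parse_findings(File.read("notes.txt"))`; because the parser keys on the same {{ / }} markers vim folds on, the file needs no extra structure to be both readable in the editor and machine-checkable at the end of the engagement.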

Another thing I want to share is how I organise my tests. Every time you're doing a code review or pentest, you find yourself writing some really simple code to test something. For this, I have a code repository with one directory per language: ~/code/ruby, ~/code/php, ... That way, I have working examples of common vulnerabilities and secure methods for each language and I can have a quick look whenever I need to.

The last thing I keep is a methods folder: a basic write-up of current techniques and methodologies:
  • a script to set up a gateway in a few seconds,
  • a script to build an SSL certificate and set up socat to MITM SSL,
  • review scripts for a lot of different systems,
  • how to audit different systems, how to review applications in a given language,
  • webshells,
  • ...

That's basically it, what tips do you have to share now?


Anonymous said...

I just wanted to take a minute to thank you for this post. If I had anything of value to contribute I would. I would love to hear more about your setup and why.

Thanks again.

Louis Nyffenegger said...

Cheers, make sure you check our exercises.

For the setup, choices are mostly done for productivity ;)

Anonymous said...

Not so much software... But multiple monitors. Ideally 3 x 24" screens...
Plus a good keyboard and mouse... Makes things much more enjoyable...