Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools

Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices (Pwn the Pwn Plug and I Hunt Penetration Testers), this paper and presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. Widely available books and other training resources target the smallest set of prerequisites, in order to attract the largest audience. Many penetration testers adopt the techniques used in simplified examples to real world engagements, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact. The accompanying presentation to this paper includes a live demonstration of techniques for hijacking a penetration tester’s normal practices, as well as guidance for examining and securing penetration testing procedures. The tool shown in this demonstration will be released publicly (with code) along with the first presentation of this talk. INTRODUCTION This paper is a companion piece to the talk of the same title. In both this paper and the correlating talk, previous work is presented, followed by a review of the threats to penetration testers. A study was performed on a large body of penetration testing learning materials, illustrating the lack of secure practices being taught— practices that have been observed to be repeated on real engagements. WESLEY MCGREW, PH.D. DIRECTOR OF CYBER OPERATIONS, HORNE CYBER [email protected] @MCGREWSECURITY