David: What's better, Parrot OS or Kali Linux? But you would say that, because you're a parrot. I see my kitty. What is that kitty doing on the table? Is it learning Parrot OS?

Neal: Yes, she wants to be a hacker too.

David: Everyone, it's David Bombal, back again with Neal Bridges, really trying to extract as much knowledge out of Neal as we can during these calls. Neal, welcome.

Neal: Thank you as always, David. I'm glad to be back.

David: So Neal, let's hit this one running. I get this question a lot: what do you prefer, do you prefer Kali or do you prefer Parrot OS, and why?

Neal: So if I had to break it down to the two, I'd say Kali. And again, I think there's no wrong answer, and I think that's the first thing that I would say: I don't think that there's a wrong answer in this book. But again, I go back to, you know, call me a boomer or old or whatever it is you want to call me, but you have to have the right tool for the right job. If you look at Kali and you look at Parrot, all they're really doing is taking all of these GitHub projects, like Metasploit, like the Social-Engineer Toolkit, like recon-ng, and pulling them into a centralized distro. There's nothing stopping you from taking an Ubuntu distro fresh from the Ubuntu website, going to the Metasploit GitHub and installing Metasploit on the latest version of Ubuntu. And quite honestly, there's a number of penetration testers that I know, that I've come up with in the industry, that prefer to do that even to something like a Kali or a Parrot. So there's no wrong answer, but when I say Kali: if your path eventually leads you to a cert like OSCP, Kali is going to be something that you want to be familiar with, because it's something that you're going to use during OSCP anyway. I think you will eventually find yourself graduating out of Kali and building your own Ubuntu distro that has the tools that you're awesome at, more so than having a reliance on the Kali distro.

Me myself, when I would do penetration testing, I carry with me three different VMs. I carry a Windows VM for all things Windows. For Cain and Abel, for instance: Cain and Abel only runs on Windows; it won't work on the Wine version that's included inside of Kali, so I carry a Windows version for that. I carry Windows versions just in case I want to join a computer to a domain after I've hacked into it, for any of the ADFS functions and things like that, PowerShell scripting and things like that, although Kali's added a lot of that capability into it. I carry an Ubuntu VM that has a lot of the GitHub scripts that I like to augment during my penetration test, or if I've made any modifications, say, to my Metasploit distribution based on custom exploits that I've gotten that are out there or that I've developed myself, then I'll take that Ubuntu VM that's developed. And then I'll take a Kali VM, because it's super easy to hit power on on a Kali VM and have over 300 tools at your disposal inside of a Kali VM that are all ready to go. So I think it's about looking at Kali in the holistic sense of your toolbox. Know that there's no wrong answer; it truly is a preference, and that's why I choose Kali.

David: So we're going to talk about something else, but I'm going to push in a few things now. We briefly mentioned this before: if you took one machine to go do an attack, is it your Mac that you mentioned before?

Neal: It is, it is my Mac. I have a MacBook Pro. It's got 16 gigs of RAM, and I make that relevant to say, you know, I mentioned three VMs, right, and you want to be able to, just on an off case, run all three VMs at the same time. That's a rough day if you're running all three of those VMs at the same time, but you have that option if you need to. You want to have a high-RAM computer. It's not a requirement, but it's helpful, especially for some of the VMs that you could be running. You don't really want to be doing password cracking inside of a virtual machine. It is possible, and I would say that for some hashes that you would get from something like Responder, you could potentially put them through John the Ripper on a VM, but your efficacy is going to drop significantly. I think you've done a video on this, specifically around password cracking, and that's why a lot of people have invested significantly in building password crackers and shipping those passwords off. So how you use the VMs could vary greatly, but I think for most people who are coming up and learning, if you can run one VM, or if you've just got one computer... again, we've talked about this during the last video, Dave, we talked about thinking outside the box, right?

David: Yeah.

Neal: I do the unpopular opinion thing on Windows. If all you have is a Windows 10 laptop...

David: I'm glad you're gonna mention that. I was just taking notes: now, what laptop should I buy?

Neal: I think you've done a video on this as well, and I hope people took that video to heart, but it's WSL, the Windows Subsystem for Linux.

David: Yeah.

Neal: And I don't think people realize just how brilliant it was for Microsoft to put WSL into Windows 10. I tell people frequently: look, if you've got a Windows 10 laptop, use WSL and put Ubuntu on there, put Kali on there in WSL, and you can achieve objectives without needing to necessarily run VirtualBox or VMware or anything like that to get a VM on there.

David: Yeah. So let me push you on this, Neal. A lot of guys, I've had this on a lot of videos, so they're hilarious, guys say you're not a hacker because you're not running Kali. What's your point on that? Would you recommend someone install Kali on bare metal, or would you tell them to put it in a VM?

Neal: I think you and I had an episode on how to handle haters, and I hear people say things like that and I'm like, wow, that's what you're going to choose to knock people about? No, do you need to run Kali on bare metal? Look, I've built a number of drop boxes in my time, I've built a number of specialized laptops because of sensitive penetration tests, and sure, you can put a penetration testing distro on bare metal. But if you're putting Kali on bare metal and then you're trying to take that laptop with you to do work every day, like check your email and write penetration testing reports, and you're trying to make that also your day-to-day laptop, I don't think you really have a concept of what it is you're trying to do with that laptop other than just look cool that you're using Kali on a day-to-day basis. Because to use Kali day-to-day for checking your email, writing your penetration testing reports, doing your research and things like that, it is not equipped to do that whatsoever. It's not a distro that we use like Windows or OS X and things like that, and I think people who try to make it that are really just people who want to say, yeah, I've got a laptop that's got like hacking stuff on it, it's got Kali, which is the hacking distro, and so therefore I could open up this laptop and hack your network today. And that's just not reality.

David: I mean, the lines between physical and virtual are getting so blurred, because with WSL, with VMware, with nested virtualization, the performance... I saw the Microsoft guys talking about the performance between WSL versus bare metal, and you're definitely losing, but it's not that much. And to your point, if you're going to be doing GPU password cracking, you're probably going to put that on a Windows rig or something where you can really make use of the GPUs. That's not the laptop that you're going to be carrying around. So it's just coming full circle now: would you use a Mac, or would you recommend Windows with VMs if someone was starting out? Because I get this question a lot: David, what laptop should I buy? What would you recommend, Neal? We could start with a low-end laptop, medium, if you've got a lot of money, or you can just give me kind of things to think about when buying a laptop.

Neal: Well, I'm glad you went into the money realm, because I think the money thing plays a huge role in it, right? If you're in a financially strapped situation, I think whatever you can get your hands on, you can turn into a laptop that can help you in your ethical hacking career, because you've got to remember you can put Kali, or Ubuntu for that matter, or any other Linux distro, on a USB thumb drive, and you can run it from a USB thumb drive and boot it from there. So if you're in a financially strapped situation, you could get away with running some of these very lightweight Surfaces that Microsoft puts out. I wouldn't recommend going so far as to get a Chromebook, because I think a Chromebook's a little too stripped down to do it. I don't know if I've actually ever seen anybody use a Chromebook for Kali or anything like that. But if you were to look at some of these cheaper Surfaces, that's a good place to start if you're a little strapped for cash. When you look at the finances of buying a laptop, I would look at prioritizing RAM and hard drive space over CPU, right? And that's just...

David: Yeah.

Neal: Well, because RAM is going to help you with the number of virtual machines you can run. And to your point, there is loss between WSL and virtual machines, I don't want to gloss over that, but again, tools fit form and function. Do you necessarily need 100% efficacy between WSL and a virtual machine? What are you hoping to accomplish between that computing loss between those two? If you're just trying to get familiar with Kali Linux, then maybe you just need one Kali VM that's got one gig of RAM, and so a four-gigabyte laptop is probably good enough for you, which is pretty easy to get off the shelf for a few hundred dollars. But as you grow up in the industry, and as you get your first job, as you start to pull in some money doing ethical hacking, I would definitely look to invest in yourself. My preference, and what I recommend to people, is a MacBook. That to me would be like the finish line, or the star that you shoot for, because again, remember, MacBook OS X is BSD based, which is effectively Linux. They've done a great job with technologies like Homebrew that allow you to install the same stuff that you can install from a VM onto your Mac natively. You can actually do a Metasploit installation and Ruby installation via Homebrew natively on your Mac, so you can effectively have Metasploit running on bare metal on your MacBook Pro. And then just the flexibility that you have inside of that operating system to be able to do almost anything you can do in Linux is hands down the best. And then also it's obviously got the power to support multiple VMs and things like that that make it powerful.

David: It's interesting, I saw an article: the guy who created Ruby on Rails tried a while ago to move to Windows from a Mac, and he tried all kinds of things and it was a disaster, but that was before WSL, and I think WSL has changed the game significantly, because now you can run Linux basically in this lightweight VM on your Windows computer. Okay, so just to summarize: if you had to choose, you would get like a Windows laptop if you were starting out, perhaps, and then just run stuff in VMs. VMware Workstation Player is free, or VirtualBox is free, so you could use one of those to virtualize it, or use WSL. I must say, WSL, I find that it struggles with networking, so if you want networking stuff, I personally prefer a VM at the moment. But then the ultimate finish line, you're saying, is to get a Mac, just because the operating system is so close to Linux, and it's a good piece of hardware. Is that right?

Neal: Absolutely. And again, you have to think about what you're doing as an ethical hacker, right? When you're an ethical hacker from a career perspective, you're not just pen testing day in and day out. You have to write reports, you have to check your email, you've got to work on statements of work. Whether you like it or not, you're in that business pipeline where you've got to do that, and so you have to think about those integrations with business technologies, with Active Directory, with Microsoft Office and things like that. A Linux-based operating system like Ubuntu, yeah, they've got a ton of great features, but you're not going to get Microsoft Word for Ubuntu; you're going to get LibreOffice, and there's stuff that's lost in translation to go from Office to Libre and from Libre back to Office. So you have to think about it holistically. Again, for those of you who want to make a career in ethical hacking, that laptop is the laptop that you're going to go to war with when you go to a customer site, and then you're going to come back and write your reports on it. So think about it from that perspective: do you want to have two laptops, or do you just want to keep everything inside of a VM, keep it contained, and have a singular machine that allows you to accomplish the mission and do your job at the same time?

David: I mean, the great thing about a VM is you can snapshot it, so if you screw it up or you have a problem, you just restore from snapshot. That's quite difficult to do with a physical PC. Obviously you can restore stuff, but it's not as easy.

Neal: Well, and real quick on that same topic, because again I get back to the practical side of ethical hacking from a career perspective: if you're working with a client and, let's say, you do gain access to personal health information or personally identifiable information, things that are protected under GDPR, it makes it a lot easier for you to give the client a sense of data security to say that all of your data is held inside of this VM. You mentioned VirtualBox and VMware, which both support encrypting the VM, in addition to Kali and Ubuntu having encryption that you can do from an LVM perspective when you go to stand up the VM. So you can provide your client a sense of data security inside of that VM that might be otherwise hard to do if you're trying to put it on bare metal and having to reload it every single time, or something like that.

David: Yeah, it's a great point. I wanted to ask you this, Neal, before I forget. Let's say I'm an ethical hacker, I'm on the red team. How much of my time is actually breaking in, in relation to everything else I do? Because you spoke about, you know, you have to do SOWs perhaps, you have to do all kinds of things, and obviously this will vary a lot, but can you give us an indication? Is it like 50% of my time, 90% of my time? I just think we need to put this in perspective, because people focus very heavily on the hardcore hacking skills and then they forget about writing reports and all the other stuff that goes with it.

Neal: Yeah, no, that's a very good question, and again, mileage may vary. It varies based on company, it varies based on your role in the organization and things like that, and so I'm going to speak very broadly about a couple of different levels. But generally speaking, the two biggest things that you have to do as a penetration tester, as an ethical hacker or red teamer, is you have to hack, and then you have to write reports. This is why we talk very heavily on focusing on soft skills, focusing on the writing part of it. You are a useless pen tester, and I'll say this at the risk of unpopular opinion, you are a useless pen tester if you write a shitty report.

David: Yeah, I mean, what does it help the customer if you write rubbish?

Neal: You don't have any value to customers if you can't write a report. So if you want to be the best ethical hacker in the world, and you want to go out there and learn how to write zero-days, and you want to have OSCP and AWE and all these other certs that Offsec puts out, or you want to go get PTP and PTX from INE, and you want to go get all these awesome certs, that's all well and good. But if you can't write a report that helps your client protect their environment, you have failed as a penetration tester. And so I think those two things should be the sharpest tools in your toolkit. Now this is where, again, mileage may vary, depending on what your involvement is with the sales team, depending on the company that you're at. Let's say that you're at a consulting company like a Big Four, or you're at a consulting company like Accenture or something like that, and you're actively involved in the pre-sales process, and you may be helping with scoping, and so you may be sitting in on pre-sales calls where you're listening to a client explain to you how big their network is, or how many nodes they've got, or all these other things that go into helping your sales team determine the scope of a penetration test. And then you may be having those post-call conversations with the sales team that say, well, we could do this really huge pen test for a hundred thousand dollars, or we can do this really small test for fifty thousand dollars. And then you're having that conversation internally, and this is something that I don't think people realize if you're on that consulting side. You're having that conversation internally because you as a penetration tester, like, I want to do the biggest, baddest, most awesomest pen test that I can do, but it's going to cost the client a ridiculous amount of money, and it may not be the right pen test for them. So you're having to practice those soft skills in terms of helping the organization narrow down and scope the pen test that matters for the client, and so you're going to spend a portion of your time doing that. You may spend a portion of your time helping the marketing team, explaining to them what ethical hacking is and penetration testing is and red team is, to put into a slide deck so they can make it better for the marketing folks. If you're in a corporate environment, like you're working for a company and you're a penetration tester for the company, your days may consist of doing more hacking than some of the other stuff I mentioned, since you don't necessarily have to do the sales stuff. But your reports become equally more important, because everybody is relying on you and there's so much focus on you inside of that organization. And then you're continuously contending with the inner-office politics, and this is, again, let's break down barriers and let's demystify how awesome people think ethical hacking is inside of a company. You can't just wake up on, what's today, Wednesday that we're doing this? You just can't wake up on Wednesday and be like, I'm going to phish the CEO, or I'm going to spoof the CEO's email address and phish the entire company. That just doesn't happen in most of these Fortune 100 companies, even most Fortune 500 companies. You're not doing that. You're not just waking up and being like, well, we've got a new Zerologon exploit that's out today, I'm gonna run it against the domain controllers. Oh, it's the end of the month, and you bring down a domain controller that's connected to SAP at the end of the month that's trying to do month-end billing: you will lose your job over that. And so you have to contend with the inter-office politics that comes with telling the organization that you're going to conduct a penetration test, and literally getting everybody's buy-in from the network technician all the way up to the CSO, the CFO in some cases, in terms of doing that. So it's not day in and day out hands-on-keyboard hacking, and this is why we harp so hard on soft skills.

David: So let's say you're working for a Big Four consultancy firm. Is it like half your time as actual pen testing? I know it's really rough to pinpoint this, but I'm trying to just get a feel for why you keep talking about soft skills being so important.

Neal: I think half is at best.

David: At best? Okay.

Neal: At best. Because especially the Big Four, at a Big Four they don't have a sales team. And I don't know, again, people who have not experienced the Big Four, that was my big shocker when I went to a Big Four, is that there isn't a sales organization inside of a Big Four. Regardless of the level that you're at, whether you're an associate level up to a managing director level, you're selling something at some level inside of a Big Four, and you're part of that responsibility. So you're working on requests for proposals, you're working on scoping exercises, you're working on marketing material, you're working with other people inside of a Big Four to do that sales process. And then you get on an engagement, and that's awesome and you're excited, but you have to remember, in most of these cases a pen test engagement is a point-in-time engagement, and it's gonna last for three, four, six, eight weeks at best. You're gonna do the penetration test and you're gonna be done. So yeah, for those eight weeks you may be 40 hours a week plus doing that penetration test, and it's going to feel like it's full time. But then if you don't have another penetration test lined up after that, for some reason, whatever the case is, you're now back to the other things that are associated with trying to bring business into a Big Four. A dedicated penetration tester for a Big Four doesn't necessarily assume that when you finish one pen test engagement you're gonna roll right onto the next pen test engagement all the way throughout the year.

David: That's really important. I'm glad you've mentioned that. So you said your top skills were: you have to have the technical skills, and then the second one was you have to be able to write reports. So Neal, practical as always: how do I learn to write reports? Are there templates? How do I get information to know what a report looks like?

Neal: So I want to answer that in two different ways, in true Neal fashion. The first one, which is how do I learn how to write: you write stuff. LinkedIn, and we're gonna do a completely separate topic on LinkedIn, but LinkedIn gives you a fantastic platform to practice writing. It's called posting content, it's called writing articles. And people talk about starting their own blog up, right? That's how you practice writing. You're going to get real-time feedback if your writing sucks, if your analysis sucks, if somebody finds a flaw. You're gonna get that real-time feedback, and that's gonna help you be a better writer. So I think to learn how to write, you need to start writing things, and so I always point people to LinkedIn and have them just start writing stuff on LinkedIn. Whatever your passion is, just pick up an article and write it. So we'll go back to our thousand-connection challenge that we did during the first video, David, and I'll say that if you're an ethical hacker, regardless of where you're at in the industry: we've got four quarters, we're coming to the end of the first month of the first quarter, you should have four articles. If you're an ethical hacker, you should have four articles. That's one a quarter. That's crazy easy to do, about something ethical-hacking related, every quarter. And I'll make it easy for you: there's three things that should be in your mind when you write any piece, whether it's corporate America, whether it's a pen test report, whether it's an incident response report. Three easy segments: what, so what, now what. And so four articles, that's all you got to do this year, just four little easy articles on something ethical-hacking related that covers what, so what, now what. If you can do that, you have built your foundation for how to write, and I would just say keep doing that, keep learning from the critiques that you get about it, ask people to review it, ask people to give you advice and critiques on it, and keep growing in that segment. Now to your other part, in terms of pen test templates: these are harder to come by, because obviously a pen test report gives you a blueprint on how to hack into a company, and not a lot of companies are interested in releasing those types of blueprints on how they got their company owned. So you have to dig a little deeper to find penetration testing reports, and there isn't really a standard as to how a report should be written. Lord knows I tried to create a template when I first got out of the military in 2013, and that template has probably changed two dozen times in the last seven years. It changes based on the company you go to, based on the pen test type that you perform, and the deliverables that you want to do. So pen testing templates are hard. What I would say is I would almost go look at breach reports. So go find a Mandiant breach report, go find some of these breach reports from stuff that's happened, and look at how they go through the kill chain, or go through the attack narrative for a breach. I encourage people to write pen test reports like that. I've seen too many pen test reports where somebody does a Nessus scan and puts like 400 pages of Nessus results into a pen test report. When I see that... I had a massive telecom company, I'm not going to say which one, but I had a massive telecom company that had sold me a penetration test when I was working for one of the Fortune 100 companies, and I opened up the report when I first got it and it was 200 pages of vulnerability scan results. I literally closed the document, called up the account executive and ripped them a new one for giving me a vulnerability report as a penetration test. So I would encourage folks to think about breach reports, how they talk through walking through the kill chain, and I encourage people to think about their pen testing report writing in that same fashion.

David: Okay, but practically, how do I find those? Where do I go? Have you got websites or books or stuff that I can look at?

Neal: I would start with Mandiant. Mandiant's a good resource because they publish a lot of those. I'd say Kaspersky Securelist, let me just make sure I'm spelling that one right, Securelist, yeah, I'll send this one to you so you've got it. Securelist is Kaspersky's kind of threat-research-ish type center, and they've got a ton of bulletins and a ton of breach reports and things like that. I think organizations like Mandiant, organizations like Kaspersky, have done a really good job of trying to paint the picture of some of these large malware campaigns and some of these breach reports that they've investigated. I mean, Krebs, even though he's not traditionally security and he's got a crazy ego, I think his writing style helps you visualize the attack path pretty well, and so I even recommend going to read how Krebs writes up some of his attack narratives. That's what I would get people to focus in on: writing a report that walks a business person through how their organization got hacked.

David: That's great advice. I'll get the links from you, Neal, and put them below this video for people who want to find them.

Neal: Absolutely.

David: Anything else you want to say, Neal? Because this is getting long again. I want to talk about another topic in a separate video. So just going back again to summarize: you prefer Kali over Parrot OS at the moment, your preferred hardware is a MacBook but Windows is fine, you wouldn't recommend running Kali natively unless you had multiple laptops, because you're going to spend a lot of your time writing reports, things like that. Anything I've missed, just to summarize?

Neal: No, I think you captured it all. And I just keep reminding everybody to keep learning and keep pushing their skills to the limit.

David: That's brilliant, Neal. Thanks so much. Good to talk again.

Neal: Absolutely, David. You
2021-02-16