The document discusses how mistakes are an inevitable part of learning and progress. It provides quotes from influential figures about learning from failures and mistakes. Specific examples are given of mistakes made, such as incorrectly specifying IP address ranges and assumptions in security testing, to demonstrate how lessons can be learned from errors. The overall message is that mistakes happen but can provide valuable lessons if we reflect on what went wrong and how to improve.
Power point inglese - educazione civica di Nuria Iuzzolino
Infosec Europe 17 - PentestFails
1. Adam Compton – Senior Security Consultant
Learning From Mistakes -
They Will Happen
2. Learning from Mistakes – They Will Happen
• Who am I?
• Simple answer:
• Father/Husband/Son/Brother
• Programmer/Pentester/Researcher
• Hillybilly
Me Me Me…
3. Learning from Mistakes – They Will Happen
“I have not failed. I've just found
10,000 ways that won't work.”
- Thomas Edison
4. Learning from Mistakes – They Will Happen
“The only real mistake is the
one from which we learn
nothing.”
- Henry Ford
5. Learning from Mistakes – They Will Happen
• /bin/sh used to truncate commands after a certain length
• AAA.BBB.237.0/24 != AAA.BBB.2
• Nmap used to auto-append implied CIDR notation
• AAA.BBB.2 -> AAA.BBB.2.0/24
• AAA.BBB.2.0/24 != AAA>BBB.237.0/24
Watch those octets
6. Learning from Mistakes – They Will Happen
“You build on failure. You use it as a stepping stone.
Close the door on the past. You don't try to forget the
mistakes, but you don't dwell on it. You don't let it have
any of your energy, or any of your time, or any of your
space.”
- Johnny Cash
7. Learning from Mistakes – They Will Happen
“Success is not final, failure is
not fatal: it is the courage to
continue that counts.”
- Winston Churchill
8. Learning from Mistakes – They Will Happen
“A person who never made a mistake
never tried anything new.”
- Albert Einstein
9. Learning from Mistakes – They Will Happen
“Mistakes are a part of being human.
Appreciate your mistakes for what they are:
precious life lessons that can only be learned
the hard way.
“Unless it's a fatal mistake, which, at least,
others can learn from.”
- Al Franken
On a different engagement, Cheap Pentests R
Us was contracted to perform an electronic
Social Engineering engagement consisting of
just phishing emails.
copy-n-paste campaign
scenario 1 - no success (servers not turned on)
scenario 2 - limited success (wrong company
name and logo)
10. Learning from Mistakes – They Will Happen
“Our greatest glory is not in
never failing, but in rising
every time we fail.”
- Confucius
11. Learning from Mistakes – They Will Happen
• Always double check everything
• If something does not feel right, it probably isn’t
• Never rely on just one access vector
• It is okay to make mistakes
Takeaways
12. Learning from Mistakes – They Will Happen
adam_compton@rapid7.com
@tatanus
Questions ? Comments ? Thoughts ? Stories ?
Notes de l'éditeur
Welcome.
I hope everyone is ready to hear a few painful stories of how I ... and others have made humorous mistakes on pentests and learned something along the way.
Me? I have been around for a while…
about 18 years or so in the InfoSec field.
Over that time, I have been a programmer, researcher, and pentester (currently for Rapid7).
But most of all, I am a father, husband, son, and brother.
As I hope you noticed on the schedule or because I placed it on the first slide, today I will be talking about mistakes, FAILS, and lessons learned.
What? I am not going to talk about some new exploit or some awesome new tool or something like that? Not this time. I have done that in the past an will likely do it again, but this time, I wanted to take on a different topic that is not often discussed.
In InfoSec, via social media, conference talks, colleagues, and the news, we hear a lot about new discoveries, new exploits, and new data leaks on a regular basis. But we typically do not hear about all the failed attempts and all the long hours that went into producing those awesome WINs.
Obviously, it is always fun to hear and talk about those things, but at the same time it can be very discouraging, especially if you are one of the people who is not always making the new discoveries or is simply prone to making lots of mistakes like I do.
My hope is that by bring stories of these difficulties and failures out into the open, it may help a few people learn that it is okay to make mistakes.
Our director of research always says that it is the experience you build over time that matters, not that it just took you 2 hours to do something.
When I first started in InfoSec, I had no idea of what I was doing.
1st day - build a lab
2nd week - go on an engagement (make mistakes)
Usually paired with mentor
took many months to feel competent
Over the years, I kept making mistakes and learning from them to become more proficient. Did I every stop making mistakes, of course not.
...
After it was all said and done, my boss and peers of course laughed about it a bit but no one tried to make me feel bad about it. The general response was that, we all make mistakes and it is fine. Just try to learn for them as to not make the same one again if possible. That stuck with me and has become a sort of life motto for me.
Enough of my life story, let’s laugh at and learn from some other people’s fails now shall we.
Network based web cameras…
I have some friends which work at another company,
One on particular internal engagement, they were targeting a university. --LEON
On a different engagement, they were targeting a legal office’s Internet facing systems. --SCHOOL
Let’s get Physical
pen testing the wrong building
locking ourselves out of the building on a physical
Pentesting when tired
listening to the intern and closing out the only access we had
phishing emails.
copy-n-paste campaign
scenario 1 - no success (servers not turned on)
scenario 2 - limited success (wrong company name and logo)
As anyone who knows me can attest to, I have made more mistakes than I can count.
Luckily I have slowly been learning from my mistakes and gradually I have been improving. I have made it a point to never let a mistake derail me.
Most mistakes I can shrug off and continue as normal. However, every once in a while, I will encounter a mistake/failure that it is so profound that it does stop me for me a bit. At those times, I stop, regroup, take it a step at a time and before I know it, I am back to fighting shape and on my way.
If you let them, fails and such will have a profoundly negative impact on you. Just remember that everyone makes mistakes. Just learn from them and try not to dwell to long on them.
Always Double Check Everything
If Something Does Not Feel Right, It Probably Isn’t
Never Rely On Just One Access Vector
In closing, I would just like to repeat that mistakes do happen and that is ok.
It is a matter of how you deal with them and what you can learn from them that will determine how they affect you in the long run.
And if you are so inclined, please share your hard-earned lessons with others so that you can possibly help other to not make the same mistakes.
And Thank you.
Now, any questions?