Penetration testing from a phone

Suppose that I use a smartphone with an external WiFi adapter to cover up my real MAC address and on top of that I use a no-log VPN. In what way could I still be identified? I have heard a lot of talk against smartphones as hacking devices as they contain a lot of personal information, but I cannot see the validity of this argument as none of this personal information is related to the packages being sent when penetration testing another device.

I only see two things identifying oneself: MAC address and IP address.

Using an external adapter, the MAC address of the phone is not used. Suppose that the WiFi adapter is bought with cash in some local store; there would be no way of identifying someone by knowing the MAC address of the external WiFi adapter.

VPN to fake the location and IP address.

Why would it be more secure to pentest or “hack” from a computer that contains no personal information about me compared to my smartphone? If the argument is because the entity that I am hacking could hack me and break into my system and reveal all my information, well they can’t. Understanding the Android system shows that everything is sandboxed, every app is within its own environment and cannot see the rest of the system. Hacking into an Android device would just hack into a useless environment that is completely locked down. Even commands like “iwlist” are not allowed. I see smartphones as more secure devices to hack from than computers.

Can anyone expand my knowledge or prove that I am completely wrong?

What can a victim company do when it’s hard to differentiate between a Physical Pentest from a Criminal Physical Penetration

Hypothetical Situation:

The company Blue hires the company Red to do a Red Team engagement on Blue. Here, I’ll be discussing only the physical part of the engagement, not social and cyber.

Red successfully infiltrates Blue and gives detailed reports of what was done in the engagement. Example part of the report:

... In building A: At door A101, we picked the lock. Techniques used in picking: Raking, Bump Key. At door A102, we picked the lock. Techniques used in picking: Raking. ...

The report includes details of techniques used to exploit and infiltrate.

A week after the engagement is done, Blue is attacked by real criminals and has their data exfiltrated from building A. They didn’t have camera footage of every door exploited. Installation of the doors and locks in building A is confirmed to be proper, and they were most likely picked. However, those doors/locks have also been reported to be picked by Red during their engagement the week before.

The problem:

The locks being tested have been picked and exploited by both Red and the criminals. Forensic evidence would likely show traces of both or just Red’s engagement. Since red team engagements are to simulate real criminals as accurately as possible, it’s hard to differentiate between evidence left by Red and that left by the criminals.

Blue is highly confident that those locks were picked by the criminals, and let’s assume they’re correct about that. Blue wishes to investigate how exactly the criminals got in and track down those criminals. Additionally, Blue also wants to claim insurance for those locks being picked. (I’ve heard we can get insurance from the lock manufacturer if the locks are picked and we take damage from that.)

Question(s):

How can forensic evidence on the locks be used in court (for insurance) and investigation? How should Blue use said forensic evidence to claim their insurance and track down the criminals when it’s hard to distinguish between marks left by Red and the criminals?

How should I use the target’s customers in penetration tests? [on hold]

This question concerns both physical and non-physical pentests.

Should I use customers’ accounts to pwn? (Assuming I’m not given an account by the employer/target for the engagement.)

I may somehow manage to grab the credentials of a customer of the target. The customer may not be mentioned in the scope. Using their account/credentials may negatively affect them personally, so I think it should be avoided. However, I believe adversaries usually would directly target the customers to either just steal the customers’ credentials and assets or (somehow) use a customer account to get more information on the target or as an attack vector (a customer may be a VIP with extra functions).

In a physical pentest, we may come in contact with the employer/target’s customers (i.e. normal people in a company building, people touring the place, shoppers in a mall). Should we attempt to extract information from them or even social engineer them to use them as help (get some people to swarm in front of a door) without them knowing?

This, I believe, mainly depends on ethics (we probably shouldn’t use patients in hospitals) and collateral damage (people having their data touched even just from us logging in as them).

(Please simply don’t say “it depends on the scope”. That’s always a big element, but I’d like to learn about pentesting in general: rules that can apply to most engagements, or at least specific details on how the scope may greatly change this aspect of a pentest.)

Should I present forged documents in a Penetration Test/Red team engagement?

A previous question of mine led to this discussion, which mentioned the subject of document forgery.

I’ve seen many people (in videos) forge IDs and employee badges for such engagements, so that seems fine as a test. However, if asked to present a more critical/serious document like a “Permission to Attack” slip (when caught), or asked by a police officer to present some ID, should we test them by first showing them a forged “Permission to Attack” slip or ID and only show the real documents if caught?

Application and API Penetration Testing – SaaS solutions

I have managed projects where we have used a third party to do application penetration testing. Based on what I could gather, it entailed manual testing and did identify some good issues. We also used ZAP to prep ourselves before we went to third-party pen testing, so I am familiar with that too.

I was wondering if there were SaaS solutions for pen testing that meet the following criteria:

1 – Easy to use, in that canned policies exist that are meaningful. Example: You have never done any pen testing before on your app, let’s start here… You are required to meet a specific regulation, try the following policy set…

2 – Have adequate depth and credibility (both subjective) such that the report will be accepted by a Fortune 500 company’s security team or by a SOC2 auditor (I recognize that the auditors really do not care how you did your pen test as long as you did it, given that SOC2 does not really call for a pen test).

Thanks!

How to get appropriate knowledge as a beginner penetration tester at home?

I want to apply for a job as a penetration tester in a good company. I have a fairly good knowledge of programming and have experience as a back-end developer.

I started to work with Burp Suite, ZAP, Metasploitable2 and Juice Shop and started to do some stuff locally. I want to gain more experience and do some challenging stuff but don’t know what to do. I was also advised to learn Rust & Go and develop security applications. I don’t know how to start off and get my hands dirty developing security applications to gain enough experience to apply for that job (I’m planning to complete it within a month).

Any Advice?

Free/online penetration testing tools

My employer has used an external consultant for penetration testing in the past, which has been really beneficial to the development team.

I’m now working on some development privately and can’t afford external pentesting. I’ve begun researching some online tools and have begun trying them out. Does anyone have experience of relying solely on free tools, and what do you recommend? How does it compare to using a security consultant? I know it won’t be as good, but is it really a lot poorer, or do the consultants just use very similar tools anyway?!

Key penetration from guest OS directly to hard drive

Most key protections are used to encrypt the key to protect it from malware or other tenants. What if the hypervisor “steals” my key?

If I am using a VM provided by a CSP, when I input a key to encrypt or decrypt my data, how do I know the CSP doesn’t store my key and “might” snoop on my data without my noticing?

Do CSPs provide this kind of trust that they won’t do this? Is there a method or technique that can do key penetration from guest OS directly to hard drive so that I know no one except me can see my key?

Which certification is better suited for a career in penetration testing? [on hold]

I’m currently enrolled in a BSCS program and interning at a company, with the eventual goal of becoming a penetration tester/security analyst. I have heard so many conflicting thoughts on the certifications and I can’t seem to get a clear answer. Is it worth going through the EC-Council to get my CEH, ECSA, and/or LPT? Or is there a more streamlined, more accepted/more encompassing, overall better alternative? In short, what certs should I really be going for to get to my goal?