Tag Archives: Pentesting

Dodgy Link: Hiding the URL

It is very rare that I do Phishing campaigns (dang it I should ask to do more as they are interesting).  I do have to answer customer questions, and talk about security awareness training often though.

I have heard people saying that “just hover your mouse over a suspicious link and it shows you where it is going!”. Generally this is a good feature of web browsers. However, it is definitely not to be relied on as shown in the video below:

With a tiny bit of JavaScript you can defeat that particular part of someone’s security awareness training. The source code is available below:


<a id="hey" href="http://totallylegit.com"
onmouseover="document.getElementById('hey').href='http://totallylegit.com'"
 onclick="document.getElementById('hey').href='https://en.wikipedia.org/wiki/Dodgy'"
>Totally Legit</a>

Quite simple:

  1. When the mouse goes over the link the “onmouseover” event handler executes. This changes the URL to “http://www.totallylegit.com” so that is what the Web Browser shows to the user at the bottom.
  2. If the user actually clicks on the link the “onclick” event is triggered which replaces the URL with whatever we are actually wanting our victim to interact with.
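
A defensive check for the pattern described above, as an added example that is not part of the original post: it scans HTML (a saved page or an email body) for anchors whose inline event handlers rewrite the link target to a host other than the one in the static href. The names `find_link_swaps` and `LinkSwapFinder`, the handler patterns matched and the sample input are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute URLs embedded in inline handler code.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
# Handler code that rewrites the link target or navigates directly.
NAV_WRITE_RE = re.compile(
    r"""\.href\s*=(?!=)|location\s*=(?!=)|location\.(?:assign|replace)\s*\(""", re.I)

def host(url):
    return (urlsplit(url).hostname or "").lower()

class LinkSwapFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (handler, host shown on hover, URL swapped in)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = {name: value or "" for name, value in attrs}
        shown = host(attrs.get("href", ""))
        for name, code in attrs.items():
            if not name.startswith("on") or not NAV_WRITE_RE.search(code):
                continue
            for url in URL_RE.findall(code):
                if host(url) != shown:
                    self.findings.append((name, shown, url))

def find_link_swaps(html):
    finder = LinkSwapFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the snippet from the post plus one benign link.
SAMPLE = """<a id="hey" href="http://totallylegit.com"
onmouseover="document.getElementById('hey').href='http://totallylegit.com'"
 onclick="document.getElementById('hey').href='https://en.wikipedia.org/wiki/Dodgy'"
>Totally Legit</a>
<a href="https://example.org/docs" onclick="track('docs')">Docs</a>"""

if __name__ == "__main__":
    for finding in find_link_swaps(SAMPLE):
        print(finding)
```

Handlers attached from script blocks or external files are invisible to this attribute-level check, so a clean result is one signal only.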

Nothing new. Nothing earth shattering. I needed to document it as I have forgotten how to do this a few times but now it is written down forever. Hope it is useful.

Standing Out: a Workshop for Wannabe Pentesters

I asked Twitter for questions to help me find topics people were interested in. The first response was very simple:

To me this boils down to the question “What can I do to make my CV or application stand out from the hordes of others?”. When I say “hordes” I literally mean it. I personally get approached a lot either via LinkedIn or email from candidates.

To deal with that question I have broken it down into three sections:

  1. Sharpen your CV
  2. Your online Content
  3. Your offline presentation

I will make sub-sections for each of these and if you feel that you have one of these nailed skip over it.

Sharpen your CV

Your CV is the gateway to your soul. Often it may be all that the company you are applying to is going to see. For the first step follow this process:

  1. Keep it exactly two pages long. No more. I have heard of hiring managers throwing anything longer on the pile of rejects before they go home and sleep like a baby. Harsh, but nobody said reality was going to be easy.
  2. Write it yourself. If your university has provided a template then you might find that the company has seen your CV many many times before. Familiarity with the format will not make it stand out. You do not have to go insane design wise but making it a bit unique is a good idea. Your CV is a chance to prove you can write in English and sell yourself. If you can do that, then you may be able to sell a vulnerability report to a customer. Genuinely write it yourself and resist temptation to pay someone to write it for you.
  3. Contact Details. Display clearly your contact details with your mobile number and address etc. I have had a few cases where I couldn’t call back, which doesn’t help. In mine I think I made it the header of the page so it is not eating up the real estate on the page but appears at the top of both pages.
  4. Link to online content. The next section contains how to fix your online content. Make sure that your CV links to that content appropriately. If you identify an organisation that blogs regularly about a thing that you have too then highlight that etc. If your research interests and theirs align you will find a willing buyer.

The general idea here is to make something that is the right length, ensure your key information is there, and that YOU wrote it.

Now I do not know how many of you are as hilarious as me? But I also end every CV I write with something outlandish under my interests as a reward to the reader getting that far.

I remember sauntering up to the MD of Pentest Ltd just as he got to the end of my CV when I was heading to meet him. He was still chuckling as I shook his hand. #nailedit. You might not get to an in person interview like that as the first step until you are rocking out as a senior like I was at that point in my career.

Pro-Tip: If you bump into me in person you can ask about my various CV jokes over the years but I won’t go into it here. Otherwise you will probably all just try and emulate those exact things.

Your online Content

There are so many places that you can put things online for your “work” self. A personal blog (like mine here!), LinkedIn, Twitter, GitHub etc. This can all be evidence of your activities that are relevant to penetration testing or IT in general.

Here are some things I look for, which I presume are what other hiring managers want:

  1. Actively exploring technology. If your blog is all about gadgets you have bought and stuff that was done just to play or learn with it, then you may have the right mindset.
  2. Attending events. If your Twitter feed is a bunch of photos of you rolling around various Cyber Security events then we think you are definitely keen and trying to network in person.
  3. Speaking at events. If you are speaking at things like your local Defcon, OWASP or whatever then you are even more involved. Spreading knowledge to others is very much the mindset. Being able to talk to a room is also a tick in a box for consultancy skills. But speaking to rooms is not for everyone so it is not a REQUIRED skill.
  4. Coding ability. I am of the opinion that coding helps to make a great tester. Relatively recently I started posting stuff on https://www.github.com/cornerpirate. So now I look for people who do the same. You do not have to invent something that has hitherto not existed in the world. Someone who has sat making their own port scanner will have learned a lot. You do not need to shoot for unique. Implementing your own version of a thing is also a valuable exercise.

Try and separate your work and personal self in your online presence. Keep the photos of food to Facebook and Instagram or whatever mostly (I will break this myself deal with it!). Then keep your online career “self” focused and to the point. That means categories on your blog or using a different blog entirely for other things.

What am I looking for here? Well… The appearance you are active. By reading some technical blog posts I can see more about how you write. Remember a pentester has to document findings to customers. So I want to know that you can write. Via GitHub I can see what tools you have made or what problems you have solved. Knowing someone has familiarity with programming is a good idea.

A final word on your online presence. Put a clear picture of your face. I won’t win any beauty contests. But I put my face on things so that when people meet me in person they can recognise me. Yes there are hackers who will post Chinese characters, or ninjas or whatever to make themselves anonymous. That is very cool and “op seccy” of you. But take a moment to realise you are applying for a career in the white-box and not the black-box. If you want to go break the law for a living I don’t know where you apply but start at the docks at midnight maybe?

By not putting up a photograph, you may be losing a chance for consistency. I have just completed a recruitment tour and have spoken to around 700 or so people in a month. Sometimes I have met people at multiple events. The faces are now vaguely familiar but try to keep that many names in your head? When someone follows me on Twitter after an event it is easier to try and clash whatever hilarious handle they have to the person if I can recognise them.

Pro-Tip: a clear picture of your face only really. Try not to be “the one in the middle of three folks” or something like that 🙂

If you are represented by a string of binary in green on black in real-life then I promise to try and remember you.

Your offline presentation

By this I mean when you appear in front of a company, say at an event. This time you are showing your face and you may have only a short time to talk. In that case come prepared. Some people have been handing me business cards in return for mine. That means I can then go and put their name in a spreadsheet for the event and look to see if they actually apply later. So that is a nice touch which I am now recommending.

I didn’t believe in business cards when I was told in 2004 how to get a job by my university. I was like calm down caveman, I’ll just wow them with my personality. Now I have considered what the other side of that coin looks like I say a business card may genuinely help! I have a stack of them now from Securi-tay 2017 ready to get added to a list.

Also you are more likely to remember the company’s representative than they are to remember you. If you have met them before, reiterate your name, and where that was, when shaking hands. This should tick some boxes in their mind and get you straight onto the “my aren’t they keen” list!

We are fortunate to operate in a hacker style industry. Nobody expects you to wear a suit to these events. So you get a chance to wear some kind of awesome t-shirt or hoodie which may spark a conversation. Your goal at IRL meetings is to literally try and stick in someone’s head for a bit.

Some people do this by trying to ask difficult questions of their prey. Mileage may vary on that one. I love a challenge, but maybe someone else won’t. It is a potential route to making yourself stand out.

There you have it folks. My thoughts on how to “stand out” when applying for a penetration testing career.

Regards,
cornerpirate.