Security Associate, Bishop Fox
Who are you, and what do you do?
My name is Mike Park and I’m a security associate at Bishop Fox. I do pentesting. Mostly application pentesting but also mobile pentesting, network pentesting, and wireless. Whatever the needs of the day are.
What hardware do you use?
What does your testing network or lab look like?
It’s all the VM’s. I do everything on VM’s on my laptop, mostly because with 3 kids I can’t afford a whole lot of extra equipment laying around, but also because its portable. If I need to go to a hockey tournament with one of my kids I can bring my laptop and after they go to sleep I can hack around without having to worry about VPN’ing back home. I use VMware Fusion. I played around with VirtualBox but I’ve been using VMware for 8 years so I just kinda know it inside and out, even to the point of where if I have to go in and edit a VMX file to add a serial port to do kernel level debugging between two VMs I can do that because I’m familiar. I have no clue on how to do that on Virtual Box.
What tools and software do you use for your trade?
For reverse engineering I use IDAPro and I’m trying to learn some Radare. I use most of the stuff that is your basic app pentesting stuff. I use SQLMap and I’ve used CMSmap recently which is really good, it led me to a couple of interesting places. I use SSLyze for TLS/SSL scanning. Really anything to poke and prod to see what’s going on in a system. Bishop Fox has a whole series of tools like Search Diggity and DLP Diggity… I use those quite a lot. And nmap of course, who doesn’t use nmap!?
I have an old generation iPod, a newer iPhone, and a iPad at iOS8 (all jailbroken). I have a Nexus 8 tablet and Galaxy Nexus phone laying around for when I need them. For iOS, I use TCPrelay.py to SSH into the devices. I also use some tools by Jeremy Levin (on occasion) for iOS monitoring and debugging that you recommended a while back. I also really like the project IDB by Daniel Mayer, although its not as stable as I’d like. It’s not bad considering I’m using a ruby app that’s calling to a GTK lib on my mac, lol, it’s actually pretty good. I use SSL Trust Killer on Android and iOSKillSwitch on iOS for MiTM. I’d love to try Hopper to see if it does a better job reversing than IDA but I’ve used IDA for so long, it’s just really expensive.
What is your dream setup?
Oh boy. It’d be basically what I’ve got but two of them. Probably a couple more monitors and then I’d love, internally, to have a little red network (wired) with a bunch of different “heavy iron” servers that I could put a bunch VMs on for research. I’d like to go further and have actual hardware because one of the things I’m really interested in is embedded hacking. I have a couple of dead iPhone’s I can take apart but I’d like some raspberry pi’s. I am also hankering for antenna for my SR71 card after this latest wireless assessment =)
I want to get into IoT and Embedded a bit more. Everyone wants to own a router and stuff but (as you and I know from doing mobile testing) all the vulnerabilities that were patched in 2003 suddenly reared their ugly head again on 2008 when Android and iOS came out. I’m looking forward to that on newer memory constrained devices. You just know they are so constrained that they have no DEP or ASLR on them, so all you have to do is find one buffer and you’re doing old-school exploitation circa the 90’s. I’d like to see and do more of the paired Windows and embedded device research as well, like that one where they stuck a raspberry pi into an ATM machine to control the dispenser… I’d like to look into that kind of attack more.