Why do usual pentests suck?

Martin Žember

May 21, 2019

usual pen-tests

  • network services publicly exposed
  • web application itself


an inquiry arrived by e-mail, a very well-written document:

“test for us the following:”

  • network from the outside
  • social engineering via e-mail
  • social engineering via phone calls
  • physical security


  • logins
    • login names leaked via a 0-day
  • passwords
    • too simple

phone calls

  • “Which brand of antivirus do you have installed on your computer?”

  • “I do not know, but our network administrator is at the end of the hall, I can ask her right away!”

  • If they said they did not know, we offered them a “tool” that would report back to us which one it was.

  • “I will upload you the file to owncloud, just run it!”

e-mail spear-phishing

  • a job application with an attachment
  • the recipients probably did not open it

a password guessed

  • Summer2019
  • gained access to e-mail
  • gained access to the intranet
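The guessed password follows the classic season-plus-year pattern that password-spraying attackers try first. As an added illustration (not code from the talk or the engagement), the script below flags such passwords and builds the candidate list an attacker would spray with; the account names and passwords in it are constructed samples, not data from the customer:

```python
"""Flag and generate season/month + year passwords such as Summer2019.

Added example, not from the talk: the guessed password follows the
<Season><Year> pattern. This checks a password against that pattern and
builds the small candidate list an attacker would spray with.
"""
import re
from datetime import date

SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
SUFFIXES = ["", "!", "!!", "1", "."]   # common tails that satisfy complexity rules

# <season|month><4- or 2-digit year><up to two symbols or a trailing "1">
_SEASONAL = re.compile(
    r"^(?P<word>" + "|".join(SEASONS + MONTHS) + r")"
    r"(?P<year>\d{4}|\d{2})"
    r"(?P<tail>(?:[!@#$%*.]|1){0,2})$",
    re.IGNORECASE,
)


def is_seasonal_password(password):
    """Return True if password is <season|month><year>[tail] with a plausible year."""
    m = _SEASONAL.match(password)
    if not m:
        return False
    year = int(m.group("year"))
    if year < 100:                    # two-digit year: Summer19 -> 2019
        year += 2000
    # Users pick the current year (or the next one at year's end), so an
    # implausible year is treated as not matching the pattern.
    return 1990 <= year <= date.today().year + 1


def candidate_list(year):
    """Build the spray list an attacker tries first: every season and month
    combined with the full and the two-digit year and a common suffix."""
    years = (str(year), f"{year % 100:02d}")
    return [f"{word}{y}{tail}"
            for word in SEASONS + MONTHS
            for y in years
            for tail in SUFFIXES]


def audit(accounts):
    """Given (user, password) pairs from an internal policy check, return the
    users whose password matches the seasonal pattern."""
    return [user for user, pw in accounts if is_seasonal_password(pw)]


# Constructed sample for illustration, not data from the engagement.
SAMPLE_ACCOUNTS = [
    ("jdoe", "Summer2019"),
    ("asmith", "winter19!"),
    ("rlee", "correct-horse-battery-staple"),
    ("mkhan", "Summer"),
]

if __name__ == "__main__":
    print("flagged:", audit(SAMPLE_ACCOUNTS))
    spray = candidate_list(2019)
    print(len(spray), "candidates, e.g.", spray[:3])
```

The candidate list is deliberately small (170 entries for one year): a spray tries each of these once against every account, staying under the lockout threshold, which is exactly why a single seasonal password anywhere in the user base is enough.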


what did we find in the mailbox?

  • which flash drives are allowed
  • certainly not ours:


what did we find on the intranet?

  • security measures
  • building and network descriptions

what did it look like from the outside

trash diving

how to get inside?

  • lock-picking is useless here
  • guarded all the time, two people at the reception desk 24/7
  • cars: camera scanning licence plates + access card + a human check
  • fence around the whole perimeter

getting inside

even though we now know this much and already have access to the internal network, the customer wants to know what

  1. an attacker with skills can achieve
  2. an attacker without skills can achieve
    • without any information
    • with some information

what did we achieve

  1. access to owncloud
  2. access to end-user PCs
  3. access to the building
  4. a customer who is happy with the results


  • the customer knew what he wanted
  • he specified a wide scope for the test
  • he did not stop us from widening it further
  • a limited test is not a quality test

the end