1. 3

    Working with architects on renovating a 150-year old Kyōmachiya and trying to imagine ways to move back to Kyoto while continuing working on engineering challenges I’m passionate about. Sadly, Kyoto’s not exactly a major tech hub.

    1. 1

      I have written a lot of scrapers in Python too (I also created my own basic framework based on BS4 + aiohttp in order to plumb my own scraping pipeline), but right now I think Golang is a lot faster and very easy (using colly+goquery). I am not using a REPL for Python, so it’s not an issue for me. Anyway, you can use the Go Playground in order to have something similar to a REPL. Golang is less “batteries included” compared to Python, but the concurrency is amazing.

    1. 2

      Going with my wife to her former workplace (a very nice seafront touristic village). She will hang out with former colleagues, I will relax reading “Deep Learning” by Goodfellow, Bengio and Courville and improving my Golang scraper.

      1. 1

        How do you like scraping in go? I have done tons of scraping with python, and I imagine (perhaps wrongly) that not having a REPL to create scrapers is pretty difficult. Of course, ease of concurrency might make up for it.

      1. 6

        Trying to get back into radio “stuff”, so I picked up an rtl-sdr (https://www.rtl-sdr.com/). This is what is called a “software defined radio”, somewhat like an FPGA for radio. The rtl-sdr is super cheap, $30 for a kit with the receiver and some antennas.

        My first attempt will be messing around with ADS-B. I’m still learning about it, but it seems to have something to do with aircraft positioning. I’m near a few airports, so I should have luck with this.

        Anyone else into radio???

        1. 1

          You can do a lot of stuff with an RTL-SDR stick. Try to find emergency services, public utilities or airplane-to-ground communication.

        1. 2

          Learning Chinese.

          1. 1

            Writing a scraper to convert an online Chinese course into a podcast.

            1. 2

              Installing Docker + Docker Swarm in a cluster of C.H.I.P. for my home lab.

              1. 1

                Ooh! Using a guide, or blazing a trail of your own?

                1. 2

                  I am using a guide. It’s not easy because you need to compile all the modules needed.

              1. 1

                This was a really nice write-up, thanks!

                Apologies if this is off-topic but this seems like a lot to ask someone to do for an interview. How long were you expected to spend on this?

                For example, the company could have cut down on your time requirement by expending some of their own time and effort creating the environment. I suspect they would have a higher rate of returned tests: perhaps more subtly, you would have learnt more about how they work and who they think their clients are.

                If you were happy to do it, all good. But I feel like this is bad interview technique on the company’s part.

                1. 2

                  > Apologies if this is off-topic but this seems like a lot to ask someone to do for an interview. How long were you expected to spend on this?

                  They gave me around 1 week, but working full time I spent almost 4 days on it.

                  > For example, the company could have cut down on your time requirement by expending some of their own time and effort creating the environment. I suspect they would have a higher rate of returned tests: perhaps more subtly, you would have learnt more about how they work and who they think their clients are.

                  You are right, but I think they decided to leave me “alone” just because they want a person that can solve every kind of problem by themselves. It’s a startup that has just passed a Series B round, so they are not well structured yet.

                  > If you were happy to do it, all good

                  It was a challenge and I was glad to be one of the two persons who passed it :)

                  > But I feel like this is bad interview technique on the company’s part.

                  Yes. The company was not very professional because they suddenly disappeared after 4 interviews and stopped replying to my email. This is one of the reasons why I decided to publish the writeup.

                1. 10

                  Just some quick feedback as someone who has been in the consulting game for quite a while that you and others might find interesting or helpful to how the OffSec world works:

                  > I used the first techniques that I found working

                  This is actually what you want. In a real world test you might have a week to do 40,000 live hosts on a network and the “low-hanging fruit” that you find might actually give the client the most for their money. If you can prove easy ways in and provide them with feedback that can systemically fix issues, it doesn’t matter how easy it is. Plus ease of reproduction is valuable in its own right.

                  > a demo version of Mikrotik RouterOS

                  I’m not certain I understand the logic of this, was this to connect into the VPN? A bit confusing and as a person doing the hiring I’d like to hear some justification for this. It’s not a huge deal, just a curiosity to see how some people think.

                  > the payload will be encoded using msfvenom, in order to evade with shikata_ga_nai encoder

                  I see this a ton on entry level testing write-ups and as someone who contributes to the Metasploit framework, shikata_ga_nai doesn’t work on any remotely up to date AV for the past probably 5 years. I’d even be skeptical that they were using AV at all. Did you do anything special with it? Why did it used to be so good at AV bypass?

                  The rest looks pretty solid imo, good job :)

                  I’d personally have no hesitations hiring someone who can do this and at least explain their methodology. Remember, the reporting is actually the product from a Penetration Test, so while the technical bits are really important it also really matters if you can create a report that is consumable by the client and can give all the remediation steps on top of issues discovered.

                  Some other quick tips that might be helpful to you in future testing: check out the impacket examples and understand how they could impact an AD network. One of the most common mechanisms for attacks these days is to simply abuse AD built-in functionality to gain Domain Administrator. Why even bother with the PSExec route if you can use a kerberoasting attack to gain access to SPN accounts (which are often privileged)? Oh, and persistence generally isn’t a huge deal; in a pentest scenario you aren’t trying to secure your footholds, you are looking for breadth of issues, not depth.

                  1. 4

                    > I’m not certain I understand the logic of this, was this to connect into the VPN?

                    No. The whole environment runs on one of my own laptops (I spent one day preparing everything with KVM). One of the requirements was to run a simple firewall (no NGFW), so I decided to use Mikrotik for this purpose.

                    > Did you do anything special with it? Why did it used to be so good at AV bypass?

                    Not really. The AV was only Windows Defender (as required by the interview) and shikata_ga_nai seemed to work well to avoid it. After the interview, I also tried different encodings and most of them were recognized by Windows Defender. I think that a more advanced AV would also recognize shikata_ga_nai encoding, but I did not try it. This could be a good starting point to learn more about AV evasion techniques. Thank you :)

                    > Some other quick tips that might be helpful to you in future testing, check out the impacket examples and understand how they could impact an AD network. One of the most common mechanisms for attacks these days is to simply abuse AD built-in functionality to gain Domain Administrator. Why even bother with the PSExec route if you can user a kerberoasting attack to gain access to SPN accounts (which are often privileged).

                    Thank you for the suggestions. I already know impacket and I have used it in other PTs. I have also tried kerberoasting, but I was having some trouble (I don’t know it very well, so probably I was making some mistakes), so I decided to use something that I know works, mainly because of limited time.

                    Thank you very much for your feedback, I really really appreciate it!

                  1. 17

                    We finally launched gambe.ro, the Italian equivalent of lobste.rs. This week I (we) have to work on the first batch of feedback and maybe work on a dark theme that can be contributed back to lobste.rs.

                    1. 1

                      As an Italian, congratulations! Can you send me an invite? :)

                      1. 2

                        You can request it directly on the website.

                      2. 1

                        I guess there’s no .te for Aragos.te. Looks great though!

                        1. 1

                          Yep, indeed. We briefly considered spaghettialloscogl.io but we went for gambe.ro

                      1. 4

                        Preparing for OSCP with HackTheBox.

                        1. 2

                          Buy a small Mikrotik (like hAP Lite) and configure it to enqueue the traffic on a 100k queue. You can also make some more specific rules, like putting video packets in a low priority queue.

                          1. 3
                            1. 3

                              The company I work for has a long history of doing unpaid “as much time as you can give” starter projects, in which you work closely with a member of the team on a task you’d actually be doing if you were hired. When I did mine, 3 years ago, I gave up two days, which is basically foolish, but showed my skills, and learned a lot more about the team, company and other things than I would have otherwise. This was valuable signal for both parties.

                              My team decided to drop the starter project when we started to hire again, and settled on a coding task that mimics the system the candidate would be supporting at a much smaller scale, but large enough that brute force solutions don’t work well. We give the candidate 4 hours (it took me 15 minutes, and some colleagues about 1.5 hours) to complete this (we haven’t had a single person refuse), and basically make a decision after this. In addition, the problem spec includes the discussion questions that we’ll chat about during the technical debriefing of the coding task.

                              We’ve had about 8 candidates go through this, and not a single one has complained about the length of time commitment, or stated the problem was too tricky, or anything but fair. However, we’ve had a success rate of 2 out of 8. It doesn’t test data structures, or algorithms, and there are very liberal bounds on acceptable runtime length. It’s fundamentally, sum up fields in a file grouping by ‘foo’, ‘bar’. The part that has tripped people up is almost always related to the fact you can’t store everything in memory. And, the guy with a 64GB machine, didn’t understand how to use Python’s dictionary type…

                              I do wish we paid the person for their time, but I’ve been quite happy with the results of this recent experiment. Lots of candidates that looked good on paper that were just… not… very great.

                              1. 1

                                Working closely with the new team is great also for the employer, because you can understand the culture and the philosophy of the new team. At one of my previous jobs, there were some problems (narcissism, lack of competence, micromanagement, lack of empathy, etc.) that you could recognize easily by working closely with the developers.

                              1. 1

                                I’ll change jobs in a month, so I’m studying to be ready for the new job.

                                1. 8

                                  work:

                                  – getting pmacct <> rabbitmq <> influxdb working, then putting a nice frontend on top of it

                                  – auditing a Palo Alto install the MSP royally boned on the migration. I know BGP is somewhat obtuse on PANOS but…no excuse. in pre-sales you, unprompted, mentioned having one of four experts qualified to configure whatever is after the top of the line 5000 series. c'mon!

                                  – quickly utilizing the last six days of my Azure $200/30 day credit to boot OpenBSD, get IPsec tunnels with BFD running, and do some iperf tests between regions for a PoC

                                  – setup graylog to ingest wireless controller and firewall logs and make nice dashboards for front line support network troubleshooting

                                  fun work:

                                  – continue building class outline and course work for a “python for network engineers” (a working title as it’s already in heavy use by Kirk Byers)

                                  – lots of unikernel stuff. Kafka as a unikernel, pmacct as a unikernel. getting rumpkernels to boot with vmm on OpenBSD. getting ExaBGP into a unikernel, then doing ‘stress’ testing against OpenBGPd

                                  – osm + packet clearing house IXP list + peeringDB + d3js = transform spreadsheet currently sitting at http://peering.exposed/ (after a particularly whiskey-infused discussion @ RIPE73)

                                  – play with a couple of network verification tools I recently read and have been reading about, respectively: Propane and NetKAT

                                  1. 1

                                    Is there some particular reason you’re going to rabbitmq first instead of tossing to influxdb via statsd or some such first? You just want to persist bits in flight?

                                    (just curious)

                                    1. 2

                                      mostly because pmacct speaks amqp natively, and slightly because I do not wish to run node.js in this instance.

                                    2. 1

                                      What are you using for ingesting logs from rabbitmq to InfluxDB?

                                      I’m looking forward to Paolo releasing support for Redis.

                                    1. 1

                                      @work: working with Python and RADIUS attributes for Change of Authorization

                                      @home: writing Python software to automatically update BGP filters on an IXP peering router.

                                      1. 6

                                        A friend of mine commented that DDoS attacks are typically a flood of UDP packets with forged IP headers. Why don’t ISPs simply block all packets with a forged origin? Since ISPs are the ones allocating addresses to end-users in the first place, detecting IP forgery would be dead simple.

                                        This solution sounds too easy. Are there any problems that would arise from dropping packets with forged headers?

                                        1. 8

                                          ISP engineer here. The majority of DDoS attacks are made with UDP, but it’s not easy at all to detect them because the spoofing part is about the protocol payload (NTP, DNS). It would require very expensive hardware to inspect the application layer. Furthermore, when a DDoS arrives on the ISP network it’s too late because the upstream links or routers may already be saturated. The closer to the sources you block, the more effective it will be. Even blackholing the destination is not so useful. You should use some BGP tricks (like the smart use of communities), but fighting DDoS is hard work.

                                          1. 3

                                            I think ChadSki here is referring not to how to detect and drop DDoS traffic at the receiver’s end, but to why this problem is not solved at the source by the network providers, who do know what IP addresses they have assigned and use, and could filter out the (egress) traffic leaving their network that claims to have a source IP from outside those ranges. If the sender is unable to get spoofed source IP packets beyond their network provider’s borders, it kills the DoS at the source.

                                            The answer is, they could; this is covered in BCP38, and when I used to follow it the NANOG mailing list had plenty of grumblings about the lack of uptake.

                                            Typically this is implemented using reverse path filtering: before a router forwards the traffic, it looks at its own routing table to see whether, to send traffic back to the ‘source’ (maybe spoofed), it would send it back over the network interface the packet arrived on. If it matches, the packet is ok to forward; if not, it is dropped.

                                            This is something most ISPs (users behind xDSL, leased line, fibre, etc.) and hosting providers (co-location, VPS, cloud, etc.) can do. It is functionality that has been baked into software and hardware routers for over a decade.

                                            There are some reasons why this may not be straightforward or possible for some ISPs, typically if they also act as a transit provider, but this is now pushing me past my rusty memory as an “ex-ISP network administrator” and I would need to do some catch-up reading before I declare all ISPs lazy/stupid/… :)
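The reverse path check described above, simulated in Python as an added example (not code from the original thread): a longest-prefix lookup against a constructed FIB, with strict mode on single-homed customer ports and loose mode on the transit link, where return paths can be asymmetric. All prefixes and interface names are assumptions made for this example.

```python
import ipaddress

# Constructed FIB for a small access router (prefix -> egress interface).
# Prefixes and interface names are assumptions made for this example only.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),     # default route to transit
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),   # range assigned to customer A
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),  # range assigned to customer B
]

# Per-interface uRPF policy: (mode, allow_default).
# Customer ports are single-homed, so strict mode is safe there. The transit
# link gets loose mode; it also needs allow_default, otherwise every packet from
# the internet (reachable only via the default route) would be dropped.
URPF = {
    "cust-a": ("strict", False),
    "cust-b": ("strict", False),
    "upstream0": ("loose", True),
}


def best_route(src):
    """Longest-prefix match for src; returns (network, egress_interface) or None."""
    ip = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in FIB if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_allows(src, in_if):
    """Reverse path check for a packet with source src that arrived on in_if.

    strict: the best route back to src must leave via in_if.
    loose:  any route back to src is enough (the default route only counts
            when allow_default is set for that interface).
    """
    mode, allow_default = URPF.get(in_if, ("strict", False))
    route = best_route(src)
    if route is None:
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == in_if if mode == "strict" else True


def filter_packets(packets):
    """Return (src, in_if, verdict) for each packet, verdict in {forward, drop}."""
    return [(p["src"], p["in_if"],
             "forward" if urpf_allows(p["src"], p["in_if"]) else "drop")
            for p in packets]


# Constructed sample traffic: legitimate packets mixed with spoofed sources.
SAMPLE = [
    {"src": "203.0.113.7", "in_if": "cust-a"},     # customer A, own address: forward
    {"src": "198.51.100.9", "in_if": "cust-a"},    # customer A spoofing customer B: drop
    {"src": "192.0.2.50", "in_if": "cust-a"},      # customer A spoofing an outside address: drop
    {"src": "198.51.100.9", "in_if": "cust-b"},    # customer B, own address: forward
    {"src": "203.0.113.7", "in_if": "upstream0"},  # our prefix from transit: loose mode lets it through
    {"src": "192.0.2.50", "in_if": "upstream0"},   # ordinary internet source: forward
]

if __name__ == "__main__":
    for src, in_if, verdict in filter_packets(SAMPLE):
        print(f"{src:>14} on {in_if:<9} -> {verdict}")
```

The fifth packet shows the limit of loose mode on the transit side: it does not catch packets that spoof the operator's own prefixes, which is why strict mode on the customer-facing ports (the BCP38 egress side) is where the spoofing actually gets stopped.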

                                          2. 6

                                            OpenBSD’s pf has an antispoof rule for just this. Maybe someone with more knowledge of it can comment on its effectiveness, but yeah, it seems plausible.

                                            But I also highly doubt that spoofing source IPs is the leader in DDoS techniques. If I can purchase time on botnets across 20,000 different nets, I can simply use the source IP of the bot and get a ton of legitimate-looking, randomly distributed sources, which are not so easy to deal with without disruption. If I can get 200,000 different net sources, then any operator trying to block them all has a high probability of blocking legitimate customer traffic, which is denial of service in and of itself.

                                            I am not trying to defend Cloudflare here, but its CAPTCHAs and Kill-Bots itself seem like really good strategies for dealing with this, unfortunately.

                                            1. 3

                                              As far as I know, UDP-based amplification/reflection attacks with spoofed sources are still a big problem.

                                            2. 5

                                              Some do, but there’s no incentive. Outbound traffic is rarely an issue.

                                              1. 1

                                                For big carriers, I imagine you are often dealing with lots of transit and peering, so you may not always know the full sources of an eventually reachable AS being routed through you.

                                                But for last mile connectivity networks, you would certainly think it would make sense. I wonder if it comes down to the fact that unless most people do it, it probably doesn’t help much…and until most people do it, it probably doesn’t make it worth the effort to do it and maintain it.

                                                1. 1

                                                  > For big carriers, I imagine you are often dealing with lots of transit and peering, so you may not always know the full sources of an eventually reachable AS being routed through you.

                                                  Big carriers (Tier 1) have some complex network policies, but they must know how the AS traffic flows through the network. There are some BGP filters on AS paths on the incoming ports just to prevent DDoS.

                                                  > But for last mile connectivity networks, you would certainly think it would make sense. I wonder if it comes down to the fact that unless most people do it, it probably doesn’t help much…and until most people do it, it probably doesn’t make it worth the effort to do it and maintain it.

                                                  Last mile connectivity networks have a few BGP peers (providing a default route), so it’s easy to control traffic flows.

                                                  If you are interested in some products that can fight DDoS, look for Arbor Networks or Radware.

                                                  1. 1

                                                    There were also 100Gbit NIDS built a while back to enable such applications. So, it could be done. Priorities and pricing are key issues as usual.

                                                    1. 1

                                                      > Priorities and pricing are key issues as usual

                                                      You cannot expect to pay 20€/month for a 20MB ADSL and also have DDoS protection. It’s like buying a Fiat Panda and expecting to have a Ferrari engine.

                                                      1. 2

                                                        What are you talking about? I’m clearly talking about the Tier 1-3 backbones who could actually afford or use a 100Gbps appliance. A customer with ADSL is screwed the second the traffic hits their line. Saturation attacks should be handled upstream of them where the pipes are big and pockets are deep.

                                              1. 1
                                                • Erlang
                                                • Golang
                                                • Assembly