Burp+SSLintercept with Kali+Docker+Java+Python+Browser

I couldn’t find a single source for setting this up, so I thought I would copy/paste my notes for others to reference. Feedback appreciated.

The goal is to proxy all http-80 and https-443 traffic in a docker/OS stack through Burp with (trusted) SSL intercept.

My Environment:

Host OS:
- Kali v2018.3
- Burp Suite Community Edition v1.7.35
- Docker v17.05.0-ce
- Openjdk 10.0.2, but also works on Java 10.0.2
- Python 3.6.6
Docker OS:
- Debian v9
- Openjdk 10.0.2, but also works on Java 10.0.2

Notes:

root@host:~# will be used when showing host commands to run
root@docker:~# will be used when showing docker OS commands to run
Run everything as root

The Steps – Host OS:

Install Burp from the apt-get repo or from portswigger.net.

If you have trouble with this, you can Google how to install Burp.

Disable ipv6 to ensure IP/port bindings are compatible with everything else.

root@host:~# vi /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Permanently set environment variables.

root@host:~# vi /etc/environment

export http_proxy=http://127.0.0.1:8080/
export https_proxy=http://127.0.0.1:8080/
export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
export HTTP_PROXY=http://127.0.0.1:8080/
export HTTPS_PROXY=http://127.0.0.1:8080/
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt # used by python

Source the above into our shell on login

vi /root/.bashrc

source /etc/environment

Proxy apt requests

Note, this will cause problems with certs not validating, which I’ve been unable to solve as of yet. Skip it if not needed.

root@host:~# vi /etc/apt/apt.conf.d/95proxies

Acquire::http::proxy "http://127.0.0.1:8080/";
Acquire::https::proxy "https://127.0.0.1:8080/";

Tell Java to use the proxy.

root@host:~# echo $JAVA_HOME

The above should give you the path to Java’s home path such as

/usr/lib/jvm/java-10-openjdk-amd64″ or “/usr/share/java/jdk-10.0.2

root@host:~# vi [JAVA_HOME FROM ABOVE]/conf/net.properties
Example: vi /usr/lib/jvm/java-10-openjdk-amd64/conf/net.properties

# Make sure the following are uncommented and configured to:
http.proxyHost=127.0.0.1
http.proxyPort=8080
http.nonProxyHosts=localhost|127.*|[::1]
https.proxyHost=127.0.0.1
https.proxyPort=8080

Export the Burp CA Cert

Go to the Proxy tab in Burp
Go to the subtab, Options
Click on the export CA Certificate button
Export Certificate in DER format to /tmp/burp.der

Convert the CA Cert and drop it in the needed locations

root@host:~# cd /tmp/
root@host:~# openssl x509 -in burp.der -inform DER -out burp.pem -outform PEM
root@host:~# chown root:root burp.pem
root@host:~# chmod 644 burp.pem
root@host:~# cp burp.pem /usr/local/share/ca-certificates/burp.crt
root@host:~# c_rehash -v /usr/local/share/ca-certificates/.
root@host:~# update-ca-certificates

# Assuming the symlink is already present, these steps are not needed
root@host:~# cd /etc/ssl/certs/
root@host:~# sudo ln -s /usr/local/share/ca-certificates/burp.pem
root@host:~# sudo c_rehash -v .

# These likely not be needed either, but placing it here for future reference...
root@host:~# cd /usr/share/ca-certificate
root@host:~# cp /tmp/burp.pem burp.crt
root@host:~# dpkg-reconfigure ca-certificates
# select burp cert (should be top of list) and hit "ok"

Locate the Java certs location:

root@host:~# find / 2>/dev/null |grep /java/cacerts

In kali, it should be at /etc/ssl/certs/java/cacerts

root@host:~# keytool -importcert -alias startssl -keystore [THE CACERTS PATH FROM ABOVE] -storepass changeit -file /tmp/burp.pem
Then type "yes" and hit enter.

Don’t forget to import the burp cert into your browser. Google “install ca certificate in X” for Firefox or Chrome.

The Steps – Docker OS (mainly):

Setting the environment variables

This was supposed to set env variables in the docker image, but did not. Leaving it here until I figure that out…will update:

root@host:~# vi /etc/default/docker

export http_proxy=http://[HOST OS IP]:8080/
export https_proxy=http://[HOST OS IP]:8080/
export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
export HTTP_PROXY=http://[HOST OS IP]:8080/
export HTTPS_PROXY=http://1[HOST OS IP]:8080/

If the above does not work, add it to the docker image:

root@host:~# docker exec -it -u root [DOCKER NAME] /bin/bash
root@docker:~# vi /etc/environment

export http_proxy=http://[HOST OS IP]:8080/
export https_proxy=http://[HOST OS IP]:8080/
export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
export HTTP_PROXY=http://[HOST OS IP]:8080/
export HTTPS_PROXY=http://1[HOST OS IP]:8080/

Set the proxy for Java in docker

Find the path for Java’s “net.properties”:

root@docker:~# find / 2>/dev/null |grep net.properties

Assuming you don’t have vi, echo the proxy settings to the file:

root@docker:~# echo "http.proxyHost=[HOST OS IP]" >> /etc/java-8-openjdk/net.properties
root@docker:~# echo "http.proxyPort=8080" >> /etc/java-8-openjdk/net.properties
root@docker:~# echo "https.proxyHost=[HOST OS IP]" >> /etc/java-8-openjdk/net.properties
root@docker:~# echo "https.proxyPort=8080" >> /etc/java-8-openjdk/net.properties

Copy the Burp CA Cert to the docker container

root@host:~# docker ps -a

Copy the container ID.

Upload the cert to the docker container:

root@host:~# docker cp /tmp/burp.pem [CONTAINER ID]:/tmp

Tell Java (in docker) to trust the burp cert

root@docker:~# find / 2>/dev/null | grep /java/cacerts

It will most likely be: /etc/ssl/certs/java/cacerts
Use it below…

root@docker:~# keytool -importcert -alias startssl -keystore /etc/ssl/certs/java/cacerts -storepass changeit -file /tmp/burp.pem
Then type "yes" and hit enter

Commit docker changes

root@docker:~# docker commit [DOCKER NAME] [NEW IMAGE NAME]
root@docker:~# docker kill [OLD CONTAINER ID]
root@docker:~# docker rm [OLD CONTAINER ID]
root@host:~# reboot now

On startup (do every time):

Fire up Burp and do the following

Disable intercept from proxy tab
Set the interface to “all interfaces”, not just loopback, or your docker container will not be able to hit the port

Schedule a no obligation consultation with PEN Consultants today! Information & Cybersecurity Testing - Penetration Testing, Red Teaming, Vulnerability Scanning and Assessment services for Apps, Web Apps, Network, Wireless, and more!

Categories: Blog

Tags: Random

Web Application Vulnerability Scan

Web Application Vulnerability Scanning is one of our most simplistic services. It offers valuable testing for common vulnerabilities and identifies weaknesses in your web app.

Basic Service

The basic service will run one or more industry standard vulnerability scanners against your web app and deliver the raw report to you for review. Your development team would then review the findings, determine which are potentially false positives, and remediate the remaining issues.

You can review a sample report here: SampleWebAppVulnerabilityScanReport.pdf

Standard Service

The standard service includes everything in the basic service, and, in addition, each finding is verified and a custom Findings and Recommendations Report is created.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Micro: Apps with less than 12 pages or major functions and 2 user roles (or less)

Basic: $3,500

Standard: $5,500

Small: Apps with less than 25 pages or major functions and 2 user roles (or less)

Basic: $5,250

Standard: $8,000

Medium: Apps with less than 50 pages or major functions and 3-4 user roles

Basic: $7,000

Standard: $11,250

Large: Apps with less than 100 pages or major functions and 4-5 user roles

Basic: $9,500

Standard: $16,000

xLarge: Apps with more than 100 pages or major functions and 6+ user roles

Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Network Vulnerability Scan

Network Vulnerability Scanning is one of our most simplistic services. It offers valuable testing for common vulnerabilities and identifies weaknesses in your network.

Basic Service

The basic service will run one or more industry-standard vulnerability scanners against your network and deliver the raw report to you for review. Your information technology team would then review the findings, determine which are potentially false positives, and remediate the remaining issues.

You can review a sample report here: SampleNetworkVulnerabilityScanReport.pdf

Standard Service

The standard service includes everything in the basic service, and, in addition, each finding is verified and a custom Findings and Recommendations Report is created.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

External

Micro: Less than 10 active IPs

Basic: $1,750

Standard: $4,000

Small: 20 active IPs

Basic: $2,250

Standard: $4,750

Medium: 40 active IPs

Basic: $3,000

Standard: $5,500

Large: 75 active IPs

Basic: $4,000

Standard: $6,500

xLarge: More than 75 active IPs

Varies

Internal

Micro: Less than 250 active IPs (<25 servers)

Basic: $4,250

Standard: $7,250

Small: 750 active IPs (65 servers)

Basic: $5,500

Standard: $9,000

Medium: 2,000 active IPs (150 servers)

Basic: $7,000

Standard: $11,250

Large: 7,500 active IPs (375 servers)

Basic: $8,500

Standard: $13,500

xLarge: More than 7,500 active external IPs (>375 servers)

Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Mobile Application Security Testing

Mobile Application Security Testing tests Android and/or iOS apps and the web services/APIs they interact with.

Testing involves automated and manual evaluations of one or more apps to ensure they provide protection against abuse of your data. We use industry-standard tools to carry out automated scans looking for well-known vulnerabilities, and we also conduct manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.

This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).

Confidentiality is limiting information to only the authorized person(s) who should have access to it.

Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).

Availability is the ability for an authorized person(s) to access the resources when needed.

The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure the security of your app is strong, and then provide actionable solutions to help you protect against attack/compromise. For example, we use industry-standard tools and techniques to look for well-known/unpatched vulnerabilities that allow an attacker to gain access to carry out remote code execution, privilege escalation, circumventing intended controls, gain access to sensitive data, etc.

See additional examples
all relevant web app testing techniques and attacks, interaction with web services, security controls are server-side, data storage & privacy, system credential storage facilities, sensitive data in logs, 3rd party app & service interaction, keyboard cache, IPC, backups, backgrounded and locked screen privacy protections, memory analysis, device security policy check & enforcement, strong, modern & properly configured encryption, protocols & algorithms, up-to-date system dependencies and jailbroken checks, minimum permissions requested, webviews, properly signed & provisioned app, decompiling, reverse engineering & trojanizing, non-debuggable build, anti-tampering, device binding, obfuscation, RCE, and more

In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine the exposure, should it be breached. The testing is largely centered around the OWASP Mobile Security Testing Guide, but also includes our internal/proprietary methodologies.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Micro: Apps with less than 10 major functions and 1 user role – $11,000

Small: Apps with less than 20 major functions and 1 user role – $14,000

Medium: Apps with less than 40 major functions and/or 1-2 user roles – $18,000

Large: Apps with less than 75 major functions and/or 3-4 user roles – $25,000

xLarge: Apps with more than 75 major functions and/or 4+ user roles – Varies

* Add $500 for iOS

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Referral Program

$1,000 credit (or $250 cash) for each referral!

It’s simple: tell someone about our services and refer them to us. If they utilize any of our consulting services, you receive a $1,000 credit toward your next testing service with us OR $250 cash…your choice!

Program rules:

Terms

referral – the recommendation itself

referrer – the person/organization making the referral

referee – the person/organization being referred to us

You may refer our services using any legal means: in person, social media, phone call, personal email, etc.

Within 30 days of the referee executing a statement of work (SOW), you will be contacted to arrange credit/payment.

You must choose one reward or the other, not both. You will receive a $1,000 credit toward your next service contract with us OR $250 cash (i.e. electronic transfer, check, etc.).

Credit not to exceed 6% and cash payout not to exceed 2% of SOW.

Although you will receive notification that one of your referrals contracted services with us, we will NOT be able to disclose who it was for privacy reasons. The referee is free to disclose that to you, if they choose, but we are not.

Referral reward is only paid out to the referrer if the referee is a NEW client, not a current/former client of ours.

If two or more referrals are made for the same referee, we will make a good faith effort to determine who made the first referral, and they will receive the reward. Once awarded, other referrals for the same referee will not qualify for the reward.

Additional Information:

The referee must mention your name when they initially contact us.

The referrer does NOT have to be a current/former client of ours or have any previous ties to PEN Consultants.

The referrer should send us their contact information and let us know someone was refereed. This could be as simple as sending the referee an email and CC’ing us.

There are no limits to the number of referrals per referrer or payouts.

Cybersecurity Unlimited

PEN Consultants’ Cybersecurity Unlimited service gives you full access to our entire range of testing, training, staff augmentation, and consulting services at any time, on-demand. This allows us to form strong partnerships with our clients, meeting your specific organizational needs and maximizing your return on investment.

Additionally, this service is a great framework to use in place of traditional, fixed-price testing. The benefits of this option include:

Generally less costly than fixed-price testing.

Maximize testing within your budget, be it less or more than fixed-price. We can test right up to your budget and stop.

Ability to adjust testing aspects mid-testing – prioritize testing hours, add/remove to/from the original scope on-the-fly, etc.

Provides the option for a less formal / less costly report, depending on what is found, level of detail desired, etc. Notes: The raw findings are documented in real-time (as we find them), so you will have access to those immediately and throughout testing. By default, our fully detailed report is included unless otherwise directed. Some clients are comfortable with the “raw findings” level of detail, which eliminates several hours of reporting / cost. Others want something in between our fully detailed report and those raw findings. There is a lot of flexibility in determining the level of detail you want – you only pay for the level of detail you want.

Contract Details

Number of hours: no minimum

Service Level Agreement (SLA): 24-hr phone/email response time

Any/all of our services, as seen on the services page, can be used – testing, training, staff augmentation, consulting, etc.

Live access to our working notes, hours worked, projected hours, etc.

Client directs/re-directs how every hour is spent

At minimum, quarterly client/consultant meetings

Rates are for labor-only. Travel or other non-standard expenses (specialized equipment, materials, etc.) will be billed separately, if applicable.

Contract length: standard is 12-month

Option A – Pay-As-You-Go

Our standard rate ($275/hr) is billed at the end of each month based on the number of hours incurred for that month.

Option B – Pre-Paid

When agreeing to pre-pay a number of hours per month during the contract period, the hourly rate is discounted as follows:

5+ hrs/month: $265/hr

15+ hrs/month: $255/hr

45+ hrs/month: $245/hr

175 hrs/month: $235/hr

The following additional terms apply:

Monthly payment is due upon contract execution, and pre-paid monthly thereafter, through contract expiration.

If hours are exhausted within a given month, the default, non-discounted, monthly billed rate applies to added hours.

Unused hours may roll over month-2-month, but not past the contract period.

Unused hours at the end of the contract period may be refunded at 50% of the purchase price or unused hours can be rolled over/applied to a new contract.

Pre-Paid Hours (Bundles)

Additional bundles of hours may be added on at any time (to Option A or Option B). Bundled hours are available for use immediately upon purchase. Unused hours roll over month-to-month through the end of the contract, but not past the contract period. Unused hours may be refunded at 50% of the purchase price, or they can be rolled over/applied to a new contract. Payment in full is due at the time of purchase and must be received prior to bundled hours being available. Bundle options include:

20 hrs: $272.50/hr – $5,450

40 hrs: $270.00/hr – $10,800

60 hrs: $267.50/hr – $16,050

80 hrs: $265.00/hr – $21,200

100 hrs: $262.50/hr – $26,250

120 hrs: $260.00/hr – $31,200

>120 hrs: $260.00/hr

Multi-Service Discount

When we perform multiple services for you under a single contract, you will often receive a discount for each additional service above the core service. Discounts are always based on how much overlap there is between services.

Example: An external network pentest in conjunction with a web application penetration test may grant you a 10% discount on web app testing. Add on an internal network pentest, and you may receive a 15% discount.

Client-Side Application Security Testing

Client-Side Application Security Testing tests “thick” applications that are run and/or installed on an endpoint (workstation, server, etc.). It is typical to perform this in conjunction with Web Application Security Testing when the application is an “agent” running on the endpoint and interacting with a webservice/API.

Testing involves automated and manual evaluations of one or more applications to ensure they provide protection against abuse of your data. We use industry standard tools to carry out automated scans looking for well known vulnerabilities, and we also conduct manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.

This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).

Confidentiality is limiting information to only the authorized person(s) who should have access to it.

Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).

Availability is the ability for an authorized person(s) to access the resources when needed.

The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure the security of your application is strong, and then provide actionable solutions to help you protect against attack/compromise. For example, we use industry standard tools to scan for and verify well known/unpatched vulnerabilities that allow an attacker to carry out remote code execution, privilege escalation, circumventing intended controls, gain access to sensitive data, etc. In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine the exposure, should it be breached.

The testing is largely centered around static code analysis, fuzzing, and manual analysis using our internal/proprietary methodologies.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Micro: Plugins, extremely basic applications – $4,250

Small: Single binary, basic/common functionality – $7,250

Medium: Multiple binaries or intermediate functionality – $13,000

Large: Multiple binaries, intermediate/advanced functionality, and unique – $20,000

xLarge: Many binaries, advanced functionality, and unique – Varies

* Pricing does not include testing of web services. It is common to include either Web Application Vulnerability Scan or Web Application Security Testing.

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Network Security Testing

Network Security Testing (AKA Network Penetration Testing) involves both automated and manual evaluation and testing of your network to ensure it provides protection against abuse of your data. We use a combination of automated industry standard scanning tools to look for well known vulnerabilities as well as conduct extensive manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.

This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).

Confidentiality is limiting information to only the authorized person(s) who should have access to it.

Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).

Availability is the ability for an authorized person(s) to access the resources when needed.

The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure your security configurations are strong, and then provide actionable solutions to help you protect your organization from attack/compromise. Types of common vulnerabilities found during this testing include those that allow an attacker to gain remote access into your environment, escalate privileges, gain access to your most sensitive data, and exfiltrate it from your network. In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine your exposure, should it be breached.

The testing is largely centered around the PTES, NIST SP 800-115, and OSSTMM testing guides, but also includes our internal/proprietary methodologies. This is “noisy” and may generate alerts in the monitoring solutions you have deployed.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

External

Minimum: Less than 5 active IPs – $8,250

Micro: 10 active IPs – $11,500

Small: 20 active IPs – $15,000

Medium: 40 active IPs – $20,000

Large: 75 active IPs – $25,500

xLarge: More than 75 active IPs – Varies

Internal

Minimum: Less than 50 active IPs (<5 servers) – $13,750

Micro: 250 active IPs (25 servers) – $17,000

Small: 750 active IPs (65 servers) – $20,500

Medium: 2,000 active IPs (150 servers) – $27,500

Large: 7,500 active IPs (375 servers) – $41,250

xLarge: More than 7,500 active IPs (>375 servers) – Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Wireless Security Testing

Wireless Security Testing involves the assessment of your Wi-Fi infrastructure and wireless clients to ensure there is adequate protection against eavesdropping and unauthorized access. Because the RF (Radio Frequency) signals typically “leak out” of your building and/or campus, an improperly secured infrastructure makes it easy for an adversary to “sniff” your corporate data and possibly even access your corporate network from your parking lot or outside your fence line.

Testing involves performing a wireless site survey, looking for known vulnerabilities, identifying rouge access points, testing various attacks (against the APs and clients), testing isolation controls (especially on guest access APs), examining the configurations of a sample of the wireless clients, reviewing the overall architecture (including physical), etc.

Our testing methodology largely centers around the wireless portions of PTES, SANS‘ Wireless Audit Checklists, and DISA’s wireless security checklist, in addition to our internal/proprietary methodologies.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Micro: Less than 5 APs and 250 wireless client devices, 1 SSID – $5,000 + Travel

Small: Less than 10 APs and 500 wireless client devices, 2 SSID – $6,500 + Travel

Medium: Less than 25 APs and 1,500 wireless client devices, 3 SSIDs – $8,500 + Travel

Large: Less than 50 APs and 3,000 wireless client devices, 4 SSIDs – $12,250 + Travel

xLarge: More than 50 APs and 3,000 wireless client devices 5+ SSIDs – Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Red Teaming

Red Teaming has overlap with penetration testing and application security testing, but in addition to testing the technical mitigation aspects of your security stance, it also tests the humans and detection capabilities in your organization.

Red teaming activities range from stealthy recon and penetration of your defense, to working directly with your blue team/SOC. Red teaming falls into two categories: Adversary Simulation and Technique Simulation.

Adversary Simulation

This form of red teaming is an objective driven, stealthy, adversarial simulation which attempts to actively circumvent security controls by carrying out exploits and attack vectors that take advantage of a series of discovered vulnerabilities and/or weaknesses in technical controls, human behavior, process and detection gaps, etc. The red team operation often takes output found during the pentest and/or app testing portion of the engagement, physical attacks and/or social engineering, exploits them, then moves as deep into the network as possible, just like an adversary would.

The objective(s) can include comprising high-value workstations and servers in your network with a persistent backdoor/RAT, gaining access to and exfiltrating your most valuable data, getting domain admin, gaining write access to source code repos, etc. An overarching goal to the specific goal(s) set forth is to avoid getting caught/seen/detected. Once the objective(s) is achieved, assuming we are not caught in the act, we will “get noisy” so your incident responders will see us. This gives them the opportunity to practice the incident response process, including discovery, containment, eradication and recovery.

Adversary Simulation is largely centered around current attacker techniques and campaigns, but also includes the usage of PTES, NIST SP 800-115, and OSSTMM testing guides and our internal/proprietary methodologies.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Technique Simulation

The second category we put red teaming activities into is Technique Simulation, sometimes referred to as “purple teaming”. This type of red teaming gives the best ROI of any security testing service. During this testing, we work closely with your blue team staff while launching individual attacker techniques. We monitor the activities to ensure they are mitigated and/or detected, and if not, help your blue team build the needed capability to do so. This cycle repeats numerous times to cover as many techniques as the engagement scope allows.

Parts of this testing use automated processes, while other techniques require manual methodologies. As such, it is common to run the automated processes first and then perform as many of the manual techniques as the engagement scope allows.

Technique Simulation and the techniques tested are largely centered around the MITRE ATT&CK framework.

Sample Pricing

Because our Red Teaming services are highly tailored to each client engagement, it is not possible to give sample pricing. The following are some of the key criteria in determining the costs for Adversary Simulation:

Small: No dedicated SOC, minimal technical control – basic level engagement

Medium: Basic out-of-the-box security controls, basic security staff – intermediate level engagement

Large: Multi-layered, out-of-the-box security controls, SOC – advanced level engagement

xLarge: Custom security controls, advanced SOC – nation-state level engagement

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Social Engineering Assessment

As email security filters continue to evolve and improve, attackers are moving from email-based phishing to other social engineering methods, such as SMS, phone, in-person impersonation, media drops, etc. These non-email based forms of social engineering rarely have the security solutions in place to monitor and block malicious messages and attacks, which is an advantage for the attacker.

The Social Engineering Assessment could include everything from the Phishing Assessment service (email-based social engineering), but it could also include a custom-tailored combination of SMS (i.e. smishing), phone (i.e. vishing), in-person impersonation (i.e. physical social engineering), baiting (ex. USB drops), social media, mailed letters/packages, etc. The details of the assessment are tailored to your specific needs and risk profile.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Because our Social Engineering Assessment services are highly tailored to each client engagement, it is more difficult to give sample pricing. The following are sample costs for some of the most common – vishing, smishing, and baiting:

Small: No dedicated SOC, minimal technical control

Single Campaign: $2,750 – $3,250

Three Campaigns: $7,500 – $8,500

Medium: Basic out-of-the-box security controls, basic security staff

Single Campaign: $4,250 – $5,000

Three Campaigns: $11,500 – $13,500

Large: Multi-layered, out-of-the-box security controls, SOC

Single Campaign: $6,000 – $7,250

Three Campaigns: $16,250 – $19,500

xLarge: Custom security controls, advanced SOC

Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

Phishing Assessment

74% of data breaches start with an attacker sending a phish email to compromise one or more of your systems (source, 2018 Verizon Data Breach Report). Therefore, it is imperative to understand how your defenses measure up to this common, and probable, attack. Unlike other forms of attack, phishing requires an attacker to both exploit the user (ex. social engineering) and bypass security controls (ex. email filtering) to be successful.

PEN Consultants offers Phishing Testing for your organization as part of the Red Teaming Service and Social Engineering Assessment, but we also offer it as a focused and stand-alone service, as seen below.

Our semi-automated phishing assessment service provides much more than the typical phish simulation offered by other providers. PEN Consultants, like others, mimics the latest phishing themes and techniques used by attackers to gauge your user’s ability to distinguish between legitimate and varying sophistication levels of phish. But, we don’t stop there. We also include malicious payloads and links to our attacker platforms to see if your technical controls mitigate the risks. If we are successful at both, we take it yet another step and enumerate the systems/data the compromised user(s) have access to.

By executing all three steps, PEN Consultants is able to demonstrate actual likelihood, impact, and unique risks to our Client. This far surpasses the value of simulation testing performed by most providers.

To keep costs low, this is a semi-automated service in which you will provide a list of email addresses, names, and titles for us to target along with technical details of your endpoints and security stack. By eliminating the majority of the recon and testing phases, as compared with a full scope social engineering assessment or red team engagement, and automating the phish deliveries themselves, we can keep expenses substantially lower while maintaining the ability to accurately gauge your risk and the impact of various forms of phishing attacks.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Small: No dedicated SOC, minimal technical controls, <250 targets

Single Campaign: $2,750

Three Campaigns: $7,500

Medium: Basic out-of-the-box security controls, basic security staff, <1,000 targets

Single Campaign: $4,250

Three Campaigns: $11500

Large: Multi-layered, out-of-the-box security controls, SOC, <5,000 targets

Single Campaign: $6,000

Three Campaigns: $16,250

xLarge: Custom security controls, advanced SOC, >5,000 targets

Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

On-going quarterly engagements

An organization who wishes to have a certain measure of security will request a one-time testing engagement and may or may not have that repeated on an annual basis. An organization who desires to add an extra level of protection for its data will request an annual testing engagement, followed by a continual quarterly service.

One-time intense testing has advantages and disadvantages. The advantage is that the security tester will be completely focused on your site during the testing. The disadvantage is some real-world attacks require many weeks or months to fully perform, so they will not be completed by the end of a one-time engagement.

The continual quarterly service has several advantages:

Longer attacks can be carried out, which normally would not have time to complete during a one-time testing engagement.

Your network will be evaluated on a continual basis, with most aspects of testing being performed four times within the year.

The latest attacks and n-days will be tested against your organization much more quickly, soon after being made public.

Discount

Annual testing: 10% discount

Semi-annual testing: 20% discount

Quarterly testing: 40% discount

Note: Discount requires an initial full-scope engagement

Nonprofits

PEN Consultants offers a 10% discount on all services to nonprofits – including, but not limited to, nonprofit schools, churches, charities, humanitarian organizations, etc.. Simply Contact us to get started with the nonprofit discounts.

Additionally, we have created a grant program in which individual donors can contribute directly towards the costs of testing services for particular nonprofit organizations.

How it works – For Nonprofits

Contact us so we can discuss the type of service(s) you are looking for.

PEN Consultants will provide you the pricing for the requested services, along with the discount being extended to you.

How it works – For Donors

Submit the form at the bottom of this page to register as a donor.

We’ll contact you to determine the specifics of what types of organizations you would like to sponsor, maximum dollar amount, or any other restrictions you may wish to apply to your donation.

When a client requests services, we will reach out to you and confirm you are still willing to donate towards the testing and collect your donation.

Currently Sponsored Organizations

We are pleased to announce that because of the generosity of donors, we are able to extend additional discounts to the following nonprofit organizations.

Churches

Must hold to and teach the Bible being God-breathed, inerrant, and infallible, and hold beliefs consistent with the Apostles’ Creed.

30% may be donated

Christian missions or humanitarian organizations

Must have an overt focus on sharing the gospel, in the spirit of Mark 16:15.

30% may be donated

Christian logistical support organizations

Examples: transportation, technology, food services, etc.

Must have an overt focus on providing products and services to the Christian community solely, or predominantly, as evident by the nature of those products and services being offered, company core values and missions statements, etc.

20% may be donated

Donor Sign-up

Name or Organization *
Email Address *
Phone Number
Other Contact Method
Note
Phone

* nonprofit, as defined and approved by IRS, HMRC, etc.

Web Application Security Testing

Web Application Security Testing (AKA Web App Penetration Testing) involves automated and manual evaluation and testing of one or more applications to ensure they provide protection against abuse of your data. We use a combination of automated industry-standard scanning tools to look for well-known vulnerabilities as well as conduct extensive manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.

This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).

Confidentiality is limiting information to only the authorized person(s) who should have access to it.

Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).

Availability is the ability for an authorized person(s) to access the resources when needed.

The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure your security configurations are strong, and then provide actionable solutions to help you protect your organization from attack/compromise. Types of common vulnerabilities found during this testing include those that allow an attacker to carry out remote code execution, DoS, SQLi, XSS, Directory traversal, privilege escalation, etc.

See additional examples
static and dynamic vulnerability analysis, information gathering through OSInt and public research, configuration management, temp files, logs, network & infrastructure configuration, HTTP methods, HTTP headers (ex. HSTS, CORS, XSS, X-frame, etc.), identity management, user registration & account provisioning process, account enumeration & guessable user accounts, authentication & authorization, brute-force, authentication bypass, privilege escalation, 2FA/MFA, cache weakness, password policy, directory traversal, insecure direct object references, secure session management, session timeout & logout, session fixation, CSRF, session control, puzzling & hijacking, input & data validation, sanitization, & format string attacks, XSS, SQL, command, & other forms of injection, SSRF, file inclusion, buffer, heap, & stack overflow, error handling, cryptography, secure data at rest (ex. local store), in use (ex. IPC) and in transit (ex. SSL/TLS), secure network communications, certificate trusts, protocols, ciphers, protocols, etc., MiTM attacks, risky business functions and logic, file uploads, process timing attacks, reverse engineering, user accessible logs and alerts for authentication history, password resets, account changes, account lockout, etc., DoS, and more

In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine your exposure, should it be breached. The testing is largely centered around the OWASP testing guide, but also includes our internal/proprietary methodologies. This is “noisy” and may generate alerts in the monitoring solutions you have deployed.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Sample Pricing

Micro: Apps with less than 12 pages or major functions and 2 user roles (or less) – $10,750

Small: Apps with less than 25 pages or major functions and 2 user roles (or less) – $14,750

Medium: Apps with less than 50 pages or major functions and 3-4 user roles – $18,750

Large: Apps with less than 100 pages or major functions and 4-5 user roles – $24,500

xLarge: Apps with more than 100 pages or major functions and 6+ user roles – Varies

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. You only pay for the following services you need:

post-testing briefings – executive level and/or technical level

Micro: $400 each, Small: $550 each, Medium: $675 each, Large: $825 each, xLarge: varies

remediation testing

Micro: $700, Small: $825, Medium: $975, Large: $1,100, xLarge: varies

assist technical support staff with mitigations

$1,100 per 5-hr block of consultant time

assist SOC staff in building detections

$1,100 per 5-hr block of consultant time

on-site supplemental testing and/or visits:

mileage fee of $3 per mile from 78006

plus, $300-450 per day for most visits

DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time.. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).

DISCLAIMER: Other than Wireless Testing, all testing is remote-only unless otherwise noted. Sample prices and prices quoted are for remote-only and do not include travel. See the On-site Supplemental Testing add-on for more information.

© PEN Consultants, LLC 2013 -

Burp+SSLintercept with Kali+Docker+Java+Python+Browser

Published on September 15, 2018

Burp+SSLintercept with Kali+Docker+Java+Python+Browser

My Environment:

Notes:

The Steps – Host OS:

The Steps – Docker OS (mainly):

On startup (do every time):

Related Posts

Vulnerability Disclosure Policy

Annual Team Meet-Up (2021)

Acquisition of PEN Consultants, LLC

Contact Us