Jan Fry
11 Oct 2014 | Guests
Who are you, and what do you do?
My name is Jan Fry. I work for Corsaire as an IT Security Consultant and I am also the minormind behind this website. I spend most of my time assessing web applications and I still get a kick out of finding cross-site scripting after seven years in the industry.
What hardware do you use?
A bit like Uri, I have minimalist tendencies and therefore my tech collection is quite sparse but I don’t mind spending money on the right piece of kit. I currently use a Sony Vaio SVS13A; for me it offered the best balance for power, portability and screen resolution when I bought it two years ago. I was tempted at the time to stick with Lenovo, having used an X200s for years, but for some inexplicable reason, RAM on Lenovo’s more portable range seems to have stalled at 8GB. The Vaio offered 12GB, which is just the right amount for me to be able to run my virtual machines.
As soon as I bought the laptop, I dropped a 256GB Samsung SSD840 in it and remain continually amazed at how fast it boots. 256GB gives me enough space for my regularly used virtual machines and tools. Everything else (e.g. ISOs) lives on an assortment of USB keys.
I also have an iPhone 5 (it has so far survived the upgrade itch) and a selection of useful adapters and cables.
And what software?
My host OS is a pretty basic Windows 7 install; I use this mainly for Interweb browsing. My “toolkit” collection also lives on my host and I share the folder across my virtual machines. There are currently five main ones:
- Windows Thin PC for daily testing - This is a lightweight version of Windows 7 which I have found works for most of my testing requirements. This was the closest I could get to my old heavily stripped down Windows XP build without bluescreening daily. Occasionally I will need to build another full Windows 7 VM for particularly fussy thick-client applications.
- Windows 8 for reporting and other office related work - I like to keep this stable and separate from my testing VMs. I built it using the WIMBoot option; it is a fairly small install size too.
- Ubuntu for everything that won’t run on Windows Thin PC.
- Kali as a backup.
- BeeBox for testing tools.
The toolkit itself has a collection of tools, scripts and installers that I have built up over the years. I’ve gone through a few different attempts to organise it all and while I can generally find what I’m looking for there is definitely a lot of tidying up to do. I should really back it up more often than I do.
I could ramble on for a while about all the tools in my collection but I’ll stick to the most frequently used:
- Firefox with addons - Still my favourite browser for everyday web app testing with add-ons like Tamper Data, FoxyProxy and HackBar. I realise you can get similar add-ons on Chrome but its permission requests weird me out (More tinfoil for your hat, sire?)
- Burp Suite - No surprises there, (almost) everyone’s favourite proxy tool. I have been looking closely at ZAP’s development but find it hard to make the switch as I have a comfortable workflow with Burp. I will occasionally break out Fiddler for some proxy-chaining action if Burp is misbehaving, particularly for weird NTLM/Kerberos configurations.
- DirBuster - Another soft spot of mine. I could probably cover the same ground with other tools or within Burp but I’m just used to DirBuster now. Combining it with Daniel Miessler’s awesome SecLists project makes for a very handy little tool.
- SQLMap - Another predictable entry I suppose but still the best tool for finding SQLi in my experience.
- SWFScan - Helps sniff out vulnerabilities like XSS and redirects on Flash files. Comes in handy surprisingly often!
On the non-testing side (i.e. report writing), there are the usual “necessary evils” of Microsoft Word and Excel.
What would be your dream setup?
I am, once again, drawn to the Apple ecosystem. The ideal would be a 12” MacBook Air with 12+GB RAM and a retina display. I’d like to be able to run most of my tests from the host OS (although the idea of not being able to snapshot gives me the heebie-jeebies). It would be super-awesome-cool if I could run any of my tools without having to consider which OS they require (Docker mayhap?)
I’d also like to find a more elegant way to organise, maintain and back up my toolkit but I’m not sure what that really looks like yet! I have attempted on a couple of occasions to create a local wiki of sorts, but inevitably end up neglecting them and reverting back to random text files and poorly organised folders of scripts and applications.
I realise I may be trying to reinvent the wheel and that half of the two people, who will still be reading this far, will be thinking “use Kali, you idiot” but I actually quite enjoy thinking about my setup and trying to streamline it to my own requirements. Having said that, suggestions are welcome ;)