We think we know what it takes to build hacking tools
- Article tags
Why would someone spend a lot of their time making penetration testing tools? Especially when it takes what it takes to maintain them.
Today on We think we know, we're peeling back the layers of offensive security with the enigmatic Panagiotis Chartas, also known by his alias - T3l3machus - a nod to his Greek heritage and the strategic depth of his expertise.
Stay tuned as we explore how tools like Nmap and sqlmap have shaped penetration testing over the last two decades, and stick around to discover which aspects make pentesting predominantly a craft - and which parts have become standardized (and what that means for your work).
Panagiotis Chartas bio
Panagiotis, also known as Telemachus, is a passionate penetration tester and researcher whose goal is to solve real-life problems with technology
Known for his dedication to the offensive security community, Panagiotis crafted notable tools like the Villain C2 Framework, HoaxShell, and many more, with his work even making its way into Kali Linux's repositories.
His deeply analytical approach combined with impressive data structure and offensive security skills - as well as an exceptional out-of-the-box thinking - make him one of the strongest contributors to our community.
Unpack this conversation to discover:
The depth of the work involved in crafting offensive security tools [04:45]
What you can learn only by developing and maintaining tools [08:03]
How Villain evolved and key learnings from building it [17:00]
The challenges of finding balance in deep offensive security work [21:30]
How Panagiotis uses automation to make his work smoother [25:35]
How building his own tools shaped his thinking [32:00]
What makes penetration testing a craft (with hands-on examples) [38:12]
Why (and how) he finds the motivation to do meaningful work [48:16]
What kind of projects keep him energized [50:55]
Venture with us into the evolution of hacking tools, as T3l3machus shares his journey from admiring early toolmakers to becoming a pioneer, creating tools like BabelStrike and Villain.
Enjoy!
Resources from this episode:
Panagiotis on LinkedIn
Panagiotis on GitHub
His YouTube channel
How to create your own GitHub projects
John Hammond about hacking using Villain
Listen to this conversation on:
Episode transcript
Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries?
And what's limiting my ability to think creatively?
This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.
This is We think we know, a podcast from Pentest-Tools.com
Today, on We think we know we're peeling back the layers of offensive security with the enigmatic Panagiotis Chartas, also known by his alias T3l3machus, a nod to his Greek heritage and the strategic depth of his expertise.
Andra Zaharia: Venture with us into the evolution of hacking tools as Telemachus shares his journey from admiring early toolmakers to becoming a pioneer himself, creating tools like BabelStrike and Villain. Stay tuned as we explore how tools like Nmap and sqlmap have shaped penetration testing over the last two decades, and stick around to discover which aspects are predominantly a craft in pentesting and which have become standardized and what that means for your work. This episode promises to hack its way into the depths of your curiosity with a guest whose passion for ethical hacking knows no bounds. Enjoy!
Panagiotis, welcome to We think we know. I'm really excited to talk to you today. Thank you for accepting the invitation, and I cannot wait to unpack all of the great things that you do and know.
Panagiotis Chartas: It's great to meet you and thank you for the invitation.
Andra Zaharia: So I wanted to start with something first that's not directly tied to work, but it is. Why did you choose T3l3machus as your nickname? I'm a huge lover of just anything Greek, especially ancient Greek history. And I thought that that was such a great choice, and I thought that maybe you'd like to share with us why you chose that particular name.
Panagiotis Chartas: I've been waiting for years for someone to ask that, so I can explain why. Because I also think it's a cool name for someone that is into hacking, because Telemachus, in Greek, literally means someone that is fighting from a distance. And Telemachus was the son of Odysseus, in Greek, Odysseus. And he was an archer. And I am also Greek, so I thought it was cool to pick up this alias because I'm Greek and it describes someone that fights from a distance, like a hacker does.
Andra Zaharia: I love that. Actually, I didn't get that nuance, particularly from the myth, from the story, and from the Odyssey and so on and so forth. So that's really interesting to me. And I feel like a lot of symbolism in hacker culture comes from a lot of ancient concepts, including ciphers and cryptography, and many of the symbols that have shaped our culture over the last couple of thousand years. Now, I'm really glad you're bringing that into your work.
Panagiotis Chartas: I guess that's true. Also, many famous tools have legendary beast names. For example, Hydra. Actually, that's not a hacking thing. This is just a protocol for authentication. But, yeah, Kerberos, for example. Also something Greek and very old.
Andra Zaharia: Yeah, I really love that. And a good name. We both know it goes a long way into making things memorable and making things stick. I mean, for as much as we love the technical minutiae of things, the technical details, we also love kind of the universe that we built around tools, around our processes, around the work that we do, because it just makes it more enjoyable.
And speaking of that, you are a true builder. You've built so many tools and frameworks, and you've done so much for the community and put so much out there. And what I'm really curious to learn is, what are the things that you've learned developing these tools and putting them in the community that maybe otherwise you wouldn't have?
[04:45] Panagiotis Chartas: I started making tools because I really admired some people that many years ago, the people that started making hacking tools, like 20 years ago, 15 years ago, and they created the path to this community that we are enjoying today. The hacking community would not have been the same if some very talented people just shared their very creative ideas.
For example, think of Nmap and Metasploit. It opened a way for people to learn to come into cybersecurity, and not only, maybe even IT, and programming by interacting with systems. And imagine this, if you didn't have Nmap and Metasploit, when you don't know so much about computers and cybersecurity, to just interact with something and see how it feels like. How can I do a port scan? What are the results? How do I deliver an exploit? How do I slap an exploit in a weak service and I get a reverse shell? How do I create malware, like a file that's malicious, that if someone runs it, will give me access to his computer?
If there were no tools like this, then it would be almost mandatory to have studies in information technology and computer engineering, software engineering, to be able to understand these concepts. And someone would still have to follow this path, the dark side. He would have to be a Sith. It would be really complicated.
Panagiotis Chartas: But now we have all these people creating resources and tools and guides and everything, and it's actually definitely much easier than what it was 15 years ago to join. And years ago, when I also started practicing and studying information technology and I was using Nmap and I was wondering, what are these results? What does it mean? The output of this tool? What does it mean? And I started learning. I admired these people so much that they created something. So it's so cool. Okay, let's just admit it. It's just like the coolest thing you can do. It's like playing electric guitar or something. I don't know. Two of the coolest things you can do in your life are creating a hacking tool or playing the electric guitar. Okay, so I saw it and I said to myself, one day when I will become better and I will learn much more about programming and computers, I will try also to create tools. And this is a little bit how I ended up doing this. I'm not sure I answered your question. Maybe I just started talking about tools.
Andra Zaharia: No, that is an excellent background. And I love how you highlight the fact that tools have shaped this industry and our thinking and have actually opened the door for more people to start engaging with it and start developing their tools. And I guess another layer of that is what you learned while building them, but also while putting them in the hands of the community. Because it's like building a tool is one step, one stage, but then seeing how people use it and getting their feedback and engaging in those conversations, that amplifies the experience. So I was wondering what you got out of this, both in terms of specific professional development, but also maybe just through the community that you've built around them.
[08:03] Panagiotis Chartas: Well, the obvious answer is it helped me learn some of the programming languages, scripting languages that I used. It helped me to learn them better. Some computer concepts, of course. Some tools I built needed some knowledge that I had to study and see how protocols work and how can I use them in the way that I wanted.
And the feedback was generally positive. It was fun and encouraging to see people create videos for tools I published and demonstrate them or write articles and sometimes even use them in ways that I did not intend to. For example, recently I published a tool that is called BabelStrike. And the name is ridiculous, I know, and the tool is pretty buggy. Also, it's a work in progress. We're getting there. But the purpose of this tool is to help solve a problem that occurs sometimes during the phase of a penetration testing that we're trying to establish a foothold.
Here's the thing, penetration testers many times will scrape social media platforms to gain various information. Some of it is employee data because this is useful because you can find some sensitive group of employees like point out that hey, this guy is an administrator, this guy is the CEO. And this could be useful in certain types of attacks. And also something we usually do is compile lists of full names of employees. This is useful because we pass it then to other tools that take these full names and generate possible valid usernames out of these full names.
It's something we do, and this helps with performing automated password attacks. When you're trying to guess a valid username and password pair or enumerate valid domain users, which is something really common. And here's the thing. If you're targeting a very large organization, if you're for example, you have a project against Microsoft or Amazon or, I don't know, some organization that has a lot of employees, and you start scraping LinkedIn for example, which is very common to do, you will probably end up with a list of full names that includes many non-English names. This is a problem because if you input a Greek name like mine for example, in this process, it will probably generate usernames. If your tools don't error out, it will generate possible valid usernames that are not really valid usernames because it will have Greek characters. And the possibility of a system administrator of an active directory realm to have used non-English alphabets is highly unlikely. I'm not even sure it's possible, but I don't think anyone is doing this, so it's a problem.
And sometimes it could be multiple languages because someone might have created his profile in Greek, which is his native language, or Spanish or I don't know what it could be Russian, whatever. So I said, okay, cool. I will make a tool that can transliterate lists of full names and then generate possible valid usernames to automate this process fully and be confident. This just raises your chances of success when you're doing this whole process of enumerating usernames, password attacks, maybe something like that. So I created this tool that does that the best it can, okay? It will improve. Some time ago a person made a post about this and he used it in combination with another tool that is really famous in the pentesting scene. It's called CeWL, and I hope I'm saying this correctly. This tool takes a URL as a command line argument and some other parameters and it crawls a website, a target website that you have pointed out, and it's compiling a list of words that exist in this website.
This is useful because again, in password attacks, you would be surprised to see how many times users will use a word for their password that is present in the content of a website. It happens, and it's a thing in CTFs also this. And to not make it super complex, you can take these words and perform other transformations on them and make them look more like passwords. Okay, let's not make it too complicated. So the same problem occurs there because you might crawl a Greek website or a Spanish website. It depends what is your target. So the problem persists. And this guy took this tool and he used it with CeWL and he transliterated the words that he found on some website that was not English to make it closer to valid possible passwords. And I saw it and I was like, oh, right, yeah, that too. And I didn't think about it, which is kind of stupid. But no, I was focused on solving the problem that I had the full names that I wanted them to be transliterated correctly because it's a big if.
There are solutions that will transliterate text from other languages, but they will not transliterate it in a way that a human would probably do it. And every language is particular. So I said, maybe I can make a project, a skeleton around this process and maybe other people can contribute the character substitution maps. This is how this tool works for other languages. Native speakers. I created the Greek one, a friend of mine created the Polish one, and some other people gathered, found the project and they created more. And it's still a work in progress. It's not used that much, but it is something that recently happened. There was also, of course, negative feedback. I don't believe it's impossible probably to not get negative feedback, right? Even if you produce top-quality content only, even if you are the Jesus Christ of what you're doing.
Panagiotis Chartas: Even IppSec himself would probably have received hate comments or bad messages or something. And I just revealed that I worship IppSec. Wouldn't it be funny if I just raised my shirt and there was an IppSec tattoo here or something?
Andra Zaharia: We can definitely do that for after the conversation we had.
Panagiotis Chartas: He would probably block both of us for life and never talk to us again. But yeah, it doesn't matter. So I think the most negative. You know, I just remember something funny. There was a guy. If you check my YouTube videos, you will probably find some bad comments as well. In a couple of them, I think there was this guy that posted some curses, but it was in Greek, but the guy was not Greek. It was kind of obvious that this person is not Greek. So check it out. He went into the process of, he said, hey, I want to curse him. He's Greek. So I will search for Greek curses because it will be more painful and I will curse him like that. And when I saw it and I understood a little bit what happened, I thought it was. I respect him for doing that.
Andra Zaharia: It was a level of commitment.
Panagiotis Chartas: Yeah, I take it hurtful at this point. I didn't even delete it. It's still there, and I like to see it sometimes. It is funny.
Andra Zaharia: It is absolutely fascinating to watch what people do with the work that we put out there, whether it's creating content or creating tools, or starting conversations. And I think that's one of the largest, like a big chunk of the learning process, realistically speaking, because that's when you learn the most, like new use cases, people being creative, which is the very heart of hacking, the very heart of this type of work that is actually incredibly generous. And maybe not many people acknowledge that because they only see the technical side, just the technical acumen that it takes to bring these things to life. But then it combines with people's native creativity and intuition and curiosity, and that turns into something else, just like you mentioned. Like Nmap, it has so many applications that it's built into so many things around the world that it spiraled in a good way into something that most likely its founders never anticipated, which is a good thing. That's how industries grow, and that's how we help develop each other. And I was wondering if you could share.
Thank you for sharing this about BabelStrike, but I thought you could share a bit another story about one of your other tools that actually became rather famous. And I'm talking about Villain, of course. How did that come to be? And what was the experience like, to see it kind of validated in the industry in the way that it was?
[17:00] Panagiotis Chartas: It was really surprising. It happened a little earlier because Villain is kind of like the evolution of another tool that was called HoaxShell. Some proof of concept idea that I made about bypassing establishing a pseudo shell on a Windows host that did surprisingly well against anti-malware solutions. And the idea behind it is not something new. The implementation is something new, but the idea is not really something new.
And it was actually quite simple, I would say. Sometimes I refer to it as stupid because it was super simple. It wasn't something crazy. But it really took off this project. And after that, I had the inspiration to develop this further and create something more sophisticated out of it. For example, HoaxShell at the beginning could only handle one session and many people complained. They told me, hey, why didn't you make it multi-session? Are you dumb or something, man? What are you doing here? And actually, I agreed with that and I was in a very creative phase, I still am, and I really wanted to try and see where it goes. I did the best I could.
There are some features in Villain, which is a C2 framework that currently supports TCP-based revershells and hopshells. This listener that I made for some HTTPs or HTTPs pseudo shells, and it has some good characteristics. You can connect with others very fast, like two people, three, four people running Villain on their machine, they can connect with each other, sessions established on reversals established on various hosts. And it's kind of cool and really fast to install and has some additional features.
But to be honest, it's not like your best option of C2. There are other implementations that are much more sophisticated, but it's something I'm working on and everything. It was really cool to see that offensive security added it in the network repositories of Kali Linux. That was really encouraging. Also, John Hammond made probably the coolest video presentation that was possible to make about this tool. And it was really encouraging. Yeah, I haven't developed it that much lately. I will come back to this project because I have many other tools that are not public, that I use very often in my everyday work, and I needed to focus on some other projects right now. But yeah, it's something I loved doing and I will definitely come back to.
Andra Zaharia: And we're very grateful. I mean, I speak on behalf of the community, or I think it's a part of it when I say we're really grateful for the tooling that you put out there, because all of these corner cases that we've talked about, that's part of the grit and the determination that you need to have in the approach that you have towards offensive security, whether it's red teaming or penetration testing or a combination of activities, you need these highly specialized tools exactly when you get stuck. And to be frank, you do get stuck in this line of work quite frequently, simply because it's trying a lot of possibilities and figuring out which one of them doesn't fail, realistically speaking.
And I was wondering, behind all of this work that you put into these tools and into explaining concepts for the community and creating very useful, very practical frameworks and examples, what is it like? Well, first of all, how do you find the time for them? How do you balance your work with doing this kind of effort for the community? Because working, I mean, using these tools as part of your work is one thing, but creating this body of work for the community and then engaging in those conversations and helping others use your tools, now that's a whole different thing and it feels like a full-time job. So how do you manage to keep these things as balanced as possible in your life?
[21:30] Panagiotis Chartas: I don't. This is the answer. When it comes to me personally, there is no balance. I never managed to achieve that in my life. Probably when I wanted to do something, I just devoted as much time as I could from my personal time even to it. And this is the same thing that happened with making tools, and the same thing happens with studying for certifications or playing CTFs outside of business hours. And I think this is the case for all of the people that want to make steps quickly and they are really passionate about what they do and they want to learn. And yeah, it's something that I really need to work on because it does take a lot of your personal time to have many passion projects. Let's say it does take a lot.
Andra Zaharia: And maintain them, because then we have technical debts and things like that that come creeping in there.
[22:25] Panagiotis Chartas: This is something you can't underline enough, the cost of maintenance. It's something that younger people maybe need to hear. It's something that needs to be in your planning, the cost of maintenance in everything you do, because it's not like you achieve a goal. Okay, we're talking about penetration testing tools. It's not like you will write an awesome tool and that's it. It will need to be maintained. This means if you have published something on GitHub, it means you will have to respond to issues, pull requests. A pull request could be a code review and it will all take time. You will have to test it. Also, testing is really painful. Also something that I didn't do enough for many tools I published and they were buggy. Okay, I guess buggy code is in the process.
Yeah, but the cost of maintenance is really important, something you should consider before you get into something big, a big project, because we're not talking about scripts. A script of 1000 lines of code or something like that is something that the penetration tester would do almost every day. Probably you will write scripts to test something real quick. I'm not talking about projects like this. I'm talking about something that you are really passionate about, you want to make it huge, you want to have tons of functionality and build a community around it or something like that.
Andra Zaharia: Thank you for sharing that. That is an important reminder and something that we don't talk about too often, because it's not the most appealing, most fascinating, most intriguing thing. And in the space of offensive security in general, we tend to go after things that seem more intricate, the more complex, the more difficult the puzzle is, the more we want to solve it, which is wonderful. And it is definitely something that I applaud and many of us seek. But at the same time, there are a lot of mundane activities that are part of the workflow so that we can do those extra cool things that we want to achieve.
Andra Zaharia: I feel like this is a perfect segue to the topic of automation and how building your own tools and maintaining them, but also trying to figure out how to plug all of these new things that are happening and understand them and break them down and figure out how they play, what role they can play into your work. It feels like that side of things, the automation side of things can be overwhelming sometimes. So I was wondering what your relationship to that is, because you're definitely very tied to the craft aspect of beneficiation testing, which is definitely something that I want to go into further in our conversation. But what is your relationship to automation and to, let's say, tools or processes or all kinds of other things that come to alleviate, or claim to alleviate some of that pain of the mundane work and other things like that?
[25:35] Panagiotis Chartas: Yeah, I use a lot of automation and I kind of enjoy it also like automating stuff. It's cool. I think it's something that, in performing technical assessments, it's something that more or less everyone is into writing bash scripts, Python, power cell, whatever it is, it's a real thing. And the obvious use case is, of course, repetitive tasks. I mean, if you have a repetitive task and there's absolutely no reason, why wouldn't you spend some minutes or hours or even days to create some solution for that, that will make your life easier. And in the penetration test, in the typical penetration testing process, there's unlimited tasks that could be automated, given on the results you get by enumerating targets, test cases that you will come up with, there will be probably the need for automation.
Maybe, for example, you will have some weird output and you want to perform a sequence of decoding routines against every line of a list of crazy strings to see if something comes up, something that is readable. Something that makes sense. For example, maybe you will have somehow exported a base 64 encoded byte arrays that are in the list. I'm just seeing random things now that could be some possibility. Not a great example, but yeah, I think probably someone will get it. This is something you can automate and a million other things like what I said before, the transliteration of these full names or turning full names into possible valid usernames. For example, you have an input line, Jon Snow, this could be: J Snow, Snow JS, J_S, J.S. And one of them could be valid. And there's unlimited amount of such things in pentesting that you can apply automation.
Another area is scheduled tasks. Maybe there is a set of commands that you want to run periodically, like every hour or two times per day. I think a great example of this is how bug bounty hunters sometimes treat the programs that they follow. They probably create something like monitoring of targets. For example, you have a domain, you're monitoring a specific domain for new subdomains. And if something new pops up, then probably these guys have set alerts to get an email from their program that says, hey, there's a new subdomain for Microsoft that you were trying to hack. And if you're first and you look into it and there's a vulnerable component in it, maybe you will end up with a bounty and make money, that's a cool example I can think of.
Blue teamers, also the so-called smurfs by some in our community, they use automation heavily to detect malicious activity. I think their toolset is mostly based on automation. They use, of course, manual stuff also, but they also make heavy use of automation.
Andra Zaharia: Which absolutely makes sense because we wouldn't be able to function without it. I mean, at the scale and at the rate that things are expanding right now, it is impossible to not do this without automation. But what's particular about offensive security is how we use this. And because there are so many cases that are very specific and because we're looking for corner cases, the stronger the defenses a company has, the more we have to look for a way and to gain that initial foothold, then the story is, well, not, the dynamic is definitely somewhat different, but we can all benefit from each other's experience.
And I see a lot more of that today, a lot more knowledge sharing and a lot more coming together of offensive and defensive security specialists. Is that something that you've experienced? Do you draw inspiration from blue teams? Do you collaborate with them at work? What's that dynamic like for you?
[29:55] Panagiotis Chartas: Yes, we do collaborate with them. We simulate specific attacks and they are waiting from the other end to see if they can detect it with the tool set they have and the rules they have set. And we help tune their tools better and make sure that if something malicious pops up, they will get it.
Also, when new vulnerabilities, new exploits, new malware stuff come up that really have some high criticality, high severity, we also perform tests to see if we can catch that. Sometimes some of them are really creative. They create their own rules to detect specific threats that they have studied for and they want us to make an exercise on that. They explain to us how it all works. Sometimes some guys are really into, I don't know, it's really complicated, the things they are trying to detect. Yes, more or less. That's it in that area.
Andra Zaharia: But that's so extremely interesting because we need a lot more of that. We need a lot more of this type of practice where we simulate things for each other and learn from each other's tools and tactics and thinking about.
Because our conversation is very tool-centric, I wanted to add another layer to that and ask how your relationship with tools, any kind of tools, the ones that all the community uses, like paid, open source, whatever they are, how has it shaped your thinking and your approach in the work that we do? And how has that evolved from a couple of years back until now? Because it feels like you've had this meteoric rise in the past few years and you've done so much to give to the community and you've grown so much in your role as well. So I was wondering exactly how using these tools and building them has shaped your thinking and your approach.
[32:00] Panagiotis Chartas: I learned a lot of things about myself by creating content. I also started doing YouTube at some point. I did it mostly to explain what are these tools supposed to do, why? And also kind of keep an archive of myself, my work back then, because I thought, hey, you know what? Years will pass. Maybe it will be cool to be able to return to it and see the way you were thinking back then and have an archive of yourself.
But honestly, I received the most negative feedback from myself while doing this. It's hard to explain. I made many things that I consider mistakes. I rushed into publishing stuff. I published buggy code. I did not make any research before. Like any research. Okay, I did make some research. I mean, it's a good thing before you dive into an idea that will take a lot of time to develop whatever it is to do some uniqueness assessment.
Because if you have an idea that has already multiple good implementations, maybe it's not worth diving into it. And maybe you should invest your time and energy somewhere else. And definitely there should be a plan. Like you should try to look into the future, try to see what the first version would look like and what will be the continuation from that. And not just be super passionate about something because you think it's cool and dive right into it and devote a significant amount of time that after that you will do the math that you should have done before and realize that I didn't do this greatly, I could have done this much better.
This has happened to me a lot because unfortunately sometimes I'm driven by passion. Also, I did not calculate at any point the cost of maintenance of anything. No regrets. It's just what I took out of making these tools and I have not achieved the goal I had when I started doing this. And I'm not done, of course, yet. I think you're giving me more credit than I deserve with this tool making or something. And some other people as well too.
Andra Zaharia: What I know from my own experience as well and many other people is that we are our worst critics and that we're kind of hunting our own mistakes quite a lot, especially when we look back. But the measure of progress is exactly that. Looking back at our work and figuring out like, oh no, now I see all of these things that I could have done better and that I can do better now.
And that in itself I feel like that is something that's worth celebrating or acknowledging at least as a good thing. Because without putting ourselves out there, without creating work, any kind of work, that involves such a degree of vulnerability and a bit of courage and a bit of sitting in an uncomfortable situation where you don't know how people are going to react to this work and doing that, the emotional labor of that mental effort is definitely worth it.
And yeah, I think that we are own worst critics and that it's something that sometimes keeps people from doing anything at all, from putting anything at all out there and what I've seen and why, if we look at people that we appreciate, they've put things out there. And even if they were imperfect, we appreciate them because we get to learn from them and because they inspire us to do the same. So I think there's a lot of value in the work that you do. And I appreciate you, again, sharing so honestly about this because it's not easy to talk about the things that make us feel uncomfortable, especially when there are things that make us kind of bunch up on the inside and say, yes, but I could have done this so much better. So thank you for that.
I feel like that is a creative struggle that actually resembles. So this is where hackers resemble artists, because it's such a unique type of work, because it's unique to everyone who is in this field. It's unique to their background, to their stories, to their passions and curiosity, and in corner cases that they want to study. It's all of that together. And if you look at all of the kind of resources around creativity, they all kind of bring up the same things. This uncertainty, the self-criticism, the creative blocks that we have and that we try to overcome, and having people who share in the community and who do this in spite of that fear, in spite of that annoying, kind of nagging feeling that this could be better, that's a huge, huge win for the community at large. And this is the craft aspect of it, too, isn't it?
Because the key topic of this first season of this podcast is why penetration testing is a craft and not a commodity. Like, unfortunately, let's say one part of the industry is trying to push, hey, we can do this for, a previous guest was saying that they saw MSPs trying to sell penetration tests for $90. You could get this for $90 and you'll be fine. You're going to get everything that you need that's fully automated, of course. How otherwise would you be able to sell this at even at this discount just for nothing? I was wondering what your perspective is on that, because you're so deeply analytical and you're so thoughtful with these elements. What makes penetration testing a craft for you, and why do you think it's important that we communicate that further in our companies, with our customers, beyond the community?
[38:12] Panagiotis Chartas: Hacking as a concept, and for simplicity's sake, let's give it a short definition here, okay? Let's say it's interacting with a system, or sometimes even with the operator of a system, in a way that results in gaining unauthorized access to system resources, applications, networks and information. Or all of it, right? Whether ethical or unethical, in my opinion, hacking meets all of the characteristics that makes something a craft. It requires deep knowledge and understanding of various computer networking programming concepts. It requires familiarization with documented adversary tactics and techniques and known vulnerabilities. It requires creativity and thinking out of the box. I mean, how else would you discover vulnerabilities and exploit them? Probably the most important characteristic, for me at least, is that it requires a very sophisticated, that it often requires a very sophisticated toolset that is constantly expanding. Here goes this part. I told you before about all these tools, how they influence the community.
And I will give you another example that I love talking about because I love sqlmap, probably most of all tools out there. I don't know. I really like this one. It's a great example, I think, about the impact these tools had in the world generally. SQL map, a tool that automates the process of identifying and exploiting SQL injection issues, okay. It was published, I believe, in 2006. So it's almost 20 years old. And I don't have right now research to back up what I'm about to say.
But I bet everything I got that if there was no sqlmap and derivatives of sqlmap similar tools, the cybersecurity incidents related to SQL injections would be 50% less, maybe more globally. Also, the SQL injections that were discovered during authorized assessments, the other side of the coin would be significantly less. And especially the ones that had a proof of concept like, yeah, this is a vulnerable component and here's how it can be exploited and what's going to happen.
Because this is important to do, to provide a valid and accurate proof of concept because you need to motivate the recipients of a pentest report to patch and fix systems.
And if you don't manage to do that, it is a possibility that you will find something that is vulnerable and you won't manage to exploit it. It is in the game. So sqlmap and these kind of tools, for example, played a great part in achieving that, both the actual hacking and the patching, because of a discovered vulnerability.
And let's not forget the impact of a cybersecurity incident. What could be the impact? Maybe personal data will be leaked, especially when we're talking about exploiting databases like this tool is specializing in. Maybe personal data will be leaked credentials of people. Because if a huge database is leaked and passwords go out in the wild, then our accounts are not safe anywhere because we tend to reuse passwords. And also, and most importantly, a company could lose its credibility because it created software that was vulnerable and it got exploited, and now clients are just jumping off and nobody's using it anymore. So this means losing business. This means people could lose their jobs. And if you just put all of this into perspective, a tool that probably started as a script and grew, right? There's a huge impact. We're talking about almost 20 years that it exists and people are using it for evil and people are using it for good and the shape that it would have. And especially if you think about the combination of all these tools together that are so many nowadays, it's huge. It's huge, and I think everyone understands it.
But scales are important in life, and scales are sometimes difficult to comprehend. Sometimes people, they don't comprehend them correctly, I think. So all of these are examples of craftsmanship, what makes pentesting a craft.
Panagiotis Chartas: But to be honest here, and to show a little bit the ugly side, you also mentioned it in a way already, penetration testing and any other service actually is something that could be provided in the form of a commodity, something raw and something standardized. And this happens even if you don't have that intention. Sometimes you may come across a client that is impossible to work with, as you would expect, because you may cooperate with an organization that comes and requests a pentest that they don't have a clear understanding of what they're supposed to do. They might not be in a position to define a clear scope. And sometimes getting access is really challenging, because in certain assessments, you need access to networks to perform your test, or even accounts, user accounts, if it's a grey box test, for example.
And sometimes it's really challenging to work with some people to give you these accesses, or sometimes they give you access and they don't set off firewalls, and then you can't interact with all of the systems in scope or something. These things happen. And of course, there's always a time limitation in everything. And at these points, even if you always want to produce great results, I am one of these people. I always wanted to return quality results the best I can because I care about that. I just care. And sometimes you just can't do this, even if you wanted. Sometimes you have to provide a commodity because maybe they won't just give you a choice. It happens. It's the ugly truth. Nobody will say it in an interview, I guess, but it's a reality. It happens sometimes.
Andra Zaharia: And it's important to acknowledge, and I appreciate you for keeping things grounded, for keeping the conversation in the realm of realistic scenarios where sometimes "good enough" looks very different from what we'd want it to be. And gaining that trust from the customer to give you that kind of access, I feel like that is one of the most difficult parts of penetration testing work, actually.
How do you deal with that? How have you perhaps worked on your communication skills or approaches, or how you present the potential benefits and outcomes of a penetration test so that you establish that bond of trust with clients, whether they're internal or external so you can actually do your best work? How do you get them to give you that freedom and create that context for you to deliver your best work to them?
[45:18] Panagiotis Chartas: Well, usually there's also some legal coverage there, right? NDAs and everything. There's hopefully a well-defined scope like you can target these machines and everything else is out of scope. Sometimes it's a thing that they will give you dedicated laptops to perform your test. Some companies are really open to that. They just provide the necessary access and you can do the pentest in another country from your home. Sometimes you will have to go there on premises. It really depends on people, and if they really know what they want and they are willing to cooperate to get the best result.
Also, sometimes the company may have the best intentions and you have a problem with a specific person, the system administrator, a key individual in this whole game. And some people are just hard to work with. It's not like maybe the company doesn't have any problem with the process, maybe this person is suspicious or I've seen many scenarios. I can say that generally it works. It's not generally a problem, but yeah, sometimes obstacles occur.
Andra Zaharia: And it's important to factor them in. And that's all part of kind of maturing, the way that you do this kind of work. And also honestly, just reaching a new level of personal maturity because dealing with difficult situations or sensitive topics, which is what penetration testing is all about at the end of the day, that takes a lot of tact, it takes a lot of diplomacy, takes a lot of skill in how you present things, especially when you're delivering bad news and trying to also motivate people to do something that's good for them, but that is uncomfortable.
And it actually involves putting in some work and doing some extra effort, which honestly, at the rate of how everyone is working, is quite asking for a lot. So just having that ability to adjust to all of these scenarios is such an important skill to just cultivate and have and nurture.
Andra Zaharia: And one of the other things that I wanted to approach in this conversation was what's something that keeps you going in this difficult work? Because it's challenging, complex work that takes a lot of studying and analysis and research and practice and failing and learning and all of that, all at once, over and over again. What keeps you going? How do you find energy for all of these things? And what's particularly mentally stimulating for you in this line of work?
[48:16] Panagiotis Chartas: I really like this job. I will tell you something that you will probably not understand if you read my LinkedIn profile, for example. I'm one of these people who switched from something else into computer stuff generally, and after that, into cybersecurity, because at the age that we all study, I studied music and I played music professionally. But soon after my studies, it was really complex to explain to you why there were particular reasons why I wanted to switch fields. And I chose information technology. And soon after I went into cybersecurity.
It's something I chose very consciously, and I jumped into it. I really loved it. I love that you can use these skills to help people protect themselves in the virtual world, right?! And I'm not disappointed at all, because in the many years that I've been doing this for now, I have discovered many critical vulnerabilities, sometimes even not in projects. Sometimes I was just messing around and I was trying to learn, and I disclosed vulnerabilities that I didn't even get credit for it, but I know that it would have significant damage if it was exploited. And it just gives me satisfaction that, hey, you know what? I'm doing something that offers value in the end, it's pretty okay.
Andra Zaharia: I think it really is. It does help us sleep better at night. And this is something that I try to personally contribute to the industry, is to get people outside of the cybersecurity industry to understand how many people like you fight for their security and for their safety every day, through everything from protocols to how we build technology to how we integrate it, everything, all of the madness that happens behind the screen.
It's actually such an act of creativity and generosity to keep people safe at the end of the day. And that's a beautiful way to make a living. It's an awesome way to make a living, to actually help someone else, not just keep safe, but also help other people understand why this is important and why technology is shaping society and our thinking and even our biology in a way that we never anticipated. It will. At least not so fast. Not as fast as it's happening today.
Andra Zaharia: One other thing I wanted to ask is, what is something that's particularly exciting for you right now? Like, what is something that you're researching and interested in and spending time with right now?
[50:55] Panagiotis Chartas: I really want to get into bug bounty really seriously, and I am creating tools that are specifically for that. And it's offline projects. I haven't published any of them. They're pretty buggy to publish them now, but it's also big projects, a lot of code. I have been building them for months and I use them sometimes in projects actually quite often, and shape them all the time, making them better and better. And yeah, this is something I'm in pursuit right now. I want to join the proud tribe of bug bounty hunters, but I want to do it. I want to go there with all of my tools sharp, all my axe. I want it to be super sharp. My arrows, everything will be in place and kind of carve my own way of doing that.
Because it is an area where there's a lot of space for creating methodologies and strategies and approach this. And it's really challenging. And the toolmaking thing is, I think it's one of my favorite things. It's something that I will certainly keep doing. And I want to return to some projects that I have temporarily abandoned, like Finland, for example, that you, you know, you don't have time to do everything. I'm one person.
[52:19] Andra Zaharia: That sounds really exciting. And I bet that we're going to see a lot more interesting things for you. And I'm just rooting for you to get all of that sense of reward after putting in so much work to see your results come in. It's just we need a lot more of that. I think we need more celebrating the results because we're always like, I've now done this, and onto the next thing because the list never ends. Like, our roadmap is lifelong. And we keep adding things to that and we keep going back. We're very good at creating work for ourselves, which is both great and also that we need to introduce some balance there.
So I really appreciate everything that you shared with me today and all of the examples and the thinking around them, your context, your personal motivation. It's such a great example to be able to talk openly and honestly about these things and just give perhaps other hackers, people who want to make a switch and want to come into offensive security, give them a lot of potential exploration points that they can sort with. So I really appreciate you for having this conversation with me today. And you're definitely, like honoring your nickname in a big way.
Panagiotis Chartas: Thanks so much. This is really kind of you to say. I really enjoyed it. It was awesome to have this conversation with you.
Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time.
Thanks for wandering through this maze with us as we tackle the nitty gritty flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you.
This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind.
There's always a backdoor, or at the very least, a sneaky side entrance.
See you next time.
