Joe Sarkisian

Okay. So you're like, oh, okay, cool. You got it set up. All right. I'll be right back. Let me get the guy.

Okay. So you're like, oh, okay, cool. You got it set up. All right. I'll be right back. Let me get the guy.

And do you remember his face when he saw his wife?

And do you remember his face when he saw his wife?

Mm-hmm.

Mm-hmm.

Yeah, my name is Joe Sarkisian. I work for Wolfen Company PC out of Boston. I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security assessments, things like that. So we have a... Client, not a big company, maybe like 20 people. And they contracted us to do your average assumed breach pentest, so to speak. So we're on the inside, we're given access.

Yeah, my name is Joe Sarkisian. I work for Wolfen Company PC out of Boston. I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security assessments, things like that. So we have a... Client, not a big company, maybe like 20 people. And they contracted us to do your average assumed breach pentest, so to speak. So we're on the inside, we're given access.

What would happen if somebody gets in there? So we send them a remote Dropbox, a little Raspberry Pi that we send them, they plug it into their network, and then we connect to that remotely. And it's kind of like we're sitting there in person. We've got on-the-wire access at that point on a subnet that they put us on. So I begin the test.

What would happen if somebody gets in there? So we send them a remote Dropbox, a little Raspberry Pi that we send them, they plug it into their network, and then we connect to that remotely. And it's kind of like we're sitting there in person. We've got on-the-wire access at that point on a subnet that they put us on. So I begin the test.

Typically, and here's the funny thing, is you'll look at pen test frameworks. You should start here. You should do this. You should do that. I would challenge you to find a pen tester that doesn't fire up Responder the second they get on a network and try to get creds and be off to the races as soon as humanly possible because that's what we do, quite frankly, on a lot of tests.

Typically, and here's the funny thing, is you'll look at pen test frameworks. You should start here. You should do this. You should do that. I would challenge you to find a pen tester that doesn't fire up Responder the second they get on a network and try to get creds and be off to the races as soon as humanly possible because that's what we do, quite frankly, on a lot of tests.

Well, that's the scary thing is our method is the same thing that any bad guy all around the world can do, right? We have an Amazon account, right? And we can spin up Amazon EC2 instances. So what we do is we spin up these Tesla GPUs on an instance. We have a couple of them. And we will take that GPU power to just blow through password ashes as fast as we possibly can based on that power.

Well, that's the scary thing is our method is the same thing that any bad guy all around the world can do, right? We have an Amazon account, right? And we can spin up Amazon EC2 instances. So what we do is we spin up these Tesla GPUs on an instance. We have a couple of them. And we will take that GPU power to just blow through password ashes as fast as we possibly can based on that power.

It's going to be a lot faster than doing it with Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours is not. So yeah, we do that all in the cloud, relatively cheap, not super expensive to get done. And usually we get results pretty quick, within the first couple of hours.

It's going to be a lot faster than doing it with Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours is not. So yeah, we do that all in the cloud, relatively cheap, not super expensive to get done. And usually we get results pretty quick, within the first couple of hours.

I'm going to go 90 plus percent. That depends. If we've been there before and they took our recommendations, it's going to take a lot longer. It's going to be a lot harder.

I'm going to go 90 plus percent. That depends. If we've been there before and they took our recommendations, it's going to take a lot longer. It's going to be a lot harder.

So we will probably get on average, I would say, and again, whether we've been there first or not, they're taking recommendations, we'll probably get 50 to 60% within the first like four hours.

So we will probably get on average, I would say, and again, whether we've been there first or not, they're taking recommendations, we'll probably get 50 to 60% within the first like four hours.