Prateek Gianchandani has been a part of the Cobalt Core since 2019. He is one of the 300+ pentesters worldwide who has contributed to the over 4000 Cobalt pentests. We had a chance to learn more about how he turned his movie inspiration into reality as a security professional, why he loves iOS pentesting, and the lessons he’s learned from mountain climbing. Let’s dive in:
Can you tell us about your Pentester Origin Story? How did you first get involved in the information security community and pentesting?
PG: The field of information security first piqued my interest after watching the movie Die Hard 4.0 (or Live Free or Die Hard) during my final year of high school. The concept of an all-out cyber warfare attack on a nation's computer infrastructure (known as “Fire Sale” in the film) sounded super interesting. Curious to understand the technicalities behind it, I took some screenshots from the movie that pointed me to nmap. And once I started playing around with the tool and read the book, Gray Hat Hacking, my curiosity only continued to grow.
Despite studying at one of the top universities in India, the curriculum that was offered did not always align with my security interests. In addition to my academic studies, I would research and read InfoSec material on the internet. During my sophomore year, I had the chance to step out of the classroom and work on an IDS (Intrusion Detection System) with one of the best-reputed security researchers from India.
This experience would set me on track to conduct research on Timing Analysis attacks at the University of Texas at Arlington the following year. It was also around this time when I attended my first DEFCON and was fortunate enough to bump into Fyodor (founder of nmap). From that moment on I knew I wanted to pursue a career in cybersecurity. Since then, I have been fortunate to learn and grow with guidance and support from many mentors including Fyodor.
When it comes to pentesting, what motivates you?
PG: The fact that there is a vulnerability lying out there that no one has discovered yet is both exciting and challenging to me. It is important for professionals like myself to find it before malicious attackers, as it can lead to serious consequences for the customer. I look at it as more of an exploration in the digital world, while at the same time having a lot of fun in the process.
What do you feel makes a good pentest engagement?
PG: Communication is key. Throughout the engagement, it is essential that we are communicating with our customers by giving them regular updates. At the end of each engagement, we should provide not only a summary but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process. Well-documented technical reports with clear steps to replicate the vulnerability are extremely beneficial when it comes to getting these issues fixed.
On the customer side, having a well-defined scope and multiple accounts for testing is an added bonus for a pentester. This helps the pentester focus their testing time on what truly matters. Also, ensuring that the app works as expected helps the pentester. Of course, if the app isn’t working as expected then as a pentester you should let the customer know as soon as possible.
Do you have a pentesting specialty? If so, can you tell us more about it?
PG: I would say mobile and specifically iOS, simply because I have personal experience in developing mobile applications myself. If you can write an app from start to finish then it shouldn’t be too difficult to understand its security posture. This is one of the reasons why I always suggest newcomers to learn how to code.
With this experience, I wanted to build a testing platform so I have written DVIA and DVIA-v2, which are vulnerable iOS applications written in Objective-C and Swift. These applications allow mobile security students, professionals, and enthusiasts to test their iOS penetration skills in a legal environment. In addition to writing the applications, I have a blog series dedicated to iOS security on my website.
We noticed that you have given a few sessions at Blackhat. Could you share a little bit about these sessions? What are they? How did you come up with these sessions? Any advice for those who may have a goal to speak at a large industry conference like Black Hat?
PG: I have been training at conferences like Blackhat for over six years now. Giving back to the community has always been something I enjoy and it is one of the reasons why DVIA was created. After initially giving free workshops at conferences, I later realized that people were interested in longer sessions and decided to transition into giving professional training.
Personally, teaching gives me a lot of joy because it pushes you to the limit. In order to explain and teach something to an audience, it is important to understand everything you can about that subject. This also gives you the opportunity to work with some talented people in the industry and, at the same time, learn from them.
What are your go-to pentesting tools?
PG: The tools I like to use are Frida, nuclei, and Corellium. Correlium is a game-changer when it comes to testing mobile and iOS that lets you spin up any iOS device, with any iOS version, and perform tests on it. You can even install your own kernel extensions, attach a debugger to the kernel, and intercept network calls. All of these tests can be performed without a physical device.
Burp Suite is another very important tool that I use to intercept network calls. There are also a few Burp Extensions that I use regularly, such as Autorize and Burp Bounty. Apart from those tools, I have built my own custom shell scripts that I deploy depending on what application I’m testing.
Where do you go to learn about different security concepts?
PG: Twitter is my one-stop-shop. If you follow the right people, it’s not hard to stay up to date with the latest tools and techniques. For iOS, I have my own security list that you can check out here.
How do you conduct research and recon for iOS?
PG: Through different testing methods, I look at a vulnerability that has been identified and try to find the same pattern. This involves monitoring each vulnerability actively and replicating them in my own lab.
What advice do you have for those who may have web pentesting experience but are looking to get into iOS? What do you wish you would have known before you started?
PG: First, I would recommend spending some time writing a few custom applications yourself. You can do this by starting with a simple Hello World, and then transition into making more complicated applications. It’s important to try to understand the different debugging tools out there. In my honest opinion, to become a successful security professional it’s important to have coding experience under your belt.
Once you have some familiarity with the different acronyms used in iOS, start with the OWASP MSTG, then learn how Frida works, get to know Corellium, understand the ARM64 architecture, and learn the fundamentals of basic reverse engineering by using Ghidra. With this foundation, you should be on a good track to start pentesting iOS applications.
What do you wish every customer knew before starting a pentest?
PG: For customers, it’s important to make sure you finish the quality assurance of the app before sending it out for a pentest. We do encounter situations where the app is crashing or not working as expected that can add delays to our testing, and we as pentesters lose valuable time that could have been dedicated to identifying vulnerabilities.
What activities do you participate in outside of hacking?
PG: I absolutely love spending time in the mountains and pushing myself physically and mentally. Mountaineering has allowed me to share soul-filling adventures with some of the most amazing people I have ever met. The relationships formed while in the thin air of these high altitudes have been some of the strongest bonds of my life. Despite climbing several peaks that have been over 6000 meters, I found the beauty wasn’t in reaching the summit but in the process of ascending up the mountain that led to my growth.
With every step that you take, you are making progress in life. This allows you to learn more about yourself and grow outside of your comfort zone. Sometimes you fail at your mission, but you can learn from those mistakes. Mountains have taught me to be patient, persistent, and most importantly, to maintain immense gratitude for life. The paths I have walked in years past are still teaching me something every day and I am forever grateful for the lessons they have etched in me.
Aside from mountain climbing, my other hobbies include my love for card magic (I know a few sleights) cycling, and playing snooker (a billiards game).
Do you have a quote that you live by?
PG: My all-time favorite quote is by the mountaineer George Mallory in 1923:
“People ask me, 'What is the use of climbing Mount Everest?' and my answer must at once be, 'It is of no use.'There is not the slightest prospect of any gain whatsoever. Oh, we may learn a little about the behavior of the human body at high altitudes, and possibly medical men may turn our observation to some account for the purposes of aviation. But otherwise, nothing will come of it. We shall not bring back a single bit of gold or silver, not a gem, nor any coal or iron... If you cannot understand that there is something in man which responds to the challenge of this mountain and goes out to meet it, that the struggle is the struggle of life itself upward and forever upward, then you won't see why we go. What we get from this adventure is just sheer joy. And joy is, after all, the end of life. We do not live to eat and make money. We eat and make money to be able to live. That is what life means and what life is for.” - George Mallory
I feel that this quote can be applied to not just climbing, but also when approaching obstacles in cybersecurity. As security professionals, we encounter Everest-like challenges that we must overcome by pushing ourselves to sharpen our skills. Whether it’s a particularly time-constrained engagement or a difficult exploitation of a vulnerability, each challenge as a pentester should be treated as a new adventure. It’s in this process of learning that I find to be the most gratifying because these are what contribute to your growth.
What are your short term and long term goals?
PG: When it comes to security, my short-term goal would be to publish cutting-edge research on iOS and, more specifically, on Safari security. While my long-term goal would be to build my own company in Infosec.
Outside of security, one day I would like to reach the summit of Mount Everest, Denali, Mount Elbrus, and Mount Vinson Massif.