SecurityTrails Blog · Jul 19 · by Sara Jelen

Lupin, Gentleman-Hunter and Pentester: Interview with Roni Carta


Arsène Lupin, the charismatic and quick-witted confidence man, operates as a skilled burglar and a captivating figure, a Sherlock Holmes of the world of crime.

With a penchant for targeting the wealthy and powerful, his meticulously crafted plans transform into elaborate capers that leave both his adversaries and audiences enthralled.

This is the story that got Roni Carta, a young French bug bounty hunter and red teamer, hooked on the world of hacking. From a young age, he found himself drawn to computers and to breaking things. Growing up alongside technology, Roni's path has been one of exploration and experimentation, relying on the internet as his guide and testing the limits of what he could achieve.

Today, Roni works as a red teamer, does bug bounty hunting on the side and is even starting his own company. To learn more about his background, his recent findings and his experiments with AI to empower his bug hunting, we met up with Roni to hear it from him.

1. How did you get started in cybersecurity and what made you choose the red side?

Roni Carta: I have always had a deep connection with computers. From an early age, my parents introduced me to the world of technology, placing me in front of a computer when I was just a year and a half old. Growing up alongside computers, my fascination only grew stronger. By the time I reached 10 years old, I found myself engrossed in playing video games and harboring a desire to create my own. This prompted me to embark on my programming journey, starting with an unconventional language called Visual Basic Script on Windows. I must admit, it was quite a challenging experience. However, I quickly transitioned to C#, which became my language of choice.

My exploration into the world of programming and technology has always been driven by curiosity. I would spend hours online, experimenting with different concepts and seeing what worked. At the age of 13, I stumbled upon a book called "Arsène Lupin, Gentleman-Thief." This captivating novel opened my eyes to the intriguing world of a master thief whose methods remained elusive throughout the story. Reading about Lupin's exploits fascinated me and drew me into his mindset. It was during this time that I realized I could turn my passion for computers into something transformative, and that's when hacking entered the picture.

The hacking community became a major influence on my journey. I immersed myself in this world, eager to learn as much as I could. I began hacking and participating in Capture The Flag (CTF) competitions. It was a thrilling experience, allowing me to test my skills and break into various systems. As I honed my abilities, I discovered the excitement of bug bounty hunting. The thrill of uncovering vulnerabilities in companies' protected environments and collaborating with security teams was truly amazing.

After completing my high school degree, I found myself at a crossroads. I had no desire to pursue a traditional college education, as my passion for bug hunting had become all-consuming. I decided to dedicate myself full-time to bug hunting and was fortunate enough to be hired by a reputable company called ManoMano. As a bug bounty hunter working internally, I contribute to their cybersecurity efforts. Additionally, I am currently in the process of founding my own company, an exciting endeavor that combines my expertise and entrepreneurial spirit.

Roni Carta. Photo by ARDITO Baptiste

2. Now that you are a part of this global community, do you see any differences between how American and European companies handle cybersecurity?

Roni Carta: In France, for instance, there is a prevailing culture of defensive security within companies, prioritizing investments in backups rather than penetration testing. Personally, I believe the correct approach is to be proactive and adopt an offensive security mindset. It's unrealistic to expect engineers to possess omniscient knowledge of the entire technical stack. Instead, we need individuals dedicated to identifying and addressing vulnerabilities before they can be exploited. This differs significantly from the approach taken by larger companies in the United States, where there is a greater emphasis on red teaming and an offensive security culture. In comparison, Europe tends to lean more towards a defensive security approach.

3. Is there any surprising or unexpected approach or mindset you needed to adopt to become a successful bug bounty hunter?

Roni Carta: Effective communication is a crucial aspect of hacking, often overlooked in the perception of it as a purely technical field. At the end of the day, it is essential to make people understand their vulnerabilities. While engaging in bug bounty programs or penetration testing, you often encounter non-technical individuals, including developers who may not be security-oriented or familiar with the specific vulnerabilities being discussed. To bridge this gap, you must possess strong communication skills to convey the situation in a manner they can comprehend. Collaboration is also paramount in this field. Even when working with like-minded hackers, finding ways to collaborate effectively is key. Building productive partnerships and fostering teamwork enables greater success in identifying and addressing vulnerabilities.

4. How would you explain the difference between red teaming and a pentest?

Roni Carta: Within the realm of cybersecurity, three major categories emerge: red teaming, pentesting, and bug bounty hunting. Red teaming encompasses exercises that often involve social engineering, where the objective is to subtly manipulate individuals into performing malicious actions without their awareness. This can include physical red teaming, phishing campaigns, vishing (voice phishing), and smishing (SMS phishing). Pentesting, on the other hand, focuses on identifying and exploiting vulnerabilities within a specified target and producing a comprehensive report detailing the findings. Bug bounty hunting requires agility and ingenuity to discover previously undiscovered bugs and uncover the most critical vulnerabilities. The scope in bug bounty programs is typically broader compared to pentesting. Red teamers benefit from a higher degree of flexibility due to the emphasis on social aspects and psychological manipulation.

5. You recently generated something close to a bug bounty report using GPT4All. Tell us a little about this.

Roni Carta: The ML model I use is similar to GPT and can be run on a MacBook. It provides results that align with what you would expect on such a device, making it fun to generate reports. Over the past year, I've been using GPT for bug bounty and offensive security. One advantage is that it helps improve communication by generating clear reports that non-technical people can understand. Another useful aspect is that it can analyze code snippets to find vulnerabilities and pinpoint the lines of code where they occur.

6. How do you see AI impacting penetration testing and automation? What are some pros and cons?

Roni Carta: AI plays a significant role in streamlining repetitive processes, particularly in tasks like report writing. It has completely transformed the arduous task of composing a 20-page pentesting report. Now, all you need to do is input the vulnerability and endpoint, and the AI generates the entire report. This not only saves a tremendous amount of time but also enhances efficiency.

Personally, I have managed to optimize four hours of my daily work by leveraging AI.

When it comes to analysis, AI may not provide precise answers for very specific queries at the moment. However, it excels in brainstorming potential vulnerabilities for a given target. In the realm of bug bounty hunting, having an AI tool like "Co-pilot" is truly remarkable. Its capabilities contribute significantly to the exploration and identification of potential vulnerabilities, elevating the overall effectiveness of the process.


7. Give us some tips on how to use ChatGPT like a pro.

Roni Carta: I extensively use AI for code analysis, especially when encountering JavaScript code that is difficult to comprehend or lacks human readability. By pasting the code into ChatGPT and requesting an explanation, the AI generates a more understandable version, enabling me to analyze its functionality effectively. AI has made reverse engineering significantly easier.

When it comes to decompiling binaries, a task I struggle with due to my limited knowledge of assembly code, I can simply input the assembly code into ChatGPT, and it provides a clear explanation of what is happening. This approach has helped me identify vulnerabilities by gaining insights into the binary's operations.

Another valuable application of AI is in report writing, as long as sensitive information is not logged.

Additionally, AI facilitates subdomain enumeration. For instance, by providing a list of 50 names and requesting 100 new variations based on those names, I can employ AI-based subdomain enumeration techniques. This approach has proven itself in identifying vulnerabilities through the expanded search space provided by AI-generated subdomains.

8. Which vulnerabilities are the most impactful for organizations currently?

Roni Carta: Everything related to the supply chain. It's a scope that companies often overlook and one that you can target easily. It's challenging to know how misconfigured or how vulnerable the supply chain is in general. But this is the easiest way to attack a company and the attackers know that.

9. Walk us through your recon workflow.

Roni Carta: To comprehensively assess a website, I rely on Burp Suite to inspect and monitor all activities taking place. Within the realm of bug bounty hunting, there are two types of hunters: those who excel in automation and those who prefer a more manual approach. I find myself positioned between the two, striving to strike a balance. While I prefer manual techniques for many tasks, I resort to automation when necessary, especially for tasks such as enumeration or checking web servers. In such cases, I make use of tools from Project Discovery. By adopting this hybrid approach, I aim to uncover findings that may be overlooked by automation experts, ensuring a more thorough investigation.

In my workflow, I heavily rely on SecurityTrails, often integrated with tools like subfinder. This combination proves valuable in conducting reversals and identifying Cloudflare IP addresses.

By utilizing SecurityTrails, I gain insights into the attack surface of my target. This understanding is crucial, even when engaging in manual hacking, as it allows for the discovery of potential vulnerabilities such as server-side request forgery (SSRF) or subdomains redirecting to internal IP addresses (e.g., 10.0...). This knowledge can be leveraged to potentially bypass security checks. Hence, having a comprehensive understanding of the attack surface plays a vital role in effective bug hunting.

10. What SecurityTrails API™ feature do you most commonly use during red team engagements?

Roni Carta: Everything about subdomain enumeration—from trying to find the real IP of a server to history data—that is one of the best features. You can now also find acquisitions of a company so you can find associated domains and expand your attack surface, which is an amazing feature.

11. What's the most exciting piece of intel you've discovered with our API during a red team engagement?

Roni Carta: With SecurityTrails, I found data that other passive reconnaissance tools didn't. Certificates, for example: you can't find that amount of information in other sources. There were a lot of subdomains with strange activity. Once, it was a signup page where I managed to sign in and access a private GitHub repository and got their entire source code just by visiting a domain only SecurityTrails had.

12. What are some of the other must-have tools in your stack?

Roni Carta:

  • ChatGPT API key
  • Google! For Google dorking, and just asking questions
  • Everything from Project Discovery
  • Axiom

13. Your most starred GitHub projects:

Roni Carta:

  1. cURL: I use the CLI on a daily basis, and it's the best open source project
  2. subfinder: easy to use with SecurityTrails integration, and cool for a first overview of an attack surface
  3. gau
  4. puredns
  5. axiom

14. Give us your SecurityTrails API™ tips for using it as a pro:

Roni Carta: The WHOIS, IP and DNS Historical Data features can be easily used to unravel an IP behind a web application firewall. This can be useful when you want to bypass security features in order to easily test server-side vulnerabilities such as SSRF, path traversal, XXE, etc., that could be blocked by WAFs.

15. The most essential skill for a red teamer in 2023:

Roni Carta: If you are doing social engineering, you will need to have a good sense of psychology and philosophy. You need to find new ways of thinking and push the status quo. Sociology, psychoanalysis, neurology: there is just so much to learn, it's an amazing world!

But for more technical pentesting, one of the key things is creativity and imagination. Imagination is more important than knowledge. "Knowledge is limited. Imagination encircles the world." It's the most important tool a hacker can have. It's also important to learn from history, and to learn about the history of hackers, because everything comes back and we can learn from it.

16. Does having other creative outlets, such as music, positively impact your cybersecurity career?

Roni Carta: Absolutely. There are fascinating connections between hacking and music. In hacking, the objective is to discover vulnerabilities, while in music, it's about finding the perfect melody when crafting lyrics. The creative processes in both domains share striking similarities. They involve searching, repeating, encountering failures, and subsequently refining and improving. Engaging in music can also serve as a stress-management tool, providing a sense of relief and relaxation.

17. Best books for red teamers?

Roni Carta:

  1. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
  2. Social Engineering, Second Edition: The Science of Human Hacking

18. What advice do you have for people aspiring to enter cybersecurity?

Roni Carta: Education plays a crucial role, and one aspect that we often overlook in France is the culture of embracing failure. Making mistakes and encountering errors are essential for personal growth and improvement. If we fear failure, we hinder our chances of succeeding. It's important to recognize that failure is not a reflection of who we are, but rather a part of the learning process. Unfortunately, the traditional school system often labels failure as a personal shortcoming. However, it's vital to understand that failures are stepping stones on the path to growth. As long as we have a genuine passion for what we do, we will continue to evolve and thrive.

Sara Jelen, Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.
