Marc Smeets
Where it all began
Computers got my attention when I was about 10 years old. It started with games, but quickly all those weird commands you had to enter before the game got my attention. Not having a computer at home meant I would have to learn from computer magazines and OS manuals. I spent hours studying the lists of commands of MS-DOS. Eventually I understood enough to tune the memory management of my friend’s computer so we could play the latest games. When I was 15 I finally had my own PC to experiment. I spent years learning Windows, Linux, NetWare, AIX, Solaris, FreeBSD, OpenBSD, BeOS, etc. Years in which I thought of hacking as ‘getting something to work in a creative way’; albeit including bypassing copy protection of games with just a hex editor and creatively exploring the remote management interface of the ISP’s modems in my neighbourhood.
Where it went to from there
Although I tried studying Software Engineering, I never really found programming to be fun. I found my joy in a BSc in Network Infrastructure Design, an MSc in System and Network Engineering and some industry certificates like MCSE and CCNP. Studying this was easy, so I had time to do part-time jobs in the hosting and ISP industry. This was fun, but I was surprised that my colleagues didn’t think security was that important. How could they leave the doors wide open? How could they use those easy passwords? How could they simply not patch? How could renowned tier 1 ISPs not do any input filtering at all on their BGP peers?
I never regarded hacking and security as a possible profession. That changed drastically when I was shown the powers of NetBus and Back Orifice, the damage of SQL Slammers, and eventually spoke to professional hackers that showed me the way. This was so cool!
After getting my degree I found a job that combined all my passions: helping others and hacking. For over 7 years I was part of the hacking group of KPMG The Netherlands. Across many continents, I performed hundreds of penetration tests, tore apart all kinds of networks, websites and (mobile) apps, trained dozens of fellow hackers and reported and presented to a lot of management boards.
I left KPMG to answer my inner urge to do the same work but self-employed. That was a lot of fun. But it was an easy choice when the opportunity arose to team with a group of very talented people, combining our skills to perform red teaming and attack simulation as it is meant to be done. Outflank was started.
My specialisms
I am sure I can break applications, but my specialism is in the underlying layers: infrastructures, network protocols, core routing protocols, Active Directory, operating systems, etc. I bring this to the team, together with a drive for ongoing research and exploration of new technologies.
My coolest project ever
I get my kick not per se from the subject of the hack, but from the way of attack. For example, once I was able to chain attacks together beautifully: trick a client’s laptop to authenticate to my Wi-Fi hotspot, intercept the WPA2 challenge and crack the passphrase, connect to the company’s Wi-Fi network, set up a trunk to the switch exploiting a DTP misconfiguration, hop to the security VLAN, perform LLMNR spoofing, gather the security guard’s credentials, use that to register myself in the visitor’s system as a guest with high privileges and walk into the office of a very, very surprised client.