Category Archives: Reviews

[Review] eLearnSecurity – Professional Penetration Testing course

Filed under Reviews

I finally completed the eLearnSecurity Professional course. Before I go into the review let me outline for you how the course looks, and the context from which I will review it:

The course consists of three sections: Web Application, Network, and System. Each section is taught by a different instructor/instructors who have background in the area. Although they follow a similar presentation, I was surprised at how different the learning experience would be in each section. Based on what I took from the class, as well as what I have read from their marketing and discussed with their owner, here are the things that the eLearnSecurity Professional course tries to provide for their students:

  1. Real world penetration testing skills (Fantastic)
  2. Penetration testing process (So so)
  3. Up-to-date information (Great)
  4. CEH level of depth (Superb)

I would say that the course measured up to about 90% of that, which is pretty dang good when you consider a lot of the hacking courses out there. Now, my experience with most of my certifications involved a curriculum book and a review book. From there I would take the test and hope I passed. So when I review this course I am assuming that the reader is in a similar situation and is looking at eLearnSecurity as an alternative.

Web Application

In my opinion this was the best section. I really started my pen testing at the web app level.

  • Pros: I felt like the instructor did a great job at presenting the information in a clear, easy-to-understand manner. The information took me deeper into the technology than traditional CEH level training, which tends to keep you at a “script kiddie” level of complexity. Although the instructor took time to explain some underlying technology, he also did not overwhelm you with it. While most trainings take you as far as XSS and SQLi, eLearnSecurity then presses you into CSRF, HTTP header injection, RFI, and more. I was even more impressed when he explained exploit chaining. As with their Student course, they did a fantastic job at not overwhelming you with tools, but helped you focus on one or two key tools that are prominent in the field today; not some antiquated script from the 90s. The interactive slides made it easy to follow along and easy to understand the anatomy of the payloads. In addition to that, the instructor teaches the student how to completely case a web application and record findings in a way that is organized enough for a team of testers and that eventually helps create a test report.
  • Cons: I don't have any real qualms with the content. However, I do wish that a more exercise-based approach could have been taken. I need to be fair and state that there were quite a few exercises involving Burp Suite and Wireshark; however, the other tools were neglected. I can understand the difficulty of setting up a virtual lab environment and distributing it on an ISO. By no means did I feel like my learning experience was wasted without such a lab, but at the same time I can imagine a less-informed student struggling a bit more without a hands-on walkthrough available. That's my only gripe about the web app section. Other than that it was fantastic!

[EDIT] The eLearnSecurity guys provide a free two-week access pass to their Web Application Coliseum, which provides a mission-oriented lab to try out your web application hacking skills. [/EDIT]

Network

  • Pros: Network penetration testing is a hard thing to teach. It usually requires a fairly extensive lab environment with simulated networking equipment and systems in order to do justice to the possibilities out there. The instructor of this section did a very nice job presenting some of the basic principles of network hacking. He mostly covered the enumeration and exploitation of Windows and NetBIOS related technologies. He also explained host discovery, port scanning and SNMP. I felt like the information was presented clearly and concisely enough to help less network-savvy individuals stay on target. The nature of network attacks also made it easy for the instructor to outline the basic hacking process from information gathering to establishing persistence.
  • Cons: I guess I was pretty spoiled after the other two sections, but I was expecting this section to give me an extra zing like the System and Web App sections did. Don't get me wrong, he covered pretty much everything that is talked about in the CEH. I guess I was just spoiled by the rest of the course ;) (that's a good thing, right?). I really wanted to see some more depth here. I understand the difficulty of going too deep too quickly when it comes to networks, but perhaps some more content could be added in a few other ways? For instance, going over the ICMP protocol in detail is actually a very helpful thing to know.

System

  • Pros: You can definitely tell that the instructors of this section know what they are talking about. Although my background in system hacking (buffer overflows, ASM, etc.) should be considered only fair, I feel like I can give a fairly good assessment of this section as being quite helpful. I have watched and read many “intro” guides to these complex topics, but I felt that the eLearnSecurity instruction was some of the easiest to understand. To top it off, this section has amazing hands-on examples and exercises that I had been really wanting in this course. I was even more blown away when the instructors took us into shellcode creation, malware techniques, and rootkit development. I was getting a little worried that some of the basics of system hacking were being ignored (like ADS), but sure enough they came up. This section was quite superb and is sure to be a section I will refer to often.
  • Cons: Due to the nature of the topic I'm not sure it would be fair to call it a con, however I guess it should be said. There were some points during the more advanced sections where I felt very lost. But like I said, how can I expect them to teach a student all of the subtleties of the Windows kernel and APIs? So with that being said, I wouldn't say it's a con, just more of a steep learning curve that would require outside reading to fully understand. Maybe they could provide some good resources?

 

Overall this course was very good. How does it compare to the CEH? Well, it covers pretty much everything the CEH intends to cover. Some little things were left out (like the aforementioned ICMP stuff, etc.), but I felt this course does a much better job at teaching you the skills used in penetration testing. One letdown was that the pen testing methodology was only covered weakly. One thing the CEH did do well was ensure your understanding of the stages of hacking. After that, the ECSA then helped with more organizational aspects of conducting a penetration test. However, if you were to take both the Student and the Professional course, you would get a very thorough understanding of the pen test process, as well as techniques that would get you on your way to becoming a skilled tester. I would still like to see a lab VM shipped with the course that came loaded with tools and services to test the Web App and Network type stuff on.

In conclusion, I very much enjoyed these courses. They were quite informative. They did have some grammatical issues and some of the slides were a bit mundane, but try reading the “(ISC)2 Official Guide to the CISSP CBK” and then you can talk to me about mundane reading. Although the courses were not perfect and the price could be hard for some, I would have to agree that eLearnSecurity better provides the skill set that you would hope to get from many other ethical hacking courses out there, specifically the CEH. Remember, these courses are not meant to be in-class trainings, so don't expect them to be. Also, a certification is included in the course (and in the cost, which is usually around $250 for any other cert), and although I have not taken it, I anticipate that its reality-based test won't let you down. So bravo to the guys at eLearnSecurity. Keep up the good work; I am eager to see how much better the course turns out to be in a few years.

[Review] eLearnSecurity – Penetration Testing Student Course

Filed under Reviews

A while back I had posted a reader's opinion on the eLearnSecurity Online Penetration Testing Course. For those of you who have read it, you will remember that it was fairly negative. As a result, the owners of eLearnSecurity have offered me the opportunity to view the entire suite of their courses in return for a review of my own. This is the first of three reviews, this one focusing on the Student level course.

 

I would first like to lay some “ground rules” that are important to understand when giving a fair review.

  1. Target Audience – To accurately assess the quality of training we need to understand that there are different levels of audiences that may view the actual content. For this reason more experienced viewers will be less stimulated by the learning than someone with less experience. Therefore, we must approach the review from the standpoint of the target audience.
  2. Medium – We must also consider the medium (i.e., videos, in-class, online, etc.). This too has a major effect on the learning, and a course should only be compared amongst similar media.
  3. Claims – More than the others even, we must only expect to take away from the course what the trainers claim to provide. It would be quite unfair not to take this into account.

 

The Setting

eLearnSecurity provides their “Student” level course for those brand new to the field. Through emails it was not made completely clear to me how novice these students would be. However, through the content of the course it was fairly clear that they did not expect a whole lot of technical background from their target audience, but would provide the groundwork for them.

The purpose of the course is to prepare the student to take the “Professional” level course, which I have intentionally not gone over yet. From reading other reviews and advertisements I know that their main course is meant to be the “CEH Killer”. So when reviewing this “Student” course I will approach it from one who would be looking to lay a foundation for undertaking a CEH level course.

 

The Review

I will start off saying that doing this review was actually quite difficult. Because my level of understanding is beyond that of the target audience, it made it difficult to assess whether or not certain areas were covered in depth and clear enough. However, I believe I have done a fairly good job of putting myself into a novice’s shoes.

When you start the course you are presented with two choices, “Preliminary Skills” and “Penetration Testing”. I began from the very beginning, focusing on the Preliminary Skills. I think they did a fairly good job at presenting the base understanding necessary to comprehend penetration testing and its required skills. Because of the nature of hacking and pen testing, the skill set necessary to really delve into the industry requires an immense amount of technical background in all different IT related fields. This course provides a very basic outline of those skills. I don't know if I personally could say for certain that their Preliminary Skills portion is perfect in providing this background. However, I believe that it probably does an adequate job of preparing the student for the Penetration Testing portion of the course. I found it quite refreshing to find a training resource that did more than just instruct you to do personal research of prerequisite skills. I will say that students should take time to read and study the recommended reading found at the end of each section. The part I appreciated most of the Preliminary Skills portion was the fact that they explain to us why each skill (routing, protocols, etc.) is important, how it will help with penetration testing, and what hacking skill it supports. This definitely encouraged me to gain a better understanding of the topic and put the skill into context. Overall I think the preliminary skill index was well done and quite useful. But like I said, I would not recommend it (nor would they claim it) as the sole source of learning for a complete IT novice.

The Penetration Testing slide portion of the Student course was quite fantastic in my opinion. However, the lab portion was a letdown. The lab setup provided was not really used, nor are there specific tasks assigned or instructions provided on how to execute any sort of “assignments”. The setup was simply BackTrack and Metasploitable. What I would like to have seen was specific tasks and perhaps walkthroughs on how to do these specific attacks in the lab environment. However, I understand that this course is almost entirely theoretical in nature. Heck, the CEH is even less hands-on unless you take an in-class prep course. So I believe it is fairly reasonable to expect the eLearnSecurity courses to fall somewhere in between self-study and in-class when it comes to hands-on training. I should also mention that the videos are presented in a way that permits a “follow along”, so there is some limited hands-on available.

The content of the Penetration Testing slides was great. They won't overwhelm a novice with a list of a million tools; they focused on those most commonly used today by pen testers. In addition, the videos provided were detailed, clear and thorough. Things were more clearly explained than I had learned in the past, and certain things were taught which I had never seen covered at that level before. They cover a broad range of attacks and give a great base to build further Penetration Testing courses off of.

Now, some people got upset about the course medium itself. Yes, the course is a large collection of slides and videos. However, I don't think that is unreasonable, nor does it make it ineffective. True, certain things could have been done better: not all of the slides had voice, some were plain and bland, etc. However, overall I think that the slides, and the interaction available in a good portion of them, allow you to learn better than a self-study book would.

In Conclusion

I think this course is a great beginner's course. I would recommend this course as a sort of Security+ level of Penetration Testing. I will say that if you are looking for an experience like you would get in a classroom environment, then you may be let down. But that's not what this course claims to be. In my opinion, this is the perfect way to do a self-study course as opposed to the traditional books that are out there. Coming from a guy who has done all of his certifications via self-study and books, I can tell you that if I had had something more interactive like this then my certifications would have been much more enjoyable to attain.

Stay tuned for reviews of the Professional level course as well as their Web Application Coliseum.

Hackers Use Social Engineering? Duh…

Filed under Reviews

[Review] About Face: Defending Against Penetration Testers

Filed under Research, Reviews

Every so often I check into the SANS reading room to see what interesting papers have been published recently. Being a penetration tester, the title of this one stood out to me (see post title). It was written by MAJ TJ O'Connor of the US Army, an instructor at the United States Military Academy. At first I was a little skeptical of the paper. In the first section he outlines the penetration tester's “arsenal”. He mentions some big ones: Metasploit, Nikto, Nessus, Nmap, and Maltego. But as you can see, he neglected some of the more powerful tools a professional pen testing team will utilize. I must say that my impression of the paper was that it would be yet another “know thy enemy's tools” list. However, that changed as I read.

The paper is organized in a way that loosely follows the pen testing/hacking methodology, namely Recon, Enumeration, Exploitation and Documentation. He then outlines different “stumbling blocks” that could disrupt the penetration testing process. I must mention that these techniques are meant to be applied during a Black Box test. That in and of itself presents some issues that I will discuss. They are summarized as follows, including my opinion on each technique:

  1. Defensive Social Engineering: Using a unique set of contact information for Whois lookup information. Also, utilizing false reports/messages to direct the pen testers at a non-vulnerable target, or giving out false architectural information. Clever, yes, but easily overcome by a real attacker.
  2. Tarpit their Scanning and Enumeration: Utilize existing tools, or Scapy, to create decoy targets. Great technique; I have seen it be effective on many occasions. He also recommends utilizing the BSD blackhole property. This works great too, but it would be better to use ipfw for that.
  3. Setting the Bait for Honeypots: Use BIND 9, false records, and a fake external DNS server to disrupt enumeration of targets. Also utilize a honeypot (HoneyD is the one he names). I prefer a bait-and-switch configuration.
  4. Give them a vulnerable web app to attack: Utilize a PHP script that mimics allowing an attacker to upload any file. Also, populate your robots.txt with false information and a false directory tree.
  5. Hide your Identity with Banner Masking and OS Personality: Place false banners, and scramble TCP fingerprinting capabilities.
  6. Give the enemy hashes to crack: False password hashes. Very clever. It will waste time, but how do you leak them in an unsuspicious manner?
  7. Sticky Honeypots: Utilize a honeypot that increases RTT upon each request.
  8. Whitewash Traffic: Probably my favorite so far. Proxy everything and scrub out user-agent data, etc. from traffic. This will help prevent exploitation techniques. Also, rewrite PDFs to avoid certain application attacks.
  9. ACL the World: what do you think?
  10. Bind your ports: Quite clever. Bind all of your ports, so that an attacker can't create a bind shell.
  11. Hide with NAT and IPv6: what it sounds like.
  12. Use the shell in unexpected ways: Essentially, make the CLI hard to find and use.

What I Don’t Like

Most of these techniques are great, and truly effective. However, some of the purposes are poorly recommended. An attacker doesn't have a time constraint, a budget, or a scope to adhere to. Why would you try to use that against your pen testing team? I guess I don't have any qualms with the content of the paper. In fact, I think it's probably the title, and the implied application, that I have issues with. I tend to agree with Ed Skoudis on the topic of Black Box vs. White/Gray Box testing. Although Black Box testing is the most accurate “simulation”, it also has the least depth (cost-benefit), is the most time consuming, and is the most expensive. A better approach is to utilize all the testing types in a multi-tiered methodology. Begin with a Black Box amount of information, then give the team more and more information to help them identify true vulnerabilities, rather than miss those because of (dare I say it...) obscurity. This leads to another thought on this paper: Would these tricks offer real protection for your organization? Would true information leak out, or would holes be exposed in the process of “disrupting” a pen test? The purpose of penetration testing is to evaluate the state of your organization's security. Playing pranks on the team would do little to help the organization. Although it may save you some grief during the test results review, it may cost you your job in the event of a real attack. Exploiting the fact that pen testers have time, budget, and scope limitations does nothing to help protect you against a real attacker who has none of those limitations. Organizations need to learn that you WANT the penetration testers to succeed. You WANT them to find the vulnerabilities before the attackers do. The difficult thing about the whole industry is that skill is so important. What if the skill set of the attacker is greater than that of your testing team?
Wouldn't you rather help them out in locating vulnerabilities rather than throwing brain teasers at them that some lucky hacker might bypass or figure out? It is like fighting: most people will have fun, scrap around, and mess with some friends they know won't really do them any harm. But what happens when you take a real punch to the face? This is the exact reason why so many n-th degree black belts get their trash handed to them in a real fighting situation. You need to learn to take the hits before the real situation. When it is an enemy staring you in the face, attacking with unrestrained violence of action, he is gonna kick you when you're down, then take your wallet and run away laughing. Penetration testing is about digital self defense: prepping for and preventing real world hurt. Focus on testing your current incident response teams, your forensics teams, and your currently implemented controls. This is the difference between good training and bad training. The harder you make it on yourself, the better it is in a real world situation. In the words of my old cadre, “if it ain't raining, it ain't training”.

What I Do Like

I don't want you to think I don't like this paper at all. In fact, I really do enjoy it! I would say it's a topic “after my own heart”. I love the ingenuity and the “poor man's” approach. If you recall Tom Liston and Paul Asadoorian's podcast about Offensive Defense (Blue Teams: don't call it a comeback), this is something we really ought to be looking into more. With that being said, I think the paper is great, and I would love to use some of his techniques myself. I would find it quite useful in a lab to learn how to identify and overcome these hurdles in a real world situation. However, I would leave the author one suggestion: rename the paper to something like, Close Ranks, March: Seizing the Initiative by Disrupting Hackers.

Thanks MAJ O’Connor for the excellent article. I am glad to see some other hands working on the offensive-defense front. Read his whole article here and his other publications here.

Top Ten Web Hacking Techniques of 2010 Announced!

Filed under News, Research, Reviews

Jeremiah Grossman of WhiteHat Security has announced the winners of the “2010 Top 10 Web Hacking Techniques” vote. The vote was conducted in stages: first, a public nomination and vote on numerous candidate techniques; the top 15 were then selected and voted upon by a panel of specialists. Here are the results:

  1. Padding Oracle Crypto Attack
  2. Evercookie
  3. Hacking Auto-Complete
  4. Attacking HTTPS With Cache Injection
  5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
  6. Universal XSS in IE8
  7. HTTP POST DoS
  8. JavaSnoop
  9. CSS History Hack in Firefox without JavaScript for Intranet Portscanning
  10. Java Applet DNS Rebinding

See the article and read more here.

My CISSP Experience

Filed under Certifications, CISSP, Reviews

After 4 months of studying, I took the CISSP exam on the 20th of November. Let me share with you my journey:

Preparation

I began with a very intense and structured study schedule (see my previous CISSP study post). After starting back up the last semester, and having a wave of testing assignments come up, I was forced to simplify my study plan. I used 3 primary sources:

  1. The Official (ISC)2 Guide to the CISSP CBK
  2. CISSP Study Guide (Syngress) by Eric Conrad
  3. CCCure.org

I spent the first couple of months simply chewing through the official coursework. In retrospect, I think I might have been better prepared if I had used Shon Harris' book instead of the official book. Although the Official Guide was full of great content, it was often hard to understand and apply the principles. This is extremely detrimental to the CISSP candidate (for reasons I will explain further down). So although the content is supposed to be the most “unadulterated”, it was perhaps too cryptic for the average person to benefit from the most.

The Study Guide by Eric Conrad was fantastic! Although it did not go through the same breadth of topics as the Official Guide, it covered nearly 95% of the topics, and emphasized what I found to be the most testable ones. I appreciated the simplicity of Conrad's book, and it helped me to better understand topics that I had only partially understood from the Official Guide. So the way I used the Conrad book was as follows. I would read the chapter of the official material, and then read the Conrad book's corresponding chapter. After finishing those books, I read the Conrad book again, taking a page's worth of notes from each chapter (see below for detail on the notes I took).

CCCure was amazing. The videos were fairly redundant with what I had read, but if you have time I would suggest watching all of those before starting any of the books. What I benefited from the most was the quizzes. I took nearly all of the quizzes possible (in sets of 25), and kept a chart of those areas I struggled in most. I used these test results to help me identify what I needed to take notes on and study further when I reread Conrad's book. I must say that the quizzes were the biggest help in solidifying my conceptual understanding of the CBK. I have to also mention how helpful Clement (the owner and operator of CCCure) was. He was quick to respond to emails, and had personal responses to my questions. He also sent me an amazing summary of BCP/DRP. Although you don't get to see your test results if you pass, I do believe that I didn't miss a single BCP/DRP question because of that guide. There are also some amazing last-minute review guides on the CCCure website that were of great assistance. I took one with me until the moment I walked in the door to the testing room.

Taking the Exam

The test day wasn't too bad. I took it at the University of Utah in their medical building. There must have been 15-20 people in the testing session with me. I was by far the youngest, and was intimidated to find that many (much more senior) candidates were taking the test for their 3rd and 4th time. At that moment I figured I would fail miserably; perhaps the experience would be a good way to prepare for my next time. Here is what I found about my experience:

  • Although you could bring food and drink, I didn't really need it. The proctor brought some water, but other than that I didn't want to waste the time eating my snacks.
  • The time works out to a fairly short amount per question. In response, I decided that I would read through all the questions, filling in the ones I knew for sure and skipping any question I had the least amount of doubt about.
  • When actually answering the questions, I used good ol' test-taking skills. I would first identify the outlandish answer and scratch that off. Then I would identify any other answers that contradicted the remaining ones. From there I would mark my first impression of the correct answer and move on. When returning to those questions after my first pass through the exam, I found that my nerves were calmer, the questions seemed clearer, and the answers stood out more easily (whether they changed or not depended on my reading of the question, which I found I had often misread/misunderstood on the first reading).
  • I finished with about an hour to spare. I could have gone through the questions again, but I was so mentally exhausted I just wanted it to be done. After all, I wanted to avoid the second-guessing that occurs during stressful tests.

The Exam

I must say that what I had heard about the exam worked it up to be some evil device only the devil himself could have created. In actuality, it is quite the opposite. I can't give many details about the actual test, but I will say this:

  • It is very well written. However, it does use double negatives and other tricky wording. So if you have trouble with reading comprehension, you should take great care.
  • It is NOTHING like the CEH. The CEH is nearly all memorization of facts. The CISSP was very different. It required more understanding of the concepts and principles. So don't go into the CISSP studying as if you are going to be regurgitating facts. Don't get me wrong, you need to know the facts (about protocols, encryption, etc.), but the questions will require knowledge of facts within the application of principles.
  • Don't expect to find the answers to questions within other test questions. I read a post by someone saying that this was the case, but I seriously doubt that they actually took the test.

The Aftermath

Yes, yes, everyone has their aftermath story. Mine was like this: I was feeling great... until I got to the entry hall of the building we were in. There I saw one of the other candidates, and we asked each other how we felt we did. I guess I hadn't read enough about the actual exam, because the fellow explained to me how the questions were weighted differently. You see, I was confident that I had answered over 75% of the questions correctly; very little doubt about it in fact. However, after that I was panicking that I had failed. As I explained to my wife, “I am sure I won the popular vote, but I may have been killed by the electoral college” (a little bit of political humor).

After weeks of waiting (probably because of the holiday season), I got my congratulations email at 6:30am the day before Christmas Eve.

If you have any questions, feel free to post them!

[Research] HTTP Parameter Pollution

Filed under Reviews

HPP (HTTP Parameter Pollution) has been talked about for a while. Here are the results of a study that tested some of the top websites (according to their Alexa ranking).

Basically, they were testing to find sites where user input ends up inside the HTTP parameters of links and forms the site itself generates, so that an injected & or = adds or overrides a parameter that the back end then acts on.
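An added example, written by me and not taken from the study or from this post, of what that condition looks like in code: a page that concatenates a user-supplied value into one of its own links, the same link built with proper encoding, and the three ways common back ends resolve a parameter that now appears twice. The URL and parameter names are invented; the first/last/joined behaviours are the ones commonly cited for Java servlets, PHP and ASP.NET respectively. The `is_pollutable` function is a miniature of the study's own test: push a canary parameter through the user-controlled value and see whether it comes out as a parameter of its own.

```python
"""Added example (mine, not from the HPP study or this post): how a site
leaks user input into its own links, which is the condition the study
looked for, and why the effect depends on the server's query parser.

Assumptions: the URL, parameter names and parser behaviours below are
illustrative; the first/last/joined rules are the ones commonly cited for
Java servlets, PHP and ASP.NET respectively.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode


def build_link_naively(base: str, user_value: str) -> str:
    """The vulnerable pattern: the value is concatenated into the query string
    without encoding, so '&' and '=' inside it become new parameters."""
    return f"{base}?action=view&id={user_value}"


def build_link_safely(base: str, user_value: str) -> str:
    """The fix: urlencode() percent-encodes '&' (%26) and '=' (%3D), so the
    whole value stays inside the 'id' parameter."""
    return f"{base}?{urlencode({'action': 'view', 'id': user_value})}"


def query_of(url: str) -> str:
    return url.split("?", 1)[1] if "?" in url else ""


# Three ways real back ends resolve a repeated parameter (commonly cited table).
def first_wins(query: str) -> dict:
    """Servlet-style getParameter(): the first occurrence is returned."""
    out = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out.setdefault(k, v)
    return out


def last_wins(query: str) -> dict:
    """PHP-style $_GET: the last occurrence overwrites earlier ones."""
    return dict(parse_qsl(query, keep_blank_values=True))


def all_joined(query: str) -> dict:
    """ASP.NET-style Request.QueryString: all occurrences joined by commas."""
    return {k: ",".join(v) for k, v in parse_qs(query, keep_blank_values=True).items()}


def is_pollutable(builder, base: str = "https://example.test/item") -> bool:
    """The study's test in miniature: inject a canary parameter through the
    user-controlled value and see whether it surfaces as a parameter of its own."""
    url = builder(base, "7&hpp_canary=1")
    return "hpp_canary" in parse_qs(query_of(url))


def demo() -> dict:
    """Attacker-controlled value that tries to turn a 'view' link into 'delete'."""
    payload = "7&action=delete"
    bad = build_link_naively("https://example.test/item", payload)
    good = build_link_safely("https://example.test/item", payload)
    return {
        "naive_first": first_wins(query_of(bad))["action"],    # view
        "naive_last": last_wins(query_of(bad))["action"],      # delete
        "naive_joined": all_joined(query_of(bad))["action"],   # view,delete
        "safe_id": last_wins(query_of(good))["id"],            # 7&action=delete
    }


if __name__ == "__main__":
    print(demo())
    print(is_pollutable(build_link_naively), is_pollutable(build_link_safely))
```

The same polluted link is harmless on a first-wins back end, a privilege problem on a last-wins one, and a validation bypass on a joining one (a check on `action == "view"` fails, but a `contains("view")` check passes). That parser dependence is why the study had to test sites empirically rather than reason about the HTML alone.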

read more here

Call For Review: eLearnSecurity vs. Offensive-Security

Filed under Reviews

I am writing this because of a thread on the Security Focus pentesters email list.

Has anybody taken both the eLearnSecurity and Pentesting With BackTrack courses?! We are desperately trying to compare them!

Nexpose Vs OpenVAS

Filed under Basics, Fu (a.k.a Tips), Reviews

For those of us who don't have the money for licensed software, we are forced to use the less-functional versions of vulnerability scanners. For a long time the vulnerability scanner world was dominated by Nessus (OpenVAS, which forked from the last open-source Nessus release, is the free alternative). However, Rapid7 has recently released Nexpose, a new and powerful vulnerability scanner to rival Nessus. It too offers a Community edition for those who lack funding, although with reduced capabilities. Here are a few points about Nexpose for those who are unfamiliar with it:

  1. Scan results are nearly identical to Nessus (although not OpenVAS; I'll explain)
  2. Same distributed server-client architecture as Nessus.
  3. Easy to read reports and front-end.
  4. Keeps a history of past scans
  5. Seamlessly integrated into Metasploit (more so than Nessus)

By far one of my favorite features is the Metasploit plugin. Since the framework was acquired by Rapid7, these two tools now have complete integration. Loading the Nexpose plugin in Metasploit will allow you to perform a scan, then initiate db_autopwn in one action. Nice and seamless. The generated reports are also nice.

What Makes Nexpose Better Than OpenVAS?

This is the big debate, and the reason for me writing this article. Ever since the release of Nexpose I have been a big proponent of it. Most of my friends have been trained and limited into thinking that OpenVAS was the “only way to go”. There is one problem. Those familiar with OpenVAS know that its limitations lie in its vulnerability database. OpenVAS forked from the last open-source Nessus release when Tenable closed the source, and Tenable's commercial plugin feed is not shared with it, so OpenVAS depends on its own, smaller feed of test scripts. On the other hand, Nexpose Community edition is updated with the same vulnerability checks as the Enterprise edition. However, Nexpose Community does limit the number and type of IPs that can be scanned. So although Nexpose does not completely remove the need for OpenVAS, you are far less likely to hit false negatives for lack of signatures wherever Nexpose's IP limit allows you to use it.

[Review] Pentesting Ninjitsu

Filed under Reviews

This is an older (2008) series of webcasts produced by Core Security. It features Ed Skoudis of InGuardians, who is also a SANS instructor.

This was an absolutely fantastic learning experience. If you are like me, when you first learned about hacking you figured that a “real” hacker could just sit down at any machine and do whatever he needed from a command shell; info gathering, scanning, exploitation, maintaining access, etc. After actually learning more about the field, I began to understand the near necessity of tools and the importance of having a nice arsenal.

In this podcast Ed Skoudis brings us back to the leetness of pure command line hacking. And to top it off, it's primarily focused on cmd.exe; not what a pen tester would call their weapon of choice.

Skoudis goes over using cmd.exe as a port scanner, backdoor, wardriving tool, and more. I definitely recommend everybody check this out. I guarantee it will help you in your future assessments by overcoming scope issues, as well as with post-assessment cleanup.

It reminded me of one of the CTFs at the HBN:Combat course I took at Black Hat this year. I had to capture some packets of a proprietary protocol, and then replay them, brute-forcing some hundred different combinations. I ended up capturing them with Wireshark, then doing some nasty loop-and-replace functionality with PowerShell. I then set up some capture filters in Wireshark and was able to get my results. Not very sexy, yet it worked. It was my white belt version of PenTesting Ninjitsu.

Anyway, check it out, and enjoy!

you can find it here!
