Review by Ryan Linn, CISSP, MCSE, GPEN

RUaNinja?

Test your ninja skills & win signed copies. See Forum Thread for Details.

del.icio.us

Discuss in Forums (2)

By Raphael Mudge, Armitage Creator

Metasploit is a popular exploitation framework that has seen plenty of coverage on ethicalhacker.net. This article introduces Armitage, a new GUI for Metasploit built around the hacking process. Today, I will show you how to use Armitage to scan a Linux host, find the right exploit, exploit the host, and handle post-exploitation. By following this process, you will learn how to use Armitage and Metasploit in your own work.

The target we will use is the Metasploitable Linux virtual machine. Metasploitable contains several vulnerabilities making it a safe, and, dare I say ethical, training ground for future penetration testers.

Read the Armitage documentation to get Armitage running. Through the rest of this article, I will assume that you have Metasploitable running, Armitage is ready, and that you have downloaded this Python script that we will use later.  Let's get to work.

del.icio.us

Discuss in Forums (4)

We Have a Winner!!

What a better way for EH-Net member yatz to have spent the holidays than contributing to EH-Net... right? Well it may not have been the best way, but he did win a CEH boot camp. And not just any CEH course, but one provided by Global Knowledge. If you're not in the know: 

"Global Knowledge is the worldwide leader in IT and business skills training. Leverage our security curriculum that includes the latest in vendor-specific training from Cisco, Microsoft, Foundstone, SonicWALL, Check Point and EC-Council, as well as certification prep courses for the CISSP, CompTIA Security+ and Certified Ethical Hacker exams. We deliver our courses via training centers, private facilities, and the Internet, enabling our customers to choose when, where, and how they want to receive training. Visit www.globalknowledge.com/security to learn more."

To make it even better, Global Knowledge's exclusive ethical hacker course is presented with content developed by CEH expert Michael Gregg (literally wrote the book). Read The Technical Foundations of Hacking from Michael Gregg's book, CEH: Exam Prep 2 right here on EH-Net. Students will be immersed in an interactive environment, where he'll learn to footprint organizations, perform port scanning, and exploit a variety of systems and architectures. He'll get in-depth knowledge with follow-along demos and hands-on labs. While many CEH courses focus on an end-of-week exam, this ethical hacking course focuses on teaching hands-on skills yatz can use. Congrats!

del.icio.us Discuss in Forums (9) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

Hello, challenge fans!  Ed Skoudis and Yori “Skellington” Kvitchko here, with our announcement of the answers and winners from the holiday hacker challenge The Nightmare Before Charlie Brown’s Christmas.  In past challenges, we typically showed our answers first, followed by the winner announcement.  But, we know that everyone instantly jumps down to the winners first (we can tell this using the Metasploit-based tracking software we clandestinely installed on each of your systems while you read our packet captures – JUST KIDDING!).  So, in a topsy-turvy fashion for a change of pace, we’ll first announce the winners, and then provide our answers to the challenge.

As usual, this year’s competition was intense, with some of the smartest and most clever folks we’ve ever seen participating.  Also, many of you had a nice scent as well (we can tell via the new Meterpreter smell-o-matic script included in the payload of our tracking software; thanks for coding that one up, Carlos).  Our respondents included tried-and-true experts who have worked through many challenges in the past, intermixed with freshly minted newbies impressively building their skills, and everyone in between.  Many people commented that the challenge really helped get them engaged in VoIP attack analysis for the first time, which is one of the primary reasons we write these darned things.  Even if you didn’t win, we do hope that your had fun and learned some valuable lessons about VoIP (in)security.

--Ed Skoudis
EthicalHacker.net Challenge Master
Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Instructor

del.icio.us

Discuss in Forums (2)

By Dr. Anton Chuvakin @ Security Warrior Consulting

Do not think of PCI DSS 2.0, that came out this October, as “PCI DSS 1.3!”

Instead, think about is as PCI DSS 1.2.2.  Despite the great fanfare, the changes in PCI DSS are small and tactical.  Don’t get me wrong, a lot of very useful clarifications, reminders and explanations have been added to the standards – both PCI DSS and PA-DSS.  However, a lot of media attention has made it sound as if the PCI Council has “changed everything … again,” and that is simply not the case.  Some of the requirements that are frequently seen by merchants as too specific have been made more generic, while some that have received criticism for being too have vaporous, have been tightened down.

Let’s go through a few of the interesting changes in PCI DSS and try to predict what the impact would be in the coming year of 2011 as PCI DSS 2.0 is put into practice.

del.icio.us

Discuss in Forums (3)

Happy Holidays, challenge fans! Ed Skoudis here, with this year’s holiday hacking challenge. Have you ever seen the classic video A Charlie Brown Christmas, and pondered why Charlie Brown is so upset at the start of the video? Also, have you ever wondered why the rest of the Peanuts gang is so focused on the materialism of the Christmas season? Well, this year’s hacking challenge answers these questions. In our tale, you’ll discover that something happened before the start of the Charlie Brown Christmas video that put these characters into such a state. That something is what we like to call…

The Nightmare Before Charlie Brown’s Christmas

These challenges, which are an annual tradition here at EthicalHacker.net, are designed to help people develop their skills, show off their abilities, and have some fun. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself. And who can forget last year's Miracle on Thirty-Hack Street. Read this challenge, answer the questions, and send your responses in by January 3, 2011 to skillz1210 (at) ethicalhacker.net. We’ll choose three winners, each of whom will get an autographed copy of my Counter Hack Reloaded book. One prize will go to the best technical answer, another to the most creative answer that is technically correct, and the final prize is based on a random draw from every person who submits an answer. Even if you have no idea whatsoever for how to answer the questions, send in your best shot to be entered in the random draw. And now, without further adieu, the curtain rises on our story…

--Ed Skoudis
EthicalHacker.net Challenge Master
Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Instructor

del.icio.us

Discuss in Forums (24)

We Have a Winner!

More great prizes for top EH-Net contributors. The winner is long-time contributor and newest member of the 1000 Post Club, awesec. He receives the highly regarded instructor-led ethical hacking course by InfoSec Institute. This 5-day in-person course includes a lab book, textbook, an ethical hacking toolkit, exam vouchers for both CEH and CPT and even meals! The only thing this doesn't include is travel & hotel, so he has chosen to do the online version of this course. As InfoSec Institute describes it:

"Our most popular information security and hacking training goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to hacking in this network security training course. The goal of this course is to help you master a repeatable, documentable penetration testing methodology that can be used in an ethical penetration testing or hacking situation."

Awesec gets to take this awesome course any time within the next 12 months. For a schedule of times and locations as well as more details on the course itself, click on InfoSec's Institute's logo or links above. While you're there, be sure to inquire about the SPECIAL PRICING for EH-Netters. Due to 8570 regs, we can't tell you the exact discount, but rest assured that the Institute will do their best to take care fo those eager to learn. Congrats and good luck to all members next month.

del.icio.us Discuss in Forums (10) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

Cracking the Perimeter (CTP) is the latest course offered by the team at Offensive Security. The course teaches expert level penetration skills including advanced tactics in web exploitation, binary manipulation and exploitation, and networking attacks. Building on material in the earlier course, Pentesting with Backtrack (PWB - Read Review), this offering provides intermediate students with a learning platform that can be used to become advanced practitioners of certain exploit methodologies. This review will attempt to provide a high-level overview of the course and set expectations for students who may be considering it.

Divided into a registration puzzle, five sections, and an exam, the course provides a more in-depth view of common web application exploits, binary analysis and backdoors, anti-virus evasion, techniques for exploitation using memory concepts, exploit writing, and network exploitation techniques. The end-of-course practical exam assures that the student has a true understanding of the course material presented, allowing employers and other security professionals to rely on the certification as a testament of capability, not only authority. 

del.icio.us

Discuss in Forums (9)