|
Winner Announcement and Full Tutorial
Thanks to all who participated in Daemon: A Contest. Before we get to the winners as well as the tutorial on how to solve the challenge, EH-Net would like to once again thank Daemon author, Daniel Suarez, and all those involved in making this contest happen. It’s amazing how a few crazy ideas can all come together into something fun and educational while at the same time spreading the word of this truly unique work of fiction.
What started as a little game to hide a secret message turned into another classic teaching vehicle for EH-Net readers. The image is a twist on the usual steganographic content. Øyvind Østlund and Adam Wardon crafted some C# source code to hide data in an image of the author which is also invisible to the Daemon’s bots. What’s in the message still is up to you to find, but three talented people found the message and took the action it recommended. Because of that, EH-Net members jason, blackazarro and ozpj have won signed, pre-release copies of Daemon, Hard Cover Edition. And now, with the coding expertise of regular EH-Net contributor, Ryan Linn, we will show you how it can be done using a couple tutorial files and all free tools.
|
|
Read more...
|
|
 And the Scooby Snacks go to...
Thanks again to all who participated in this multi-faceted challenge. Although we all love Ed Skoudis' creations, Kevin Bong has once again proven to be more than worthy of penning some of our fun and educational contests. Where else can you find a 70s classic cartoon intermixed with some crypto to reveal a little Zeppelin all in the name of expanding your forensics skillz? Well done, Kevin. We look forward to another one of his creations later in 2009.
Since it is the start of a new year and yet another perfect time to show appreciation, this one goes out to our gracious host, Ed Skoudis on InGuardians. I've mentioned this in the past, but it is worth pointing out once again. For the betterment of EH-Net and the Ethical Hacking / Pen Testing Community as a whole, Ed volunteers his vast talents and resources to bring you what I truly believe to be a unique, educational experience. It is an honor to have him, and I look forward to many more years of collaboration.
Donald C. Donzal
Editor-In-Chief
Heeeeerrreee's Kevin!
|
|
Read more...
|
|
|
Review by Ryan Linn, CISSP, MCSE, GPEN
|
Hacking: The Art of Exploitation 2nd Edition (HTAoE) by Jon Erickson is frequently considered a "must read" for those wanting to understand exploits and exploit development. So when I wanted to understand more about the exploit development side of security this was the first book I picked up.
When talking about a book that involves programming, it is often beneficial to know where the reviewer is coming from. I do Windows, Unix, and network security, and I am pretty comfortable with programming although by no means a professional programmer. I have worked some with assembly programming, albeit in the days of Windows for Workgroups, and I really wish that I'd paid better attention in that class in college. Although I do have some experience in these areas, I'm going to point out what areas may cause individuals who haven't been exposed to much programming challenges, and also what areas should be understandable by everyone.
|
Free Sample Chapter Available Below
"0x300 EXPLOITATION"
|
|
|
Read more...
|
|
|
 Universal Plug-N-Play (UPnP) is a protocol that allows various network devices to auto-configure themselves. One of the most common uses of this protocol is to allow devices or programs to open up ports on your home router in order to communicate properly with the outside world (Xbox, for example, does this). The UPnP protocol is built on top of pre-existing protocols and specifications, most notably, UDP, SSDP, SOAP and XML.
This article will address some of the security issues related to UPNP, briefly describe the inner workings of the protocol, and show how to identify and analyze UPNP devices on a network using open source tools. While we will be specifically focusing on IGDs (Internet Gateway Devices, aka, routers), it is important to remember that there are many other devices and systems that support UPNP as well, and they may be vulnerable to similar attacks.
|
|
Read more...
|
|
|
Review by Ryan Linn, CISSP, MCSE, GPEN
|
After attending DEFCON in August and seeing the overwhelming interest in this book, I was eager to dive into The IDA Pro Book by Chris Eagle. Chris Eagle's team, School of Root, won the “Capture the Flag” event at DEFCON this year and Chris gave a presentation on CollabREate, a tool that integrates with IDA Pro to allow collaboration in reverse engineering (RE). All of that together - with the fact that the book sold out – screamed that this book should quickly make it to the top of my list.
Once I had the book in-hand, the cover alone offered some insight into what was to come. The quote on the front of the book is an endorsement from the creator of IDA Pro. The image on the front is a throwback to the Operation game by Milton Bradley, which reminds me of how I felt when I got started doing reverse engineering. I am not a professional Reverse Engineer or Malware Analyst, however, my coding background and my current position as a security professional at SAS affords the opportunity to dabble. This puts me in the perfect middle ground of being able to understand the material as well as assess its ability to teach.
|
Free Sample Chapter Available Below
"Chapter 12: Library Recognition Using FLIRT Signatures"
|
|
|
Read more...
|
|
|
At long last, we’ve completed final judging on the It Happened One Friday challenge. I apologize for the delay, but things have been very hectic here. We received a huge number of really top-notch entries in this challenge, and reading through every one of them and whittling them down to our final winners was fun but incredibly time-consuming. However, I’m really happy with the final results – the technical and creative winners did some awesome work, as did many others worthy of an honorable mention.
Given the unusual nature of this challenge, before I announce the winners, I’d like to provide a little context to describe why Matt Carpenter and I wrote it the way we did. If you will kindly indulge my explanation for just a bit, I’ll describe for you a little bit about the process of writing these challenges, and how this one in particular came to be. Alternatively, if you are impatient, you can skip these author’s notes and jump to the announcement of the winners by clicking here.
--Ed Skoudis, InGuardians
Author, Counter Hack Reloaded
|
|
Read more...
|
|
|
UPDATE: Part II Scheduled for Jan 21, 2009. Details coming soon!!
 If Ed Skoudis' webcast series entitled Penetration Testing Ninjitsu got your blood pumping, then this series will make your brain explode. EH-Net is proud to join forces with SANS and Core Security to bring you an exciting, new webcast series. This idea has been floating around for some time, so I can't tell you how jazzed I am with the final result.
The first webcast in this series, “Combining Network, Web App and Wireless into the Ultimate Penetration Test,” will take place Oct 15, 2008 @ 1:00 PM EST. Following the webcast, attendees are invited to keep the conversation going with Kevin Johnson, Josh Wright and Ed Skoudis from InGuardians during discussions hosted by The Ethical Hacker Network (EH-Net), a free online magazine for security professionals. For at least one week after each webcast, the crew will make themselves available to answer your questions directly and candidly in EH-Net’s Community Forums. All discussions will remain freely available on EH-Net for your continued reference.
|
|
Read more...
|
|
|
In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons including debugging, reverse engineering, and hacking (in all interpretations of the word).
While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:
- It is relatively simple to implement.
- It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
- While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application's working directory.
- We can intercept any API call without modifying the target (either on disk or in memory) or any system files.
|
|
Read more...
|
|
|
 So, this is my first column for EthicalHacker.net. I'm quite excited, as I have spent a whole lot of years exploring penetration testing, vulnerability research and exploit writing, and most of the past couple of years working on exploiting people.
When I use that term, I'm not talking about how to open a third-world sweat shop. While "human exploitation" tends to fall under the traditional heading of "social engineering," that term has been beaten to death of late. For example, the top five articles in my "social engineering" Google News RSS feed as I write this refer to phishing, social network sites, and three different products claiming to protect against all manner of malware.
Unfortunately, this isn't the type of social engineering I'm going to write about in most of these columns. And I'm not going to talk about lock-picking, breaking into buildings, or any of the other "No Tech Hacking" type of stuff that Johnny Long and others have made famous over the past couple of years. Nope - this is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust.
|
|
Read more...
|
|
| | << Start < Prev 1 2 3 4 5 6 7 8 Next > End >>
| | Results 53 - 65 of 103 |
|
(9) 
Network Pen Testing : eLearnSecurity - Early Look at New Low Cost Training
