Book Review: Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

Review by RichM

Kevin Poulsen has worked tirelessly to become a respected expert in the information security field and is a senior editor for Wired Magazine. Kevin edits the Threat Level Blog covering various topics mostly intersecting between law enforcement and hacking, but there are other relevant posts like the latest goings on with Wikileaks. The now white hat was not always on the straight and narrow and made a name for himself as his alter ego, “Dark Dante.”

The legend of his “exploits” is well known and has him counted amongst America's most infamous hackers. Dark Dante's most impressive hack was when he used his phreaking skills to win a Porsche 944. He rigged the phone lines of an LA radio station, guaranteeing he would be their 102nd caller! Kevin Poulsen and Max Butler, the person on whom the book is based, have many similarities. Both are very skilled and have a natural ability, but while one was able to find legitimate work after a conviction, the other was not. It is because of Kevin's past that he can bring to life such a fascinating topic. Most mainstream reporters would (at best) turn this story into a 5-page magazine article, whereas Mr. Poulsen has created a suspenseful page-turner in Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.

Oracle Web Hacking Part I

By Chris Gates, CISSP, GCIH, C|EH, CPTS

Oracle applications are not what you’d call simple. I think any DBA or Oracle Application Server Administrator will be the first to attest to that fact. Oracle, with its great products, comes with some unpleasantries. These are:

1. Oracle applications are complicated (hopefully we all agree on this).
2. They come with loads of default content and no clear way to remove that content.  There is no IISLockdown equivalent for Oracle applications.  Content you don’t want must be removed manually.  Some of this content can be used to run database queries, read documents, gather information via information leakage on the pages or perform XSS attacks.
3. Users have to pay for patches and extended advisory information (even then, no Proof of Concept code is released by Oracle).
4. And lastly, you have a fairly complicated patch/upgrade process, which leads to an "it’s working, don’t touch it" mentality among a fair number of admins.

This provides a target-rich environment for pentesters and bad guys. Let’s take a look.

Video: Deep Dive into Red Teaming with the Metasploit Framework

The entire hour and a half video of the webcast and complete slide deck are now available.

On March 22 last month, EH-Net presented a webcast with James "egyp7" Lee, who took the participants on a technical deep-dive through the new features of the free and open source Metasploit Framework version 3.6, focusing on techniques valuable to professional penetration testers in red teams and consulting firms. This included post exploitation modules (a more powerful replacement for Meterpreter scripts) and using platform-agnostic payloads for increased pwnage. Before the lengthy Q&A, he also covered some of the feature highlights in the commercial editions, Metasploit Pro and Metasploit Express. Webcast participants and now viewers of this video should be familiar with the concepts of Metasploit and penetration testing.

James "egyp7" Lee has been contributing to the open source Metasploit Framework as a core developer and project manager since April 2008. Before joining Rapid7 to work on Metasploit in a full-time position, he discovered numerous vulnerabilities in SCADA and Industrial Control Systems at Idaho National Laboratory. James has presented at DEF CON, Black Hat USA, Black Hat DC, SANS Process Control & SCADA Security Summit, and other events.

March 2011 Free Giveaway Winner - SANS vLive!

We Have a Winner!!

Live, online courses by top instructors without the need for travel expenses... That's SANS vLive! Be sure to take advantage of this SPECIAL OFFER! Attend Josh Wright's Wireless Course, SEC617, use Coupon Code 'WISPY_EH' and get a FREE Wi-Spy DBx portable spectrum analyzer from Metageek (retail value $599). Students will also receive a coupon code to upgrade Wi-Spy from Chanalyzer 4 to Chanalyzer Pro for only $200 instead of $400, an additional $200 savings. This offer will be good until class starts on April 19th. Students outside of the US will be responsible for paying any duties, customs or import fees imposed by their country of residence. And now the drum roll... SephStorm is our deserving winner this month and gets a free seat worth $3500 in either:

- Security 617: Wireless Ethical Hacking, Penetration Testing, and Defenses Tuesday, April 19, 2011 - Thursday, May 26, 2011
- Security 542: Web App Penetration Testing and Ethical Hacking Monday, May 16, 2011 - Monday, June 27, 2011
- Security 504: Hacker Techniques, Exploits & Incident Handling Monday, June 13, 2011 - Wednesday, July 27, 2011

Editor's Note: This is the last time Josh will be teaching this course in any format until July. So if you were thinking of doing this class with the courseware author, this is your shot. And you can do it in the comfort of your own home or office in your pajamas. Of course I'd suggest the former location rather than the latter, but I guess that all depends on where you work. Either way, congrats to SephStorm and all the future winners of EH-Net's Monthly Giveaways.


Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity.

Only members are eligible!
Registration Is FREE!

 
Course Review: Path to the ISAM

Course Review by Wardell Motley

I recently had the opportunity to travel to Colorado Springs, CO and took the Information Security Assessment Methodology (ISAM) course by Security Horizon. The ISAM course, which was formerly the NSA-IAM\IEM, has now been merged into a combined 3-day, 24-hour course.

The ISAM was created by examining the processes and techniques implemented within the information security community by seasoned assessors from both industry and government sectors. The purpose of the ISAM is to provide a detailed systematic standard for the community to perform an information security assessment by thoroughly examining cyber vulnerabilities. Unlike other courses, the ISAM concentrates heavily on the actual methods and processes of an assessment and is not a tool-based or theory-heavy course.

Although no class can teach the fundamentals or give the experience of being able to communicate effectively with the target audience, the ISAM provides a roadmap on how to deal with flaky answers from executives and scared employees that fear their answers may end up putting them out of a job.

February 2011 Free Giveaway Winner - FishNet Security

We Have a Winner!

EH-Net member tturner has been with us since 2008 and wins a choice of course and platform (excluding CISSP) worth almost $4000! FishNet Security's Training Services offers the peace of mind in picking a training company that can handle all of your security training needs. They offer courses in a variety of platforms for multiple areas such as 7Safe's CSTA & CSTP, Check Point, Juniper, EC-Council, ISC2, et al. Many thanks to all members new and old. I'm awed by what we all accomplish together, and I'm truly excited for the future.

FishNet Security has been delivering training to the market since 1998 constantly focused on delivering high quality, real-world, hands-on, expert instruction. FishNet Security has witnessed the security landscape change and constantly developed new training offerings and instructional techniques to match real-world requirements. FishNet trainers don’t teach straight from the book; they customize their courses to fit your organization’s unique security paradigm. At FishNet Security Training Services, “We help security professionals become security experts.”

If you didn't win this month, don't fret. Use Coupon Code EHacker2011 for 15% Off FishNet Security Training. Thanks again and congrats. Many more prizes to give away this year, so keep up the great work. 

Video: Pen Test Walkthrough with Metasploit Pro

Metasploit Pro 3.6 was released today with a slew of new features aimed at facilitating pen testers throughout the entire penetration testing process. One such new feature is asset tagging of groups of hosts, so that they can be grouped together easily. Utilizing another new feature, global search, makes managing large engagements a breeze. In addition to a free webinar on March 22 with James "egyp7" Lee on the Metasploit Framework, EH-Net regular columnist, Ryan Linn, explores Metasploit Pro. He not only shows off some of those new features but also walks the viewer through the basic steps of performing a pen test with Metasploit Pro with the following 3 videos:

- Getting Started With Metasploit Pro
- Post Exploitation
- Reporting and Cleaning Up

As we all know, a pen test is not over when the hacking is done. Rapid7 realizes this as well, so the new reporting capabilities are a very welcome addition. It is now easy to generate PCI compliance notes based on the findings throughout the penetration test. These reports indicate exactly where the failures are and actually provide evidence to support those findings. For those that need more detailed reports on all of the activity performed throughout a penetration test, the activity report shows all commands issued and all gathered evidence. These two reports alone can save a lot of time for testers who need to present this type of information to their clients.

For those that haven't learned to 'stop worrying and love the GUI,' Metasploit Pro now has a console mode where you can interact with Metasploit Pro just like the Community Edition.  For those that have embraced the GUI, the addition of tags allows for easy grouping of assets, and the tags can be used in many of the fields as shortcuts for specifying specific IP addresses.  This really speeds up every step in the process.

So let's get a feel for Metasploit Pro as a whole as well as the new features of v3.6.

The 5 Secrets to Phishing Success

Column by Mike Murray

These days, it’s hard to perform a penetration test without attempting some sort of online social engineering, and most often, this takes the format of some type of phishing attack (whether targeted or across a wide user base).

While we spend epic amounts of time getting our exploits and payloads perfect (even if we’re using SET), far too often we see testers using stock emails or variants of canned emails that they’ve been taught to use without thinking about the real keys to getting their emails read and acted upon.

These are my five most-often overlooked secrets to making sure that your email phishing works...

Webcast: Deep Dive into Red Teaming with the Metasploit Framework

Join us for a Free Webcast on March 22

James "egyp7" Lee takes participants in a technical deep-dive through the new features of the free and open source Metasploit Framework version 3.6, focusing on techniques valuable to professional penetration testers in red teams and consulting firms.  This will include post exploitation modules (a more powerful replacement for Meterpreter scripts) and using platform-agnostic payloads for increased pwnage.  Before the Q&A, he will also cover some of the feature highlights in the commercial Metasploit editions Metasploit Pro and Metasploit Express. Webinar participants should be familiar with the concepts of Metasploit and penetration testing.

James "egyp7" Lee has been contributing to the open source Metasploit Framework as a core developer and project manager since April 2008. Before joining Rapid7 to work on Metasploit in a full-time position, he discovered numerous vulnerabilities in SCADA and Industrial Control Systems at Idaho National Laboratory. James has presented at DEF CON, Black Hat USA, Black Hat DC, SANS Process Control & SCADA Security Summit, and other events.

Date:  Tuesday, March 22, 2011
Time:  11:00 AM - 12:30 PM CDT

Even if you can't join us for the live event, please register for future details on how to get the video!


© 2013 The Ethical Hacker Network