Most Recent Additions to The Ethical Hacker Network, the best, single source of educational content for forensics, pen testing and incident response. Hacker Challenges with prizes, free monthly giveaways, tutorials, articles, forums, certification info and more. http://www.ethicalhacker.net 2010-03-11T08:01:07+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/images/M_images/ehnet_banner1.jpg text/html 2010-03-05T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/298/8/ 5 Free Seats in OffSec Online Training! Offensive Security has carved out a place in the pen testing field that is quite rare. They offer not only high quality training but also at some of the lowest price points in the industry. For an insider's look at Pentesting With BackTrack (PWB), check out Ryan Linn's review of PWB and the associated exam, OSCP (content/view/299/24/). But as well know as PWB is becoming, let's not forget they also have 3 other courses. For you wireless pen testers, there's OffSec Wireless Attacks AKA WiFu (http://www.offensive-security.com/backtrack-wifu-online-training.php), for Windows environments there's Advanced Windows Exploitationand (AWE... text/html 2010-03-04T12:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/297/8/ We Have Our Winners! Registration Is FREE! (index.php?option=com_smf Itemid=35 action=register) text/html 2010-03-01T10:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/299/24/ Ryan Linn's Column Page (content/category/7/40/24/) for Parts 1 - 4 as well as several other contributions to The Ethical Hacker Network and our community of security professionals. del.icio.us Discuss in Forums text/html 2010-03-01T08:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/289/2/ Review by Jason Haddix Have you ever seen Man on Fire? If you haven’t and you like watching kick-ass, kick-you-in-the-teeth, relentless, Denzel-Washington-type of-action-flicks… you might want to Netflix that one. Our interview this week is kind of like Denzel in Man on Fire but with less guns and more SQLi strings meticulously crafted to pwn your databases. Enter Joe (j0e) McCray of LearnSecurityOnline… Joe is a long standing friend of both Security Aegis and The Ethical Hacker Network, and, after wanting to keep the limelight off of himself and his teaching projects, we have finally pestered him enough to agree... text/html 2010-03-01T06:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/296/2/ Hello challenge fans. Sorry for the long delay, but better late than never, right? Actually this one caused a little debate, because we did not have anyone that gave a completely accurate answer on either the technical or creative sides. But in considering that these challenges are not just contests but also great ways to learn, we decided to release the answers without any winners. So although there are no signed copies of Ed Skoudis' book, Counter Hack Reloaded (http://www.amazon.com/exec/obidos/ASIN/0131481045/thedigitalcon-20?creative=327641 camp=14573 adid=0W0TMYWJ6BXR5RPTG9N8 link_code=as1), a couple of you still get your name in lights as we mention some of your good... text/html 2010-02-01T14:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/293/8/ We Have a Winner!! Black Hat DC (http://www.blackhat.com) on us. The Washington, DC version of the world's premier technical event for security experts is being held January 31 - February 3, 2010. One Passport Admission Ticket worth $1995 allows our winner entry into the 2-Day Briefings portion of the event. The event is described as, Understanding the increasingly complex threats posed to an enterprise can be a daunting task for today’s security professional. Knowing how to secure an enterprise against those threats can be overwhelming. Black Hat is the premier information security event for senior-level professionals to learn the latest... text/html 2010-02-01T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/292/8/ As a courtesy to our members, we try to keep you informed of some of the more interesting items that have been published in our online magazine by sending out an electronic newsletter by email. But not everyone interested in our content is a member. For that reason, we have decided to also publish the newsletter in article format for all to see. Each EH-Net newsletter features the major articles of the past month such as our Free Monthly Giveaways, reviews of books, courses and products as well as other newsworthy items. The newsletters also includes updates on our Hacking... text/html 2010-01-07T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/290/2/ Review by Jason Haddix Today we showcase a new web application scanner called Netsparker (http://www.mavitunasecurity.com/), and believe us when we say that we put this app through the ringer. There's a big distinction between testing a tool against dummy apps in a lab and using it first hand against a large environment. Luckily for us we got to do both. Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af (http://w3af.sourceforge.net/), Grendel Scan (http://www.grendel-scan.com/), Nikto (http://cirt.net/nikto2), Wikto (http://www.sensepost.com/research/wikto/), Websecurify (http://www.websecurify.com/), Paros (http://www.parosproxy.org/index.shtml), Burp... text/html 2010-01-04T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/286/2/ Review by Joel Dubin, CISSP The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (http://www.amazon.com/dp/1597494992?tag=thedigitalcon-20 camp=14573 creative=327641 linkCode=as1 creativeASIN=1597494992 adid=1SBDGWTPQJD15XH1E75W ), PCI is here to stay. This is no ordinary field manual to the PCI... text/html 2009-12-14T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/285/2/ Merry Christmas, challenge fans! As you know, my friends and I write several challenges per year for EthicalHacker.net. But, we've made it a bit of a tradition around here of reserving the December challenge slot for me, an honor which I sincerely appreciate. During past holiday seasons, you got to tangle with the Santa himself (content/view/218/2/). This year, Kevin Johnson and I worked together on a challenge in which you'll get to save Santa Claus from the insane asylum! We call it Miracle on Thirty-Hack Street , after the classic 1947 movie. In this tale, you'll get to analyze... text/html 2009-12-04T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/284/2/ SANS Security 550 - Information Reconnaissance: Competitive Intelligence and Online Privacy (http://www.sans.org/info/51609) A pessimistic view of the Internet: A network that enables every human to be within a few milliseconds from every psychopath and criminal on earth. Bryce Galbraith of Layered Security (http://blog.layeredsec.com/), a SANS certified instructor, has authored a new one-day course titled “Information Reconnaissance: Competitive Intelligence and Online Privacy.” The course is designed to educate IT professionals on the risks associated with information disclosure. It also teaches the students tools, tips, and techniques that assist in discovering information. The amount of our personal information... text/html 2009-11-27T15:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/283/2/ PCI DSS (Payment Card Industry Data Security Standard) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can. One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find... text/html 2009-11-27T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/282/24/ 'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern... text/html 2009-10-19T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/281/24/ 'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern... text/html 2009-10-18T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/279/2/ Salutations, challenge fans! Ed Skoudis here, ready to introduce our newest challenge. Jim Shewmaker, SANS Instructor and creator of the Netwars Capture the Flag Competition (http://www.sans.org/netwars/), has taken the keyboard this time, creating an awesome challenge for you based on the TV show, Sliders. It's got some fun twists and turns, and includes jumps to parallel universes! What's not to like? Have fun unwrapping this mystery. As always, we'll choose three winners: the best technical one, a creative entry that is also technically correct, and a random draw. Even if you don't know all the answers or can only guess,... text/html 2009-10-17T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/280/8/ IronKey S200 (https://www.ironkey.com/l-secure-flash-drive?ik_c=s200_launch ik_s=ethicalhacker ik_t=banner ik_ad=true), the World's Most Physically and Cryptographically Secure USB Flash Drive! And the winners are... Negrita, Dengar13, Oyle, ChrisG, Manu Zacharia (-M-), jimbob, blackazarro, slimjim100, dalepearson, BillV, xXxKrisxXx, g00d_4sh, Kev, Andrew Waite, sgt_mjc, awesec, jason, Ketchup, Jhaddix, timmedin. As an extra bonus, I have asked all of the above members to be on our Community Board of Advisors. This is an informal group that I will rely on in matters concerning the growing community we have all created. Each of the winners has devoted a lot of their time and efforts in making this community... text/html 2009-10-12T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/278/2/ Hello, challenge fans! This is Raul Siles, author of the “Prison Break - Breaking, Entering and Decoding” (content/view/268/2/) EH-Net challenge, here to announce the answers and winners for this tough competition. BTW, the answers for this challenge were released to The Informer (http://ihackcharities.org/category/informer-blog/) subscribers a few days ago. EH-Net had teamed with The Informer; in Johnny Long words, (It is) a fund raising effort run by Hackers For Charity. It is designed to give subscribers a backstage pass to the world of Information Security. For $54 per year, subscribers get early, exclusive access to all sorts of... text/html 2009-09-24T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/277/2/ EH-Net Exclusive - Free Download of Chapter 4: Setting Up Your Lab Review by Andrew Waite, EH-Net Member, InfoSanity.co.uk (http://www.infosanity.co.uk/) When I first heard about Thomas Wilhelm's new book in my Twitter feed, the title immediately caught my attention, 'Professional Penetration Testing: Creating and Operating a Formal Hacking Lab (http://www.amazon.com/dp/1597494259?tag=thedigitalcon-20 camp=14573 creative=327641 linkCode=as1 creativeASIN=1597494259 adid=0146GHM3FER1CFNJHBXA ).' As I'm currently trying to build up my own training and testing environment, this tome promised to provide answers to all my questions. A quick Google search to learn more and a useful discussion right here in the EH-Net Forums (component/option,com_smf/Itemid,54/topic,4514.0/) left me... text/html 2009-09-19T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/276/24/ A new version of the Browser Exploitation Framework (BeEF) (http://www.bindshell.net) has been released. This new release incorporates both my code from my Security B-Sides update of the ChicagoCon Talk Cain Beef Hash: Snagging Hashes without Popping Boxes as well as RSnake and Jabra's modules presented at Defcon. Enclosed in this update are some videos describing how to use the modules that I created which allow for realtime interaction with Metasploit (http://www.metasploit.org). These modules directly communicate with Metasploit to setup the modules which will be used in further browser exploitation. These videos demonstrate how to use the RSnake... text/html 2009-09-14T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/274/24/ 'Pentesting with BackTrack' (previously known as Offensive Security 101) (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed... text/html 2009-09-11T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/273/2/ Review by Jason Haddix If anyone hasn't seen or used The Academy Pro, then you're missing out on an incredibly valuable resource. Peter Giannoulis and friends have put together 400+ videos on setting up and using optimally all our *favorite* security technologies. Need to set up IronPort? They have a video. GFI Languard? They have a video, too. Need pentest tool tips? They have over 70 different VA/Pentest video tutorials. Heck, they have our Security Aegis videos. Last month, Peter started the buzz on a new training class he will be offering. It’s called eLearnSecurity. So far we know it... text/html 2009-09-03T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/272/24/ 'Pentesting with BackTrack' (previously known as Offensive Security 101) (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed... text/html 2009-08-16T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/270/8/ We Have a Winner! Certified Ethical Hacker seat delivered via its iClass format (http://iclass.eccouncil.org/index.php?option=com_content view=article id=69 Itemid=102), both concerns have been taken care of for you. iClass is EC-Council’s live, online, instructor-led training modality! There are two delivery formats: 1. FlexClass: This schedule is designed to spread the learning out over a period of time and avoid missing a full week’s worth of work. The times are 4pm – 8pm, MST twice a week for 5 weeks. 2. iWeek: This schedule is similar to the standard 5 day format found at the majority of training centers. The times are 8am –... text/html 2009-07-26T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/268/2/ Hello! Ed Skoudis here... with a new challenge written by my friend, Raul Siles. You may remember Raul as the victor in such challenges as Lord of the Ring Zero (http://www.counterhack.net/Counter_Hack/Lord_of_the_Ring-Zero_Answers.html) and When Trinity Hacked the IRS D-Base (http://www.counterhack.net/Counter_Hack/Trinity_Winners.html). Raul has whipped up a doozy of a challenge here, all based on the TV show Prison Break (http://www.fox.com/prisonbreak/). In this challenge, you'll work to thwart the sinister plans of The Company, an ominous, faceless group bent on world domination. To win, you'll have to do some network trouble shooting, plot a clever hack, and perform some file and packet analysis,... text/html 2009-07-20T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/267/2/ In Part I, Modern Social Engineering - A Vital Component of Pen Testing (content/view/242/2/), Chris Nickerson Mike Murray adeptly covered the generalities of Social Engineering, and how it is a repeatable process perfect for inclusion in penetration testing. So let’s go a little deeper into crafting these attacks. What are some of the tricks of the verbal trade that make people far more likely to fall prey to those phishing attacks or that fraudulent web site? What tools can I use to test and eventually utilize to attack… er… audit my target organization? This 1-hour webcast dives deeper... text/html 2009-07-17T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/265/2/ All of the answers from Brady Bunch Boondoggle (content/view/234/2/), the Skillz H@ck1ng Challenge from February 2009, are revealed as we continue our story with Oliver and Mr. Brady discussing the packet capture of the kids' hacking activity. While pondering who could help them with the analysis of the data, a bright light flashes with a rumble that shakes the house. Oliver asks What happened Mr. Brady? I moved the island Oliver. We're 3 months in the future now. Oh … OK. Who can we get to help us analyze this wireless packet... text/html 2009-07-09T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/264/2/ TerpSys (http://www.terpsys.com/home.html) I had the opportunity to attend SANS 2009 in Orlando, once again as a facilitator. This time it was to tackle the toughest course SANS has to offer, SANS SEC709 Developing Exploits for Penetration Testers and Security Researchers (http://www.sans.org/info/46063), currently their only 700-level course. As described on SANS web site: In this course, we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This four-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows.... text/html 2009-07-08T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/263/8/ We Have A Winner!! Black Hat USA (http://www.blackhat.com) on us, EH-Net. The world's premier technical event for ICT security experts is being held July 27 - 28, 2009. Featuring hands-on training courses and Briefings presentations with lots of new content. Network with thousands of delegates and review products from leading vendors in a relaxed setting, including Sustaining Sponsors Core Security, IOActive, Microsoft, Norman, Qualys and SAINT. At stake is a Passport Admission Ticket worth $1595 ($1995 at the door) that allows entry into the Briefings portion of the event. This year's venue is again Caesars Palace in Las Vegas. Registration... text/html 2009-07-01T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/262/2/ Review by Ryan Linn, CISSP, MCSE, GPEN “Gray Hat Python” by Justin Seitz, one of the latest releases from publisher, Python programming language (http://www.python.org) for reverse engineering. This book is subtitled “Python Programming for Hackers and Reverse Engineers” which is fitting as Justin is a member of Immunity Security (http://www.immunitysec.com), makers of the Canvas penetration testing platform and the Immunity Debugger. The foreword by Dave Aitel, Immunity's CEO, is an excellent introduction to why the content of this book is important. It focuses on the short time span that is required from discovery of a bug to... text/html 2009-06-15T02:00:00+01:00 http://www.ethicalhacker.net http://www.ethicalhacker.net/content/view/260/24/ This review is long overdue. My apologies to EH-Net readers, SANS and especially Joshua Wright, developer and instructor of SEC 617 - Wireless Ethical Hacking, Penetration Testing, and Defenses (http://www.sans.org/info/34528). Its lateness is more due to my inability to comprehend exactly what I experienced than to a lack of desire to complete the task. I honestly sat down at the keyboard multiple times, but each time I felt I wasn’t doing the course or Mr. Wright justice. OK… so like every other SANS course, it had quality courseware, the instructor was top-notch, and I walked away with much more knowledge...