EH-Net

Was bored so I figured I'd do a write up on how to use ModSecurity as an offensive pentesting testing (huh!?) ;)

http://www.infiltrated.net/index.php?option=com_content&view=article&id=33&Itemid=39

As always (and expected)... yet ANOTHER great writeup, sil.

Thanks (these are useful, not only for OUR learning, but for easily proving points, to those whom we're trying to persuade, regarding security practices and postures.  ;)

I was going to use Canvas client side attacks but not everyone has Canvas so I did the next best thing with Metasploit on a 2008 server. I may or may not re-do the article, kind of short :\

Sil you are a mad genius, if this is what you get into when your bored I can only imagine what your capable of when properly motivated  ;)

Screw Data & Neo...SIL!

S = Sentient
I = Info-Security
L= Lifeform




Max

Very interesting article.

I would like to see more like this one on the net. Also, I would be curious whom are you following (blogs, twitter...)

These are the only blogs I follow mind you, almost all are forensic incident response:

http://taosecurity.blogspot.com/
http://console-cowboys.blogspot.com/
http://windowsir.blogspot.com/
http://blog.didierstevens.com/
http://blog.mandiant.com/
http://dvlabs.tippingpoint.com/blog/

As for twitter, I don't really follow anyone nor do I use it anymore. Most of what I learned its come via tinkering. I read a lot of books - and I mean a lot. Everything from crypto, to systems, to networking.

YES!

I was following the first one, but had no ideea about the others. I put them on my list and I will try to read them as much as possible.

About twitter... well, I tried it once to use it, didn't get the idea and I decided that it is not for me. So... no twitter for me. Actually, lately I only follow security related websites and news (I know I am not paranoic, and I enjoy doing this).

Besides security I read a couple of books about nutrition (I recommend all of you Can We Live 150 Years?: Your Body Maintenance Handbook by Mikhail Tombak ), and other books about motivation and psychology (in order to keep myself sane :) )

Thanks agains, and I really like your posts.

Sil, your mind is like a perpetual motion machine set to produce cyberstuff.  How do you do it??

There is nothing special that I can do that no one else can't. I know systems really well and I know networking very well... Security is the hobby part of the equation. I tend to think in the following terms:

1) I am in a game that I need to win
2) I need to NEVER get caught
3) I need to be aware that the admin is better than me
4) How would I DEFEND this trget system on an impenetrable scale if possible?
5) Now how do I break those defenses?
6) How do I do so with as little noise as possible.

Offense believe it or not is somewhat easy. It's delivery that becomes tough. I can almost guarantee you that even in the most compartmentalized networks and systems, there is always error. Its understanding the errors, knowing what to look for.

When I do things I almost always lab things up for my sanity and do my best to understand what my opponent can possibly see. I then try to figure out ways to minimize that. Here is a kicker for you... Tiger... Tiger is a Unix auditing tool. In the early mid 90's I would love finding it on clients' machines... Because Tiger was almost often misconfigured, I would gladly run Tiger on a machine I compromised ;) This enabled me to see the flaws I needed to find. The admins? They thought all was gravy, after all, Tiger was auditing their system.