EH-Net
  Show Posts
Pages: 1 ... 6 7 [8] 9 10
106  Resources / Tools / Metasploit 3.2 released on: November 19, 2008, 01:56:42 PM
A release announcement went out for Metasploit 3.2 today.  You can read the announcement here:
http://www.metasploit.com/documents/RELEASE-3.2.txt

Some of the new awesomeness includes:
Pass The Hash capabilities
Better Karmetasploit support
IPV6 support
PHP Payloads
and much more...

You can get the new hotness either via svn or by going to:
http://www.metasploit.com/framework/download/

and downloading the newest version.


107  Features / Book Reviews / Re: The Art Of Exploitation on: November 18, 2008, 07:02:04 PM
I'm actually working on a review of it now. This is a great book for getting the basics down for understanding how exploits work and how to write them. This is sort of the primer for understanding many of the most common exploits out there today. It is heavily Unix-centric, but in my opinion that makes it easier to understand. I didn't find the examples horribly useful though, and I actually tested what I learned over at http://www.smashthestack.org/ and referenced back to this book and The Shellcoder's Handbook on a regular basis as I went through the exercises.

108  Resources / Tutorials / Re: problem with use MSF on: November 17, 2008, 05:06:25 PM
I'll be slightly more helpful. If you have NO idea what something is vulnerable to, you may want to try a vulnerability scanner like Nessus. There is another option for you to Google, which is db_autopwn. If you search for that, and you use BackTrack 3, things will get easier for you. If you use this approach for evil, you will get caught; it is EXTREMELY noisy and will have a low success rate. If you do find a vulnerability, do a sessions -lv and it will show you what exploit you are vulnerable to.

109  Resources / Tutorials / Re: problem with use MSF on: November 16, 2008, 10:47:54 PM
You probably aren't vulnerable to that either, or something was wrong. Since you may not be vulnerable to much, you may want to check out DVL (Damn Vulnerable Linux) and start messing around on there. That might get you further in the process. Or install Windows XP without service packs or patches, and then Metasploit becomes a lot more interesting.
110  Ethical Hacking Discussions and Related Certifications / Programming / Small Basic on: November 11, 2008, 07:36:33 PM
I ran across a blog entry a few days ago discussing a programming language for beginner programmers called Small Basic. Small Basic is, much like it sounds, a stripped-down version of Visual Basic. What is beneficial about it is that it contains many of the core elements of common programming languages such as functions, objects, conditionals, loops, and even contains graphical elements. For those of you who are already programmers and may remember Logo, the turtle is back!

While there are many languages that contain these same elements, one of the things that make a language a good starter language is the introduction.  Small Basic has a great getting started guide that will walk you through your first "Hello World" and then help you understand what is going on.  From there variables, conditional statements, and loops follow.  Once some of the basics are down, graphics come in and you will gain an understanding of windows, managing colors, and drawing shapes.

The next chapter in the tutorial is on Logo. If you haven't heard of Logo, it was a language that was invented in the '70s and later had a turtle added and turned into many people's first programming language. The turtle has a few basic commands including movement commands for going forwards, backwards, and to the sides. The Logo turtle is used in this chapter to understand objects and is used to bring many of the skills from the first few chapters together. This chapter is also an opportunity to try to do some fun things with what we've learned thus far.

The final chapters focus on subroutines, events, and tying everything together to build our first whole application, a basic paint program. The tutorial is cut short here with a "(Pending completion)" note, but the appendices have some additional goodies. Appendix A has a bunch of small sample programs to try out and modify. Some of these include creation of a game and a fractal program. Appendix B has a listing of colors that you might like to use along the way. This is a handy reference regardless of whether you are a seasoned programmer or not.

By the end of this tutorial, you won't be an expert programmer, but you should have enough of an understanding of the constructs to have an idea of what programming languages can do. Once you've gotten a little bit under your belt, you're ready to pick up "Hello World" in something like Python, Perl, JavaScript, or Visual Basic and get started with something with more features.

If you want to check out Small Basic, go to http://msdn.microsoft.com/en-us/devlabs/cc950524.aspx.

 
111  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cookie problem on: November 08, 2008, 01:23:29 PM
I agree with Craig, but on top of the things that Craig mentioned, the answer partially depends on what you are trying to protect.  If you were a banking institution then the answer would be different than an online forum. 

Unfortunately, due to proxy use in some of the larger ISPs, the IP address is a bad thing to use for security. There will be some users who will get denied just because of their ISP.

The security measure is to have your sessions themselves time out after a short period of time if you can. That is why if you go and get a cup of coffee while you are on a bank site you will find yourself logged out. Unfortunately, short session times don't work with everything. For instance, it isn't much fun when your session times out while you are trying to make a post on a forum. So you have to balance the two. For a bank, maybe 10 minute session timeouts. For forums, maybe 2 hour timeouts.

You can also tie some client information to the session if it is important that the information remain safe. This won't stop people who are very creative, but it does raise the bar some, and for automated attacks it may cause fewer problems. For instance, keep the user agent in the server-side session store; if the user agent changes, log the person out. Browsers are also pretty noisy on many occasions as to what they will tell you when they make a request. Adding in something random like the Accept-Charset field, which is accessible from most applications, may make it secure enough to deter someone who isn't overly intent on messing with you.

Overall, the best way to prevent session theft is to make sure that your website is properly coded and you have input validation issues handled.  Making sure you have good input validation will go a long way to preventing XSS, SQL Injection and a few other types of attacks.  Check out the OWASP top 10 for common ways to prevent application problems. 

Hope this helps!
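The session hardening the post describes (a short idle timeout plus binding the User-Agent and Accept-Charset headers to the server-side session), as an added Python example that is not from the original post. The SessionStore class, the header names and the timeout values are constructed for illustration, not taken from any forum software.

```python
import hashlib
import hmac
import secrets
import time

# Idle timeouts in seconds, matching the post's two suggested profiles.
BANK_TIMEOUT = 10 * 60
FORUM_TIMEOUT = 2 * 60 * 60

# Request headers folded into the client fingerprint (the post's User-Agent
# and Accept-Charset suggestion). Header names as sent by the client are assumed.
BOUND_HEADERS = ("User-Agent", "Accept-Charset")


def fingerprint(headers):
    """Hash the bound headers together; a missing header hashes as ''."""
    material = "\x1f".join(headers.get(h, "") for h in BOUND_HEADERS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory server-side session store (constructed for this example)."""

    def __init__(self, idle_timeout, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be exercised in tests
        self._sessions = {}

    def create(self, user, headers):
        """Issue an unguessable session id bound to the client's fingerprint."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": fingerprint(headers),
            "last_seen": self.clock(),
        }
        return sid

    def validate(self, sid, headers):
        """Return the user for a live, matching session, else None.

        Either an idle timeout or a fingerprint mismatch destroys the session
        (the post's "log the person out"), so a replayed cookie is not retried.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        expired = now - sess["last_seen"] > self.idle_timeout
        # Constant-time comparison so the check does not leak fingerprint bytes.
        mismatch = not hmac.compare_digest(sess["fp"], fingerprint(headers))
        if expired or mismatch:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now  # sliding idle window
        return sess["user"]
```

The trade-off the post mentions is visible here: a cookie replayed from a client with different headers is rejected, but the legitimate user is logged out at the same time.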
112  Features / Oct 2008 - Scooby Doo and the Crypto Caper / Re: [Article]-Scooby Doo and the Crypto Caper on: October 10, 2008, 08:56:42 AM
This is a really neat challenge.  I haven't worked on my answers yet, but there is some really cool stuff in here.  Unless you are REALLY into cryptography, there should be some cool stuff to play with in this challenge.

113  Ethical Hacking Discussions and Related Certifications / Other / Re: Holiday Ideas on: October 07, 2008, 09:17:19 AM
I'm primarily looking for cool things to give adult males.  I have a number of co-workers who I need to get gifts for, and aside from a bigger lab with more toys in it, I need to find some reasonable things that I might like.  I'm completely out of touch with what cool new gadgets and toys are out there.

phn1x: I completely agree with you there.  I love the books.
114  Ethical Hacking Discussions and Related Certifications / Malware / Fyodor Explains TCP DOS attack on: October 06, 2008, 07:20:08 PM
I thought that this was a great explanation. We don't know for sure what Robert E Lee is going to say about the vulnerability, but this is good reading nonetheless.

http://insecure.org/stf/tcp-dos-attack-explained.html

115  Ethical Hacking Discussions and Related Certifications / Other / Holiday Ideas on: October 05, 2008, 04:33:28 PM
I'm working on making a list of what might be good gifts for the holiday season. I have no idea. What thoughts do y'all have?
116  Resources / Career Central / Re: Computer Science degree vs. anything else? on: October 05, 2008, 01:45:26 PM
I would say that there are probably a few routes that wouldn't be bad. Computer Science is kind of interesting; personally I learned a lot about programming theory, while not as much about good programming practices, secure programming, and common pitfalls. I was able to pick up a fair amount of networking theory, so I guess part of choosing a major depends on what you want out of it.

Of the people I know who are doing pen testing and information security things, many of them came through other IT functions, such as networking and sys-admin.  One of the great things about college is that the atmosphere of learning frequently doesn't stop at the classroom.  If you can find a part time job working with an IT group or something like that and find a mentor who will help you learn more about enterprise environments, what your degree is in may not matter as much.  When it comes to IT security, I think that in many cases, people are going to be looking for people with experience first, then a degree second. 

Another great option is to find a co-op opportunity through your school with a local company that has an infosec team taking either summer students or co-ops. I've worked with summer students before, and that's another opportunity that will end up being whatever you make of it. You probably will have to do some stuff that isn't as fun but is something that needs to be taken care of, but walk in and do the things that you're tasked with, show that you know your stuff, and then suggest things that you'd like to be involved in. If you show that you are capable, those folks are probably going to be good references for you, both technically and employment-wise, in the future.

The biggest thing, though, is that college isn't just about the classes. You have a whole lot of resources at your disposal as far as professors, staff, and other bright students. Make the most of all of it, and don't forget to have some fun along the way.

117  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What info can be obtained just from IP on: October 05, 2008, 12:52:09 PM
EH Columnist Chris Gates presented on something similar at ToorCon. What he presented on was: given a domain name, what can you find out? Depending on what the IP resolves to, this could definitely be useful. Check out the link to the PDF at: http://carnal0wnage.blogspot.com/

One thing that I haven't seen mentioned a lot is Google. I know it's probably common sense, but I've been able to track down IPs directly to people based on mail archives, IRC logs, etc.

118  Resources / Tools / Re: ServifyThis on: October 02, 2008, 09:11:30 AM
Personally, I think that if a script kiddie is going to own a box, for the owner of the box it is probably better if they used ServifyThis in order to create their back door. It can uninstall itself, which is awesome. I'd much rather have that than some of the other stuff out there. Aside from the fact that it can be handy for a pen tester, it has some great uses for other people too. Microsoft already has a tool called SRVANY.EXE which will let you do something similar, but it's more complex to use. It definitely lowers the bar for people who want to run netcat as a service, but at least you know it is going to go in and out of your machine cleanly instead of worrying about registry keys and such with the current tools out there.
119  Ethical Hacking Discussions and Related Certifications / Other / Re: Exploit Questions on: September 29, 2008, 05:03:33 AM
All of these features are basically raising the security bar. With each one, the amount of skill and effort it takes to get a working exploit rises. That's the basic point of all the security stuff we throw out there. Whether it's firewalls or service hardening or whatever, if there is a person motivated enough and skilled enough with a lot of free time on his/her hands, eventually they will either figure out how to get in or give up to find something more fun.

There was discussion at DEFCON of how to defeat some of these things. If you read this article, http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html, there is a discussion that talks about what tntcoda said. The thing that I read that seemed most important is that a portion of all of this depends on software developers doing the right thing. This is also implied by the grsecurity software here: http://www.grsecurity.net/confighelp.php.

In my opinion, we as security people can keep putting up barriers, but when we look at software development, even the folks that the developers frequently look up to, such as Microsoft, are opting out of their own security measures (see the first article referenced). If we are running OSes with only the base services enabled and fully patched, I think that the bar is pretty high up there, but as soon as you start installing software on there, the attack vector just gets bigger. With Vista as an example, I am pretty confident that many people that got bothered by UAC just turned that puppy off, and there goes another layer of protection. Add to that that IE has opted out of additional security features, and your attack space has gotten larger.

In my opinion, if we want to make sure that the systems are secure, it needs to be a multi-pronged approach: 1) it needs to be convenient for the user, 2) it needs to be built into the OS, 3) it needs to be enforced by the applications. Developers are going to need to start writing code that doesn't opt out of DEP (Data Execution Protection) and ASLR (Address Space Layout Randomization), but sometimes that's hard, and we're willing to compromise. We all compromise some; I am sure that I'm not the only one that's hit the "remind me later" button on Acrobat when I'm trying to read a PDF off of a site that I trust. The compromise is what really gets us in trouble, I think.
120  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection Automated Tools on: September 24, 2008, 09:25:22 PM
I think that it may actually be better to approach your questions in reverse order. I would recommend starting with some basics such as here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html. Once you understand what's going on, if you have access to the source of the applications that were listed by your IPS as vulnerable, look at the URLs that the IPS reported on. Look for places where input is accepted from a user and then a query is run against your SQL server without the variable being checked for validity and special characters being escaped. For instance, if your site houses articles, and you request articles by a URL like "http://myreallyawesomesite.com/articles.php?articleid=31337", then you would want to validate in your application that articleid really is a number.

Before you start running any automated tests, I will start out with a warning. If you don't understand what is happening with the web app you are scanning, proceed with caution. Some applications are not coded well, and if you are running a scanner against a poorly coded application, bad things could happen. Just be prepared, and if you are not the maintainer of the application, talk to your admins before you start scanning. There is the chance of data destruction or an unintentional denial-of-service attack when you run the tools. For an example, take the URL from the example above and assume that it is vulnerable. Most tools will try something like adding "or 1=1--" to the end of a query string. If the application is taking the results from the query and finding other examples that might interest you, and it does it for every article, you could end up causing the database server to chug for quite a while, which might cause website or database degradation.

If you have decided to run a tool, you may want to consider http://www.parosproxy.org. It is quick and simple; essentially you should be able to point your web browser at Paros Proxy and browse to the applications that your IPS reported, then choose the scan option after clicking on the script, and it should generate a report for you with the problems it has found. http://grendel-scan.com/ was also released at DEFCON this year, and after playing with it, it does have potential, but getting it to only scan select pages is not trivial. There is also http://www.sensepost.com/research/wikto/, which is also not trivial to configure, but has been around for a good period of time and does detect common misconfigurations and can scan for XSS and SQL injection. There are also commercial tools which are more thorough and more expensive, such as http://www.whitehatsec.com and HP WebInspect, and CORE Impact is now getting into the web-app scanning/exploit market.

Finally, you probably want some resources on how to fix the problem. Check out http://www.owasp.org/index.php/Data_Validation; it has some good rules of thumb, but you want to look at the abilities contained in whatever language your applications are in to fix the problem, and without knowing the language there are too many possibilities to list out here.

Good luck with your assessment.

-Ryan
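The articles.php?articleid= case from the post, as an added Python example (not the poster's code): a lookup built by string concatenation beside one that validates the id as a number and binds it as a parameter, both run against a constructed in-memory SQLite table so the effect of the appended "or 1=1--" is visible. The table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the site's article table.
ARTICLES = [
    (31337, "Hello World"),
    (31338, "Staff-only draft"),
    (31339, "Archive"),
]


def make_db():
    """Build the in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (articleid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def titles_vulnerable(conn, articleid):
    """Concatenates the raw request value into the SQL (the pattern the post warns about).

    With "31337 or 1=1--" the WHERE clause is always true and the trailing
    "--" comments out the rest of the statement, so every row comes back.
    """
    sql = "SELECT title FROM articles WHERE articleid = " + articleid
    return [row[0] for row in conn.execute(sql)]


def titles_hardened(conn, articleid):
    """Check that articleid really is a number, then bind it as a parameter.

    Anything that is not a plain decimal integer raises ValueError before any
    SQL runs; the placeholder keeps the value out of the query text entirely.
    """
    if not articleid.isdecimal():
        raise ValueError("articleid must be a number")
    rows = conn.execute(
        "SELECT title FROM articles WHERE articleid = ?", (int(articleid),)
    )
    return [row[0] for row in rows]


def demo(articleid):
    """Run both lookups on one request value.

    Returns (vulnerable_result, hardened_result); the hardened result is the
    rejection message when validation fails.
    """
    conn = make_db()
    vulnerable = titles_vulnerable(conn, articleid)
    try:
        hardened = titles_hardened(conn, articleid)
    except ValueError as exc:
        hardened = str(exc)
    return vulnerable, hardened
```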

© 2013 The Ethical Hacker Network