EH-Net
  Show Posts
Pages: 1 ... 4 5 [6] 7 8 ... 71
76  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Locked iPhone on: March 14, 2013, 05:33:32 PM
I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.
77  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 05:26:07 PM
What AJ said but in addition:

 - Sync'd local admin pws
 - Lots of LM hashing in use
 - Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible



There's a group policy that disallows network authentication for the local users specified. We typically make organizations roll that out after we've run a train on them using those techniques. It ruins everything for us or whoever comes the next year, but it's simple and effective. Disallowing delegation for privileged accounts is huge too.

Another fun one is if they're setting the local admin's password via group policy preferences and you get a standard domain user account. You can read the groups.xml on the domain controller and there are scripts floating around that'll decrypt the encrypted password in it because Microsoft disclosed the key they used.

Edit: http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html
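The groups.xml issue in the post above is easy to audit for from the defender's side: any GPP XML item under SYSVOL whose cpassword attribute is non-empty still stores a credential that domain users can read. The script below is an added example, not code from the thread or from the linked article; it walks a SYSVOL-style tree, reports every element with a non-empty cpassword, and does not decrypt anything. The sample Groups.xml, ScheduledTasks.xml and Registry.xml files, the GUID folder names and the cpassword blobs are all constructed for the demo.

```python
"""Audit a SYSVOL-style directory tree for Group Policy Preference XML items
that still carry a cpassword attribute (Groups.xml, ScheduledTasks.xml, ...).
Constructed example: the files, GUID folder names and cpassword blobs below are
made up for the demo and are not real policy data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Attribute names the different GPP item types use to name the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

# Constructed sample files, keyed by path relative to the SYSVOL root.
SAMPLE_FILES = {
    "Policies/{00000000-0000-0000-0000-000000000001}/Machine/Preferences/Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="Administrator (built-in)" image="2">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="CONSTRUCTED_BLOB_NOT_A_REAL_VALUE==" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{CONSTRUCTED-CLSID}" name="svc_backup" image="0">
    <Properties action="C" newName="" fullName="" description="" cpassword=""
      changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
""",
    "Policies/{00000000-0000-0000-0000-000000000001}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CONSTRUCTED-CLSID}">
  <Task clsid="{CONSTRUCTED-CLSID}" name="NightlyBackup" image="2">
    <Properties action="U" name="NightlyBackup" appName="C:\\backup.exe"
      runAs="CORP\\svc_task" cpassword="ANOTHER_CONSTRUCTED_BLOB="/>
  </Task>
</ScheduledTasks>
""",
    "Policies/{00000000-0000-0000-0000-000000000002}/Machine/Preferences/Registry/Registry.xml": """<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{CONSTRUCTED-CLSID}">
  <Registry clsid="{CONSTRUCTED-CLSID}" name="EnableLUA">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Example" name="EnableLUA" type="REG_DWORD" value="00000001"/>
  </Registry>
</RegistrySettings>
""",
}


def build_sample_sysvol(root_dir):
    """Write the constructed sample files under root_dir; return the paths written."""
    written = []
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        written.append(path)
    return written


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element whose cpassword attribute is non-empty."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # a real audit would log unparseable files rather than skip them silently
            for el in root.iter():
                blob = el.attrib.get("cpassword", "")
                if not blob:
                    continue  # attribute absent or empty: no password is stored in this item
                account = next((el.attrib[a] for a in ACCOUNT_ATTRS if a in el.attrib), "<unknown>")
                findings.append({
                    "file": os.path.relpath(path, root_dir).replace(os.sep, "/"),
                    "item": root.tag,
                    "account": account,
                    "cpassword_length": len(blob),
                })
    return findings


def audit_sample():
    """Build the constructed SYSVOL tree in a temp directory and audit it."""
    root_dir = tempfile.mkdtemp(prefix="gpp_audit_")
    build_sample_sysvol(root_dir)
    return find_cpasswords(root_dir)


if __name__ == "__main__":
    for f in audit_sample():
        print("%s: %s item for %s stores a %d-char cpassword"
              % (f["file"], f["item"], f["account"], f["cpassword_length"]))
```

Point find_cpasswords at a copy of the domain's SYSVOL share (or at the share itself with read-only access) and every hit is a preference item that should be removed and its password rotated; the empty cpassword on the svc_backup entry is correctly ignored, since GPP writes the attribute even when no password was set.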
78  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Common vulnerabilities you expose during engagements on: March 14, 2013, 07:20:34 AM
  • Blank/Weak admin creds for SQL Server and Tomcat
  • Still regularly see MS08-067 and NT4
  • MitM attacks - ARP poisoning, name response spoofing, etc.
  • Default credentials on web apps and devices
  • Tons of random third-party applications that fall through the patching cracks
  • VxWorks Memory disclosure is on about half of the assessments I do

I need to get going for my flight, but those are the ones that come to mind when I think of what I see over and over and over and over.
79  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: AV Bypass on: March 12, 2013, 08:50:07 AM
Nice post. I'm getting back into C++ myself and appreciate the sample code.

For whatever reason, Symantec only has an attack signature for Meterpreter's reverse_tcp payload: http://www.symantec.com/security_response/attacksignatures/ It's the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.

Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it's good to know about the alternate payloads.

Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it's just too easy.
80  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Quick question regarding Ingress Filtering. on: March 10, 2013, 06:36:50 PM
I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

This isn't directed at anyone who responded in this thread, but aside from garbage CEH trivia questions, I don't think there is a difference.

This seems to have caught on from the RFCs (2827 is actually superseded by 3704). However, these are specifically written for mitigating DoS attacks for service providers/large networks. They aren't literally defining the term.

There is no legitimate reason for ingress filtering to not mean the exact opposite of egress filtering.
81  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP in current state ? on: March 01, 2013, 09:03:44 PM
+1 for going for it. You seem to have fairly well-rounded knowledge, so you shouldn't be at a complete loss for any of it (compared to someone that has no Linux experience, for example).

If you still feel weak in some areas after your lab time has expired, take some time to strengthen those skills, and then get another 30 days and hammer it home.
82  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: AIO master Master Exam (Learnkey) test questions help. on: February 28, 2013, 04:55:30 PM
Microsoft is notorious for having multiple services on a single port, which may be the cause of some of your confusion.
83  Ethical Hacking Discussions and Related Certifications / Wireless / Re: GAWN practice exam giveaway on: February 28, 2013, 07:27:02 AM
Congrats on the pass! GAWN seems like it would be one of the more difficult exams since it appears to cover a lot of low-level material (pcaps, etc.). The breadth of 802.11x, Bluetooth, etc. would also be challenging. Don't beat yourself up over it.
84  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certificates vs Degree on: February 25, 2013, 07:10:29 PM
As also mentioned above, I think you're in a pretty good place in terms of formal education since you already have a BS degree. I think engineering also demonstrates that you have aptitude for the technical concepts you'll need to master in this field.

That said, I don't think "Certificates vs. Degree" is the right mindset. They are complementary, and you should strive to make each area as strong as you feasibly can.

Your master's is only going to increase in cost, and will also likely become more difficult to complete due to life responsibilities, the longer you wait. Since you've already started the program, I'd keep up that momentum and see it through.

If the material is as easy as you say, throw a cert or two into the mix to keep things interesting and strengthen that portion of your CV. Also, while obviously not as good as actually having the degree, showing that you have a master's in progress is beneficial.

Don't do OSCE without knowing quite a bit about hacking first, as it's really a killer if you don't know a sufficient amount of hacking.

MaXe also told me I should learn how to ride a bicycle before attempting a backflip on a dirt bike. His advice is solid.
85  Ethical Hacking Discussions and Related Certifications / eCPPT - eLearnSecurity Certified Professional Penetration Tester / Re: Flat 30 days vs 30 Hr prepaid model? on: February 25, 2013, 06:54:33 PM
I'd go hourly. I think you'll go through what's available with plenty of time to spare. They're regularly adding new labs, so having some hours left over will let you try out the new exercises that get released later in the future.
86  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: AIO master Master Exam (Learnkey) test questions help. on: February 25, 2013, 08:21:49 AM
#6 I read that article, but it talks about Windows 2000 which is a very old OS. It does not mention 445, hence the reason I said 445 is not a NetBIOS port. Does the CEH say otherwise?

It mentions 445 twice. Here's another article that says NetBIOS over TCP/IP is enabled in newer OSes: https://isc.sans.edu/diary/Is+it+time+to+get+rid+of+NetBIOS%3F/12454 Or you could do a packet capture and see for yourself. Why do you think this is no longer the case?
87  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: AIO master Master Exam (Learnkey) test questions help. on: February 23, 2013, 05:41:45 PM
#1 - Thank you.  I did try it and it did not work for me. I have been having issues with getting nc to work right.

#2 - I do not have a host based firewall on these machines. I can send a packet capture for you to look at if you want. I have several websites that back what I am seeing, including a Cisco page. I can dig that url up if you want.

#3 - Again, no firewall, see #2

#4 - I figured as much.

#5 - Are you referring to this line?
The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.

I had a better one than this example at the time, but see this site and steps 7-9. It is slightly different, but seems to match what I had found earlier.

http://support.microsoft.com/kb/257591


#6 - So you are saying that 445 is a NetBIOS port?

#7 - I will go with the make install if asked.

#8 - OK, that was just dumb of me. I did not test it in a packet capture like I did the other stuff... "I used logic" It does have an error at each hop. But why? If the TTL is 20 and I am on hop 1... how has the TTL been exceeded??? <-- my logic made me think this was correct.

#9 - I will see if anyone else chimes in on this one. But I can see your point.

#10 - This is still a toss up. Anyone???

#11 - Again, no firewall!! I will see if I can dig up an older version of Windows to try it on that. I have been told that some of this stuff applies to NT4 and 2000 more than 2003 on.

#12 - Yeah, I hate poorly asked (vague) questions.

Thank you for your help. It is always nice to have someone else look over stuff that is confusing you. It gives you a different perspective and can really help out! Again, thanks!!

Dalobo
1. What problems are you having here? It's simple and can be tested on a single host

# nc -lvvp 55555 < /etc/passwd
Listening on [0.0.0.0] (family 0, port 55555)
Connection from [127.0.0.1] port 55555 [tcp/*] accepted (family 2, sport 42529)

$ nc localhost 55555
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
...snip...

2/3/11. I'm not sure what's going on with your null/FIN scans. I'm testing against Windows 8 with the Kaspersky firewall active. *shrug* These scans are finicky and results can vary a lot based on what you're scanning.

5. No, the pre-master secret and master secret portions, just like in the MSKB article.

6. NetBIOS on 445: http://technet.microsoft.com/en-us/library/cc940063.aspx

8. You should review how trace route works. It starts with a TTL of one and then increments by one each iteration. It's able to identify the interim hosts by the ICMP error responses they send.
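Items 5 in the exchange above (the ChangeCipherSpec record and the pre-master/master secret) are easier to see in code than in prose. The block below is an added example, not code from the thread or from the MSKB article; it splits a constructed byte stream into TLS records, naming content type 20 as change_cipher_spec, and derives a TLS 1.2 master secret from a pre-master secret and the two hello randoms with the RFC 5246 PRF. The record bytes and the key material are constructed for the demo.

```python
"""TLS record framing and the TLS 1.2 master-secret derivation (RFC 5246).
Constructed example: the record bytes and key material below are made up."""
import hashlib
import hmac
import struct

# Record-layer content types (RFC 5246 section 6.2.1); ChangeCipherSpec is 20.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed byte stream: a handshake record carrying ServerHelloDone, then a
# ChangeCipherSpec record, then a short handshake record standing in for the
# (encrypted) Finished message.
SAMPLE_STREAM = bytes.fromhex(
    "16 0303 0004 0e000000"   # handshake record: ServerHelloDone (type 14, length 0)
    "14 0303 0001 01"          # change_cipher_spec record: single byte 1
    "16 0303 0002 aabb"        # handshake record with a constructed opaque body
)


def parse_records(data):
    """Split data into (content_type_name, (major, minor), body) tuples, rejecting truncation."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d declares %d bytes, only %d present"
                             % (off, length, len(body)))
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), (major, minor), body))
        off += 5 + length
    return records


def p_sha256(secret, seed, length):
    """P_SHA256 data expansion function from RFC 5246 section 5."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# Constructed key material (not from any real session).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes([0x42] * 46)  # RSA pre-master layout: client_version + 46 bytes


def demo():
    """Client and server each derive the master secret from the same inputs."""
    client_ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # client: generated pre-master
    server_ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # server: pre-master after RSA decrypt
    return {
        "record_types": [r[0] for r in parse_records(SAMPLE_STREAM)],
        "master_secret": client_ms.hex(),
        "agree": client_ms == server_ms,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The client is the one that picks the pre-master secret, but both sides run the same derivation over the two randoms, which is why the thread settles on "client initiates, mutually agreed-upon".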

88  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: AIO master Master Exam (Learnkey) test questions help. on: February 23, 2013, 03:23:52 PM
1. That binds to port 55555. As soon as you netcat to it (on whatever IP the system has), the passwd file will be dumped. You would supply an IP if you wanted it to establish a connection to a remote listener. Try it both ways.

2/3. The RFC states you should get a RST for a closed port and nothing for an open port, but MS never replies regardless of the port state. It sounds like you're experiencing different behavior (maybe a host-based firewall?); I don't receive any responses from my Windows systems.

4. Looks like a typo.

5. Looks like the client initiates, but it's mutually agreed-upon: http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail

6. NetBIOS over TCP/IP is 445/TCP.

7. Semantics. You're both right depending on the perspective. You would usually install it in practice, but you can argue it's technically compiled after make.

8. ICMP Time Exceeded (error) messages are generated and returned when the TTL expires, so this answer is correct. Do a packet capture.

9. I'd go with sniffing based on the way the question was worded since it specifies "capturing." It seems like the alternative requires accessing the device, which would be more active of an attack than capturing. I don't do much with bluetooth though, so take that with a grain of salt.

10. I've seen people argue over whether it should be OSI five or six, but six seems to be the most commonly used.

11. Again, firewall? I see all as being open|filtered due to no responses. Run nmap with --reason for more info.

12. Again, semantics. While you may be technically correct since that will take the shortest amount of time to run through, hybrid would likely be much more effective in practice. Unfortunately, there's not much consistency in terms of whether the questions are referring to technicalities or real-world situations. It seems like you're on track, so don't worry too much about missing a few garbage questions like this.
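The TTL behaviour behind item 8 (and the "TTL is 20 and I am on hop 1" confusion in the quoted reply) can be modelled in a few lines. This is an added simulation, not code from the thread: each router decrements the TTL and, when it hits zero, drops the probe and answers with ICMP Time Exceeded, while traceroute starts at TTL 1 and increments until the destination itself replies. The path uses constructed RFC 5737 documentation addresses.

```python
"""Simulate how traceroute uses the IP TTL: each router decrements TTL and, when it
reaches zero, discards the packet and returns an ICMP Time Exceeded (type 11, code 0)
to the sender. Constructed example: the path uses RFC 5737 documentation addresses."""

# Constructed path: three routers, then the destination host.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.50"]


def forward(path, ttl):
    """Send one probe with the given TTL along path; return (reply_kind, replying_address)."""
    if ttl < 1:
        raise ValueError("a probe must leave the sender with TTL >= 1")
    *routers, destination = path
    for router in routers:
        ttl -= 1              # every router decrements TTL before forwarding
        if ttl == 0:          # expired in transit: dropped here, ICMP Time Exceeded sent back
            return ("icmp_time_exceeded", router)
    # The packet reached the host; for UDP probes this is typically ICMP port unreachable.
    return ("destination_reply", destination)


def traceroute(path, max_ttl=30):
    """Classic traceroute loop: TTL starts at 1 and grows until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply, addr = forward(path, ttl)
        hops.append((ttl, addr, reply))
        if reply == "destination_reply":
            break
    return hops


if __name__ == "__main__":
    print("TTL 20 probe:", forward(PATH, 20))   # reaches the destination, no error at hop 1
    for ttl, addr, reply in traceroute(PATH):
        print("%2d  %-14s %s" % (ttl, addr, reply))
```

A probe sent with TTL 20 never expires on this four-hop path, which is the quoted reply's point; traceroute only sees an error at hop 1 because its first probe leaves with TTL 1, not 20.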
89  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Shoot your opinion on: February 19, 2013, 06:23:31 AM
I think it demonstrates you have a decent understanding of networking, and it complements pen test/security certs. I personally just wouldn't have let it expire. I'm not sure if I'd go back through it if I did though...
90  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Failed my first attempt at the OSCP exam on: February 18, 2013, 12:19:56 PM
Skull Security has a great collection. There is also http://www.isdpodcast.com/resources/62k-common-passwords/ (which I believe includes some/all of the Skull Security lists). https://dazzlepod.com/uniqpass/ is also a nice collection if you don't mind parting with a few dollars.

They're not going to make you grind passwords for hours, so if you're not having any luck, maybe try being smarter about it -- i.e. reviewing HTML source for comments (random example unrelated to OffSec training/testing), or look for another attack vector. I found the darkc0de.lst file that's included with BT to be sufficient for most services with weak passwords in the lab.
© 2013 The Ethical Hacker Network