All the Rapid7 webcast I've seen have been that way.

The information you get makes it worthwhile, though.

I guess I should read your posts more carefully! I didn't pick up on the "piped" part of the question! 

A staged payload uses a stager to instruct the exploit on how to shovel the payload to the victim over the network connection. Non-staged payloads are fully self-contained. The advantage to staged payloads is that they can fit into very small sections of memory, but they're not always as reliable.

You can read more here:

http://www.room362.com/blog/2011/6/26/metasploit-payloads-explained-part-1.html

Typically when I run across situations like this where the customer is trying to put restrictions on how we conduct the test, I try to explain that without the restrictions the client will get a more valuable report. If they continue to insist, I work within the Rules of Engagement and caveat the report where necessary.

Our normal setup for internal-type assessments is a laptop with pre-installed VMs with all our attack/assessment tools installed.

The link below is Linux specific, but there's quite a bit that could be adapted to Windows.

http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells

Also, maybe something in there will click for you and give you some further avenues to explore.

Good luck!

Also, after re-reading your original post, I see there might be some confusion on what an ASV is.

A company is certified as being an ASV. The "V" stands for vendor. There are not individual (person) ASVs. You can verify this by browsing the published list:

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#

Any person can use the ASV products of any of these companies to produce scan reports that will be accepted for a PCI QSA audit. It doesn't matter if you are an employee of an ASV, the company being scanned, or some other third-party.

External scan reports must be generated through an ASV company. An important distinction is that the person running the scan does not have to be an employee of the ASV company. You can manage your own scans through the ASV's portal. The report will contain a page that has the ASV number associated with the company that performed the scan. If you're ever audited or have to submit your report to your acquiring bank, the auditor/bank will be looking for that number on the report. Basically, you cannot scan your own perimeter with your own copy of Nessus, generate a report, and say you're compliant. It must be done by an ASV company.

Internal scan reports can be done by anyone knowledgeable in Vulnerability Scanning/Management. It should not be managed by a person responsible for maintaining the systems being scanned, though (separation of duties).

Hope that helps.

I don't have any further information about how Disney plans to implement this, but fraud within the parks would be very easy to detect. They're using RFID to track visitors. Each RFID chip will be uniquely identifiable, so they would be able to detect you pulling Fast Passes at the Magic Kingdom while simultaneously shopping at Downtown Disney.

The question is, will they implement fraud detection in the system? If the fraud becomes rampant enough that they're losing money, they will.

Funny thing is if you accumulate all the snow that's fallen my entire life in Mississippi, it probably would just barely be 2 feet of snow.

On an unrelated but uncanny note, I'm in Toronto with a foot or so of snow on the ground at the moment.

Jackson, MS

I know what some of you are thinking and YES, we have computers in Mississippi!!! 

We sometimes even wear shoes.

In my limited experience, the level of specialization required of a pentester is directly proportional to the size of the consulting firm you work for. The bigger the firm, the more specialization you can have. Smaller firms tend to need consultants that can do a lot of things well.

Congratz! And Happy New Year! I know what both of you will be making as a New Year Resolution!!! 

Thanks, all!


I really should do my CISSP, but I'm trying for a facilitator slot at SANS Sec West. So, whichever class they put me in will probably be the next cert I go for.

And, congratz to you on the OSCE!!!

So I found out yesterday that I passed! I'm now officially an eCPPT.

When work slows down a little bit, I'll post a review. There are a number of reviews out there already, but hopefully, I can add something to the conversation.

Thanks, Don! I thoroughly enjoyed the experience and did get a lot out of it.

Did the date for this change?

When I registered, I clicked on the "Import this event into your calendar" link and it showed up on my calendar for the 6th.

I'll still be attending, but I thought it odd.