Congratulations!

What's next?

Welcome to EH-Net by the way!

Make it a paperback then!!! 

Its a poorly worded question. He will "Guess the sequence numbers" in order to "Take over the session."

The part of the question where they say he performs sequence prediction on the target OS means that he has done statistical analysis on sequence numbers on the host to make brute forcing the sequence number on an already established session more efficient. But in order to take over the session he must still brute force the sequence numbers of a session in progress.

Hope that helps...

@sil


Wow! I think its time to update! 

I am not a professional pentester, so take what I say with a grain of salt. The answer about how to proceed is "it depends."

From my experience (which as I stated earlier is limited), you get a feel for what is going to be easy and what is going to be difficult. If in your initial scans there is an OS or a port/application that stands out as being easy to get a foothold on, then it might be a good idea to focus in on that first. If the environment is fairly heterogeneous, until your scans drill down into enough detail that the purpose of the box is more obvious, you need to focus on the network as a whole.

It sucks that you didn't get the little piece of paper at the end of it all, but congratulations on making through the process and being happy with the outcome! To me, that means you put in the level of effort and got as much out of it as you could. I know if I took the class/exam right now, I'd probably do much worse than 10 points from passing! But, believe it or not, your previous post makes me want to take the class....

I guess I'm a masochist along with you...

To add to hayabusa...there's always a good chance you'll find a misconfiguration or "human mistake" you can leverage, such as private keys carelessly stored, backup shadow files/SAM databases, etc., etc.

Its not the "sexiest" way to escalate your privilege, but usually its the easiest!

Jackson, MS

It was a fun week. John Strand instructed the 504 class. He did a mass CTF Thursday night with a big cooler full of beer. It was a good time. Although, the hotel didn't run the heat in the convention hall all week, so it was freezing the whole time!

Hopefully, I'll be able to make it this year, and we can go grab a beer or something! There's a great brewhouse on Decatur.

Are you serious?! That's where I facilitated last year SecEast 2010, New Orleans!

Depending on my situation, I may be there next year as well...

If you live near a major city where SANS conferences are held, the work study program is A LOT of fun and you get the course and certification for $800!

http://www.sans.org/security-training/advanced-penetration-testing-exploits-ethical-hacking-1517-mid

Anyone know much about this? I haven't heard much about it, but it seems pretty damn cool from the daily topics!

Thanks for the heads-up, Don. I am unfortunately trying to get management's ear about the updated PCI requirements..

If I'm not mistaken, the archive gets updated with an 'apt-get upgrade' in BT4. You'll also notice a nifty little script to search through your local copy of the archive in /pentest/exploits/exploitdb.

I apologize. I misunderstood the question. I thought you had access to the boxes.

Yes, Ketchup's suggestions are what I would go with...banner grabbing/analyzing traffic to/from that port is your only option.

Windows or Linux/Unix?

Netstat can be used on Windows...I don't remember the switch off the top of my head. On linux/unix you can use lsof -P.