EH-Net
May 22, 2013, 12:00:27 PM *
  Show Posts
46  Ethical Hacking Discussions and Related Certifications / Other / Re: Security vulnerabilities and a vendor offer on: July 23, 2012, 09:59:19 AM
Quote
Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

No. I don't wait for the research to patch issues. But, when research is already done, I don't see a valid reason for suppressing it. Generally speaking, a lot of times it turns out worse for the vendor than to just be upfront with the PoC/research.

If there's enough market saturation of their product, the bad guys will be motivated to produce their own exploit. And by releasing a patch, they pretty much have what they need to do so. Taking the company's logic one step forward, if the company feels that their user base isn't technically proficient enough to patch (as the original poster stated) AND the patch might provide enough detail for an attacker to develop their own exploit, should they have even released the patch?

I don't know that this company is doing anything untoward, but by the way it's been presented so far, it sounds a lot like "hush" money.

47  Ethical Hacking Discussions and Related Certifications / Other / Re: Security vulnerabilities and a vendor offer on: July 22, 2012, 04:12:13 PM
They are working under the (probably misguided) assumption that you are the only person that knows about the vulnerability. The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!
48  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Wireless router with hydra on: July 14, 2012, 09:21:53 AM
I find with hydra that you have to balance speed with accuracy with the "-t" switch. The default is 16 threads. However, if you drop that down to 8 or 12 you may find you get better results.

Try:

$ hydra -l admin -P password.txt -t 8 -e ns -v -s 8080 xx.xx.xx.xx http-head

Good luck!
49  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Discreet Hacking Devices on: July 14, 2012, 09:04:22 AM
My Raspberry Pi is being shipped soon.

You don't even have to go back to pick up your scan results. A reverse tunnel allows full control of your plug for all kinds of goodness....
50  EH-Net / News Items and General Discussion About EH-Net / Re: Plaintext passwords emailed? For shame on: July 03, 2012, 08:30:12 PM
We're not storing our gold bars here.

I agree that it's not security best practice to store passwords in plain text and send them through email, but I think it's perfectly acceptable for an Internet forum to do so. If my bank was doing it, I'd take my business elsewhere without blinking.
51  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Hiding data on: July 02, 2012, 02:24:50 PM
Check out Volume Shadow Copies as well...


http://www.securitytube.net/video/3767
52  Ethical Hacking Discussions and Related Certifications / OS / Re: Preparing for RHCE exam,Need some Advice . on: June 28, 2012, 11:26:55 PM
Quote
I know the functionality of the ls command, but when I look at all the attributes used along with the command, it is making me confused and I am finding it a bit tough to remember those attributes

Memorizing ALL the command switches isn't necessary. You should have the most useful ones (at least to you) memorized so that you're not constantly using man pages.

Quote
How much does it cost? Also, instead of paying, isn't it a good idea to configure those things inside VMware or something?

I had to look it up b/c I didn't remember, but you can find all you need to know about the virtual labs here:

http://www.redhat.com/training/ways/livelabs.html

The nice thing about the RedHat rented environment is that it is exactly as you will see it in the exam, so you can perfectly recreate anything they'll throw at you. Honestly, though, what I did was go back through ALL the labs in my manual from class. I spent more time where I felt I was weak.

Quote
I don't know where to find practice materials for evaluating myself

The best place is your class manual. Second, the RedHat website itself:

http://www.redhat.com/training/courses/ex300/examobjective

Third, there are a number of books available through Amazon for the RHCE. (I don't know that I would recommend any of them, though.)

I can't stress enough, though, that time management is very important. It's not about the 'perfect.' Instead, it's about the 'good enough.'
53  Ethical Hacking Discussions and Related Certifications / OS / Re: Preparing for RHCE exam,Need some Advice . on: June 28, 2012, 10:29:04 AM
The RHCE was a tough exam.

You have to accomplish a lot during a very short amount of time. Therefore, you need to be comfortable enough with the services/commands you'll be working with that you don't spend time in the man pages. I'd also recommend that you have a deep understanding of what you're doing instead of just following along with the labs you use to prepare. You will be thrown curve balls.

When I took the exam a couple years ago, RedHat offered a monthly subscription to a virtual lab environment that was the same network setup as the actual exam. You could use this to practice setting up services and configuring them. It was really cheap too and well worth the money I spent.

Beyond that, think how you can best manage your time and have a plan for that going into the test. If you go in thinking you're just gonna check off the boxes one by one as you work down the page, you'll likely run out of time. Multi-tasking is KEY!!!
54  Ethical Hacking Discussions and Related Certifications / Malware / Re: How to create malware using metasploit on: June 26, 2012, 10:10:59 PM
http://www.securitytube.net/video/2702

I'd check out all of those videos...not just that one. There are some great tips on Metasploit there.

Beyond that, try:

http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X

55  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Burn Note on: June 22, 2012, 10:35:21 PM
I hate to be glib...but if someone sent me one of those things and I saw a timer telling me I couldn't read the message anymore in like 30 seconds, the first thing I'm gonna do is open Notepad and do a good ole CTRL-A, CTRL-C and CTRL-V. (or Print Screen or "Save Page As" from your browser or the list goes on)

As far as trying to recover one...nope, sorry. I'd never heard of it before.
56  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: Giveaway: SANS GIAC GCIH Practice Test on: June 20, 2012, 07:01:45 PM
Congrats on the GCIH! That was probably one of the most fun of my certifications to study for!!!
57  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Running Nmap from MSFconsole Error on: June 20, 2012, 01:39:46 PM
Try the "services" command instead.

They did away with db_services with Metasploit 4.0, I believe.
58  Ethical Hacking Discussions and Related Certifications / General Certification / Re: GIAC Testing and Organizing your notes on: June 17, 2012, 10:52:44 PM
Some books have a table of contents, but for the ones that don't I make one first and foremost. Then, I go back and read the books page by page marking where I don't feel 100% comfortable with the material, but the first read through is not for taking detailed notes. Once I've gone through them all, I go back and re-read. This time I'm not re-reading for retention of material except where I've marked during the first read through. Instead, I gloss through the materials and I take notes of what I want to include in the index. A good rule of thumb I use is to have at least one entry for every page. Some pages, though, will obviously have more and some won't have any, but I try to find one. My entries for my index are "<term> <tab> 1.11." The first number is the book number and the second number is the page number. Once I've gone through all the books, I type the index up and print it out double-sided, multi-columned.

As dynamik/ajohnson pointed out, if you're looking up all the answers, go back to the material and study some more. While they may give you enough time to look up all the answers with a good, detailed index, you're not doing yourself any favors by having to look them all up. I find, though, after going through the class and reading the books multiple times, I usually know the material fairly well.
59  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Privilege Escalation on: June 13, 2012, 09:14:12 AM
I think what aweSEC might be trying to tell you is that it's more common to find a misconfiguration that leads to privilege escalation than a local privilege escalation exploit from a site like exploit-db.com.
60  Resources / Tutorials / Re: Hacking Scenarios on: May 25, 2012, 10:59:53 PM
Quote
Can you give me an example, ZIGGY??

Sure.

Say you're assessing a site for abc.com, and you want to look for sql dumps carelessly left on their webservers...go to Google and search for the following:

filetype:"sql" site:abc.com

As long as Google has indexed it, you're in business...
© 2013 The Ethical Hacker Network