EH-Net
Show Posts
46
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
on: March 27, 2013, 04:48:13 PM
I guess this goes back to the question in the original post then: How do you prepare for the CRT exam?
I'm also from the UK, and am also working towards a career in Penetration testing. I'm currently working on the OSCP, and once I've got that I'm going for CRT. I've been using the crest-technical-syllabus to fill in any gaps in my knowledge. I took this recently, and was really impressed with the quality of both the materials and the instructors. You've already done the CAST so I guess you know that already. UKSecurityGuy's advice is spot on from what I've seen so far researching jobs in the UK. What kind of salary ranges do "junior" pentesters command?
From what I've seen this can vary considerably depending on the company and your experience.
47
Resources / Tools / Re: Remote deployment tools
on: March 22, 2013, 04:18:08 AM
Try:
select * from Win32_OperatingSystem WHERE Caption LIKE "%Server 2008%"

ProductType 1 is for a client OS. If you're targeting Domain Controllers (2) and Member Servers (3):
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ( ProductType = "2" or ProductType = "3" )

The above can be shortened to:
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType <> "1"
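The shortened WQL filter from the post, wrapped in a small PowerShell inventory loop as an added example (not code from the original post); the host names are constructed placeholders, and the ProductType names follow the post's mapping (1 client OS, 2 domain controller, 3 member server).

```powershell
# Added example (not from the original post): run the post's WQL filter against a
# list of hosts and report which are Version 6.1 (Server 2008 R2 / Win 7 era)
# non-client systems. Host names below are constructed placeholders.
$targets = @('srv-dc01.example.local', 'srv-app02.example.local')

# Same filter as the shortened query in the post, with single quotes so it can
# sit inside a double-quoted PowerShell string. ProductType is a uint32 in WMI,
# so a numeric comparison is used here.
$query = "SELECT Caption, Version, ProductType FROM Win32_OperatingSystem " +
         "WHERE Version LIKE '6.1%' AND ProductType <> 1"

# ProductType values as given in the post.
$roleNames = @{ 1 = 'Client OS'; 2 = 'Domain Controller'; 3 = 'Member Server' }

foreach ($target in $targets) {
    try {
        # Get-WmiObject returns $null when the WHERE clause matches nothing.
        $os = Get-WmiObject -ComputerName $target -Query $query -ErrorAction Stop
        if ($null -eq $os) {
            Write-Output "$target : no match (client OS or not version 6.1)"
            continue
        }
        $role = $roleNames[[int]$os.ProductType]
        Write-Output ("{0} : {1} {2} ({3})" -f $target, $os.Caption, $os.Version, $role)
    }
    catch {
        # RPC unavailable, access denied, etc.: report it and move on to the next host.
        Write-Warning "$target : WMI query failed - $($_.Exception.Message)"
    }
}
```

Run it from an account that has WMI rights on the remote hosts; the access-denied case is reported per host rather than aborting the loop.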
48
Resources / Tools / ThreatAgent Drone - passive Open Source Intelligence (OSINT)
on: March 20, 2013, 03:19:32 PM
ThreatAgent Drone™ bootstraps security assessments by providing Attack Surface reports for Humans.

Drone takes a different approach when it comes to passive Open Source Intelligence (OSINT). It is built to provide actionable intelligence on limited sources, not trying to collect "all the things". My belief is that you can be just as effective on social engineering, penetration testing, and user awareness training with smaller sets of data. An example of smaller data sets is that Drone only looks through the top 100 search results for LinkedIn. Sure there could be thousands of results for any organization, but 100 will suffice for a successful attack. Drone also takes a similar approach with hosts: it only tries to identify the low hanging fruit and attack scenarios that are likely to happen.

Drone shouldn't be viewed as a final product when it comes to a security assessment or attack surface. The attack surface report can be used to bootstrap assessments and their reports. Drone can also be used to educate students, organizations, and especially management on attack surface, threat modeling, and OSINT.

Drone intentionally offers less in order to provide more value, which is a key principle taught in Rework. I believe the organizations are inundated with too much information and struggle to make decisions to improve security. Too many tools focus on scenarios that are "highly" unlikely to ever happen. Sometimes less is better. Instead of building tools that provide information to feed into other tools, I'm building tools for humans. You can follow the journey at www.threatagent.com.

Source: https://www.threatagent.com/

A short blog post from trustedsec on ThreatAgent Drone: https://www.trustedsec.com/march-2013/threat-agent-a-smart-profiler-for-us-penetration-testers/
49
Ethical Hacking Discussions and Related Certifications / Other / Internet Census 2012: Port scanning /0 using insecure embedded devices
on: March 19, 2013, 03:32:00 PM
Although this is clearly on the wrong side of ethics/legality, an anonymous researcher built a botnet to scan the entire IPv4 address space. It's an interesting read.

Two years ago while spending some time with the Nmap Scripting Engine (NSE) someone mentioned that we should try the classic telnet login root:root on random IP addresses. This was meant as a joke, but was given a try. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet.
After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.
http://internetcensus2012.github.com/InternetCensus2012/paper.html
51
Ethical Hacking Discussions and Related Certifications / Mobile / Re: Locked iPhone
on: March 18, 2013, 04:03:48 PM
At least, I have learned quite a few things along the way...

Same here, I know now considerably more about iOS security than I did last week.

Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key.

Elcomsoft also offer an iOS Forensic Toolkit which can extract the keys; however, its availability is restricted to select government entities (such as law enforcement, forensic organizations and intelligence agencies).

It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html

That might be worth a shot if nothing else works and the photos are worth $80 to her. AFAIK this works on a backup of the device, not the physical device.
53
Resources / Tools / Re: Remote deployment tools
on: March 17, 2013, 04:13:55 PM
Assuming you have an up-to-date version of PsExec: if you try running PsExec from an elevated cmd prompt (using administrative credentials for the remote system) and use the -h parameter, do you still get access denied?

-h: If the target system is Vista or higher, has the process run with the account's elevated token, if available.
55
Resources / Tools / Re: Remote deployment tools
on: March 16, 2013, 09:02:40 AM
PsExec should still work on Windows Server 2008, although if UAC is enabled it'll change the way you run PsExec.
What is the problem you are having?
Windows PowerShell can also be used for remote installs.
58
Resources / Links to cool sites. / Re: Kali Linux 1.0
on: March 13, 2013, 03:09:09 PM
I downloaded the VMware image. When I tried to open it using my VMware Workstation 8.0.4 on Win 7 Pro 64-bit I received the following error.
"The configuration file "D:\VMware\kali-linux-1.0-i386-gnome-vm\kali-linux-i386-gnome-vm.vmx" was created by a VMware product that is incompatible with this version of VMware Workstation and cannot be used.
Cannot open the configuration file D:\VMware\kali-linux-1.0-i386-gnome-vm\kali-linux-i386-gnome-vm.vmx."
"Cannot find a valid peer process to connect to."
I'll try at home with a newer version of VMware.

Try editing the "virtualHW.version =" line in the .vmx file to your version.
59
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Using Metasploit on Kali Linux, the Evolution of BackTrack - Live webcast
on: March 13, 2013, 10:53:18 AM
Rapid7 are offering a free webcast on Using Metasploit on Kali Linux, the Evolution of BackTrack, Thursday 21st March 2013 at 3:00PM ET:

In this webinar for IT administrators and security professionals, Mati Aharoni, Devon Kearns, and HD Moore will talk about Metasploit on Kali Linux, the evolution of the popular BackTrack Linux, a free security auditing operating system and toolkit. Kali Linux incorporates more than 300 penetration testing and security auditing programs with a Linux operating system, delivering an all-in-one solution that enables IT administrators and security professionals to test the effectiveness of risk mitigation strategies.

Responding to the strong community demand for Metasploit on BackTrack Linux, Rapid7 reengineered Metasploit in accordance with the Debian standards on which Kali Linux is built. Metasploit users now benefit from a more integrated and robust experience with the toolkit, as well as Rapid7 technical support for Metasploit Pro users. The webinar will include a live demo.

Participants will learn:
How taking an offensive approach can help your defensive security
What's new in Kali Linux compared to BackTrack
How to successfully use Metasploit on Kali Linux
Tips & tricks for successful security auditing with BackTrack

Speakers:
Mati Aharoni aka muts, Lead Trainer & Developer, Offensive Security
Devon Kearns aka dookie2000ca, Technical Operations, Offensive Security
HD Moore aka HD Moore, Chief Security Officer, Rapid7

http://information.rapid7.com/kali-linux-webcast-registration.html?LS=1794076&CS=web
60
Resources / Tools / CrackStation's Password Cracking Dictionary
on: March 12, 2013, 04:52:19 PM
I haven't used this personally, but it may be of interest to someone:

4.2 GiB compressed. 15 GiB uncompressed. 1,493,677,782 words
http://57un.wordpress.com/2013/03/09/a-big-password-cracking-wordlist/

What's in the list?
The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.
http://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm