EH-Net
May 24, 2013, 12:48:53 PM *
  Show Posts
76  Features / Opinions / Re: Writing articles - using "you" or "it"? on: June 15, 2009, 01:35:49 PM
I agree with don and unsupported.  I've written many reports (not related to IT) and have never used the second person ("you").  If I have to, I use the third person, but prefer to avoid the situation by rephrasing the sentences as suggested by unsupported.

I'd be happy to look through the article for you awesec, providing it isn't a 10,000 word thesis!
77  Resources / Tools / Re: Standalone windows HTTP server binary on: June 02, 2009, 04:26:46 AM
Another for Windows (the majority mentioned in the Wikipedia article are for *nix):

http://digg.com/programming/Web_server_on_a_stick_an_USB_stick

linking to:

http://www.server2go-web.de/
78  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Home FTP Server on: May 26, 2009, 01:02:48 PM
Perfect - many thanks.  I just wondered if, by "outside scan", you meant an online scan of some sort, rather like the online AV scans or Gibson's ShieldsUP (https://www.grc.com/x/ne.dll?bh0bkyd2).
79  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Home FTP Server on: May 26, 2009, 11:12:03 AM
... An outside scan can, however.

Sorry to jump in at the end of such a lengthy discussion.  I'm intrigued about this and how an "outside scan" can be implemented.  Can you enlighten me please?

Thank you.
80  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CCNA1 v4 exam tips? on: May 14, 2009, 03:25:17 PM
The cost varies, depending upon the centre where you study.  I've just completed CCNA and got the exam.  The centre where I've been studying charges 400GBP per semester (2 semesters per year) but I know of one that charges only 100GBP per semester.  I have no idea why there's such a difference but, if I'd known about the second one earlier, I would have transferred!
81  Resources / Tools / Re: Kon-Boot boot Disc Bypass Password. on: May 13, 2009, 08:43:16 AM
I've seen threads about this software elsewhere and the posters didn't manage to get anywhere with it.  They were suspicious that it was some kind of hoax (hence the "Kon" in the title) and someone even suspected that it installed a rootkit.

I've not played around with it myself, nor will I until I've seen that reputable folks on the fora where it's been discussed have tested it thoroughly and given it the thumbs up.
82  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: heorot.net Training on: May 07, 2009, 02:15:05 PM
Adrian Crenshaw (http://www.irongeek.com/) has recommended the site a number of times.  He's fairly well known in the security (and grey activity) fields.  I don't know of any others though.
83  Ethical Hacking Discussions and Related Certifications / Other / Re: operating systems for research. on: April 22, 2009, 04:58:21 AM
Sorry to jump in, but it's relevant to the MSDN route.  I'd heard about that but is it possible to use the software several times?  For instance, I want to have a virtual domain in VMWare so I would like to install Windows 2003 (possibly 2 so I can experiment with this format) and 2 or 3 instances of XP Pro.  If I got the XP Pro or Windows 2003 down the MSDN route, would I be able to install them multiple times into the VMWare?

If this isn't possible, what other suggestions do I have?  I guess that VLK versions of Windows 2003 and XP Pro would work - but I don't have access to these versions.
84  Ethical Hacking Discussions and Related Certifications / Malware / Re: Booby-trapped javascript on: April 12, 2009, 06:08:41 AM
Thanks dean - that's exactly the sort of thing that was going through my mind.  I'm relieved to know that my idea (for using this in a pen test) wasn't completely ridiculous!

I'll dust off my books and take the purposely-modified snippets that you provided to see if I can come up with something that I can use for testing purposes in a VMWare network.
85  Ethical Hacking Discussions and Related Certifications / Malware / Re: Booby-trapped javascript on: April 11, 2009, 12:00:36 PM
I've had an interest in obfuscated javascript for several months because I was "got" by the technique and had to reinstall my OS!  I managed to get the malicious code and deobfuscate it manually and just wonder if the technique used (via RDS.DataSpace object) and detailed here:

http://spamwars.com/dl/javascript_malware_delivery.pdf

might be of use when doing a pen test?  If you were on the network and had a page containing the code on a web server under your control, a target machine could browse to the page.

I doubt it would need to be obfuscated but just wonder if any AV might react violently.  I guess there are techniques which could be used to bypass the AV.  Is this likely to add to the battery of techniques that the experts here might use?
86  Columns / Linn / Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit on: April 08, 2009, 03:59:58 PM
Thank you Ryan - that's crystal clear now.  My confusion was about the terminology.  When you mentioned logged in, I interpreted "logged into the PC" as if it were standalone and not connected to the domain (hence my mentioning SAM).  I appreciate now that I (as the victim of your attack) am actually logged onto the domain via the PC on my desk.  I realise that you are somewhere else on the network and compromise my system.  I was unaware that my domain credentials would be stored in RAM and that Windows uses them every time that I access a resource.  When you've explained it as clearly as you have, it all makes perfect sense and it would be a real pain to have an annoying username/password dialogue every time I wanted to access something!

Thank you for your efforts and, like others, I am looking forward to your future video tutorials.
87  Columns / Linn / Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit on: April 08, 2009, 12:48:37 PM
I posted this question in a different thread but, following advice, I split the post and here's the question about which I'm confused:

There's an administrator logged on locally and don is logged onto the domain (how can this occur on the same XP SP3 PC?).  I'm not sure how it's possible to do the Pass the Hash attack.  I didn't hear specifically how the network was set up (I assume it was a domain in VMWare).  It appears that hashes are retrieved from the local SAM (I realise that a user logged on locally has the hashes stored there, so how would that help in gaining access to the DC?).  As far as I understand, when the user logs onto the domain, the username and password are checked against the DC and the local SAM is of no relevance.  Are don's hashes retrieved from RAM using the utilities in the toolkit?

Sorry if my misunderstanding spreads to others, but maybe it's my interpretation of what you (Ryan) said.

Thanks for your time.
88  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Situation at the start of a Pen Test on: April 07, 2009, 04:15:30 PM
Thanks for the rapid feedback.  I wasn't sure if the scenarios that I presented for a Pen Test were realistic but it seems that they were.  I realise that the instructing company would have specific rules that they would like you to follow, though it does seem rather artificial if they say specifically "you can do THIS" but "you can't do THAT" (in terms of using a specific technique or loading tools rather than interfering with company data).  If they had a real threat (whether from within or outside), the malicious person wouldn't follow any rules.

EDIT: following advice, I've split this post and moved my question to the thread about Ryan's video.
89  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Situation at the start of a Pen Test on: April 07, 2009, 11:23:22 AM
OK - I suspect that this might raise some eyebrows ("what a daft question!") but here goes:

I just saw Ryan Linn's video about Pass the Hash and it sparked a question, which is not related specifically to his video, so I decided to start a new thread.

When a Pen Tester is engaged by a company, and has the appropriate written authorisation and "rules of engagement", what is the typical scenario at the outset?  Is the tester:

a)  given access to a room in the company's office with a table, chair, power outlet, ethernet socket to the network and nothing more; or

b)  access to a VERY locked down account using a company PC on the network; or

c)  instructed to access the target's network remotely across the internet from the comfort of his/her own office or home; or

d)  something else?

I suspect that there might be a spectrum of scenarios but I wonder if one is more likely than any others.  Depending upon the response(s), I suspect that I'll have at least one question which does relate to what Ryan demonstrated so I suppose I'll have to decide whether to continue in this thread or transfer to his.

Thanks for your time (and patience!).
90  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CEH-No longer requires 2 years of relevant work experience? on: April 01, 2009, 04:36:07 AM
As a newcomer, I have a question about the chicken and egg situation:

How do you get the job or experience without the qualification if you can't get the qualification without the experience?

I'm in a "do it yourself" situation and would like nothing more than to get into a security/pen testing job but I know that's not possible at present.
© 2013 The Ethical Hacker Network