HO-LY Crap!!   

I remember that especially when he released sslstrip.  I just knew it was only a matter of time after that.  I guess a broken system on its way to being crushed.  But it will be interesting to see alternatives implemented.  I remember being at a talk by Marcus Ranum and he wanted to change AV since that has been defeated, crushed and left for dead.  He had some good interesting ideas of changing the "already too late" paradigm.  But we will see.  I know we need to have something or more dark days ahead. 




I am checking that out now.  Thanks for the links!

I watch Hak5 on/off.  I try to watch everyone when I can.  "http://www.grmn00bs.com"  is another site to watch some good blog videos. Not sure if that link was posted on here.

I think they should release a movie on him since I look back on "Track Down" after reading most of his book and it seems like none of it was actually accurate.  I mean it kind of sucked if you were really interested in what happened. I guess it reminds you to go to the source.

It looks like it is time to check your browsers for this cert.  Many are suggesting on your *nix boxes to use:

cd /etc/ssl/certs/
rm DigiNotar_Root_CA.pem

It seems like SSL is really getting hit these days.  And I do not think EV-SSL certs are going to save the day...


http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

Thanks for the link!

The book is pretty good.  I am almost done.  I truly cannot believe this is one man's life and not a movie. 

Thanks for the heads up.  Wasn't sure how that was handled.  Plus I know I will be installing BT5 R1 when it comes out tomorrow.   

Would the wordlists in Backtrack 5 be just fine or does it matter?

Congrats fellas!

First, thanks for all the replies.  I was curious of the "lessons learned" during everyone's pentests.  I have watched some of Joe McCray's videos and he always has some crazy stories. I guess I should have asked not only for first pentests, but craziest/funniest also. From the stories, it seems like the customers make the situation more unusual than it has to be. I have never heard of a pentest with those kind of parameters. A moving target in a van.  Ouch. And tturner brings up a good point. "These are the kinds of situations that no certification program on the planet will prepare you for". Anyone would have to agree with that. I guess that is why Sil made the point about paper certificates. Experience with knowledge helps with most obstacles especially with the unusal scenarios. I guess that is what brought up the question. I definitely learned a thing or two just by reading these stories.

Client side and web app attacks seem to crack any perimeter for one. Thanks again for all the replies.  Oh yeah, I did want to say, CONGRATS on the new job Jamie.R! Time to update the 'ol SET to v2....

I know there are a lot of Professional Pentester here so I wanted to ask if anyone would share their story of their first pentest? Without breaking their NDA of course.  Was it a piece of cake or a train-wreck? What would you have done differently knowing what you know now? Did your customer's restrictions kind of ruin the fun for you or made it more challenging? Would you have added more tools to your arsenal or just focused more on the tools you already had? Meh, just thought I would ask. 

Congrats MaXe! You definitely deserve it! We expect a full report too.   

Congrats.  Good luck on the new job!

I did not see this video posted anywhere but if it was, my apologies.  It is a very cool video on hiding from snort. I glanced at the commands before while reading MetaSploit Unleashed but it is nice to see them in action. 

http://vimeo.com/24455465
by T0X1C

Info on the commands:
http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Show_Command

Did seem a little too easy or fast.  But they do have every organization chasing them.  We will see I guess, who they really have.