  Show Posts
511  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Connected to my university's network on: September 26, 2011, 11:43:36 AM
BillV, you forgot to include the IPv6 address; nmap does support it now. ;)

Uperkurk, a number of these types of posts happen on a regular basis. It is not to say anyone is hindering you from learning, but you just need to realize what you are asking and where you are asking it. Curiosity is a great thing, but it is true about it killing the cat. Many of the early hackers were grayhats; they saw things and wanted to see how they worked. Unfortunately some folks went a bit too far and authorities started catching on. In any case, as a network engineering student it is important to know where networking vulnerabilities lie and what types of access attackers may have once on the network.

Another thing to keep in mind: depending on the university, they may have countermeasures in place to pick up network scanning from their networks. So the moment you begin to scan, you may be discovered, and at the least your traffic will be blocked and your connection turned off. If they are really serious, they could kick you out of school. If you have questions about accessibility of the network, bring them up in class.
512  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Setting up my own hack lab on: September 26, 2011, 11:14:10 AM
Toss Vista ;-)  For a future upgrade go with Windows 7 x64 and toss in more RAM. That way you can run multiple VMs without worrying about skimping on the resources. Some password brute-forcing is happier if it can get more RAM to run. BackTrack 5 will have all the tools you may need to start. Remember, you may not use all the tools or need all the tools, and tools don't make the hacker. They just tend to make the job a bit easier.

If you can, absolutely toss in a Windows victim machine. The majority of networks are running mostly Windows, so that is why you see more Windows exploits than any other. Pick up the De-ICE builds; they are Linux builds with vulnerabilities and challenges associated with them. They are designed to start out easy and then get more difficult as you work through them. Another nifty testing app is WebGoat; it turns your Windows XP system into a really vulnerable web site. Metasploitable is another; it is a Linux build created with Metasploit exploits in mind.

That should keep you busy for a bit :D
513  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Help me understand on: September 26, 2011, 11:04:50 AM
Good short answer. In my opinion, a good pen tester should have experience in many disciplines since it is never known what you will be asked to do. As for remediation, absolutely: if you discover vulnerabilities that are exploitable, then your report should include steps to fix or prevent exploitation of the vulnerabilities. Some are not simply fixed by patching but by configuration. As for knowing how to program, well, no one expects you to code operating systems, but if you have that knowledge on top of networking and web app testing, well, you may have a pretty good arsenal to throw at the environment. I think nowadays most IT security folk come from one background or another; there are few that come right out of the gate as security pros. Though if we were all doing our first jobs correctly, many of us could say we've been practicing security for however many years. But now we get to concentrate on it, and our opinions tend to mean more to management when they come from someone with a Security title.

So learn some code, learn about networking and learn your systems. Learn how to use some tools to help you figure out the best path of exploitation. Learn how to hack people. If you are lucky enough to be part of a pen testing team, well, then you can concentrate more on one aspect of the job.

And yes, anything posted by Sil is always worth the read. He has a great writeup on getting into ethical hacking.
514  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hiding app traffic through active HTTP sessions on: September 26, 2011, 10:49:13 AM
Excellent insight MaXe! I appreciate the input. A friend of mine and I were bouncing around the idea of maybe not using web traffic but using the TCP-over-DNS method. Of course we need a DNS server on the outside under our control; that should not be difficult to accomplish. The client side may be a bit more of a challenge.

If anything, I got the gears turning on this. And in theory just about anything is possible. I just need more time in the day to work on this. Unfortunately most of this has to be done when I am at home due to certain restrictions at work. If I come across something I'll be sure to update.
515  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hiding app traffic through active HTTP sessions on: September 23, 2011, 02:34:20 PM
Thanks guys, I'll take a look through those. I guess what we are trying to test is the following...

  • Malicious software gets on victim system.
  • Victim doesn't know, and software is not exhibiting any strange behavior, so scanners and IDS are not picking it up.
  • Software needs to get out to the internet - oh snap, authenticating proxy, what shall I do???
  • Oh hey, you have an active IE session open already, can I borrow that? Thanks!

And boom goes the dynamite. Now, given that the above is possible, our next challenge is how we can detect such traffic. I will fiddle around with Burp/Paros as well; either way they look like fun. Sadly Gray-world is blocked here, but I can take a look at that later at home.
516  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Hiding app traffic through active HTTP sessions on: September 23, 2011, 12:54:50 PM
So we are trying to test some of our defenses, and one of our IR guys asked if I can try to hijack an active HTTP session on my system and try to send other traffic through that session. We use authenticating proxies with no single sign-on, so all web traffic requires authentication. We are trying to see if an app can hide/cloak/piggyback on an active authenticated session. Any ideas? Can something be done using netcat? My skills are a bit weak in this area and I am excited to learn something new. It sounded like a fun challenge.

Thanks in advance.
517  Ethical Hacking Discussions and Related Certifications / Programming / Re: Studying computer networking at uni need some advice on: September 23, 2011, 09:32:13 AM
I am trying to strengthen my knowledge of Python and have looked at 3 different books: the freebie online ones, Dive Into Python and Learn Python the Hard Way, as well as Beginning Python: Novice to Professional.

I started with Beginning Python and was getting frustrated with the differences in code; they released the Python 3 edition before Py3 was officially released, so there are numerous code mistakes right in the beginning. Also it went over all the principles and standard functions of Python, which I found helpful, but not enough to keep me interested.

At this point I will probably focus on Dive Into and The Hard Way. Dive Into has the most accurate information on both the 2.6/2.7 versions as well as 3, and they kick it off with a small Python script and break it down per section to explain things. The Hard Way is basically a number of exercises to get you comfortable with programming but not overload you with the different functions and modules of Python, at least early on. And it emphasizes that YOU MUST TYPE OUT EVERYTHING... DO NOT COPY/PASTE!!! Once you work through all the exercises and extra credit, it then recommends going back to some of the other books to learn more advanced stuff. So far I like the setup of this one.
518  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Windows Vs Linux tools help on: September 23, 2011, 08:51:29 AM
Awesome point Sil. Hmm, I actually got to feel the bite of not having any tools available. I recently started a new job (2 months now) in a very large enterprise. The last place I was at was small: only a few hundred users and 100 servers, 50% VM. I had the keys to the kingdom there, being the Security Admin as well as having a good amount of knowledge on the other areas in our support group. Now I am in something that dwarfs my last job: 14K users, almost 1000 servers and many restrictions placed on the workstations. So no keys, limited access to some log data, and it took 2 months to get local admin so I could start installing some tools like nmap. So for the 2 months I had to make do with what I had to investigate systems: nslookup, ping, tracert, netstat etc...

It's kinda fun to poke around using only what you have.
519  Ethical Hacking Discussions and Related Certifications / Programming / Re: How useful is scripting compared to programming? on: September 23, 2011, 07:55:46 AM
I guess the easiest explanation is that a script requires a way to run, and a program has been compiled to run. It can sort of stand on its own. It's easier to change a script than it is to change a program. Also, you can't just dump any old script against a website; it really depends on what is running that site. For instance, you can't inject a VBScript if there is no way to tell the web server to run it. The cogs of the machine determine what tools you use, and that comes with clever recon of that site. Much of what is used is used to help the pen tester in launching attacks against the site based on the vulnerabilities that are found, i.e. SQL injection if it is discovered that the site uses an SQL server somewhere in the background to store information. If the site runs PHP, there are ways to determine what versions are in use and run attacks based on known vulnerabilities.

Of course this should only be done with the written consent of the client, and you should never use this knowledge to play on sites you don't own.
520  Ethical Hacking Discussions and Related Certifications / Programming / Re: Studying computer networking at uni need some advice on: September 22, 2011, 10:26:05 AM
I doubt that anyone really memorizes all the syntax, unless they do nothing but code, and in some cases they are not always coding in the same language. But like hayabusa said, it's the general principles that we must learn and the basics of what each language entails.

Think of it like an actual spoken language. Latin is the basis of most Western European languages: Spanish, French, English. Though they are all different, much of their base is Latin and the initial principles are the same. They sometimes even share the same words or variations of words.

Thanks to some intro programming courses I am able to at least read through some code and understand what some of it is doing. At that point it's just a matter of learning a bit more. Best bet is to learn a language that may assist you in future tasks. Scripting is used quite often, so if you look to Perl or Python to start, that might work. From Python you can branch into Ruby, which is supposedly a bit easier and is used quite a bit in Metasploit.
521  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Connected to my university's network on: September 22, 2011, 10:10:09 AM
It is very wrong and illegal. So you will probably not get the answer you seek here. If you want to study ETHICAL hacking, you should be aware of laws and such. If you are caught doing this on campus, you will most likely be tossed and could face some additional charges depending on how serious the uni is on such activities. Don't kill your career before it starts. Set up your own lab and practice on yourself.
522  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Commercial IDP vs Suricata or Snort? on: September 21, 2011, 01:24:18 PM
Excellent point Sil. It also helps when you want to sell a product to management. Most managers and CFO types will see the cost of, say, a Juniper or TippingPoint and say

"Hey, isn't there some free open-source product we can use??"

And you, being the person who would have to manage that, could say

"Well, we can, but we will need to hire a person to maintain and monitor this device, and we will have to pay that person 75-85K a year plus benefits. Also, if the system breaks we will have to wait for someone on the interwebs to come up with a solution. Oh yeah, and if the device goes down we will not have internet access, since it sits between our firewall and internet modem." :D "So let's spend the 25-40K for a supported solution, and if anything goes wrong we could call the 24/7 support line and open a ticket with a 4 hour or less response."

As a geek though, well, yeah, we want to play with the open-source product and figure out the inner workings and even get the direct exposure to discover a new threat not seen before. But then that is for our home labs and not for the business.
523  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Windows Vs Linux tools help on: September 20, 2011, 09:26:25 AM
I agree with cd1zz. With virtualization you can easily have both OSes to use. The last company I was at, we had a pen test being done by an outside firm, and the tester was using a Mac running Windows and Linux, using Windows to dump hashes from other Windows systems etc... Just like testing malware, you need a Windows system as a victim machine as well as a Linux system for further analysis.
524  Resources / Tutorials / Re: Need help on logging into and using metasploitable. on: September 16, 2011, 03:21:59 PM
You have Metasploit on your attacking system; Metasploitable is the victim. Commence cracking! It does have holes; you only need to find them. Sort of like tossing WebGoat on an XP system. :D If you are having a hard time with the MSF console you can cheat a little and use Armitage. But hell, work the console and learn the hard way!
525  EH-Net / Calendar Of Events / Re: BSidesDelaware 2011 on: September 15, 2011, 12:40:47 PM
Planning on heading down; well, not planning, definitely, since I got my room booked already. Last year was fun, so a 2-dayer is certainly going to be a good time.
© 2013 The Ethical Hacker Network