in theory this goes completely against the purpose (mission and vision) of the company, making the whole idea ridiculous.

thanks for the links! this seems as a pretty good starting point. i picked up shell scripting first to get back in the game, after that i will get back into either perl or python.

to keep the discussion going, there is no influence of external factors like girlfriends, wife, family or other things. part of being happy is having the right job isnt it?


this is good to know!  so type of occupation has influence on the possibility of getting a greed card...interesting...keeping this in mind means that everybody is pretty stuck at the location there currently at

they always say know your strength, but know your weakness better. at this point i do, and i intent to do something about it.

i lack a pretty good foundation in programming and i'm willing to start with some basics. however, when i look at the programming languages used in the ethical hacker field i see mostly perl,python and c. i was wondering whats the best language to start with according to easiest learning curve and power. also, where do i find good documentation/tutorials to start?

first of all, this is a threat intended for people living outside of the united states and having a hard time finding the proper job or career they would like to have, focussed on pentesting ofcourse.

even though i havent been working in this profession for a long time, at this point i'm (already) walking into some walls. i see that the demand for good ethical hackers / penetration testers is a lot lower then i would like to see. i think this has something to do with the characteristics of the typical dutch people, but thats a completely different story.

i think this profession is way more appriciated in for example the united states, and what i'd like to know is how does this affect job opportunities and if you are willing, is it wise to move to the united states to boost you carreer? any experience here?

did you set the parameters right? hydra can close the connection before he gets the result, so try to ajust the number of connections and the time it waits for response.

here's some reseach material:

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3745276

i quote:
The Tuning tab is used for selecting the number of login attempts that are submitted simultaneously, and this number can be quite critical. Too high and the chances of being detected or locked out of the system are much higher, but too low and it could take days to work through your password list.

there's no insurance for either the buyer or seller in this matter. its like a drugsdeal (which go bad almost all the time, if we believe hollywood). both have something they want, but is it legit? how does either of the both party's know there not getting crossed? like hayabusa said, its like making a deal with the devil, hoping he's a saint. i'd like to see this initiative to work, but there has to be extream caution in getting this bulletproof.

correct me if im wrong, but i see some flaws on either the CFO's side as the pentesters side. Dave acted correctly from the moment he discovered the "hack". The CFO should have never given permission to attack the availablity of the infrastructure, and the pentesters should have never kicked up that much dust to get detected. however, when compromising the availablity of the infrastructure, youre pretty sure you will be detected.

i'd say go for truecrypt, being an open source supporter and all. At work we use SafeBoot, which comes with McAfee i believe. i dont know if it supports mac and linux as well, but i'm pretty happy with it.

remember that free information is always welcome (one way or the other), but support the hacking community and BUY books you really like and use them often. it also looks good to have a full bookshelf, even if it is just to impress your (hacker)friends

this is probably the best link for web application testing!

all the methods are explained and even how to test them yourself! just start with this document and try all the different vulnerabilities/attacks. make a chart of what worked, what didnt work, how it worked and how you will prevent them from happening in production. this is probably the best way to test it (atleast best practice)

@ zeroflaw: break open that piggybank!

@ Ryan:

thanks for explaining the differences between the certificates. i must say according to my experience youre right about CEH, however it does cover some thinks like snort, so it isnt completely 100% offensive. i think CEH and GCIH will be pretty close information wise.

i really like the part you wrote about where to go next after CEH/GCIH. i believe web application will be hot in the next few years. the focus will be shifted from network/os to (web)application. maybe this is the best step after getting your basics.

you wrote you had prior knowledge about writing scripts for nmap and metasploit, and writing simple buffer overflows. how did this help in studying for OSCP? i'm trying to get a feel how technical you have to go for this cert. i have little knowledge of programming but understand the concepts of writing for example buffer overflows. i'm afraid my lack of (good) programming skills will slow me down during the training. what do you think?

last but not least: good luck with the CTP cert, although i think you will do just fine 

Great work on the giveaways! you would almost think i signed up just for this! good luck to all and keep up the good work!

congrats! can't wait to see the reviews!

@hayabusa: just wait until you received the books, them the drooling will start for sure!

Congatulations! keep up the good work!