EH-Net
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Firesheep Details?? on: November 03, 2010, 09:55:38 AM
I will try to give a full picture of Firesheep.

Wireless packets are encrypted using WEP/WPA keys. On a public wifi connection, the packets that are sent back and forth are unencrypted. The unencrypted wifi packets are perfectly normal and not the focus of the problem here.

A wireless card set in promiscuous mode would be able to sniff all the packets in the network. As HTTP packets are not encrypted by default, session cookies can be stolen, making it possible to hijack sessions. Okay, this scenario has been known for several years now, but the tool to make this look easy was not available. Firesheep did exactly that. The focus of the problem is popular sites (Facebook, Twitter) not offering HTTPS by default, and the author made the tool and made it public to force these sites.

Remember that the scenario is the same for all other TCP protocols that do not use an SSL layer - ftp, pop, smtp, imap etc. and so on. Believe me, it's not hard to write a tool for sniffing passwords, and I am sure there are plenty available now (Cain and Abel?).

Regarding the working, I think it's pretty simple:
1) Steal the cookie from HTTP requests
2) Send a new request to the site with the stolen cookie
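The defence the post points at is the site marking its session cookie Secure so it is never sent over plain HTTP where a sniffer on the same wifi can read it. The following audit of Set-Cookie headers is an added example, not the poster's code or a tool from this thread; the header lines and the list of typical session cookie names are constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers from a hypothetical site; not real traffic.
SAMPLE_SET_COOKIE = [
    "Set-Cookie: sessionid=a1b2c3; Path=/; HttpOnly",
    "Set-Cookie: csrftoken=t0k3n; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/; Max-Age=31536000",
]

# Cookie names that commonly carry the login session (assumed list, extend as needed).
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute_lower: value})."""
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes get ""
    return name.strip(), value, attrs


def audit_set_cookies(headers: List[str]) -> List[str]:
    """Return findings for cookies a passive sniffer on plain HTTP could capture.

    A session cookie without Secure is attached to every http:// request, so
    anyone sniffing the wifi can capture and replay it (the Firesheep case).
    Missing HttpOnly on a session cookie is reported too, as it widens exposure.
    """
    findings: List[str] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        is_session = name.lower() in SESSION_NAMES
        if "secure" not in attrs:
            severity = "HIGH" if is_session else "LOW"
            findings.append(f"{severity}: {name} lacks Secure; sent in clear over HTTP")
        if is_session and "httponly" not in attrs:
            findings.append(f"MEDIUM: {name} lacks HttpOnly; readable by script")
    return findings
```

Secure only helps when the login and the rest of the session actually run over HTTPS; a site that serves pages over plain HTTP cannot set it without breaking itself, which is the situation the post describes.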
17  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security certifications on: November 03, 2010, 08:50:12 AM
Forensics (CHFI) will be under blue team.

One more to the list.
Reverse Engineering - CREA, GREM

Yes, there are some certs (CEH) that are more recognized, easier to attain and cover fundamentals, but they do not really say that you can do the job.
18  Ethical Hacking Discussions and Related Certifications / Other / Re: Security Best Practices at Home on: November 02, 2010, 09:10:39 AM
Quote
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices' MAC Addresses
4. Keep Access Point away from Windows and Doors

These three points cannot even stop script kiddies!!!

They could give a false sense of security...

H1t M0nk3y is right. I assume turning off DHCP is to defend against ARP poisoning. Assigning static addresses to machines does not defend against ARP poisoning, but static ARP tables do. Hope that was implied.
19  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Passed Sec+ - want to keep going on: November 01, 2010, 02:53:15 PM
I believe you will be allowed to download the IOS from the Cisco site if you purchase a Cisco product. Not sure. Please confirm it before buying.

Also check this out
https://learningnetwork.cisco.com/message/17111
20  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Passed Sec+ - want to keep going on: November 01, 2010, 12:57:47 PM
Quote
Just need to get my hands on the right equipment. Any ideas on equipment for a small home lab??? My whole goal here is to learn about security as much as possible; I love it.
Simulators are an option here.
http://www.gns3.net/
http://dynagen.org/ 

Quote
Anyone have any ideas on what else would pique my interest in the security world???
This might interest you.
www.sans.org/20coolestcareers/
21  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: vmware pen testing lab help on: November 01, 2010, 10:46:22 AM
It's ideal to have all possible combinations of OS versions and SPs installed, as it will come in handy once you get into exploit development. At the beginning you will not be needing any more than Windows XP SP2. Of course, if you wanna try Vista/Windows 7 exploits from Metasploit then you've got to have it installed.

Add some Debian, Red Hat, Slackware OS flavors to your list, and a real old version of Red Hat/Debian to practice buffer overflows in Linux. It's easier that way; otherwise you've got to be tinkering with gcc options and /proc kernel options to make it work.

Also check this excellent post by Equix3n-
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6209.msg33158/#msg33158

+1 for VirtualBox. It just gets the job done.
22  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: exploiting vulnerable http methods and ./ directory traversal ? on: November 01, 2010, 09:44:36 AM
If TRACE is enabled, then you might want to check on Cross Site Tracing
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

If CONNECT is enabled, then you might want to check on HTTP CONNECT tunneling.

You can manually find the vulnerability if you have the source, or sometimes by guessing/experience. I can give you a quick look at how it's done manually.

If you have the source, let's take PHP, you look for include "<filename>" where filename is obtained as input from the client, usually as a GET/POST parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if it's vulnerable to directory traversal attacks.

The guessing knowledge is usually obtained from experience; for example, you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually, hence the tools. In order to obtain that kind of knowledge, check the heuristics used by the tools for detecting directory traversal vulnerabilities.
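The fix for the include-with-user-input pattern above is to resolve the requested name under the include directory and refuse anything that ends up outside it. The code below is an added example, not the poster's or a tool from the thread; WEB_ROOT and the filenames are constructed, and the naive denylist is shown only to contrast it with the path-normalising check.

```python
import os
from typing import Optional, Set

# Constructed include directory for the example (hypothetical path).
WEB_ROOT = "/var/www/app/includes"


def naive_is_safe(user_filename: str) -> bool:
    """A denylist check that looks fine but misses absolute paths and encodings."""
    return "../" not in user_filename


def safe_include_path(user_filename: str, base_dir: str = WEB_ROOT) -> Optional[str]:
    """Resolve a client-supplied filename under base_dir, rejecting traversal.

    Returns the absolute path if it stays inside base_dir, otherwise None.
    Works on the string form only (os.path.normpath), so it runs without the
    files existing; before opening the file in production, also pass the
    result through os.path.realpath so symlinks cannot point back outside.
    """
    if "\x00" in user_filename:  # NUL bytes truncate paths in C-backed runtimes
        return None
    base = os.path.normpath(base_dir)
    # os.path.join drops base entirely when user_filename is absolute, so
    # "/etc/passwd" also fails the prefix test below.
    candidate = os.path.normpath(os.path.join(base, user_filename))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def resolve_include(user_filename: str, allowed: Optional[Set[str]] = None) -> Optional[str]:
    """Allowlist variant: only names the application knows about are resolved.

    For the stylesheet-by-user-input case this is the stronger fix, since the
    set of legitimate includes is small and known in advance.
    """
    if allowed is not None and user_filename not in allowed:
        return None
    return safe_include_path(user_filename)
```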
23  Ethical Hacking Discussions and Related Certifications / Security / Re: Real World Security Professional (RWSP) - Day One of Two on: October 27, 2010, 09:17:44 AM
I am sure a beginner (1-3 yr exp) who just spectates as a member of either team would walk out with a ton of knowledge and stories to share... Great write up, sil.
24  Ethical Hacking Discussions and Related Certifications / Other / Re: Email Spoofing on: October 26, 2010, 03:50:51 PM
Normally, by the inherent nature of how email works, it is possible to spoof email IDs. But as you are seeing undelivered reports, it seems something is fishy.

Your email might have been hacked.

1) Change your password
2) Change your security questions
3) Change the backup email address that you might have given in case you forget the password

If your system is infected, then doing all the above is just a waste of time. Do the above steps on a clean system, then format the infected system. This is better than scanning the system for malware, as you will never be sure whether all the threats have been neutralized.

25  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Setting up a test lab on: October 22, 2010, 12:36:38 PM

Are the images being verified by VMware? Does anyone know how the trust model works here?
26  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Redundant opcode on: October 22, 2010, 11:39:44 AM
http://www.mlsite.net/blog/?p=76

Found this link accidentally. This is a nice collection of redundant opcodes. It came in handy for an exploit I was working on (bad character issue). Thanks to the author.
27  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Port Scan from random Source IP's on: October 22, 2010, 10:05:47 AM
By "access" I guess tturner meant network access to the idle host... Otherwise the change in the sequence number cannot be realized by the attacking host.
28  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP Advice on: October 15, 2010, 12:30:15 PM
Quote
What do I need to provide? Can I use a VM or do I need to have a dedicated system, and do I need to use a specific version of Backtrack, or is one provided/recommended?
Yes, a VM is sufficient, and you will be given a link to a Backtrack VM image that is in tune with the manual provided.

Quote
I am confident about my networking (TCP/IP) skills and my Linux skills are reasonable (can navigate, manipulate files, users, groups, permissions, daemons etc.), but scripting is something I have not done a lot of. Is this a requirement for the course, and if so, which scripting language would best reward the time investment? I do understand programming; I write assembly (Z80 and MC68K) to a reasonable standard, but aside from a (very) small amount of C I have not used any high level scripting languages.

Any answers/advice would be welcome.

Thanks.
There are a couple of programming exercises, but none requires expert knowledge. As you are able to read programs, I believe you will be right at home with the programming exercises. I would suggest Python for this course. Learn to write simple network related programs with Python. But it really doesn't matter if you choose Ruby or Perl.
As you write assembly, that is definitely going to help with exploit development and understanding buffer overflows.
Good luck.
29  Resources / Tutorials / Re: Ethical Hacking and Penetration Videos on: October 15, 2010, 08:22:25 AM
That's a really good link... Thanks j0rDy
30  Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: Passed GPEN – some comments (Sept 2010) on: October 12, 2010, 05:02:49 PM
Quote
Congrats!!!

I am also preparing as self study. I need any dump to help me; how can I find any dump?

Thanks in advance!!
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5993.msg31886/#msg31886

An excellent "dump" by sil