Partly yes, but take a look at Exploit-DB and my youtube channel (maxel3g3nd) this or next week, there's going to be something about this 

But ontopic, URL encoding can be useful in some directory traversal scenarios but in some cases you need to bypass it, all depending on how the target application code is written 

Thanks for clarifying most of what I meant and as you mentioned, there's plenty of resources :-)

If you just want to claim your ISC2 points then it's enough by either passing the exam or by submitting your lab documentation as far as I know.

However with the exam it is required no matter what, that you achieve a certain amount of points in order to pass. For OSCE it's slightly above 80% if you convert the amount of points to percentage.

If you calculate a very good attempt (as in being very close to completing the minimum requirements), then I was around 70-75% during my first attempt and this week I am going to have my second attempt. It's not going to be easy but after all it's OSCE, good luck to all of you taking / doing OSCP or OSCE 

I am aiming at 100% this time 

Sometimes, .. or perhaps .. is filtered and therefore a custom "bypass" usually has to be made though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd 

Welcome to Ethical Hacker, lemming2012  


My best advise in order to pass any certification, even the very hardcore OSCE (by Offensive Security) is to anticipate the unknown as much as possible, know your limitations but also where you can improve, so if you fail then you know exactly what you need to do so you'll pass the next time.

If you know your own strong and weak points, then you also know what you could potentially fail on during a hardcore test (challenge or examination) going way beyond any book ever written, where you'll have to improvise, use (perhaps) all your skills and can't ask anyone for help in particular 

Fight for what you want to become, and you'll eventually become it.

The Web Application Hackers Handbook:
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778

I heard it was good, but I haven't read it yet.

Open Source Tools can e.g. be found in The Penetration Testers Open Source Toolkit vol. 2 which may seem a bit "outdated" to some since an older version of the rapidly evolving BackTrack linux distrobution is mentioned, however most of these tools are essentially the same even though there may be new features and bug fixes in later versions.

Some of the tools I use are:
FireFox with these addons: Firebug, Tamper Data, Live HTTP Headers and Add 'N' Edit Cookies.
(There's a list here too, but it is not up2date: http://firecat.intern0t.net/ )

I should note that I only use a few select tools, because I really don't need to use
a lot of tools. If I need something beyond the tools I have, I just write it in Python or PHP etc.

Now when you have FireFox with at least most of these bare minimum addons (Add 'N' Edit Cookies hasn't been available for later versions of FireFox for a longer time.), then you can proceed onto learning and of course installing:

- Nikto (written in perl, so you also need to install perl.)
- A transparent proxy (Burp Suite, WebScarab, Paros Proxy, etc. Most of these are written in Java.)
- W3AF (Not that easy to use and install, but it works quite good for some types of pentests but mostly I don't use it.)
- And a bunch of online tools like http://intern0t.net/xssor (encode strings in a fast way.)

However with these tools, you should have a good start.

You could also install: SQLmap since you're aiming at finding SQL Injection vulnerabilities, but keep in mind that most of these tools are indeed very nice, but they are unfortunately not that easy to use for especially beginners and all of the tools except the manual method can return false positives too. Even false negatives.

Of course, I suggest you check out BackTrack if you're just wanting a lot of tools but as mentioned previously, you need to understand how these tools work and also how to hack manually. Being able to audit (review) code is not a requirement but it adds a big plus in case you need to find more "obscure" vulnerabilities.

The easiest way in case you want to see everything which is transmitted between
you and the possible chinese domains is to do the following setup on your network:

[computer] => [NIDS] => [Internet Lol Internet]

The NIDS is a Network Intrusion Detection System which is basically another computer (cheapest solution) which can be running Snort which also detects attack patterns in the traffic from the computer through toe NIDS to the Internet. (Most likely via a router of course.

Now on the NIDS you should perhaps run Wireshark or tcpdump and then dump a good amount of traffic when the computer is idle and then just wait for the chinese domains to resolve. When they are resolved you can follow the TCP stream easily in Wireshark on perhaps another computer and even configure the NIDS to alert you whenever a connection is perhaps made to any chinese domain.

This is not easy, but this is the way you will be 100% sure what's going on if there's activity on your computer while it is idle. If there isn't, do the usual thing while the NIDS captures a "small" amount of packets for like 10-15 minutes. Or perhaps more.

Keep in mind the more traffic and the longer time you capture traffic, the less easy it may be to analyze the data.

A must is of course to understand HTTP, DNS, FTP, and other protocols too since you don't know what kind of protocols the malware may use in case  there's any, except that it may be using DNS to resolve the C&C servers.

I hope you have a good hint on how to do this, good luck 

I agree with impelse, but I liked the info.

I am very curious though, do pentesters really charge companies ~10-30k$ USD to check their website?


I have heard of pentests on government websites for around 7.5k$ USD for the "small package" which apparently didn't include 1x SQL Injection and 3-4x Non-persistent XSS and 1x Directory Traversal (path disclosure) vulnerability.

What I call the excuse, was that the full package of 15k$ USD wasn't bought and therefore these vulnerabilities wasn't found.

But after providing my services afterwards, to the exact same instance, then these vulnerabilities were discovered in ~1 hour. (Without charge. (personal contact)).


Anyway back onto the topic, you can use a commercial tool like Acunetix, it's efficient and it is able to find the most obvious security holes including a few not so obvious security holes. However, no commercial tool that I know off, is able to find the well "hidden" and more obscure security holes.

These also exist on many websites, and luckily most script kiddies doesn't know how to exploit these, but blackhats do or will be able to.

Therefore I still think the best option is as COm_BOY said, would probably be to hire a pentester which you of course must trust both ethically but also in his or her skills.

Educating an employee already interested in security, could be a big plus too but this takes time and thereby money as well. But it may be cheaper over the long term, if the target employee is able to learn and keep up with the trends and attack vectors in Web Application Security. (New attack methods are developed ~yearly, mostly related to incorrect implementation of Javascript, PHP, ASP, etc.)

Very nice list though it only aims at software exploitation (aka service exploitation) which can contain many bugs of course, but web applications nowadays are also entry points into the target system.

Knowing PHP and or ASP is a good idea in my opinion but besides that, there's my tool list for Web App Sec:
- FireFox with Firebug, Live HTTP Headers, Tamper Data and Add 'N' Edit Cookies.
- Burp Suite (free) - For more advanced stuff
- Nikto - A very nice active web application scanner which is good if you don't have any obvious entry points.
- Maltego - Information gathering, it's a must to have installed.
- Whois, Netcraft and Google - Useful services to find information about the target.

Extras:
- W3AF - Open source web application scanner
- Acunetix - Commercial but quite efficient web app scanner.
- Pangolin - SQL Injection "Assistant". I am not sure if you can fully trust this program but it is very nice.
- SQLmap - Nice open source SQL Injection Assistant tool. (It it quite good, but knowledge about SQLi is a must.)
- Metasploit - It has some nice Web App Sec modules and scanners but I hardly ever use them.

Whenever it is possible to execute PHP code on the target system I tend to use this:
HaXxd00r - http://intern0t.net/haxxd00r/ (it's a backdoor creator, it's used when I need to create and encode a backdoor in php fast.)
XSSOR - http://intern0t.net/xssor/ (mostly used for XSS encoding, but I use it to encode backdoors too.)

And of course custom Python and PHP scripts written on-the-fly. (Mostly simple yet helpful stuff.)

I hope someone will benefit from this list even though it looks incomplete but Web App Sec, doesn't really require that many tools because most of the tools available, are just made to speed up the process or aid during a pentest.

Keep in mind that some hosts filters vulnerability scanners and denies them access by looking at the user-agent so if you modify that then this limitation shouldn't affect you. Furthermore, vulnerability scanners produces a lot of traffic including logs, keep that in mind if you need to be stealthy, stay away from these scanners.

If it's only a matter of traffic, simply use these scanners while there's a lot of traffic towards the target site. However sometimes, "attacking" while there really isn't any traffic can be a good idea too.

I can't guarantee anything, but take a look at the MS08_067_NETAPI exploit in Metasploit

Also, take a look at the other exploits in Metasploit. There is usually opcodes for most operating systems included in the exploits, so if it was me then I'd take one of them and try to use it.

There was another site which had a huge database too, but that's unfortunately down as well. 
(Dead reference: http://www.securityfocus.com/archive/82/445612/2010-08-29/1 )

I did try to find cached examples of that opcode list he had, but I couldn't find any.

If you ask him nice, and if you can find him, then "Jerome Athias" is the guy you need to look for about that opcode database I'm referring to. Good luck! 

HaXx.Me #03 has begun!  Good luck to the participants 

Sorry for "spamming" my own thread, but I am sure someone will love this challenge.

Finding a 0day in a software service may be very time consuming, but it all depends on the target.

Finding 0days in Web Applications is relatively easy in most cases.

Using only known exploits will limit your chance of cracking the perimeter, except if the target is seriously outdated or new exploits has just been released for you to use and so forth.

Sometimes, it's just a matter of time before a new vulnerability emerges.

There are a couple of solutions:
A) Buy a new harddisk and replace the old physically with the new one. Then install an operating system fully up2date. (Install a good firewall and anti-virus system too like Kaspersky, Symantec Norton 2010, or similar.)

If you're into computers, install Linux and configure it in a secure way.


B1) Your father may have installed a rootkit which does not get wiped by a regular Windows re-format. If you're not going for a new harddisk to be sure you don't got a hard2remove rootkit installed, get a "harddisk eraser" from IBAS or similar. (It's just a special magnet messing up the bits on the magnetic harddisk, in case it's not an SSD disc.)

B2) Perhaps, if there is a rootkit on your computer, a simple re-partitioning and format of the harddisk in Linux may erase everything. You can get LiveCD's in case you're not familiar with the linux console, and such a tool could be QTParted or GParted. I'm not sure how well Norton Partition Magic would work in this case.

B3) Do one of those Government Clearing of your harddisk where the data is wiped +5 times. (Depending on the method you choose, one of them will erase the data more than 30 times on your harddisk. It's a quite cool tool but I forgot the name unfortunately.)

C) Your father may have installed a rootkit in the BIOS, if so you need to replace the BIOS chip if possible. Otherwise buy a new motherboard or get a new computer. (Since it's a laptop, there isn't very much you can replace.)



Anyway, when you've done that and installed an Operating System do a FULL DISC ENCRYPTION!

Install TrueCrypt, and do a full disc encryption and set a good, long password with mixed upper and lower-case letters, numbers and symbols.

When you've done that set a password in the BIOS and make sure it is not possible to boot up on anything besides the harddisk. (Set the harddisk to be the first device in the boot order.)

Then you could set a password for booting up the computer as well.

There is however a reset jumper on most computers nowadays, which is able to reset the BIOS password. If you want to disable that functionality you need to do some hardware modifications to the motherboard in your laptop which I cannot recommend.


But if you follow most of what I wrote above, you'll be fine.

When you've installed your operating system and a firewall and an anti-viral system, don't visit websites your father suggests you   (He may be a rogue hacker too.)

Avoid using instant messaging programs except IRC.

Use HTTPS (ssl) whenever it is possible and encrypted protocols as well.


Now we're on the paranoid path, but depending on how well you want to hide everything from your father and anyone else, you're getting pretty close.



If you just want to confirm whether he's spying on you or not, do the following:
1. Set up a LAN where NAT is enabled. (A simple network with local ip-addresses, a router and another computer.)
2. Set up the second computer to log all communication from your computer to the Internet.
3. Don't use the laptop for anything but browse to a few websites you visit and then check the second computer if there's traffic that shouldn't be there.

This is NOT something that's easy, but it's fun  


Good luck and have fun  


PS: This reply was quite "brief" in how to do the above suggestions and these do not reflect my entire view on the possibilities on confirming whether your father has hacked your computer or not nor does it confirm how many ways there is to lock your computer down entirely. (In short, there's more to it than what I just said.)

FreeBSD  There you go: www.freebsd.org/   

If the price was $3k, how much time would you expect to use on such a pentest then? I'm just wondering since I honestly don't know the overall pricing either 

Sorry to break your dreams H1t M0nk3y ;-)

Congratulations to the winner(s)!