I think this is probably against their TOS. I know if you want to use the Amazon Cloud to do a pentest, you have to get authorization before you start. To analyze malware  you'll likely allow it to propagate if it has those capabilities so I would guess they wont let you do it. I would just use a local VM environment. If you're extra worried about it breaking out of the environment, use a separate box with nothing important on it.

If you can swing it, I would go get an MSDN subscription. It's the best $250 you could ever spend. It gives you access to every product MS makes for "testing and development" purposes. With this subscription you can play with all the major players like Exchange Server, Terminal Server, Active Directory etc etc. etc.

There is no substitute for actual experience in the work place but an MSDN subscription can really help you bridge the gap.

You might also want to look into some of the MS certs like MCITP. I think this is the one that replaced the MCSE. I got an MCSE back in NT 4.0 and quite honestly it has helped me more than any other cert. Even if you dont do the certification the books and literature are pretty good.

I've been living in this arena for a long time, feel free to ping me with any questions.

Fresh on the new EH Hacktivism board!

http://www.npr.org/2011/06/16/137226643/hackers-eye-u-s-government-targets

Another thought I had - you might want to look into unicornscan instead of nmap.

Sounds like you need to do a bit of recon before you hit such a wide range of IPs. For example, ping their webserver. Does that IP fall into one of the blocks they gave you?

If so, scan that so you can be sure you're getting some results back.

Recon and info gathering is a critical first step.

Did they give you the block of external IP's to test or is this a black box scenario?

If this is the block they gave you, you might want to slow down your nmap scans. It's possible the FW knows you're slamming it with nmap scans and is just dropping your traffic. It's also possible they spotted you and are dropping all traffic from your IP.

I would try the -t (i think) flag in nmap to change the interval so that it slows your scans WAY down. I would probably also try from a different server with a different public IP just in case they blocked your IP as a matter of Incident Response.

-C

While I don't condone their activities, I think it's great for business like you said above. It is hard enough to get people to pay attention to security but with major headlines, your clients begin to listen. I find it highly entertaining as well to watch this stuff unfold.

Yep, they only come into play if you're very close to the passing score.

I'm not even sure if you could do this to maintain the forensic integrity, but could you take an image of that box and then attempt a system restore back to when you think it was installed?

HA!

If MaXe's instructions don't work try these:

1. Turn on PC
2. Study networking and security concepts for 5-10 years.
3. Hack friend.
4. Get arrested.
5. Go to jail for awhile.
6. Re evaluate plan.

Nah, I was just going to pound out a bunch of practice tests and skip the book. HA, just kidding. Yes, I actually have a few books I've been reading but was just curious of what other folks have used in regards to practice questions.

If you're using a reverse_tcp, make sure you have your multi handler setup correctly on your bt box....

You're on the right track. Mine is done in C++.


Yep, but social engineering isnt as hard as you think 


They actually incorporated that into the OSCE course... The problem with the code cave is that a lot of the AV vendors will pick up the "stub" but there are ways around that too!

As soon as Metasploit adds something, the AV vendors quickly create a definition for it. Here is a article that speaks to exactly what you're asking by scriptjunkie. I worked with him to create a completely undetectable payload. This will clear it up for you.

http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/

There are other ways of doing this as well like backdooring legitimate exe's by using something called a code cave but the published ways are usually picked up as well.

MaXe published this awhile back which is also helpful: http://intern0t.net/papers/BPAV%20-%20InterN0T.pdf

How much did you rely on practice tests for the CISSP exam? If you think they helped you? If so, which ones do you recommend?

I'm forcing myself to start this cert, I can't put it off any longer!

As always, thanks for your input.