EH-Net
May 22, 2013, 06:57:01 AM *
  Show Posts
31  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Next Level Lab on: September 10, 2012, 05:43:47 AM
For me, ESXi does everything I need.

It's getting dated now and doesn't fully match my current setup but I wrote about my lab network setup previously, might give you some ideas.

Blog post: Virtual Lab Network
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Next Level Lab on: September 10, 2012, 05:09:00 AM
I've used GNS3 in the past, with mixed success.

I can understand the desire to build a 'lifelike' lab, but from my own experience I found GNS3 a step too far, as I spent more time getting it running and configuring the network than I did actually utilising the lab. Of course this does get you some network admin exposure and skills so may not be entirely time wasted depending on your goals.

Once the system is running, most of your tools/attacks won't notice the difference if you're popping shells over BO/SQLi/etc, the network is just the transport mechanism.

Plus, as GNS3 still requires you to provide your own Cisco IOS image this may be a deal breaker depending on what Cisco kit you can get access to.

For my own lab, I stick with ESXi's network capabilities plus a virtual Vyatta appliance to handle routing/natting/etc. depending on the scenario I'm trying to work with, but mostly I just stick my attack platform and target on the same subnet and get on with it.

Also bear in mind, the De-ICE images (and some others) don't have a default gateway set. So if you're wanting to use them in a more complex environment you need to get full root access to change the network config to add them to your environment, before attacking them. Bit of a chicken and egg issue.
33  Resources / News from the Outside World / Data Breaches increasing 1000% in 5years? on: August 30, 2012, 07:53:06 AM
The Register have just run a new article on a common theme; data breaches, intrusions, malware etc. are increasing *shock* *horror*.

Apart from rolling my eyes when I see these kinds of articles as the kind of FUD that's used as link bait, I also often stop to think behind the stats:
Are these incidents actually increasing?
Are we as an industry just getting better at identifying these occurrences so we're now reporting issues that would have been missed previously?
Are the topics just becoming more newsworthy so we're getting more newspaper inches?

I'll be honest, I've got no answer to these questions, just a few gut feelings. Would be interested to know others' thoughts.
34  Ethical Hacking Discussions and Related Certifications / Other / Re: Security reactions, just for laugh on: August 29, 2012, 09:47:42 AM
Thanks, I'd seen a few people linking to specific clips, but hadn't seen the full site. Should keep me busy with the afternoon coffee :)
35  Ethical Hacking Discussions and Related Certifications / Other / Re: Your Other Reading List! on: August 29, 2012, 06:59:09 AM
I'll add a few to the list, they're all a bit dated as I read most before I started Uni, but if you want to keep your mind active on tech subjects or broaden your professional horizon they're still good reads.

Where Wizards Stay Up Late: Origins of the Internet
Covers the development of the systems and protocols that would eventually become the Internet of today. If you don't know your Licklider's from your Postel's it's well worth adding to your library.

The Hacker ethic
Not necessarily the hackers of computer security, but covers those that think outside the box and work beyond the norm to do the unusual and 'supposedly' impossible.

Hackers and Painters
Covers the computerisation of everyday activities and the impact on our work and personal lives.
36  Resources / News from the Outside World / Re: Java Zero DAy exploit on: August 29, 2012, 04:02:26 AM
Everything points to this being an interesting bug. Immunity have released a blog post indicating that there were actually two different 0-day bugs being exploited to achieve full compromise from the PoC:
Quote
There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class.

And it's already in Metasploit.
Available here

This bug may hang around for a while as there is evidence surfacing that the issue is reproducible in most JRE implementations.
37  Ethical Hacking Discussions and Related Certifications / Other / Re: Copyright Infringement on: August 29, 2012, 02:59:35 AM
That's a little extreme, but love the dedication :)

P.S. I'm purposefully ignoring the potential that could be fake/temporary etc. ;)
38  Ethical Hacking Discussions and Related Certifications / General Certification / Re: 10 Year Systems Administrator wanting to get into Pen Testing on: August 29, 2012, 02:17:49 AM
Hey Barcardi,

welcome to the boards :)

Firstly, that's one hell of a list of certs on offer. I was like a kid in a candy store reading down your options.

From my own perspective I'd look at GCIH to get a good grounding on the technical side followed by CISSP, although mostly to open HR doors in lieu of a degree.

As cd1zz has mentioned, take a look at OSCP. It's not on your list, but it's a relatively cheap set of training and certification in comparison to the others. I used it as a jump off point from network/system administration that I had been doing for a few years into security. It gave me the technical information I needed, and I was also able to leverage the sysadmin skills I already had to complete several of the challenges (knowing the defaults on some of the target systems can really reduce some of the difficulty accessing unhardened systems).

It might not be purely security, but given your background getting your MCSE/MCSE-sec certs shouldn't be too much of a challenge, would prove the skills and experience that you have and (hopefully) ensure that you remain employable for the years to come.

Good luck with your A+ and Sec+ exams, and whatever you choose to follow them with
39  Ethical Hacking Discussions and Related Certifications / Other / Re: Boot Problem on: August 29, 2012, 02:07:03 AM
Quote
No, I didn't copy it over, I don't want to use that program.

Any reason for this? Unetbootin (or alternatives) are the right tool for this job.

If you've just transferred the files to your external HD your files should be there, but your system may not know to boot from the external rather than local HDD. Is the boot order correct for what you're attempting? (dd will have the same issue)

Which Live OS are you using? (assuming BackTrack given forum topic), without using unetbootin you can boot the iso, then use the install option, pointing the installer at the correct external HDD. (Make sure you pick the right option, making a mistake could hose your local system).

Hope this helps, but we'll likely need more info than you've provided to assist further if not.
40  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-July 2012 Free Giveaway Winner of Hacking Dojo Training on: August 25, 2012, 05:14:58 AM
Thanks Don, can't wait to get started.

There's been a few threads recently for feedback on various training options so I'll try and document my thoughts and progress as I go through. If I don't, feel free to chase and nudge me, I've got a habit of getting side-tracked whenever I've got an interesting project and I'll definitely class getting access to the DoJo as interesting! :D
41  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: SecurityTube Python Scripting Expert (SPSE) on: August 24, 2012, 03:50:05 AM
Quote
I think it's better to learn Perl than Python, it's my idea.[...]

I'll counter that, much prefer python, and from my experience I'd definitely question the thinking behind Perl being easier for a beginner.

My reasoning is largely non-technical; I find some of Perl's idiosyncrasies a nightmare to get my head around, especially if I've not coded for a while and need to knock a quick script up. In comparison as Python's syntax and formatting focuses on whitespace, most Python code looks and feels similar when trying to come back and update something later.

I'm not a developer by any stretch of the imagination, but I can generally write code (badly) in any language. I'd suggest just picking a language that feels comfortable and starting there, if you need to change to a different language a lot of what you learn will be transferable (I started with VB and PHP, yuck).

For a beginner I've been suggesting python purely based on the additional support and guidance available through the securitytube resources.
42  Resources / Career Central / Re: Demand for Linux Skills on the Rise, Along With Wages on: August 21, 2012, 05:00:49 AM
From the article:
Quote
Linux Systems Administrators
Linux expertise isn’t enough any more. Now you’ll need experience with scripting languages, configuration management and virtualization software.
N.B. Emphasis mine...

I could be going out on a limb here but; if you can't script, at least to a basic level you're not a sysadmin?

As for the rest of the article:
  • 'Sys admins are being outsourced' - to who? Someone still doing the work
  • Web design: 'DIY tools eliminating need for experts' - really? (although this does explain a lot of the cruft....)
  • Datacenter specialists: This is my bread and butter, no let-up in demand here from the trenches
  • repair technicians - True from an end user device perspective, but let's see you replace a blade-centre/SAN/etc. for less than the repair costs...

who writes this junk?
43  Resources / Links to cool sites. / Re: HackArmoury (Tool repository) on: August 21, 2012, 04:50:36 AM
I came across hackarmoury for the first time a few weeks ago, I think it's got a good collection of tools and a great source for showing some of the breadth and depth of available tools that you might not know are available for specific tasks.

BUT, from my testing (completely non-scientific) I found many of the tools available to be behind the latest vendor version and I'm always nervous about getting tools from source (see Download's bundling of nmap with malware last year for an example).

Personally I'll still be taking my tools from source, or at least 'trusted' repos.
44  Ethical Hacking Discussions and Related Certifications / Hardware / Re: network adapter for packet injection on: August 17, 2012, 05:44:10 AM
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers&DokuWiki=8bd546a5c894de8c3e189f340593bb1f#compatibility
45  Features / Opinions / Re: Security research and Black hats where does the bourder line on: August 17, 2012, 03:53:22 AM
Missed that one (recording on my 'to watch' list); same reason, sat in CV clinic.