Q&A for Pen Testing Perfect Storm Webcast Series: Part I

[KevinInGuardians]

Options to prevent the "BeEF" attack is preventing the use of a wireless network by an admin ?

Actually, the only prevention of BEeF attacks is to fix the XSS vulnerabilities within applications.

[KevinInGuardians]

What tools can be used to automate SQL injection attacks?

There are a number tools for SQL injection. 

SQLMap and Absinthe come to mind immediately.
SQLMap is available from http://sqlmap.sourceforge.net
Absinthe is available from http://www.0x90.org


I personally recommend w3af as it includes SQLMap and many other tools for web testing.
W3af is available from http://w3af.sourceforge.net

[xXxKrisxXx]

Sorry I got here late, I'm about to watch it but I need the real player, so I headed over to get it at www.real.com/ downloaded it, uploaded it to virus total and got:
http://www.virustotal.com/analisis/78991ac2576070f4b3181865d202aa05
False Result? What you guys think?

[geekyone]

I would guess false positive but wouldn't guarantee that.    On a kinda unrelated question is there a reason virustotal misspells analysis as analisis?  Or is that a correct British spelling and I am being a stupid American?

[LSOChris]

1/36, so its either a really good piece of malware or a false positive.  or maybe a real result considering the installer probably calls home or to the net to grab updates.

if you are really paranoid run in a VM with a sniffer and see what it does.

[xXxKrisxXx]

Got ya, just I've seen safer files. Thanks.

[Jhaddix]

Could we also leverage karmasploit for this type of attack to push clientside exploits, own the admin laptop, and then dump the password hashes, crack them, then use them to access other machines or the protected wireless internal network?

If that is functionally equivalent, which one of these attacks is better for a pentest? which one would be faster?

and on a side note, when is Jay going to release the middler?

Thanks Inguardians crew!

[rlallen]

Does anyone happen to have the full webcast (.arf file) posted somewhere? Core and SANS seem to have removed it.

[Ketchup]

Sorry to resurrect an old topic, but has anyone gotten the AirCSRF, “Air-Sea-Surf” tool that this webcast mentioned?   I had on my list to follow up and I still can't find it.  Any word on its release?

[timmedin]

Sorry to resurrect an old topic, but has anyone gotten the AirCSRF, “Air-Sea-Surf” tool that this webcast mentioned?   I had on my list to follow up and I still can't find it.  Any word on its release?

I still don't think it is available