At that same conference, the opening speaker, Richard Clarke (former chief counter-terrorism adviser to the US National Security Council) seemed to think completely opposite of that perception. He seemed to feel if we could get coders to write more secure software all would be right in the world.
What concerns me is if someone new to security simply downloads a copy of Backtrack and runs autopwn on their network and doesn’t get a shell, now feels his network must be secure. This couldn’t be further from the truth.
There is a site I have started to recommend to those new to security. Most of us know about it, but I am not sure how many have actually gone there and downloaded the live CDs and hacked them. I am referring to the DE-ICE.net live pentest cds.
This is such a great concept and I really support it for training those new to the field. Now I have only downloaded the first 2 and I will say any seasoned hacker can get through them quickly, but what I like is you can’t exploit them to get root with metasploit. You have to think like a hacker.
My understanding is the scenarios were created from “real life” pentests the author of these Cds Tom Wilhelm encountered in the field. The entire concept of live pentest CDs has so much merit. You can easily boot them up and hack away. If you screw things up, just reboot. The very best thing about this project is there is a challenge involved. That has always been the weak part of a home lab. Now I am a big supporter of having a lab and have made a number of posts here about doing that. But the one weak aspect is you already know if it’s vulnerable or not when you set it up. Well, unless you are into exploit research, but most CEHs are not doing that and are simply practicing with their tools. Being great with tools is fine, but it doesn’t teach you how solve puzzles and that’s what hacking is all about. A live pentest CD on the other hand presents a puzzle for you try and figure out. It teaches you how to “think” like a hacker and how to solve puzzles. This is in my opinion the most crucial quality to gain and I really don’t care how well you know all the switches of nmap or you know metasploit top to bottom, etc…
Yes, like anything there are some short coming and live cds are not perfect. They don’t give the feel of a networked environment. However you could rewrite them to be if you wished, but thats not really what they are all about any way. There are not many available so far and of course they are all presented in linux so you wont be hacking server 2003, but once you have the concepts down you could easily apply the concepts to any OS.
If you do decide to take a stab at the CDs , please resist the temptation to looks at the spoilers out there. There are even full video spoilers available, but this would make as much sense as going to an answer page of a crossword puzzle before you even try and filling in all the blanks! I doubt that will make you a better crossword player. Just to say again, the value is not that you are going to learn some new amazing hacking technique, but that you can learn to solve puzzles and think like a hacker.
From what I gather, this is the same attribute that Muts is trying to instill in his course and if you are going after that certification, before you take the test it might benefit you to run through these Cds. I really can only say good things about the concept and I hope one day it will be expanded to include every level of challenge.
http://de-ice.net/index.php?name=News&f ... icle&sid=1