.

Q&A for Pen Testing Perfect Storm Webcast Series: Part I

<<

KevinInGuardians

Newbie
Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Wed Oct 22, 2008 10:46 am

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Options to prevent the "BeEF" attack is preventing the use of a wireless network by an admin ?


Actually, the only prevention of BEeF attacks is to fix the XSS vulnerabilities within applications.
<<

KevinInGuardians

Newbie
Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Wed Oct 22, 2008 10:48 am

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

What tools can be used to automate SQL injection attacks?


There are a number tools for SQL injection. 

SQLMap and Absinthe come to mind immediately.
SQLMap is available from http://sqlmap.sourceforge.net
Absinthe is available from http://www.0x90.org


I personally recommend w3af as it includes SQLMap and many other tools for web testing.
W3af is available from http://w3af.sourceforge.net
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Oct 22, 2008 12:50 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Sorry I got here late, I'm about to watch it but I need the real player, so I headed over to get it at www.real.com/ downloaded it, uploaded it to virus total and got:
http://www.virustotal.com/analisis/7899 ... 65d202aa05
False Result? What you guys think?
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

geekyone

User avatar

Full Member
Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Wed Oct 22, 2008 7:00 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

I would guess false positive but wouldn't guarantee that.  :D  On a kinda unrelated question is there a reason virustotal misspells analysis as analisis?  Or is that a correct British spelling and I am being a stupid American?
CISSP, CEH, GPEN, GCIH, GCFA
<<

LSOChris

Post Thu Oct 23, 2008 2:12 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

1/36, so its either a really good piece of malware or a false positive.  or maybe a real result considering the installer probably calls home or to the net to grab updates.

if you are really paranoid run in a VM with a sniffer and see what it does.
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Thu Oct 23, 2008 6:33 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Got ya, just I've seen safer files. Thanks.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Oct 29, 2008 11:18 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Could we also leverage karmasploit for this type of attack to push clientside exploits, own the admin laptop, and then dump the password hashes, crack them, then use them to access other machines or the protected wireless internal network?

If that is functionally equivalent, which one of these attacks is better for a pentest? which one would be faster?

and on a side note, when is Jay going to release the middler? ;)

Thanks Inguardians crew!
<<

rlallen

Newbie
Newbie

Posts: 1

Joined: Wed Apr 01, 2009 9:37 am

Post Wed Apr 01, 2009 9:47 am

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Does anyone happen to have the full webcast (.arf file) posted somewhere? Core and SANS seem to have removed it.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 15, 2009 4:43 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Sorry to resurrect an old topic, but has anyone gotten the AirCSRF, “Air-Sea-Surf” tool that this webcast mentioned?  I had on my list to follow up and I still can't find it.  Any word on its release?
~~~~~~~~~~~~~~
Ketchup
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Apr 16, 2009 9:00 pm

Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I

Ketchup wrote:Sorry to resurrect an old topic, but has anyone gotten the AirCSRF, “Air-Sea-Surf” tool that this webcast mentioned?   I had on my list to follow up and I still can't find it.  Any word on its release?


I still don't think it is available
twitter.com/timmedin | http://blog.securitywhole.com
Previous

Return to Special Events

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software