cd1zz

Forum Replies Created

Viewing 15 posts - 16 through 30 (of 538 total)
  • #52496
     cd1zz 
    Participant

    I assume right click on the taskbar is dead too? Any right clickage?

  • #52487
     cd1zz 
    Participant

    Wireshark would do the trick. You just have to know what you’re looking for 🙂

  • #52494
     cd1zz 
    Participant

    Can you use removable media, or is there a CD-ROM, either virtual or physical? If so, just drop a shell and try to escalate from there. Are there any other apps the regular user can access at all? Like in the system tray? Sometimes AV will still be accessible, and within the AV you can escape the restricted desktop via the same methods… help menu, etc.

  • #52376
     cd1zz 
    Participant

    I hate Acunetix, I use Burp Pro for everything now.

  • #52417
     cd1zz 
    Participant

    I’ve been using Microsoft Expression (Free version)

  • #52328
     cd1zz 
    Participant

    It’s a pretty big field; what are you interested in? Just to name a few options…

    Pentesting, forensics, incident response/handling, security operations, security audit, research…

  • #52284
     cd1zz 
    Participant

    I changed careers from network admin to pentesting at 30. I managed to do so without taking a pay cut. It’s possible; you just have to be strategic about it. Like ajohnson said, the next logical step in my eyes is for you to become a web app ninja. You’ll have to convince a potential employer that you actually know what you’re talking about. You might want to start blogging, or publishing useful code to the community… whatever it is, just start showing that dream company that you’re a ninja. Where are you located?

  • #52260
     cd1zz 
    Participant

    That’s a cool idea, and I think that would work well with what I usually recommend, which is to implement GPO-based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

    I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

    I was recently at a client that implemented something really cool called CyberArk. Ever heard of it? It changes the local admin passwords to crazy random passwords every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!
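    The GPO-based firewall setup described in the reply above (inbound 445 allowed only from a jump box or a small subnet), as an added example that is not cd1zz’s own code. It uses the Windows NetSecurity cmdlets; the domain\GPO name and the jump-host addresses are constructed placeholders, and the GPO is assumed to already exist.

    ```powershell
    # Added example, not from the original post. Assumes the NetSecurity module
    # (Windows 8 / Server 2012 and later) and an existing GPO. The store name and
    # the jump-host addresses are placeholders, not values from the page.
    $Store     = 'corp.example\SMB-Inbound-Restrict'   # placeholder 'domain\GPO name'
    $JumpHosts = @('10.0.50.10', '10.0.50.0/28')       # constructed jump box + small subnet

    # 1. Domain profile: default-deny inbound and ignore locally defined rules, so
    #    the built-in "File and Printer Sharing (SMB-In)" allow rule on each host no
    #    longer opens 445 to the whole network. Note this drops ALL local rules, so
    #    anything else a host needs must also live in the GPO.
    Set-NetFirewallProfile -Profile Domain -Enabled True `
        -DefaultInboundAction Block -AllowLocalFirewallRules False `
        -PolicyStore $Store

    # 2. The only inbound 445 allow rule in the GPO is scoped to the jump hosts.
    New-NetFirewallRule -DisplayName 'SMB-In: jump hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $JumpHosts -Action Allow -Profile Domain `
        -PolicyStore $Store

    # 3. Check: list every enabled inbound allow rule in the GPO that opens TCP/445
    #    (or all ports) with a remote scope of 'Any'. Empty output means no rule in
    #    the policy re-exposes SMB to the whole network.
    function Get-UnscopedSmbAllowRule {
        param([string]$PolicyStore)
        Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound `
                            -Action Allow -Enabled True |
          Where-Object {
              $pf = $_ | Get-NetFirewallPortFilter
              $pf.Protocol -eq 'TCP' -and
              ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
          } |
          Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
          Select-Object -ExpandProperty DisplayName
    }

    Get-UnscopedSmbAllowRule -PolicyStore $Store
    ```

    Drop the -PolicyStore arguments to apply the same settings to a single machine’s persistent store instead of a GPO.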

  • #52258
     cd1zz 
    Participant

    Weak passwords have already been mentioned… I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. VMware, VNC, SMB, Telnet, SSH… everything… In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I’m on offense.

  • #52254
     cd1zz 
    Participant

    What AJ said but in addition:

    – Synced local admin passwords
    – Lots of LM hashing in use
    – Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

  • #52205
     cd1zz 
    Participant

    Good to know I’m not totally crazy.

  • #52202
     cd1zz 
    Participant

    I had no idea there was a difference! Thanks for the clarification. I always assumed it was the same concept as egress filtering, which is apparently different!

  • #52198
     cd1zz 
    Participant

    It will stop attacks on ports/services that are not allowed. However, it cannot stop attacks on ports/services that are allowed. For example, you would hopefully deny inbound tcp/445 but might allow tcp/80 in for web services. We can still attack the web server and the web application, which is allowed by the ingress filtering.

  • #52174
     cd1zz 
    Participant

    You’ll see overlap because there is a methodology to pen testing. Techniques, however, are different between vendors. Depending on who you ask, you’ll get different answers on which pen test certs are “worth it.” One could argue that taking ALL of them would fill in the gaps the other vendors might have. Obviously, unless you have an unlimited training budget, that’s not likely realistic, so you need to prioritize what you want.

    As you’ve noticed, there are several “beginner” pen test certs and far fewer “advanced” ones. GXPN claims to be advanced, and it certainly is more advanced than some of them, but in my opinion it’s lacking in some areas, for example.

    A point of clarification:

    What percentage of knowledge overlap would there be between OSCP and OSCE? Would someone who has completed OSCP & OSCE get value out of obtaining GPEN?

    OSCE and OSCP are very different certs. OSCP is pentest focused; OSCE is exploit development focused (mostly).

    I personally started with OSCP and then went back and looked at the GPEN material. I decided that I wanted to spend that 5K somewhere else.

    However, at my company we like to push people into GPEN first, then push them to OSCP. They seem to work well together.

    Keep in mind, a lot of this stuff is teaching you methodology and “how to think”; the rest is really just sharpening your own techniques and skills. Regardless of all the education you get, the best way to get really good at this is to get real-world experience in real environments.

  • #52151
     cd1zz 
    Participant

    Well, spread the word!


Copyright ©2019 Caendra, Inc.
