RE: I want the PT list back....



Thank you for this post Joseph. It's posts like this discussing the more
esoteric and non-technical aspects of pen-testing as a community of
professionals where I get the most bang for my buck. Tools releases and
various techniques are always useful and illuminating and in the almost 3
years since taking over moderation of the list from Al Huger I've lost count
of the number of posts asking "What tool does X" questions. And you're
right, it does take some restraint to not only refrain from the inevitable
"just google it" but to also allow posts from members along the same vein go
through.

I'm somewhat on the other end of things as the moderator for the list. I try
to be as hands-off in discussions as possible and let members contribute
rather than answer questions myself. It's too easy to cheat and write up a
nice thorough reply to a submission while I'm processing posts and steal all
the thunder... though it'd let me look all-knowing :)

Jerry Shenk also brought up a good point regarding not knowing a particular
area of security very well and being hesitant to ask for fear of flames.
I've been in the IT sector and security in particular for a long time and I
still run into areas where I need assistance or don't have enough depth. A
recent case in point: I was looking for a enterprise multi-user password &
authentication solution (Password Safe and similar too limited/more
single-user oriented) and my google-fu was pulling up a lot of fluff. Aside
from Cyber-Ark's solution I was wandering in the dark for other options to
explore. Luckily I was able to ping some contacts and was turned on to a
wealth of other tools. For some list members, a lot of the questions &
discussions I let through are basic or prompt responses of "maybe someone
else who knows wtf to do should be doing it". However, even some of the
"dumb" questions can uncover something new and interesting.

When I have some more time, I'll follow up with some of the challenges &
areas I'm running into.


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Joseph McCray
Sent: Monday, December 10, 2007 9:51 PM
To: pen-test
Subject: I want the PT list back....

Guys, I've been on this list for years. And for the last few
years I've done a healthy amount of quiet complaining about
the questions and the posts on this list.

So I'm gonna go out on a limb here....

1. For the record this is not me trying to post for glory and
fame or to try and show how smart I think I am. This list is
full of people that have forgotten more about pentesting than
I could ever hope to learn.

2. This is not me saying the skill level of the members is
declining, or anything negative about the list members, or
new pentesters on this list for that matter. We were all
where new to pentesting, or new here once.

I remember several years ago when I wished I had skill to
understand some of the questions people asked on this list. I
remember when people on this list would ask questions about
situations they were facing while on a assessment. The person
asking the question would list all of the references he'd
already read, what he'd already tried and the error message
he'd received. And amazingly - people would actually help....


Are people afraid to post that kind of stuff anymore or what?
Have our NDAs pushed us to just talking with our buddies in
SILC servers, or just posting stuff in blogs?

There are a ton of really smart people on this list. I see
occasional replies from some big names in the industry -
really smart cats.

I'm doing 3 pentests a month now, and when I'm not working I
live on security blogs, and silc servers with my buddies - I
don't really follow the security lists and closely as I used
to because it just doesn't seem like people are sharing as
much information as they used to on here.

I don't know if anyone else is feeling this way about this
list, if you disagree with me say so....


Guys here is what I'm dealing with out there - what about you?

* NAC Solutions (tricky, but not as tough as Host-based IPS -
MAC/IP spoofing still gets by of the stuff I've run into)

* Host-Based IPS Solutions (really tough to beat - at least for me)

* Wireless IPS Solutions (a joke)

* 802.1x - I haven't seen it on an assessment yet.

I'm having to hit web app, and client-side stuff to get into
the networks from the outside. Port scanning and VA tools are
damn near useless from external.

For me web app, to back end server, to the LAN is so rare it
might as well be non-existent. Web app to DB - yeah...but not
to internal LAN for me very much.

Spear phishing with or without client-side exploits is it for
me for external to internal. <-- How about you guys?

Internal networks are still a mess, riddled with old
vulnerabilities - even when the customer has patch management
solutions. I can't be as noisy trying to find them like the
good old days - but they are still there - the bigger the
company the more legacy crap they have.

Rarely I find a Linux box on the client's network that I can
use to set up shop these days so I've had to develop a
collection of command-line windows tools. Anybody else in
this boat? If so what's in your toolkit?
I started with meta.cab from Phoenix 2600 and have been
customizing it.

For wireless I pretty much just use Kisment/Aircrack-NG, but
I'm really interested in wicrawl. Anyone using it on pentests yet?

Inguma looks interesting, I run into Oracle on tests a lot.
Is anyone using it - if so what do you think?

Some attacks that look really interesting - but I don't know
of anyone doing them in assessments? Can someone shed some light?

* DNS-Rebinding
* Oracle Cursor Snarfing
* Remotely fingerprint OS Language packs
* Remote SQL/PHP Shell Injection

I look forward to hearing from you guys....let me know what
you are running into.



j0e




--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx
Web: https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them
is NOT training your employees and keeping them."

- Zig Ziglar



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------