RE: I want the PT list back....

See comments below...


----- Original Message -----
From: Erin Carroll [mailto:amoeba@xxxxxxxxxxxxxx]
To: 'Joseph McCray' [mailto:joe@xxxxxxxxxxxxxxxxxxxxxxx], 'pen-test' [mailto:pen-test@xxxxxxxxxxxxxxxxx]
Subject: RE: I want the PT list back....

Thank you for this post Joseph. It's posts like this discussing the more
esoteric and non-technical aspects of pen-testing as a community of
professionals where I get the most bang for my buck. Tools releases and
various techniques are always useful and illuminating and in the almost 3
years since taking over moderation of the list from Al Huger I've lost count
of the number of posts asking "What tool does X" questions. And you're
right, it does take some restraint to not only refrain from the inevitable
"just google it" but to also allow posts from members along the same vein go

(clapping hands) Hear, hear. But, we shouldn't discount Google as a valuable tool and asset, either. ;)

I'm somewhat on the other end of things as the moderator for the list. I try
to be as hands-off in discussions as possible and let members contribute
rather than answer questions myself. It's too easy to cheat and write up a
nice thorough reply to a submission while I'm processing posts and steal all
the thunder... though it'd let me look all-knowing :)

Is this where the 'Happy-Fun Ball' comes into play? 8)))

Jerry Shenk also brought up a good point regarding not knowing a particular
area of security very well and being hesitant to ask for fear of flames.

Y'know....I've always had the attitude as a student, as a teacher's aide, and as the teacher himself, which is: "the only stupid question is the question never asked". The problem with that is that this statement was made pre-Internet, pre-Google. Nowadays, *everybody* has access to *everything*, everywhere, anytime. Outside of giving the starting "duh" statement, how should we treat novices (er..."newbies") who don't know how to look for the answer? Then again....*DUH*, right? Be nice to 'em, guys. No "FRESH MEAT" signs, OK?

I've been in the IT sector and security in particular for a long time and I
still run into areas where I need assistance or don't have enough depth. A
recent case in point: I was looking for an enterprise multi-user password &
authentication solution (Password Safe and similar too limited/more
single-user oriented) and my google-fu was pulling up a lot of fluff.

Google-Fu???'d be Master Phong??? ;)

Aside from Cyber-Ark's solution I was wandering in the dark for other options
to explore. Luckily I was able to ping some contacts and was turned on to a
wealth of other tools. For some list members, a lot of the questions &
discussions I let through are basic or prompt responses of "maybe someone
else who knows wtf to do should be doing it". However, even some of the
"dumb" questions can uncover something new and interesting.

To be honest with you (and everyone else on this list), the *BEST* "resource" are yer friends, pals, bud, bros (whatever 'ya wanna call 'em)...they represent the "hidden knowledge" that Google doesn't have. Essentially, they have the *experiences* that Google can't replace. ;)
BTW, I am NOT bashing "Google". Just that personal networking has a much better strength than a machine -- any day, any time.

When I have some more time, I'll follow up with some of the challenges &
areas I'm running into.

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Joseph McCray
Sent: Monday, December 10, 2007 9:51 PM
To: pen-test
Subject: I want the PT list back....

Guys, I've been on this list for years. And for the last few
years I've done a healthy amount of quiet complaining about
the questions and the posts on this list.

So I'm gonna go out on a limb here....

1. For the record this is not me trying to post for glory and
fame or to try and show how smart I think I am. This list is
full of people that have forgotten more about pentesting than
I could ever hope to learn.

2. This is not me saying the skill level of the members is
declining, or anything negative about the list members, or
new pentesters on this list for that matter. We were all
new to pentesting, or new here once.

I remember several years ago when I wished I had skill to
understand some of the questions people asked on this list. I
remember when people on this list would ask questions about
situations they were facing while on an assessment. The person
asking the question would list all of the references he'd
already read, what he'd already tried and the error message
he'd received. And amazingly - people would actually help....

Are people afraid to post that kind of stuff anymore or what?
Have our NDAs pushed us to just talking with our buddies in
SILC servers, or just posting stuff in blogs?

There are a ton of really smart people on this list. I see
occasional replies from some big names in the industry -
really smart cats.

I'm doing 3 pentests a month now, and when I'm not working I
live on security blogs, and silc servers with my buddies - I
don't really follow the security lists as closely as I used
to because it just doesn't seem like people are sharing as
much information as they used to on here.

I don't know if anyone else is feeling this way about this
list, if you disagree with me say so....

Guys here is what I'm dealing with out there - what about you?

* NAC Solutions (tricky, but not as tough as Host-based IPS -
MAC/IP spoofing still gets by of the stuff I've run into)

* Host-Based IPS Solutions (really tough to beat - at least for me)

* Wireless IPS Solutions (a joke)

* 802.1x - I haven't seen it on an assessment yet.

I'm having to hit web app, and client-side stuff to get into
the networks from the outside. Port scanning and VA tools are
damn near useless from external.

For me web app, to back end server, to the LAN is so rare it
might as well be non-existent. Web app to DB - yeah...but not
to internal LAN for me very much.

Spear phishing with or without client-side exploits is it for
me for external to internal. <-- How about you guys?

Internal networks are still a mess, riddled with old
vulnerabilities - even when the customer has patch management
solutions. I can't be as noisy trying to find them like the
good old days - but they are still there - the bigger the
company the more legacy crap they have.

Rarely I find a Linux box on the client's network that I can
use to set up shop these days so I've had to develop a
collection of command-line windows tools. Anybody else in
this boat? If so what's in your toolkit?
I started with from Phoenix 2600 and have been
customizing it.

For wireless I pretty much just use Kismet/Aircrack-NG, but
I'm really interested in wicrawl. Anyone using it on pentests yet?

Inguma looks interesting, I run into Oracle on tests a lot.
Is anyone using it - if so what do you think?

Some attacks that look really interesting - but I don't know
of anyone doing them in assessments? Can someone shed some light?

* DNS-Rebinding
* Oracle Cursor Snarfing
* Remotely fingerprint OS Language packs
* Remote SQL/PHP Shell Injection

I look forward to hearing from you guys....let me know what
you are running into.


Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx

Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them
is NOT training your employees and keeping them."

- Zig Ziglar

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
