Penetration Tester Quotes

be creative, adapt quickly, and rely on your wits instead of automated tools.

Johnny Long wrote a famous book called Google Hacking for Penetration Testers and really opened up many people’s eyes to the amazing amount of information that Google holds.

Courses from the SANS Institute that prepare you for the Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN) exam are a good starting point.

This concept can be applied to penetration testers as they need to determine how long it will take to complete a penetration test for a customer and present the report with the findings and security recommendations.

Engineers at Toyota joke that the only reason they put wheels on a vehicle is to keep the computer from scraping the ground.

Storm’s Fast-Flux and Conficker’s Domain-Flux In 2007, security researchers identified a new technique used by the infamous Storm botnet (Higgins, 2007). The technique, named fast-flux, used domain name service (DNS) records to hide the command and control servers that controlled the Storm botnet. DNS records typically translate a domain name to an IP address. When a DNS server returns a result, it also specifies the TTL that the IP address remains valid for before the host should check again. The attackers behind the Storm botnet changed the DNS records for the command-and-control server rather frequently. In fact, they used 2,000 redundant hosts spread amongst 384 providers in more than 50 countries (Lemos, 2007). The attackers swapped the IP addresses for the command-and-control server frequently and ensured the DNS results returned with a very short TTL. This fast-flux of IP addresses made it difficult for security researchers to identify the command-and-control servers for the botnet and even more difficult to take the servers offline. While fast-flux proved difficult in the takedown of the Storm botnet, a similar technique used the following year aided in the infection of seven million computers in over two hundred countries (Binde et al., 2011). Conficker, the most successful computer worm to date, spread by attacking a vulnerability in the Windows Service Message Block (SMB) protocol. Once infected, the vulnerable machines contacted a command-and-control server for further instructions. Identifying and preventing communication with the command-and-control server proved absolutely necessary for those involved with stopping the attack. However, Conficker generated different domain names every three hours, using the current date and time at UTC. For the third iteration of Conficker, this meant 50,000 domains were generated every three hours. Attackers registered only a handful of these domains to actual IP addresses for the command-and-control servers. This made intercepting and preventing traffic with the command-and-control server very difficult. Because the technique rotated domain names, researchers named it domain-flux. In the following section, we will write some Python scripts to detect fast-flux and domain-flux in the wild to identify attacks.

Next, it opens the dictionary and iterates through each word in the dictionary, creating an encrypted password hash from the dictionary word and the salt. If the result matches our encrypted password hash, the function prints a message indicating the found password and returns. Otherwise, it continues to test every word in the dictionary.

t = Thread( target = extractFile, args =( zFile, password)) t.start()

for x in range( 1,255): ... print “192.168.95.” + str( x)

With the ability to iterate through IP addresses and ports, we will update our vulnerability-checking script. Now our script will test all 254 IP addresses on the 192.168.95.0/ 24 subnet with the ports offering telnet, SSH, smtp, http, imap, and https services.

if len( sys.argv) = = 2: filename = sys.argv[ 1]

In order to allow a function to have complete control of the screen, we will use a semaphore. A simple semaphore provides us a lock to prevent other threads from proceeding.

In 1988, RSH provided an excellent (although not very secure) method for a system administrator to remotely connect to a machine and manage it by performing a series of terminal commands on the host. The Secure Shell (SSH) protocol has since replaced RSH by combining RSH with a public-key cryptographic scheme in order to secure the traffic.

With our program modularized into separate functions, we can now increase our performance. Instead of trying each word in the dictionary one at a time, we will utilize threads of execution

We will use the Metasploit framework in order to quickly create a malicious server and page hosted at http:// 10.10.10.112: 8080/ exploit.

Any vulnerable client that connects to our server at http:// 10.10.10.112: 8080/ exploit will now fall prey to our exploit. If it succeeds, it will create a reverse TCP shell and grant us access to the Windows command prompt on the infected client. From the command shell, we can now execute commands as the administrator of the infected victim.

In the wave of several high profile attacks, hackers have released password dumps onto the Internet. While the activities resulting in these password attempts are undoubtedly illegal, these passwords dumps have proven interesting research for security experts.

Pexpect has the ability to interact with programs, watch for expected outputs, and then respond based on expected outputs. This makes it an excellent tool of choice for automating the process of brute forcing SSH user credentials.

Found = False Fails = 0 def connect( host, user, password, release): global Found global Fails try: s = pxssh.pxssh()

Embedded in the Microsoft proprietary Rich Text Format (RTF), the file contained the first name of the BTK Killer and the physical location at which the user had last saved the file. This narrowed the investigation to a man named Denis at the local Wichita Christ Lutheran Church. Mr. Stone verified that a man named Denis Rader served as a church officer at the Lutheran Church (Regan, 2006). With this information, police requested a warrant for a DNA sample from the medical records of Denis Rader’s daughter (Shapiro, 2007). The DNA sample confirmed what Mr. Stone already knew—Denis Rader was the BTK Killer.

With the advent of wireless networking, the Windows Registry stores information related to the wireless connection. Understanding the location and meaning of these registry keys can provide us with geo-location information about where a laptop has been. From Windows Vista on, the Registry stores each of the networks in subkey under HKLM\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ NetworkList\ Signatures\ Unmanaged.

With the MAC address of a wireless access point, we can now also print out the physical location of the access point as well. Quite a few databases, both open-source and proprietary, contain enormous listings of wireless access points correlated to their physical locations.

As opposed to a database that maintains a client/ server relationship, SQLite stores the entire database as a single flat file on the host.

Finally, to determine the specific service running on the port, we will send garbage data and read the banner results sent back by the specific application.