Penetration Testing mailing list archives
I want the PT list back....
From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 11 Dec 2007 00:51:22 -0500
Guys, I've been on this list for years. And for the last few years I've done a healthy amount of quiet complaining about the questions and the posts on this list. So I'm gonna go out on a limb here....

1. For the record this is not me trying to post for glory and fame or to try and show how smart I think I am. This list is full of people that have forgotten more about pentesting than I could ever hope to learn.

2. This is not me saying the skill level of the members is declining, or anything negative about the list members, or new pentesters on this list for that matter. We were all new to pentesting, or new here, once.

I remember several years ago when I wished I had the skill to understand some of the questions people asked on this list. I remember when people on this list would ask questions about situations they were facing while on an assessment. The person asking the question would list all of the references he'd already read, what he'd already tried and the error message he'd received. And amazingly - people would actually help....

Are people afraid to post that kind of stuff anymore or what? Have our NDAs pushed us to just talking with our buddies in SILC servers, or just posting stuff in blogs?

There are a ton of really smart people on this list. I see occasional replies from some big names in the industry - really smart cats. I'm doing 3 pentests a month now, and when I'm not working I live on security blogs and SILC servers with my buddies - I don't really follow the security lists as closely as I used to because it just doesn't seem like people are sharing as much information as they used to on here. I don't know if anyone else is feeling this way about this list; if you disagree with me, say so....

Guys, here is what I'm dealing with out there - what about you?

* NAC Solutions (tricky, but not as tough as Host-based IPS - MAC/IP spoofing still gets by the stuff I've run into)
* Host-Based IPS Solutions (really tough to beat - at least for me)
* Wireless IPS Solutions (a joke)
* 802.1x - I haven't seen it on an assessment yet.

I'm having to hit web app and client-side stuff to get into the networks from the outside. Port scanning and VA tools are damn near useless from external. For me, web app, to back end server, to the LAN is so rare it might as well be non-existent. Web app to DB - yeah...but not to internal LAN for me very much. Spear phishing with or without client-side exploits is it for me for external to internal. <-- How about you guys?

Internal networks are still a mess, riddled with old vulnerabilities - even when the customer has patch management solutions. I can't be as noisy trying to find them like in the good old days - but they are still there - the bigger the company, the more legacy crap they have.

Rarely do I find a Linux box on the client's network that I can use to set up shop these days, so I've had to develop a collection of command-line Windows tools. Anybody else in this boat? If so, what's in your toolkit? I started with meta.cab from Phoenix 2600 and have been customizing it.

For wireless I pretty much just use Kismet/Aircrack-NG, but I'm really interested in wicrawl. Anyone using it on pentests yet?

Inguma looks interesting; I run into Oracle on tests a lot. Is anyone using it - if so, what do you think?

Some attacks that look really interesting - but I don't know of anyone doing them in assessments. Can someone shed some light?

* DNS-Rebinding
* Oracle Cursor Snarfing
* Remotely fingerprint OS Language packs
* Remote SQL/PHP Shell Injection

I look forward to hearing from you guys....let me know what you are running into.

j0e

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.

* Security Games
* Simulators
* Challenge Servers
* Courses
* Hacking Competitions
* Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar