Penetration Testing mailing list archives
RE: I want the PT list back....
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Thu, 13 Dec 2007 22:14:42 -0600
See comments below... -rad ----- Original Message ----- From: Erin Carroll [mailto:amoeba () amoebazone com] To: 'Joseph McCray' [mailto:joe () learnsecurityonline com], 'pen-test' [mailto:pen-test () securityfocus com] Subject: RE: I want the PT list back....
Thank you for this post Joseph. It's posts like this discussing the more esoteric and non-technical aspects of pen-testing as a community of professionals where I get the most bang for my buck. Tools releases and various techniques are always useful and illuminating and in the almost 3 years since taking over moderation of the list from Al Huger I've lost count of the number of posts asking "What tool does X" questions. And you're right, it does take some restraint to not only refrain from the inevitable "just google it" but to also allow posts from members along the same vein go through.
(clapping hands) Here, here. But, we shouldn't discount Google as a valuable tool and asset, either. ;)
I'm somewhat on the other end of things as the moderator for the list. I try to be as hands-off in discussions as possible and let members contribute rather than answer questions myself. It's too easy to cheat and write up a nice thorough reply to a submission while I'm processing posts and steal all the thunder... though it'd let me look all-knowing :)
Is this where the 'Happy-Fun Ball' comes into play? 8)))
Jerry Shenk also brought up a good point regarding not knowing a particular area of security very well and being hesitant to ask for fear of flames.
Y'know....I've always had the attitude as a student, as a teachers aide, and as the teacher himself, which is: "the only stupid question is the question never asked". The problem with that is that this statement was made pre-Internet, pre-Google. Nowadays, *everybody* has access to *everything*, everywhere, anytime. Outside of giving the starting "duh" statement, how should we treat novices (er..."newbies") who don't know how to look for the answer? Then again....*DUH*, right? Still...be nice to 'em, guys. No "FRESH MEAT" signs, OK?
I've been in the IT sector and security in particular for a long time and I still run into areas where I need assistance or don't have enough depth. A recent case in point: I was looking for a enterprise multi-user password & authentication solution (Password Safe and similar too limited/more single-user oriented) and my google-fu was pulling up a lot of fluff.
Google-Fu??? So...you'd be Master Phong??? ;)
Aside from Cyber-Ark's solution I was wandering in the dark for other options to explore. Luckily I was able to ping some contacts and was turned on to a wealth of other tools. For some list members, a lot of the questions & discussions I let through are basic or prompt responses of "maybe someone else who knows wtf to do should be doing it". However, even some of the "dumb" questions can uncover something new and interesting.
To be honest with you (and everyone else on this list), the *BEST* "resource" are yer friends, pals, bud, bros (whatever 'ya wanna call 'em)...they represent the "hidden knowledge" that Google doesn't have. Essentially, they have the *experiences* that Google can't replace. ;) BTW, I am NOT bashing "Google". Just that personal networking has a much better strength than a machine -- any day, any time.
When I have some more time, I'll follow up with some of the challenges & areas I'm running into. -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph McCray Sent: Monday, December 10, 2007 9:51 PM To: pen-test Subject: I want the PT list back.... Guys, I've been on this list for years. And for the last few years I've done a healthy amount of quiet complaining about the questions and the posts on this list. So I'm gonna go out on a limb here.... 1. For the record this is not me trying to post for glory and fame or to try and show how smart I think I am. This list is full of people that have forgotten more about pentesting than I could ever hope to learn. 2. This is not me saying the skill level of the members is declining, or anything negative about the list members, or new pentesters on this list for that matter. We were all where new to pentesting, or new here once. I remember several years ago when I wished I had skill to understand some of the questions people asked on this list. I remember when people on this list would ask questions about situations they were facing while on a assessment. The person asking the question would list all of the references he'd already read, what he'd already tried and the error message he'd received. And amazingly - people would actually help.... Are people afraid to post that kind of stuff anymore or what? Have our NDAs pushed us to just talking with our buddies in SILC servers, or just posting stuff in blogs? There are a ton of really smart people on this list. I see occasional replies from some big names in the industry - really smart cats. I'm doing 3 pentests a month now, and when I'm not working I live on security blogs, and silc servers with my buddies - I don't really follow the security lists and closely as I used to because it just doesn't seem like people are sharing as much information as they used to on here. I don't know if anyone else is feeling this way about this list, if you disagree with me say so.... Guys here is what I'm dealing with out there - what about you? * NAC Solutions (tricky, but not as tough as Host-based IPS - MAC/IP spoofing still gets by of the stuff I've run into) * Host-Based IPS Solutions (really tough to beat - at least for me) * Wireless IPS Solutions (a joke) * 802.1x - I haven't seen it on an assessment yet. I'm having to hit web app, and client-side stuff to get into the networks from the outside. Port scanning and VA tools are damn near useless from external. For me web app, to back end server, to the LAN is so rare it might as well be non-existent. Web app to DB - yeah...but not to internal LAN for me very much. Spear phishing with or without client-side exploits is it for me for external to internal. <-- How about you guys? Internal networks are still a mess, riddled with old vulnerabilities - even when the customer has patch management solutions. I can't be as noisy trying to find them like the good old days - but they are still there - the bigger the company the more legacy crap they have. Rarely I find a Linux box on the client's network that I can use to set up shop these days so I've had to develop a collection of command-line windows tools. Anybody else in this boat? If so what's in your toolkit? I started with meta.cab from Phoenix 2600 and have been customizing it. For wireless I pretty much just use Kisment/Aircrack-NG, but I'm really interested in wicrawl. Anyone using it on pentests yet? Inguma looks interesting, I run into Oracle on tests a lot. Is anyone using it - if so what do you think? Some attacks that look really interesting - but I don't know of anyone doing them in assessments? Can someone shed some light? * DNS-Rebinding * Oracle Cursor Snarfing * Remotely fingerprint OS Language packs * Remote SQL/PHP Shell Injection I look forward to hearing from you guys....let me know what you are running into. j0e -- Joe McCray Toll Free: 1-866-892-2132 Email: joe () learnsecurityonline com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access "The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- I want the PT list back.... Joseph McCray (Dec 12)
- Re: I want the PT list back.... Pete Herzog (Dec 13)
- Re: I want the PT list back.... Peter Wood (Dec 13)
- Re: I want the PT list back.... Didi (Dec 17)
- RE: I want the PT list back.... Shenk, Jerry A (Dec 13)
- RE: I want the PT list back.... Ken . Carty (Dec 13)
- Re: I want the PT list back.... Petr . Kazil (Dec 13)
- RE: I want the PT list back.... Erin Carroll (Dec 13)
- Re: I want the PT list back.... Andre Gironda (Dec 17)
- <Possible follow-ups>
- Re: I want the PT list back.... krymson (Dec 13)
- RE: I want the PT list back.... Bob Radvanovsky (Dec 14)