Ask a Pentester - Recent questions

metasploit remote computer and network portforwarding

Sat, 19 May 2012 07:38:12 +0000

I am using metasploit and I tried to use hail mary with armitage to expose a remote computer on a different network than the one I am using with metasploit. I downgraded to metasploit 3.7 and tried the same thing with db_autopwn. It still did work. I was not getting any meterpreter sessions, however there where several exploits I could use. My question is do I need to portforward to exploit a remote computer with meterpreter or any other metasploit exploits. Also how do I do this. I know how to portforward.

Must sulley be run on a windows system?

Sat, 14 Apr 2012 15:39:40 +0000

Hi,

so far I have only seen configurations with windows fuzzing-host and windows guest.

Has anyone here had success with a linux fuzzing-host and windows fuzzing-target?

where to find Microsoft HTTPAPI httpd 2.0 exploits

Wed, 04 Apr 2012 10:33:42 +0000

im using metasploit and i need to know what are the exploits related to HTTPAPI httpd 2.0 exploits

What are some methods you can do to exploit a computer behind a router?

Mon, 02 Apr 2012 18:42:45 +0000

I have always practiced remotely exploiting computer over the lan but I have never reallly tried exploiting computers over the internet. What methods could you use to remotely exploit a computer over the internet and have the session connect back to you over the internet. Also is it even possible to attack from outside the router without pivoting from the inside?

Hi. We are looking or pentesters to writte to Pen Test Magazine. April issue.For more info. please contac: renata.polish@yahoo.com

Thu, 29 Mar 2012 08:42:38 +0000

I am editor of Pen Test Magazine. We are looking for specialists who are able to write articles for InfoSec Institiute on a behalf of Pen Test Magazine. Mentioned article must be written on advanced technical level as well as attractive and must give practical tips for readers. Note that the article should consist of at least 2000 words.
Apart from the material profit [the publisher pays 40 USD net (50 USD gross)], you are going to benefit from possibility to put your eg. business advertisement on world wild known Pen Test Magazine site. Moreover when cooperating with the Magazine you have privilege to title yourself “researcher at InfoSec institute”. Further, no doubt that gained experience is going to pay in your future careers.
Summarizing it is worth to write to the Pen Test Magazine, so do not hesitate to contact me directly for more details.

How do you determine which exploit to use in metasploit?

Thu, 15 Mar 2012 16:33:57 +0000

I am about to go to college for computer/systems security and I have been studying computer security for a while now and I know a lot about the metasploit framework and how to use the different modules. Although I know how to utilize these tools and do a remote exploitation on programs I already know are vulnerable, like icecast, how do you determine which remote exploit to use in metasploit? Do you need to code one yourself for most computers? Also can you exploit programs not on a tcp/udp port remotely?

p.s. I know how to use nmap and the standard scans like nmap -sSV -A -O x.x.x.x and the rest, so you dont have to explain how they work

OSCP - omg can i pay this myself ?

Tue, 13 Mar 2012 10:52:06 +0000

I am addicted to IT, i work with computers all my life, in my last job i did technical support for a software company, plus administration of windows based domain. Currently I work as full-time admin.

I have MSCE 2k, MCSA 2k3 and LPIC-1 certificate. My linux distrib at home is Ubuntu and BackTrack and i want to get serious training and certification as a pentester.

The online training+30 Days labs access+ certificate is a little bit to short i think. What is your optinion ? Is there a way to get more training ? Any online/offline courses, books you would suggest ?

I have to pay the 750$ by myself, so i better not fail on these tests/trainings.

How to know which CVEs affect my application?

Wed, 25 Jan 2012 13:42:26 +0000

Let's say I have an old version "V" of an application X.

I would like to know if there's a *simple* way to know all CVEs that affect that application, that is, all CVEs concerning version >= V for the given application.

Thanks in advance! :)

Do you have any classes online you could recommend? Also, is there any certain degree in college I should get if I want to be a pentester?

Thu, 10 Nov 2011 00:22:50 +0000

I'm sorry if this has been asked before but I am a high school student(sophomore) and am interested in becoming a pentester or something of the like. I live in a small rural town so there's not much of anything for computer courses here.

Entry level to Pen tester help

Fri, 21 Oct 2011 09:47:14 +0000

Which path to take , im very interested in security (the pentesting part) , never had a job thats IT related , but i do have some broad knowledge . im about to finish my comptia a+ course and i was planning to take netwok+ --> security+ --> CCNA --> CEH , but since i heard that CEH is pretty much all theory and useless i changed my plan to netwok+ --> security+ --> CCNA --> OSCP and maybe more advanced well see how it goes from there . Since im just an entry level student i was wondering if someone can give me gudience or help in which courses to take , since money is kinda an issue here , i mean does network+ and security+ worth it? , should i just skip to CCNA-->OSCP and take something networking related. i have some knowledge in linux,networking,wireless and some security (after playing around with backtrack). althought not advanced just basic. and btw im a long way from uni so time is something that i have on my side. thx for all the help

LFI exploration files

Thu, 20 Oct 2011 11:57:47 +0000

Hi,
i'm studding LFI issue due to a pratical test for a job.
So i'm trying to find key files to inject my commands.
Until now, i can enumerate this:

Files to inject:
- default webserver logs
- default daemons logs if world readable
- environ file at /proc

Files to get helpfull information
- locatedb file (no slocate, no mlocate) to get vhost and more logs
- some proc files

Some one could help me about more key files ? Injectable or not, maybe tricks to get vhost infos (without httpd.conf and localedb, course).

thanks friends.

Could you recommend a ressource for images which have weak spots to learn more about Pentesting?

Tue, 06 Sep 2011 18:48:15 +0000

I am looking for prepared OSes (Linux, Windows, maybe Macintosh) which contains security holes to train my skills in pentesting. My plan is to start a VirtualBox instance, use the common tools (e.g. Nmap, Metasploit, Wireshark) and finally find out, which programs or components contain security holes or maladjusted services. Could you recommend a site which provides such preconfigured images?

What lab setup do you recommend real machines or virtual ones?

Sun, 04 Sep 2011 10:08:15 +0000

Hi,

I want to teach myself some skills the legal way by working in my own lab.

However I am not sure what to use. Can you give me some first hand accounts

about your lab environments?

Does Scapy support the LDAP protocol?

Thu, 07 Jul 2011 14:42:30 +0000

I'm new to Scapy and I can't find support for the LDAP protocol on it. Does anybody know if it's supported?

Maybe I need to install another package?

Thanks in advance!

Do pentest tools slow down internet

Thu, 07 Jul 2011 13:12:58 +0000

I use alot of tools such as nessus, nexpose, nmap, metasploit, sqlmap which all use internet. and my internet is weird. my phone runs of it my sky channels run off it so my dad isn't happy when its slow. he sais that when I use these tools it is screwing up the internet? am I the only person that has this problem?

what can we do with Local file download/ File download vuln. Windows ?

Sat, 02 Jul 2011 08:17:41 +0000

hi i want to know what are the security files which are imp. which lead it to hack the Server and get acess to CMD its on Server=Apache-Coyote/1.1

and i am able to download all files but not admin locked files so can anybody help me ?

Vulnerable Ports?

Sun, 26 Jun 2011 22:09:06 +0000

Im reently getting into nmap and such. and i want to know can ports be hacked? or attacked? anyone have some articles for me to see about it? and if so anything wrong or vulnerable about these ones:

21/tcp    open     ftp
25/tcp    open     smtp
53/tcp    open     domain
80/tcp    open     http
110/tcp   open     pop3
111/tcp   open     rpcbind
143/tcp   open     imap
443/tcp   open     https
587/tcp   open     submission
993/tcp   open     imaps
995/tcp   open     pop3s
2222/tcp open     unknown
3011/tcp open     unknown
3306/tcp open     mysql
8888/tcp open     sun-answerbook
12000/tcp open     cce4x

What to learn first?

Sun, 26 Jun 2011 21:44:27 +0000

first off im new so this may already have been answered before.

Whats the best programming language to learn? I want to be a pentester with stuff like servers, web apps, websites and to code exploits.

So what languages should i learn? and in what order?

Can any one help me to how to exploit windows 7?

Tue, 21 Jun 2011 05:39:46 +0000

hi cany any body help me how to exploit windows 7 ? i have tried it for last 3 months but no luck, i am new bee to metasploit pls help

thanx in advance!!

Can u suggest good exploit for Windows 7, like "ms08_067_netapi " in xp?

Fri, 10 Jun 2011 08:51:48 +0000

hi, i am working on finding a good exploit for windows 7. i am new bee to metasploit but succeded to hack windows xp with "windows/smb/ms08_067_netapi"

now trying to do same in windows 7 in LAN.. pls help me on this..

thanx in advance!!

What if you pentest someone who unkowingly to you lies that they have authority?

Sun, 22 May 2011 23:34:17 +0000

Client A signs a contract stating that he owns or is authorized to represent the owner of a Network. He asks a penetration testing company to crack it. After they crack it, recover the pass, tell him how to make it more secure; they find out it's not actually his network and now he has the password. Who is liable?

The contract they signed, says , among other things:

The client does hereby retain the provider for the purpose of providing Penetration Testing services on the client’s computers and/or Networks.

The client has provided the provider with certain required information regarding the scope and range of the tests and the client hereby warrants that all information provided is true and accurate and that the client owns or is authorized to represent the owners of the computers systems and networks described in Form A. The client further warrants and represents that he/she is authorized to enter into binding legal agreements.

Defensive Programming--Second Steps?

Sat, 30 Apr 2011 17:59:02 +0000

My company is paying for me to get the GSSP-J certification as it aligns with where I see myself going in the long run. (Just started my master's in CS.)

I'm already aware of OWASP top 10, and SANS top-25, and I wanted to know after I learn mitigation techniques for those, would it be advisable to seek training in pentesting in order to deepen offensive knowledge, or should I look down a different path??

The implicit argument is of course, that I will learn better defense by learning better offense.

There is little chance I will be able to find work in the Red Team at work, but at least the company I'm in recognizes the value I'll have by learning defensive programming. The core of my long-term plans is this: I don't want to be a PenTester. I want to be a developer. Any advice on straddling that line would also be appreciated.

Identify HTTP or SSL running on non-standard ports

Tue, 05 Apr 2011 21:17:35 +0000

Let's say I'm scanning both IPv4 (4 /8 e.g. all of RFC1918, plus 1 more) and IPv6 (a few /48) networks.

How do I come up with a list of HTTP and SSL ports that I can connect to when they are running on non-standard ports quickly and easily?

What if I also want to grab their banners? What if I wanted to partially customize the URI, HTTP methods, or HTTP headers? What if I wanted to send a follow-up request depending on the HTTP response from the first request?

What is the most optimized way to do this?

Wget download ONLY PHP file

Mon, 07 Mar 2011 14:41:10 +0000

Hi everyone,

this is a lame-ass question but I couldn't find an answer easily just googling around.

I want to download a .PHP file from a webserver but the original file, not the file once interpreted by the web browser.

What happens when I just do

wget http://the.webserver.com/file.php

is that the server processes the PHP code and I end up with the result instead of the original code.

Is there even a way to do this?

Thanks in advance!

Greg

THE question: CEH or OSCP?

Sat, 19 Feb 2011 09:34:22 +0000

Hi guys,

I want to make a career in offensive security/pentesting (name it as you want). I know that apart from real experience it's important to be certified, but I can't make up my mind between those two (CEH or OSCP).

Any suggestions?

Thanks in advance!

What methodology you use in a pentest?

Wed, 16 Feb 2011 18:56:52 +0000

I mean, do you follow some standard (like OSSTMM, to mention one) or do you just do like me in the hospital, that is, whathever the fuck I want? ;)

Thanks in advance!

Greg

SVN update via a web proxy?

Wed, 09 Feb 2011 09:57:54 +0000

Hello.

When on site pen testing you often have to use a web proxy to get internet access.

If you have forgotten to 'sharpen your tools' before arriving on site is there a way to 'svn update' using a web proxy?

I have tried edditing the '/Users/username/.subversion/servers' file however this didn't seem to do anything.

Thanks,

Ryan

hey guys....is their any documentation on XSSF for metasploit?

Thu, 20 Jan 2011 15:54:25 +0000

SAP security research, first steps?

Tue, 18 Jan 2011 08:17:46 +0000

Hi everyone,

I would like to start learning and experimenting with SAP security because... well, because one can do a lot of money in the field, I've heard ;)

Unfortunately I find it quite difficult to get either SAP software or documentation.

Could anyone please give me some advice?

I would appreciate it very much!

Rey Misterio

Which guide would you recommend to understand Backtrack

Fri, 14 Jan 2011 10:56:31 +0000

Should i take a general guide about linux and specific ones for the different applications

or a general guide about backtrack ?

Club Mate or Jolt Cola for Pen Testing?

Fri, 14 Jan 2011 06:23:09 +0000

Tool / Method for unknown network binary protocol analysis?

Thu, 13 Jan 2011 10:53:14 +0000

Hi everyone,

I want to perform some analysis on a propietary network protocol in order to identify *some* structure. The purpose behind this is to fuzz the packets and... well you know, pwn it ;)

Is there any tool /script which I could feed with different packet captures and identify constant fields, etc. ?

Or do I need to put this coding fingers to work?

Thanks in advance!

Best (and updated) fuzzing tools?

Fri, 07 Jan 2011 07:45:28 +0000

Hi everyone,

what are the best file format fuzzing tools out there?

I've checked for example FileFuzz but it's bit simple and outdated.

What do you use?

Thanks in advance!

Rey Misterio

Could anybody explain me how does a "bit flipping" attack work?

Wed, 05 Jan 2011 12:29:11 +0000

Hi,

I'm auditing a custom web application for a customer, concretely the crypto part of it. I've managed to get some encrypted data in transit from a client browser to the webserver. Since I know the format of the cleartext (it's documented) a colleague suggested that we could try a "bit flipping" attack.

I've read about it online but I don't quite grasp it.

Could anybody please explain it to me (with as little algebra as possible? ;))

Thanks in advance!

Rey Misterio

has anyone ever done some sort of "Active Directory" forensics?

Mon, 13 Dec 2010 18:17:00 +0000

Does it make sense to think about Active Directory forensics? For example if i change a password,will there be a timestamp?

About "NOP" slides in JS Heap Overflows

Sun, 12 Dec 2010 13:55:06 +0000

I don't understand how 0x0c0c can be used as a "NOP" slide in Javascript's Heap Overflows. Can anybody please explain it to me?

Thanks in advance! :)

How can I protect myself against Firesheep?

Thu, 25 Nov 2010 12:02:26 +0000

I have read about Firesheep and it scared the hell out of me ;)

Is there anything I can do to protect myself?

Thanks!

What is the best book for learning Malware RE?

Mon, 15 Nov 2010 12:24:17 +0000

I mean, is there something like "The Shellcoder's Handbook", that is, a bible of...?

Can I scan for vulnerabilities with nmap?

Sat, 13 Nov 2010 12:43:11 +0000

Is there any integrated support for automatic vulnerability finding?

Thanks!