 Penetration Testing Mailing List
While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Latest Posts
Securing Citrix
Adrián Puente Z. (May 16)
Hi everyone!
I am looking for a good reference to secure a Citrix server to avoid a user to gain access to the operating system. So
far I have some ideas like restricting the execution of the cmd.exe and (maybe) explorer.exe from with a group policy
in the domain.
If you know about any document I can look at or have any experience about this that you want to share I will be very
thankful. Thanks in advance.
Regards,
---
Adrián Puente Z....
Re: Question of Likelihood
Pete Herzog (May 16)
Hi,
Have you looked into the OSSTMM ravs- attack surface classification
and metrics? It would help you categorize the order in the way you
want here- by what they do and not some guessed weighting or priority
system. Basically it would let you prioritize by 5 vulnerability
classifications and that way if something provides access in any way
it's classified as a higher priority than something that just gives an
exposure.
Sincerely,...
sslcaudit 1.0 released
Alexandre Bezroutchko (May 15)
Hello,
I would like to announce the release of sslcaudit 1.0.
The goal of sslcaudit project is to develop a utility to automate
testing SSL/TLS clients for
resistance against MITM attacks. It is useful for testing thick clients,
mobile applications,
appliances, pretty much anything communicating over SSL/TLS over TCP.
PDF user-guide is available here:
http://www.gremwell.com/sslcaudit_files/doc/sslcaudit-user-guide-1.0.pdf
Download and...
Re: Question of Likelihood
Justin Rogosky (May 14)
Hi,
Carnal 0wnage is doing a blog series about this very subject.
http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html
My opinion is that if you are doing a report, it would be of more
value to list the vulnerabilities separately with the reformatted tool
output (or other methodology you are applying to list them as "low").
But add a separate section that shows how the various "enabling"...
Question of Likelihood
Pen Testar (May 14)
I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CSRF, various
injection attacks… you name it.
You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above
(I’ll call them the “enabling” vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln
independently or in context of others?
I can see...
t2'12: Call for Papers 2012 (Helsinki / Finland)
Tomi Tuominen (May 12)
# t2'12 - Call For Papers #
Helsinki, Finland
October 25 - 26, 2012
We are pleased to announce the annual t2'12 infosec conference, which
will take place in Helsinki, Finland, from October 25 to 26, 2012.
We are looking for original, preferably technical presentations in the
fields of information security. Presentations should last a minimum of
60 minutes and a maximum of two...
A survey on web application attacks
Hannes Holm (May 11)
Hi pen-test subscribers,
I am researching the domain consensus regarding the effectiveness of different web application firewalls (WAFs) and
would be glad if you could spare a few minutes of your time to answer a survey on the topic.
By completing this survey you will:
* Help build valuable domain consensus on the topic of WAF effectiveness.
* Be able to compare your answers to the answers of others.
* Have the chance to win a 100...
Announce: Italian Hacker Game Cracca al Tesoro - Crack A Treasure
Aspy (May 04)
It is the 6th edition of the game.
It's very much like a treasure hunt but more... high tech!
The team needs to find five hidden access points within a city, crack
them, then find the servers behind them, hack them to find clues to
the next target ...
Next date: Genoa, Italy, May 12
Joining is free.
Web Site
http://www.wardriving.it
nullcon Delhi 2012 Call for Paper/Call for Event
nullcon (May 01)
Hi All,
For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders, Corporates, Government and security
professionals all under one roof.
Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides...
xSQL Scanner 1.6 - Released
Rodrigo Matuck (May 01)
Hi
Everyone
New version of xSQL Scanner is available with following features:
- PostgreSQL support added;
- SQL PortScan updated;
- Exceptions fixed;
- Progressbar bug fixed;
- MSSQL 7 DoS module added.
- MSSQL Empty password exploit module added.
- Session support added
- Visual modified
- Minor Bugs fixed
- Auto-detect feature fixed
Also I uploaded the xTSCrack with bugs fixed.
http://www.4shared.com/zip/4YrGt7hG/xsqlscanner-16.html...
[Tool update] VoIP Hopper 2.04 released
Jason Ostrom (Apr 29)
VoIP Hopper 2.04 security tool is released:
http://voiphopper.sourceforge.net
New Avaya, Alcatel-Lucent, and LLDP-MED spoofing support. Thanks to Nicolas Roux of France for his Alcatel source
contribution and debugging help. The Alcatel support has only been partially tested on a production network - I'm
requesting the help from anyone who has access to Alcatel-Lucent to test the three new modes of VoIP Hopper, and please
let me know....
Anti-fingerprinting techniques
cr0hn (Apr 25)
Hello everybody!
I just released the slides of a course about anti-fingerprinting
techniques. The course talks about:
– A brief introduction of FreeBSD.
– How fingerprinting works.
– How to defeat the fingerprinting test.
– Practical examples to evade the test for some services:
+ Web server.
+ FTP server.
+ SSH server.
- A long section dedicated for WordPress.
+ Fingerprinting methods.
+ Tools to test it.
+ Protection techniques.
I...
[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)
Hafez Kamal (Apr 23)
The 8th issue of the HITB Quarterly Magazine is now available for download!
http://magazine.hitb.org/
This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.
http://conference.hitb.org/hitbsecconf2012kul/
For the first time ever though, we're making print editions of the
magazine...
[New tool] - Exploit Pack - Web Security
noreply () exploitpack com (Apr 23)
Exploit Pack - Web Security Edition
This tool allows you to take control of remote browsers, steal social
network credentials, obtain persistence on it, DDoS and more.
Demo: http://www.youtube.com/watch?v=B_AYyRFNokI
Main features:
- Hacking of Gmail, Yahoo, Facebook, Live, Linkedin
- Session persistence
- 0day exploits included
- Remote browser control
- DDoS by creating botnets
- Launch remote exploits
- Steal credentials
Questions? support...
Ruxcon 2012 Call For Papers
cfp (Apr 19)
Ruxcon 2012 Call For Papers
The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of July.
* What is Ruxcon?
Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring...