 Penetration Testing Mailing List
While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
List Archives
Latest Posts
Replicating the Gonzalez Cyber Attacks through Penetration Testing
Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST
"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------
Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...
Re: password auditing
Kevin L. Shaw, CISSP, GCIH (Nov 19)
Derek:
"an hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that. I would recommend a couple of things based on your
latest note, as well as this comment - without first an enforceable
policy in place; this is really like putting the cart before the horse.
However; I understand the reason why you are doing this so good luck -
but you...
Firewall Type Fingerprinting
Zaki Akhmad (Nov 19)
Hello,
Can we do firewall type fingerprinting? With what tools? I want to
know the type of the firewall in front of the web server.
Pentest lab box 16 gigs of ram
macubergeek (Nov 19)
All
I'm thinking of building a vmware target box for a pentest practice
lab consisting of:
cheap Dell server with 16 gigs of ram PowerEdge T105
vmware workstation
My question is with the host OS.
I was contemplating the home version of Windows 7 to give me a 64 bit
OS to support the amount of ram I'm planning on
Does anyone have any experience with the latest version of VMware
workstation and if it will run properly on Windows 7?
would...
Re: password auditing
Anders Thulin (Nov 19)
Derek Robson wrote:
Be careful: don't fall into the all too common trap that any password that JtR
can crack must be a weak password.
And don't fall into the other trap that any password that contains upper and
lower case letters, digits and special characters and is at least 8 characters long
necessarily is a strong password. (This is the 'password policy' fallacy).
And don't assume that password strength alone is the entire truth....
Windows Internationalization?
Jon Kibler (Nov 19)
Hi,
I have been approached about doing a pen test job that would involve a target
organization whose native character set is not ASCII. So, I have a few questions
and would appreciate some pointers to help me decide if I really want this
assignment.
Questions that immediately come to mind are:
1) On a Windows system that uses a non-ASCII character set (Chinese, Arabic,
Russian, etc.), how does that affect Windows?
-- Are registry key names...
VideoJak 2.0 Released
Abhijeet Hatekar (Nov 19)
Sipera VIPER Lab has released VideoJak 2.0:
http://videojak.sourceforge.net
VideoJak is an IP Video security assessment tool that can target a video stream and/or video call in progress to play a
targeted malicious video clip, resulting in a DoS.
Some key features of the new VideoJak:
* IP Video Replay (as presented at ToorCon 11, DefCon 17)
* Media Blackhole attack.
We welcome all suggestions and feedback.
Thanks and Regards,
Abhijeet...
Re: password auditing
JoePete (Nov 19)
A few observations:
One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.
If your Internet facing services (email, intranet, VPN, etc) are a
concern, your best protection is not password complexity but account
lockout. Without account...
Re: Possible Milw0rm replacement?
J.Hart, Elec.Eng.Tech. (Nov 19)
Nice.
Yes - it is a learning experience - I never expect the code to be
perfect - that wouldn't be any fun
Elle
CEH or OSCP?
Vaibhav Kaushal (Nov 19)
Hi all,
I am really interested in hacking. I know I can learn on my own but I
would like to have a course guiding me properly rather than wandering
here and there for some stupid material.
I think C|EH is great but the OSCP is way better (I prefer being
practical). I went through the websites of both and as far as I have
understood, CEH is only for the professionals working in organizations.
Since I am just an undergraduate student as of...
Re: password auditing
Derek Robson (Nov 17)
thanks to everyone for such a big response.
many of you have pointed me to questions of our policy...
many of you have talked about having password quality enforced when
they are set....
we have no real policy around passwords, we have no standards, we do
no quality testing.
we don't force users to change passwords, some have had the same
password for many years.
some still have the default password.
this project is to get some real data about...
Re: password auditing
Derek Robson (Nov 17)
as per my last post....
we have no policy for passwords, we plan on getting some policy and
enforcing it.
before we do this we want to get an overview of just how ugly things are.
we want to get real facts about how many users are using the default password.
in many of the meetings we have un-educated managers quoting "facts"
that they can't know until we do this project.
many of the IT staff are keen to get good password policy in...
Re: password auditing
Tracy Reed (Nov 17)
On Tue, Nov 17, 2009 at 08:59:29AM -0600, Harris, Michael C. spake thusly:
Probably a good idea. Especially in a big corporation where things can
easily get out of control when the lawyers get their hands on
things. Learn the lesson of poor Randall Schwartz and his felony
convictions due to his work with Intel. In a smaller company (such as
mine) I wouldn't worry so much.
Might be a bit overkill but ok... Seems like all of the servers should
be...
Re: password auditing
R. DuFresne (Nov 17)
Yes, this box needs to be locked down as tightly as possible. After all
that data it contains is delicate to say the least.
Secondly though, why do passwd's in this env not expire? And why are
there now requirements to force users to choose secure passwd's in the
first place?
Thanks,
Ron DuFresne
Re: Possible Milw0rm replacement?
Pedro Drimel (Nov 17)
Note that now some of the applications are available to download
directly from their repositories which is awesome.
2009/11/17 Kevin L. Shaw, CISSP, GCIH <kshaw () eeenterprisesinc com>:
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration...
More Lists
Dozens of other network security lists are archived at
SecLists.Org.