pen-test logo
Penetration Testing Mailing List

While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

List Archives

JanFebMarAprMayJunJulAugSepOctNovDec
201012736
20092041361562037617512515811521514289
200825416616816919380168156167217135301
2007141168194171276207225290166157140159
2006330462417318325552447421247317198282
20051811231277896328391379445271277278
20042961782061081411799933933357114208
20036015918911612614424137105131
200211611382521461181487467234947
200118213921413130619513628920415086
2000232501379449411

Latest Posts

RE: SMS Banking Craig S. Wright (Feb 07)
The solution needs to be based on risk.

Where a system uses an SMS response with a separate system (such as a web
page), the probability that the banking user is compromised and a fraud is
committed, P(Compromise), can be calculated as:
P(Compromise) = P(C.SMS) x P(C.PIN)

Where: P(C.SMS) is the probability of compromising the SMS function and
P(C.PIN) is the compromise of the user authentication method

The user can...

Tools Update - Fist week of February 2010 SD List (Feb 07)
Hello

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published since 7 days.

New articles
--------------------------

** Acunetix WVS v6.5 build 20100203 released **
by ToolsTracker
- 3 February 2010

Acunetix Web Vulnerability Scanner (WVS) is an automated web application
security testing tool that...

NEMESIS linux packet injection command line tool - IP options file as input argument woman (Feb 07)
Hi,

NEMESIS linux packet injection command line tool:
================================================
I am looking for some document or website that explains by example the
content of the file that is used as input argument in IP/TCP OPTIONS

nemesis ip -O file

There is no details about it in the MAN pages or nemesis website.
What file format is used: text, ASCII, hex?

Thanks,
woman...

Re: pentesting voip network-please help Yiannis Koukouras (Feb 07)
Unfortunately not. Cain is basic in this category.
It's true, if you want it to be done seriously....Backtrack is the answer...

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
---
The information contained in this communication is intended solely
for  the  use  of the individual or entity to whom it is addressed
and others authorized to receive...

Re: SMS Banking Markus Matiaschek (Feb 07)
Hi,

I'd just like to make some comments, i didn't think about a solution
for your problem.

First of all i think that my Budi wibowo got something wrong regarding
who is sending the PIN.

Second, GSM is cracked: http://reflextor.com/trac/a51 and can be
intercepted and decrypted. You should take this into account.

Third i think the only farely safe way to make money transfers is with
transaction numbers, TANs. German banks send mobileTANs to...

Dradis Framework v2.5 is out! etd (Feb 07)
Hi all,

We have pushed a new major release of Dradis (an open source framework
to enable effective information sharing), and it comes with a few new
features [i]:

* Improved Note editor: bigger, easier to use and supports formatting!
* New First Time User Wizard
* Keep track of all the activity with the built-in RSS feed
* More plugins:
o New HTML Export reporting plugin.
o New Burp Upload plugin so you can use Burp Scanner output....

RE: SMS Banking Thor (Hammer of God) (Feb 07)
SMS based solutions are inherently insecure; not just from the application level, but from the carrier level. You're
assuming the carrier media is secure, which is not the case as Karsten showed at the CCC when he cracked GSM.

I think you would be far better served to create a client side application (client specific of course) where you could
build security into the application itself, use SSL, etc for client-to-server inquiries and...

Re: pentesting voip network-please help Todd Haverkos (Feb 07)
Yiannis Koukouras <ikoukouras () gmail com> writes:

Does it work in Cisco environments though? I honestly don't know.

Absent a way to get onto the VOIP vlan , it's nice features would be
sadly useless. In most Cisco deployments, the phones themselves and
all the call traffic are on a dedicated VLAN.

When I've done such assessments, I've used voiphopper under Linux to
dot he CDP dissection to find the VLAN and create the virtual...

RE: Flash Web Application PortSwigger (Feb 07)
With Burp, you can get rid of the browser certificate warnings if you wish,
by installing Burp's CA certificate in your browser. Burp generates a new CA
certificate on installation, and creates a valid certificate for each domain
you visit, signed by the CA cert.

Further details, and instructions for installing the CA cert, can be found
here:

http://portswigger.net/proxy/servercerts.html

Cheers
PortSwigger

-----Original Message-----
From:...

Re: Nessus, Harmful? Kevin Shaw (Feb 05)
I'm likely preaching to the choir here; but something I would advise
with Nessus or any other vulnerability, configuration, patch or port
scanning tool: know your target environment. I work with a different
network or communications medium - satellite, microwave - every week.
You tune your assessment for the equipment you are looking at - one
setting may not break a fiber channel SAN while it will wreak havoc on a
small office worth of...

Re: SMS Banking Doug Farre (Feb 05)
Mobile phone numbers can be spoofed. My piece of advice is that all
transactions must be acknowledged by the user. For instance, user
makes a request, system asks the user if for confirmation, then the
system proceeds.

Also, keep in mind that a lost cell phone can mean the user's pin is
compromised as the sms msgs are all stored in plain text.

Re: SMS Banking Budi wibowo (Feb 05)
instead of using sms for putting the pin, please use flash sms.
Safe and will not give any log on mobile phone.

Regards
Budi wibowo
-----Original Message-----
From: "M.D.Mufambisi" <mufambisi () gmail com>
Date: Thu, 4 Feb 2010 18:20:22
To: <pen-test () securityfocus com>; <security-basics () securityfocus com>
Subject: SMS Banking

Hi All,

Im designing an SMS baking application but i need to research on the...

Re: Flash Web Application Zaki Akhmad (Feb 05)
There's no problem on the certificate. After I use webscarab as proxy,
I can't click the flash application :( So I can't proceed.

Re: pentesting voip network-please help YGN Ethical Hacker Group (Feb 05)
http://www.tacticalvoip.com/tools.html

YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to become certified....

SMS Banking M.D.Mufambisi (Feb 05)
Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number. I also
want to be able to...

More Lists

Dozens of other network security lists are archived at SecLists.Org.


[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]