Penetration Testing

Re: password auditing

Thu, 19 Nov 2009 21:04:31 GMT

Posted by Kevin L. Shaw, CISSP, GCIH on Nov 19

Derek:

"an hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that. I would recommend a couple of things based on your
latest note, as well as this comment - without first an enforceable
policy in place; this is really like putting the cart before the horse.
However; I understand the reason why you are doing this so good luck -
but you...

Firewall Type Fingerprinting

Thu, 19 Nov 2009 20:53:54 GMT

Posted by Zaki Akhmad on Nov 19

Hello,

Can we do firewall type fingerprinting? With what tools? I want to
know the type of the firewall in front of the web server.

Pentest lab box 16 gigs of ram

Thu, 19 Nov 2009 20:49:31 GMT

Posted by macubergeek on Nov 19

All

I'm thinking of building a vmware target box for a pentest practice
lab consisting of:

cheap Dell server with 16 gigs of ram PowerEdge T105
vmware workstation

My question is with the host OS.
I was contemplating the home version of Windows 7 to give me a 64 bit
OS to support the amount of ram I'm planning on
Does anyone have any experience with the latest version of VMware
workstation and if it will run properly on Windows 7?

would...

Re: password auditing

Thu, 19 Nov 2009 20:46:04 GMT

Posted by Anders Thulin on Nov 19

Derek Robson wrote:

Be careful: don't fall into the all too common trap that any password that JtR
can crack must be a weak password.

And don't fall into the other trap that any password that contains upper and
lower case letters, digits and spcial characters and is at least 8 characters long
necessarily is a strong password. (This is the 'password policy' fallacy).

And don't assume that password strength alone is the entire truth....

Windows Internationalization?

Thu, 19 Nov 2009 20:43:16 GMT

Posted by Jon Kibler on Nov 19

Hi,

I have been approached about doing a pen test job that would involve a target
organization whose native character set is not ASCII. So, I have a few questions
and would appreciate some pointers to help me decide if I really want this
assignment.

Questions that immediately come to mind are:
1) On a Windows system that uses a non-ASCII character set (Chinese, Arabic,
Russian, etc.), how does that effect Windows?
-- Are registry key names...

VideoJak 2.0 Released

Thu, 19 Nov 2009 20:40:44 GMT

Posted by Abhijeet Hatekar on Nov 19

Sipera VIPER Lab has released VideoJak 2.0:

http://videojak.sourceforge.net

VideoJak is an IP Video security assessment tool that can target a video stream and/or video call in progress to play a
targeted malicious video clip, resulting in a DoS.
Some key features of the new VideoJak:

* IP Video Replay (as presented at ToorCon 11, DefCon 17)
* Media Blackhole attack.

We welcome all suggestions and feedbacks.

Thanks and Regards,

Abhijeet...

Re: password auditing

Thu, 19 Nov 2009 20:37:17 GMT

Posted by JoePete on Nov 19

A few observations:

One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.

If your Internet facing services (email, intranet, VPN, etc) are a
concern, your best protection is not password complexity but account
lockout. Without account...

Re: Possible Milw0rm replacement?

Thu, 19 Nov 2009 20:30:24 GMT

Posted by J.Hart, Elec.Eng.Tech. on Nov 19

Nice.
Yes - it is a learning experience - I never expect the code to be
perfect - that wouldnt be any fun

Elle

CEH or OSCP?

Thu, 19 Nov 2009 20:06:22 GMT

Posted by Vaibhav Kaushal on Nov 19

Hi all,

I am really interested in hacking. I know I can learn on my own but I
would like to have a course guiding me properly rather than wandering
here and there for some stupid material.

I think C|EH is great but the OSCP is way better (I prefer being
practical). I went through the websites of both and as far as I have
understood, CEH is only for the professionals working in organizations.
Since I am just an undergraduate student as of...

Re: password auditing

Wed, 18 Nov 2009 02:11:12 GMT

Posted by Derek Robson on Nov 17

thanks to everyone for such a big responce.

many of you have pointed me to questions of our policy...
many of you have talked about haveing password quality inforced when
they are set....

we have no real policy around passwords, we have no standards, we do
no quality testing.
we dont force users to change passwords, some have had the same
password for many years.
some still have the default password.

this project is to get some real data about...

Re: password auditing

Wed, 18 Nov 2009 02:00:21 GMT

Posted by Derek Robson on Nov 17

as per my last post....

we have no policy for passwords, we plan on getting some policy and
inforcing it.
before we do this we want to get an overview of just how ugly things are.
we want to get real facts about how many users are using the default password.

in many of the meetings we have un-educated managers quoting "facts"
that they cant know until we do this project.

many of the IT staff are keen to get good password policy in...

Re: password auditing

Wed, 18 Nov 2009 01:55:29 GMT

Posted by Tracy Reed on Nov 17

On Tue, Nov 17, 2009 at 08:59:29AM -0600, Harris, Michael C. spake thusly:

Probably a good idea. Especially in a big corporation where things can
easily get out of control when the lawyers get their hands on
things. Learn the lesson of poor Randall Schwartz and his felony
convictions due to his work with Intel. In a smaller company (such as
mine) I wouldn't worry so much.

Might be a bit overkill but ok... Seems like all of the servers should
be...

Re: password auditing

Wed, 18 Nov 2009 01:52:31 GMT

Posted by R. DuFresne on Nov 17

Yes, this box needs to be locked down as tightly as possible. Afterall
that data it contains is delicate to say the least.

Secondly though, why do passwd's in this env not expire? And why are
there now requirements to force users to choose secure passwd's in the
first place?

Thanks,

Ron DuFresne

Re: Possible Milw0rm replacement?

Wed, 18 Nov 2009 01:44:26 GMT

Posted by Pedro Drimel on Nov 17

Note that now some of the applications are available to download
directly from their repositories which is awesome.

2009/11/17 Kevin L. Shaw, CISSP, GCIH <kshaw () eeenterprisesinc com>:

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration...

Re: password auditing

Wed, 18 Nov 2009 01:40:24 GMT

Posted by Haris Pilton on Nov 17

sounds like a fun project. I would Protect it like you currently
protect the password files you are going to brute.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to...