
You are currently reading a thread in /g/ - Technology

Thread replies: 49
Thread images: 2
File: Skull_&_Crossbones.png (264 KB, 3333x3333)
Recently I've gotten back into penetration testing, mainly with Metasploitable 2, rooted Android and Pentoo. The reason I like to encourage people to run pentests is that if you rely solely on intrusion detection software such as Snort, you're making a big mistake. Penetration testing is fun, and of course everyone knows fun rules.

>Discuss penetration testing
>Post references
securitytube.net
computersecuritystudent.com
RTFM & BTFM
>>
>>54358410
The last time someone mentioned penetration testing, I woke up naked in a bathtub full of lube.
>>
Seriously, nobody here is into penetration testing? You don't audit your networks and test them for vulnerabilities?
>>
BTFM?
>>
Finding software exploits is more fun.
>>
>>54358686
The Blue and Red Team Field Manual, for capture the flag.

Have you guys ever played CTF?
>>
>>54358661
I pentested ur mom :^)
>>
>>54358827
My mom's not a pen, ya' asshole
>>
>>54358767
>The Blue and Red Team Field Manual, for capture the flag.
I assume you were joking with "for capture the flag". Googled it and found out it's a book and it looks like a great one. And it's cheap as fuck, only $9. Thanks, any other good books?
>>
>>54358928
Dude, CTF is a real thing. Red team are pentesters and blue team are security. Sometimes these matches last for days.
>>
>>54358928
>>54358998
Also, Gray Hat Hacking looks like a good one. Other than that I have a pocket reference for Python. They have other pocket references for InfoSec, shell, etc.
>>
>>54358998
oh damn, pardon my stupidity.
>>
>>54359058
You're all good man. Look into it. It's good shit.
>>
>>54359091
Will do.
Do you get paid to do pen testing?
>>
>>54359229
Not really. I mean, I'm still going to school, but sometimes I'll audit my friends' networks for them. There is good money in the security field if you are considering that.
>>
Get the shellcoders handbook
>>
>>54359302
>There is good money in the security field if you are considering that.
Maybe, would knowledge of ARM assembly ever help me?
>>
>>54359442
Yup, remember that security has to do with different fields, so knowledge of operating systems themselves can go a long way: kernel source code, assembly, Python, C/C++, etc. It's good to have a basis in all aspects.
>>
>>54359438
This looks like a good one. Does it also go into binary injection, as opposed to just command injection?
>>
>>54358410
The Web Application Hacker's Handbook
The Art of Software Security Assessment
The Hacker Playbook 2
That should get you started, kid.
>>
>>54358410
Also if you want to compete in ctf or war games let me know. I do them occasionally. I would start with the first few levels of microcorruption.com though
>>
>>54359595
Don't act like a pompous ass. Usually it's people like you who really don't know all that much: security "experts" who don't know a damn thing about kernel source code.
>>
>>54359635
Yeah, because The Art of Software Security Assessment won't help him with C vulns...
>>
I'll post some of my favorite pentesting apps for rooted Android.

>Terminal (Obviously)
>Intercepter-NG (Kind of like Ettercap)
>WiFinspect
>ChameleMAC for MAC spoofing
>Wifi Analyzer for RF scanning
>AndroDrumper
>DNS Hostname for quick host spoofing
>>
>>54359765
*Also
>DDoS

I think Intercepter-NG is my favorite for auditing networks because of the SSL stripping.
>>
>>54359635
Also, the OP wants to talk about penetration testing. I gave him the best books on the subject for pen testing. I gave him the best books for network/web/embedded (microcorruption.com). I guess the only other books that would be good for starting pentesting are Nmap Network Scanning and Metasploit Unleashed.
>>
Reading The Art of Exploitation and some book about Metasploit RN.

How the hell do people find exploits in like browser plugins?
>>
>>54359856
You're on the right track; that book is good for starting exploit dev. When you want to learn to exploit browsers you need to learn about fuzzing and open source auditing: learning about RWX exploit primitives and what they look like in source, visualizing the way the stack and heap will look, and how to chain these bugs together to bypass ASLR/DEP/EMET etc. There was a Pwn2Own write-up in Phrack that's good. Let me see if I can find it.
>>
>>54359625
That sounds good. Thanks man.
>>
>>54359931
http://www.phrack.org/papers/shockwave_memory_disclosure.html

Also look up work by people like Dino Dai Zovi, Charlie Miller and team VUPEN. Also gotta start hanging out in IRC and attending cons like DEF CON, BSides, ShmooCon etc.
>>
>>54358661
The largest portion of /g/ doesn't even know how to SQL inject; the remaining folks are probably not that keen on sharing what they do.
Sure, pentesting is fun, but if you are expecting people to share their findings in here you are out of luck (no respectable white hat will disclose in here). Besides, that sort of info doesn't belong on public pyramid scheme design boards like this (script kiddies lurk here), or are you expecting just a list of CVEs?
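The SQL injection the reply above refers to, as an added example that is not part of the thread: a login query built by pasting user input into the SQL text, next to the same query with bound parameters, both run against a constructed in-memory SQLite table. The user names and passwords are made up for the example.

```python
import sqlite3

# Constructed sample rows (made up for this example; not real credentials).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: the input is pasted into the SQL text, so quotes,
    OR clauses and -- comments inside it are parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened: bound parameters. The driver hands the input over as
    data, so the same payloads simply fail to match any row."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Two classic payloads: a tautology that makes the WHERE clause always
# true, and a comment that truncates the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo():
    """Run both payloads through both implementations and return the rows each leaks."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_comment": login_safe(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print("%-15s -> %s" % (case, names))
```

With the tautology the vulnerable query becomes `WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; with the comment payload everything after `'alice'` is discarded, so the password is never checked. The parameterised version returns nothing for either.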
>>
Any torrents? I got a nice one with ML books from the AI general that was up a while back.
>>
>>54359950
I didn't know they still held DEF CONs. My friend gave a few talks at Notacon.
>>54359953
Well, I wasn't expecting people to post their findings and/or sensitive information. Mainly just a discussion in pentesting, generally. Getting more people into pentesting, post references like good books they've read recently and sites they've visited.
>>
>>54359931
I would recommend reading the books I outlined above first, though maybe replace The Hacker Playbook with a reverse engineering book or a fuzzing book. You have to really understand the way the web and web applications work, and the way browsers are programmed to interpret them, to start exploiting them.

Just focus on trying to get a crash with AddressSanitizer or Peach Fuzzer/a custom fuzzer, or start auditing the source code using the techniques in The Art of Software Security Assessment. Also, A Bug Hunter's Diary is good if you want to go that route. Once you start getting crashes or finding bugs, then you want to start learning how to exploit them.

Also check out https://www.mozilla.org/en-US/security/advisories/ for good bug classes to look for and to see what other researchers are finding. Remember each tech is different and will be exploited in different ways. For instance, these are for Firefox so they won't focus on JIT, whereas Flash exploits and other plugins will likely focus on abusing the JIT.
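The "get a crash with a custom fuzzer" step from the post above, and the earlier remark about what exploitable primitives look like in source, as an added example that is not from the thread: a toy tag/length/value parser written for this example with a deliberate bug (it trusts the length byte), a bounds-checked version of the same parser, and a dumb mutation fuzzer that finds the bug in the first and nothing in the second. The seed input is constructed; in C the bug would be an out-of-bounds read, which the Python version models by raising.

```python
import random

# Constructed seed input: two well-formed tag/length/value records.
SEED_INPUT = b"\x01\x03abc\x02\x01x"


def parse_tlv(data):
    """Toy TLV parser with a deliberate bug: it trusts the length byte and
    never checks that enough bytes remain. In C the same code would read
    past the buffer; here the over-read raises so the fuzzer can see it."""
    i, records = 0, []
    while i < len(data):
        tag = data[i]
        length = data[i + 1]                 # IndexError if the length byte is missing
        value = data[i + 2:i + 2 + length]
        if len(value) != length:             # models the out-of-bounds read
            raise ValueError("declared length %d exceeds buffer" % length)
        records.append((tag, bytes(value)))
        i += 2 + length
    return records


def parse_tlv_safe(data):
    """Hardened version: bounds are checked before every read and
    malformed input yields None instead of an exception."""
    i, records = 0, []
    while i < len(data):
        if i + 2 > len(data):
            return None
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            return None
        records.append((tag, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return records


def mutate(rng, data):
    """One random mutation: bit flip, truncation, or byte insertion."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed_input, iterations=2000, seed=1234):
    """Mutation fuzzer with no coverage feedback: mutates the seed, runs the
    target, and keeps the first crashing input seen per exception type."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, case in fuzz(parse_tlv, SEED_INPUT).items():
        print("%s on %r" % (name, case))
    print("safe parser crashes:", fuzz(parse_tlv_safe, SEED_INPUT))
```

Truncating the seed after a tag byte hits the missing-length read, and flipping a bit in a length byte hits the over-read; a real fuzzer adds coverage feedback and a corpus so it keeps the inputs that reach new code, but the find-crash-then-triage loop is the same.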
>>
>>54359545
Hearing that excites me, since I think I would get bored quickly in just one field.
>>
>>54359905
But how the hell do malware authors do this stuff?

Are exploit kits really that simple? Is it just checking which version of a plugin the victim is running and then serving them the correct CVE?
>>
>>54360260
To add, I've been reading all of Xylitol's and others' blogs, but it's still kind of confusing, and there's an air of unknowing around it.
>>
>>54360324
You would be surprised how f'd everything is. A lot of old Java browser exploits are enough to pwn Fortune 500s because they can't update due to some tech they have running. You don't have to be l337 in today's world to pwn almost everything. In summary, yes, it can be that simple to pwn a lot of people. Get out of that mindset as fast as possible though. The companies and security communities don't want to admit this, so they want the best of the best doing network and web app pen tests, and it's rarely in scope to actually send browser exploits. Even though the majority of breaches occur that way.
>>
>>54360324
Actually it's even easier than that. A lot of breaches occur by registering some lame domain name that looks like the company's and sending a phishing link to 1k people at the company. Don't even need an exploit. If you want to go down this route, read Phishing Dark Waters and The Art of Human Hacking by Chris Hadnagy.
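The defensive side of the lookalike-domain trick in the post above, as an added example that is not from the thread: a checker that takes a legitimate domain and a list of newly seen domains and reports why each one might be impersonating it (different TLD, homoglyph substitution, the real name embedded in a longer label, small edit distance, non-ASCII characters). The domain names and the small homoglyph table are constructed for the example; a production version would use a public-suffix list and a full confusables table.

```python
import unicodedata

# ASCII look-alike substitutions phishers use. A small hand-picked set,
# assumed for this example; not an exhaustive confusables table.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
              "5": "s", "7": "t", "@": "a", "$": "s"}


def registrable_label(domain):
    """Second-level label: 'login.acme-corp.com' -> 'acme-corp'.
    Naive: ignores public-suffix rules such as .co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold accents, drop non-ASCII, lower-case, then undo the common
    look-alike substitutions so 'acrne-c0rp' compares equal to 'acme-corp'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate, legit, max_distance=2):
    """Reasons `candidate` may be impersonating `legit`; empty list = no signal."""
    if candidate.lower() == legit.lower():
        return []
    reasons = []
    if any(ord(ch) > 127 for ch in candidate):
        reasons.append("non-ASCII characters (possible IDN homograph)")
    cand, real = registrable_label(candidate), registrable_label(legit)
    if cand == real:
        reasons.append("same label, different TLD")
    n_cand, n_real = normalize(cand), normalize(real)
    if n_cand == n_real and cand != real:
        reasons.append("homoglyph substitution")
    elif real in n_cand and n_cand != n_real:
        reasons.append("embeds legitimate name")
    dist = edit_distance(n_cand, n_real)
    if 0 < dist <= max_distance:
        reasons.append("edit distance %d" % dist)
    return reasons


def flag_lookalikes(candidates, legit):
    """Map each suspicious candidate to its reasons, skipping clean ones."""
    return {c: r for c in candidates for r in [lookalike_reasons(c, legit)] if r}


# Constructed candidates, as they might arrive from a new-registration feed.
# "\u0430" is Cyrillic small a, visually identical to Latin a.
CANDIDATES = ["acme-corp.com", "acrne-corp.com", "acme-c0rp.com", "acme-corp.co",
              "acme-corp-login.com", "acmecorp.com", "\u0430cme-corp.com", "example.org"]

if __name__ == "__main__":
    for domain, why in flag_lookalikes(CANDIDATES, "acme-corp.com").items():
        print(domain, "->", "; ".join(why))
```

Fed a daily list of new registrations or certificate-transparency log entries, the same function is enough to raise an alert before the phishing mail goes out; the normalisation step is what catches `acrne-corp`, which a plain string comparison misses.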
>>
>>54360392
True.

>You would be surprised how f'd everything is. A lot of old Java browser exploits are enough to pwn Fortune 500s because they can't update due to some tech they have running

Seems that way for sure... Like some ATM malware is just ridiculous. Aren't they usually running Windows XP or some shit?

But then stuff like Gameover Zeus is crazy; still strange to think that one guy wrote it all.
>>
File: nigger.jpg (4 KB, 300x168)
>>54358410
> pentesting
> average income is about 40k
> fun
>>
>>54358410
> penetration testing
Watching stupid videos made by Indians on how to use white hat hacking tools without having any in-depth knowledge sounds really fun, right m8?
>>
>>54360503
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/

Yeah, because 7k a bug is such shitty money. Also the majority of sites pay 5k for good bugs, and let's not forget Pwn2Own, where researchers walk away with 100k+ in a day. But yeah, if you're a complete shit skiddy then I'm sure you'll make 40k.
>>
>>54360567
Or you could, you know, LEARN
>>
>>54360567
>Watching stupid videos made by Indians on how to use white hat hacking tools without having any in-depth knowledge

And how do you think people learn?

Do they just jump in and begin releasing proofs of concept and creating their own widely used pentesting tools?

First you copy, then you understand the material, then you begin actually becoming knowledgeable.
>>
>>54360586
>Yeah, because 7k a bug is such shitty money. Also the majority of sites pay 5k for good bugs

Just wondering, but why would someone report these bugs and exploits when they can sell/use them on underground forums and make FAR more than $7k?
>>
The reason I've been pentesting Metasploitable is because I'm trying to find new things to learn. I know wireless cracking, MitM, some basic SQL injection, forensics, etc. I'm trying to find good books on reverse engineering, stress testing, programming. There's always something to learn.
>>
>>54360689
That's a choice you have to make yourself, black hat or white hat.

>with great power comes great responsibility
>real strength is having the power and the knowledge and choosing not to abuse it
>if there were no gun manufacturers in the world, would there be any school shootings?
>yada yada yada
>>
Tools for Pentesting (GNU/Linux only)

General Password Cracking: John the Ripper
Remote Password Cracking: THC Hydra
Windows Password Cracking: Ophcrack
BIOS Password Cracking: CmosPwd
WiFi Password Cracking: Aircrack-ng
Wordlist Generator: CUPP, crunch
General Network Tampering: Netsed, cryptcat (Netcat)
Traffic Generator: Mausezahn
Traffic Replay: Tcpreplay
Packet Crafting: hping, Ostinato
Man-in-the-middle Attack: Ettercap, sslstrip
Web Application Vulnerability Scanner: Nikto
Network Vulnerability Scanner: Yersinia, OpenVAS
Host Vulnerability Scanner: Lynis
Exploit Framework: w3af
Backdooring: Evilgrade, Backdoor Factory, Veil-Evasion, Cymothoa
Windows Registry Editor: Offline NT Password & Registry Editor
Social Engineering: Social Engineering Toolkit
SQL Injection: sqlmap
Cross-Site Scripting: xsser
SSH Denial: screwSSH
Exploitable Distros: Damn Vulnerable Linux, Metasploitable, Kioptrix
Exploitable Web Apps: WebGoat, hackxor, Mutillidae
Network Link Scanner: Linklint (+ linklint2dot), LinkChecker
Packet Sniffer: Tshark (Wireshark TUI), tcpdump, tcpflow
Network Mapping: arping, Ping, MTR, tracepath, Paris Traceroute, Traceroute, Open Visual Traceroute, EtherApe
Traffic Flow Scanner: PRADS, tcptrack, nfdump, Xtract, weathermap4rrd, traceroute@home
WiFi Scanner: Kismet
Network Enumeration: WhatWeb, p0f, xprobe2, SSLScan
DNS Client: dig, host, whois, nslookup
Network File Retrieval: Driftnet, tcpxtract
OSINT: Netglub, Creepy
Reconnaissance Framework: ngrep, Nmap, DMitry, dsniff (urlsnarf, filesnarf, webspy, Tcpkill, macof, arpspoof), Recon-ng
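What the wordlist generators in the list above (CUPP, crunch) do, as an added example that is not from the thread: a targeted wordlist built from a few tokens known about the target (names, company, pet, whatever the recon turned up), expanded with case variants, a leet substitution, two-token combinations, years and common suffixes, then filtered to a minimum length. The tokens are constructed and the leet mapping is one common choice assumed here.

```python
import itertools

# One common leet mapping, assumed for this example (CUPP uses a similar table).
LEET = str.maketrans("aeios", "43105")


def case_variants(word):
    """lower, Capitalised, UPPER and leet forms of one token."""
    word = word.lower()
    return {word, word.capitalize(), word.upper(), word.translate(LEET)}


def build_wordlist(tokens, years, suffixes=("!", "#", "123"), min_len=6):
    """Targeted candidate passwords from recon tokens, sorted and deduplicated.

    tokens:   words tied to the target (names, employer, pet, team ...)
    years:    strings such as "2016"; both "2016" and "16" are appended
    suffixes: common trailing characters people use to satisfy policies
    min_len:  drop anything shorter, e.g. to match a known password policy
    """
    bases = set()
    for token in tokens:
        bases |= case_variants(token)
    # every ordered pair of variants, e.g. "aliceAcme", "Acme4l1c3"
    combos = set(bases)
    for a, b in itertools.permutations(sorted(bases), 2):
        combos.add(a + b)
    out = set()
    for base in combos:
        out.add(base)
        for year in years:
            out.add(base + year)
            out.add(base + year[-2:])
        for suffix in suffixes:
            out.add(base + suffix)
    return sorted(word for word in out if len(word) >= min_len)


if __name__ == "__main__":
    # Constructed recon: a user called Alice at a company called Acme.
    words = build_wordlist(["alice", "acme"], ["2016"])
    print(len(words), "candidates; first few:", words[:5])
```

A list like this is small enough to run through John the Ripper or THC Hydra in seconds, which is the point: a few hundred guesses derived from what is publicly known about a person beat a multi-gigabyte generic list for a targeted test, and the `min_len` filter keeps the guesses inside whatever policy the target enforces.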