Comment: Re: Normal women... (Score 2) 765

It's not a workplace... it's a GitHub repo. Also, you implied it's not okay to have an unpopular opinion outside of the workplace... why wouldn't the "can't have an opinion brigade" jump on you?

What happens when you have a dissenting, unpopular opinion? In your ideal world you wouldn't be able to express it. Wouldn't that bother you?

Comment: Re: Is he dangerous? (Score 1) 163

by Redmancometh (#49239437) Attached to: Man Claiming Half Ownership of Facebook Is Now a Fugitive

People shouldn't be punished for sleeping it off in their car. I was under the impression that it wasn't a DUI if the keys weren't in the ignition though.

The issue I was getting at in response to the person I responded to was pretty simple: alcohol destroys your judgement. So you may care about the license being lost when sober, but then your inhibitions are gone, and you don't.

Some of the folks responding got a little crazy with it o-o

Comment: Re: NMAP (Score 1) 205

by Redmancometh (#49239425) Attached to: Ask Slashdot - Breaking Into Penetration Testing At 30

I've actually gotten to the point where I think WAFs are absolutely useless. As far as WAFs go though I would recommend against mod_security, as fingerprinting it via its helpful errors is a cakewalk.

The upside to WAFs is that they prevent automated attacks...buuut snort's dynamic preprocessors seem to do this FAR better.

Either way an IDS/IPS/WAF just isn't enough. In a non-automated attack bypassing them is trivial. Half the time I can simply use URL encoding for an attack string. Some poor WAFs don't even do recursive checking, so things like nested XSS code works.

On one pen-test a client had WAFwoof, and I was doing union injection, and iterating 20 requests a second. Not one. Single. Alert.

Rules-based filtering with regexes/etc just won't keep a determined attacker out. It's a good idea to have, but fixing the underlying applications is far more important. If I have PUT permissions on a directory it doesn't matter how good the ruleset is.

It just pisses me off that the PCI council, and similar rules for HIPAA, say "oh hey vulnerable apps? Don't worry about it you've got a WAF!"
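As an added illustration of the recursive-checking point in this comment (my example, not the poster's code or any real WAF's logic): a rule-based filter that percent-decodes a request value only once is compared with one that decodes to a fixed point, with an iteration cap so a deeply nested value cannot stall the filter. The signatures and request values are constructed for the demonstration and stand in for a real ruleset.

```python
"""Normalize a request parameter before matching it against rules.

Added example, not code from the original comments. A filter only sees
what it decodes: one urllib.parse.unquote pass misses a value that was
percent-encoded twice, while decoding to a fixed point (with a cap so a
crafted value cannot loop the filter indefinitely) closes that gap.
"""
import re
from urllib.parse import quote, unquote

# Constructed, deliberately simple signatures standing in for a ruleset.
SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),
]

MAX_DECODE_ROUNDS = 5  # cap: stop and flag instead of decoding forever


def decode_once(value: str) -> str:
    """What a naive filter does: a single percent-decode pass."""
    return unquote(value)


def decode_fixed_point(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> tuple[str, int]:
    """Decode until the value stops changing or the cap is reached.

    Returns (normalized_value, rounds_used); rounds_used == max_rounds
    means the cap was hit and the value may still be partly encoded.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:  # fixed point: nothing left to decode
            break
        value = decoded
        rounds += 1
    return value, rounds


def matches_rule(value: str) -> bool:
    """True if any signature fires on the (already normalized) value."""
    return any(sig.search(value) for sig in SIGNATURES)


def inspect(raw: str, recursive: bool) -> dict:
    """Run the ruleset over one raw query-string value.

    recursive=False models the naive single-decode filter; recursive=True
    models fixed-point decoding. hit_cap tells an operator the value was
    nested deeper than the cap and deserves a look even if no rule fired.
    """
    if recursive:
        normalized, rounds = decode_fixed_point(raw)
    else:
        normalized, rounds = decode_once(raw), 1
    return {
        "normalized": normalized,
        "rounds": rounds,
        "hit_cap": recursive and rounds >= MAX_DECODE_ROUNDS,
        "blocked": matches_rule(normalized),
    }


def build_nested(value: str, depth: int) -> str:
    """Constructed helper: percent-encode a value `depth` times so the
    cap's behaviour can be exercised offline."""
    for _ in range(depth):
        value = quote(value, safe="")
    return value


if __name__ == "__main__":
    # Constructed sample values: once- and twice-encoded tag openers.
    for raw in ("%3Cscript%3E", "%253Cscript%253E", "hello%20world"):
        print(raw, "naive:", inspect(raw, False)["blocked"],
              "recursive:", inspect(raw, True)["blocked"])
    print(inspect(build_nested("<script>", 8), True))
```

The naive path decodes `%253Cscript%253E` to `%3Cscript%3E`, which matches nothing, while the fixed-point path reaches `<script>` in two rounds and the rule fires. Treat `hit_cap` as a signal in its own right: a value that is still encoded after five rounds is not something a legitimate client sends.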

Comment: Re:Get certified (Score 1) 205

by Redmancometh (#49239399) Attached to: Ask Slashdot - Breaking Into Penetration Testing At 30

It may not enable you to command respect from everyone, but GSE is an insanely difficult certification to get.

You have to have 5 provable years in IT security just to take the exam, the exam is extremely difficult, and the 48 hour lab is ridiculously hard. If you can't read packet dumps, you won't pass; if you can't write exploits, you won't pass.

You get nmap, nessus, wireshark, metasploit, the SNORT source, and some low-level command-line tools. The boxes are pretty hardened so nessus and metasploit are basically a waste of time. Some of the nmap scripts were very useful, but a lot of it involved very, very low level vulnerabilities.

No custom tools...that was a big problem for me.

Most pen testers wouldn't be able to identify OR exploit them. So having the certification means you are better than 90% (or more) of the pen testers you'd run into. On its own it may not garner respect, but it should certainly hint that the GSE knows what he/she is doing.

Comment: Re:Depends (Score 1) 205

by Redmancometh (#49238083) Attached to: Ask Slashdot - Breaking Into Penetration Testing At 30

Most pen testers are there to fulfill pen test requirements in standards like PCI where something like Metasploit would be a sufficient "best effort", and actually pretty decent if you have someone who really knows how to use it.

Pentester: "Authentication bypass, and remote code execution were found in your joomla installation, and SQL injection in just..every..field."

Admin: "So...what you're trying to say is put a WAF up?"

Pentester: "No..god no. Fix the issues, just run a couple patches and convert to prepared statements"

Admin: "But we don't have to do that for PCI compliance right? The PCI council said a WAF and/or SNORT is enough"

Pentester: "Sigh..."

Comment: Re: NMAP (Score 2) 205

by Redmancometh (#49238047) Attached to: Ask Slashdot - Breaking Into Penetration Testing At 30

We still run nmap scans with sN and sV flags up, but it's more of a formality for the assessment report. The most useful portion of nmap these days are the NSE scripts.

We also generally run metasploit (particularly for web crawling), and nessus, but they will only find (very) low hanging fruit. We also use metasploit to generate shellcode for payloads, because that's a huge pain in the ass.

By necessity everything is indeed automated, but the tools you are using are the most important part. We have our own (mostly) custom toolkit. So we may be fuzzing a target, but we aren't just sending "A" a bunch of times. Further, we don't even bother fuzzing well-known applications. Proprietary applications typically are going to "blow up" when they are fuzzed properly. Note that this isn't always the case.. I once fuzzed a skype node (by accident) and figured out that A) it was the supernode and B) it was leaking usernames when given an arbitrary 4 bytes over TCP.

Most of our footholds are gained at layer 7. We have a ton of scanners we've written for wordpress, joomla, drupal, custom metasploit modules for advanced SQLi (order 2 SELECT injection, multi-byte character injection, etc.) Also custom implementations of existing scripts/modules we've modified for WAF/SNORT/Nagios evasion.

The most important thing is simply having a bunch of unique tools at each phase of the engagement. A bunch of fancy post-exploitation tools are useless if you can't get in... likewise discovery/enumeration tools help tremendously, but if you can't write an exploit for real-world-slightly-not-perfect-to-exploit, your firm is sub-par.

That being said, we do IT consulting... vulnerability assessments are just one of our services, and we only have 2 people that handle it. That being said.. we will find something to gain a foothold. Every. Time. CIOs, admins, devs, and engineers aren't perfect. Like one poster here said, being able to think maliciously is half the battle.
