Linux Penetration Testing Laptop Setup v3.5

I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools on the Linux operating system. You can go and obtain Backtrack, but I feel that you will have a better understanding of the tools, and of Linux in general, if you install the tools yourself. You will also have the most current version of each tool available. See Configuration Tutorials for the latest document.

Update: The latest version is now v4 on Ubuntu 11.4 Natty Narwhal.

External Fingerprinting Worksheet

I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities that a penetration tester would use.  The assessment plans are structured in a way to help with the documentation of evidence for inclusion in a work-paper process.  The plan provides helpful information on how to install, configure, and use the tools to obtain the evidence needed for an engagement.  The Technical Assessment Plans that I have created can be found here.

Earning CPE credits in a down economy.

Earning CPE credits in a down economy for your Information Security certifications.

As we enter 2011, the financial talking heads say that our economy is recovering. While this can be debated as vigorously as Vi vs. Emacs, you sit in your office with the knowledge that your company’s training budget is still next to nothing. Trips to information security conferences in Las Vegas, Miami, and Orlando are all out of the question. Yet for all of the information security certifications you have obtained to stay competitive in this tough economy, you are required to earn Continuing Professional Education (CPE) credits. Below I list some simple steps you can take to keep current on the latest security trends while earning those valuable CPE credits to maintain your certification(s).

Stand-Alone Tools and Utilities

A question was raised today during a presentation about which utilities you can use without installing them. There are engagements in which the auditor is not allowed to use their own laptop and must use a laptop provided by the auditee. This severely limits how effective an engagement can be, but it is not impossible to obtain the information you need once you connect to the auditee’s network. I’ve made changes to the Security Tools page to highlight which tools are stand-alone and do not require installation. Also for reference, see Penetration Testing Ninjitsu, which I pulled from a Core Security webcast.

Web Security Dojo

NA CACS conference hosted by ISACA (18-22 April 2010)

Remote Security Testing for Web Applications
Presented by David Rhoades
Maven Security Consulting

Attending this conference workshop session introduced me to Maven Security’s Web Security Dojo. This is an Ubuntu-based virtual image that includes several free and open source tools used for web application auditing. The image also includes web application environments that are vulnerable to many common vulnerabilities, so you can test and learn how to use the tools against them. This pre-configured environment is perfect for educational purposes. Maven Security also provides a BASH script that will set up the same tools on your own Ubuntu system.

Compile John the Ripper w/ Jumbo Patch (Updated for 1.7.7 & 1.7.8)

2.5.2014 – See this blog article for compiling John the Ripper with GPU support using Nvidia CUDA.

Old Post – Now with AMD OpenCL GPU support.

9.19.2011 – Updated for latest openssl and john jumbo patch on Ubuntu Natty Narwhal 11.4

This post covers cracking Windows password hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default JtR does not support the Windows hashes that we are interested in cracking, so see below for installation and patching instructions. Applying the jumbo patch to JtR adds the functionality to crack NTLM and MS-Cache passwords. NOTE: This install was done on Ubuntu 10.4 LTS but should work on any Linux distribution, since we are compiling from source.

Using Perl to Parse Nmap XML

As an auditor I liked to quickly analyze my Nmap scan results by parsing the XML output and loading it into my favorite spreadsheet application.
From there I could sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results as evidence.
I’ve developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However, if you are just looking to quickly parse the results of individual scans, I’ve got a Perl script for you!
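The parsing step described above, as an added example that is not the post’s own Perl script: it is written in Python with the standard library only, walks the host/port/service/OS elements of Nmap’s XML schema, and flattens them into one row per port so the result can be sorted in a spreadsheet by host, port, service, or operating system. The XML embedded below is a constructed sample in the Nmap XML format, not real scan output, and the `open_only` filter is my own addition.

```python
"""Flatten Nmap XML output into per-port rows for spreadsheet analysis.

Added example (not the Perl script from the original post). Uses only
xml.etree.ElementTree and csv from the Python standard library.
"""
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output: two hosts that are up, one with an OS match.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.14"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Column order for the spreadsheet export.
FIELDS = ["host", "hostname", "os", "protocol", "port", "state", "service", "product", "version"]


def parse_nmap_xml(xml_text, open_only=False):
    """Return one dict per port for every host that is up, sorted by IP, protocol, port.

    open_only=True keeps only ports whose state is exactly "open" (so "open|filtered"
    UDP results are dropped), which is usually what goes into a findings table.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never responded carry no port data worth exporting
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        hn_el = host.find("hostnames/hostname")
        hostname = hn_el.get("name") if hn_el is not None else ""
        os_el = host.find("os/osmatch")  # Nmap lists the best match first when -O was used
        os_name = os_el.get("name") if os_el is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if open_only and state != "open":
                continue
            svc = port.find("service")
            rows.append({
                "host": addr,
                "hostname": hostname,
                "os": os_name,
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    # Sort numerically on the IP so 192.0.2.9 lands before 192.0.2.10.
    rows.sort(key=lambda r: (int(ipaddress.ip_address(r["host"])), r["protocol"], r["port"]))
    return rows


def to_csv(rows):
    """Render the rows as CSV text that any spreadsheet application can import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap_xml(SAMPLE_NMAP_XML, open_only=True)))
```

Run it against a real file with `parse_nmap_xml(open("scan.xml").read())`; the original XML should still be kept alongside the CSV, since the flattened rows drop the scan arguments, timing, and reason fields that support the evidence in a work-paper.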

Password Length vs. Password Strength

Update: 1.1.2019 – This article is still relevant today but a little dated. I wrote another blog post about how I feel PCI-DSS Requirement 8.2.3 is failing organizations and making them less secure.

Take this hypothetical scenario (okay, it really wasn’t hypothetical at the time). You recommend to your client that a minimum password length of 8 characters be enforced, but they want a 6-character minimum and will instead enforce password complexity (alphanumeric and special characters).

As auditors we like to have facts to back up our recommendations. What better fact than simple math?

Password strength, measured as the number of guesses an attacker needs to brute force the password, is the number of characters available to choose from raised to the power of the length of the password.
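The formula above applied to the scenario’s two policies, as an added example rather than the post’s own figures: character-set sizes (26 lowercase, 62 alphanumeric, 95 printable ASCII for "complexity") and the guess rate are assumptions I supply for illustration, and the example goes slightly beyond the text by also expressing each keyspace in bits and summing the shorter lengths an attacker would try first.

```python
"""Keyspace arithmetic for comparing minimum-length and complexity policies.

Added example, not from the original post. Character-set sizes and the
guesses-per-second figure are assumptions chosen for illustration.
"""
import math

# Assumed character-set sizes; adjust to what the client's policy actually allows.
CHARSETS = {
    "lowercase": 26,      # a-z
    "alphanumeric": 62,   # a-z, A-Z, 0-9
    "complex": 95,        # printable ASCII, including special characters
}


def keyspace(charset_size, length):
    """Guesses needed to exhaust every password of exactly this length (the page's formula)."""
    return charset_size ** length


def keyspace_up_to(charset_size, length):
    """Guesses to exhaust every length from 1 to `length`, since attackers try short ones first."""
    return sum(charset_size ** n for n in range(1, length + 1))


def entropy_bits(charset_size, length):
    """The same keyspace expressed in bits, which makes policies easy to compare."""
    return length * math.log2(charset_size)


def compare_policies(policies, guesses_per_second=1_000_000_000):
    """Return (name, keyspace, bits, seconds_to_exhaust) tuples sorted weakest first.

    guesses_per_second is a constructed illustrative rate, not a measured one.
    """
    out = []
    for name, (charset, length) in policies.items():
        space = keyspace(charset, length)
        bits = round(entropy_bits(charset, length), 1)
        out.append((name, space, bits, space / guesses_per_second))
    out.sort(key=lambda t: t[1])
    return out


# The scenario from the post plus two reference points for the recommended length.
SCENARIO = {
    "8 chars, lowercase only": (CHARSETS["lowercase"], 8),
    "6 chars, complexity enforced": (CHARSETS["complex"], 6),
    "8 chars, alphanumeric": (CHARSETS["alphanumeric"], 8),
    "8 chars, complexity enforced": (CHARSETS["complex"], 8),
}

if __name__ == "__main__":
    for name, space, bits, secs in compare_policies(SCENARIO):
        print(f"{name:30s} {space:>20,d} guesses  {bits:5.1f} bits  {secs / 86400:10.1f} days")
```

The sorted output is the fact to put in front of the client: the ranking of the policies by keyspace does not depend on the assumed guess rate, only the absolute times do, so swap in the character-set sizes the client’s systems actually accept before quoting numbers.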