Update 02/07/2011: Arian Evans recently clarified he is really “Arian Evans” and not “Adrian Lane”, so I fixed that in the post below. Arian Evans gave the talk on the Six Application Security Metrics. Apologies for confusing the names :). Update 23/06/2011: Dreyer just clarified to me that int3pids were really third and not first …
Update 02/08/2011: This post tends to receive spam in the comments. I am sorry about that and I try to remove it as soon as I see it. You can read about where the spam is coming from here. Summary: I recently got word that I passed the CISSP exam. It took exactly 1 month …
Update 13/06/2011: Replaced “this guy” by “Kacper Szcześniak”, I was given his name today, thanks Marek! NOTE: Thank you to the Confidence team for letting me link to many of their images directly. Please note that there are more photos than I can use in a blog post, for the full listing of official photos …
Update 19:00 – Also related to this is this post by Carlos Perez, Unfortunately the script is not yet in the metasploit trunk today. But you can download it and copy it to the appropriate folders in the meantime. So, I compromised a Win2k8 R2 x64 host during a pen test and wanted to dump …
SSH provides shell access and as such it is one of the services that must be secured as well as it is possible. Step 0a – Change the default password IMPORTANT!: The first thing to do with Backtrack is to change the default password: To start the SSH service having the default password enabled is …
Do you still believe input validation is enough to fix Cross Site Scripting (XSS)? Billy Hoffman said it best at Schmoocon 2007 (4 years ago!!!) in his talk “JavaScript Malware for a Grey Goo Tomorrow” (fast forward to Q & A, minute 51:45): Person in the audience asks: “You said that AJAX doesn’t really change …
Update 01/08/2011: The videos are now up here. Thank you Tomasz! Update: Thanks to Jamie Duxbury (@w1bble) for hosting most of the pictures linked to from this page. I thought it was Soraya for some reason, sorry :). As I mentioned earlier: I was really honoured to attend BSides London and DC4420, aka Defcon London …
NOTE: This will work in backtrack, ubuntu and pretty much any Linux distro as far as I know There are times where you would like to open a service to the internet and it is ok to only allow one host/IP address to connect to you, for example: – Host-to-host transactions – During a pentest …
I recently got an interesting question via email: Hi Abraham, I was just wondering if you’ve ever used a tool called Angry IP scanner? Is it safe to use? Is there any risk of it crashing a host you are scanning? Regards, Short answer: Q: I was just wondering if you’ve ever used a tool …
Introduction When you setup the VNC server you can connect remotely with GUI access to Backtrack, for this reason, it is best to start the VNC server BEFORE you enter the GUI, that will save a little bit on resources such as RAM. The VNC server service will provide no encryption, so make sure you …