Skip to content

Posts tagged ‘Penetration Testing’


Curated List of Penetration Testing Reports

Julio Cesar Fort has started putting together a curated list of penetration testing reports from a variety of security consultancies. While the list is new, and not exhaustive yet, it’s on the right track and I look forward to seeing it grow. It’s always interesting to see how different companies do their reporting, and there is a lot to be learned in these reports. If you’re a professional penetration tester, the layout, structure and formatting choices are probably more interesting than the actual content in this case.

The list is on GitHub, so I’m sure we’ll start seeing others contributing soon:


Hi, I’m a Pen(etration) Tester!

The first thing people think when you tell them you’re a Penetration Tester:











What people think when you tell them you’re a Pen Tester:












Protip: Go with the first one.



Reverse SSH over Tor on the Pwnie Express

The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.

While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.

Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.

These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.

Read moreRead more


BackTrack 5 “Revolution” Released

The most popular security and penetration testing Linux distribution has been updated once again, this time built from scratch! BackTrack 5, codenamed “Revolution”, is based on Ubuntu Lucid LTS with kernel 2.6.38, and brings with it full 32 and 64-bit support, an ARM-compatible image, forensics and stealth modes, KDE (4.6) and Gnome (2.6) desktop environments, and (allegedly) over 350 updated security tools including Metasploit 3.7.0. Best of all it’s “aligned with industry methodologies”! Whatever that means ;)

It appears BackTrack 5 will only be available torrents for the time being. The torrents are available in the following flavours: Gnome ISO (32bit, 64bit, ARM img), Gnome 32-bit VMware Image, KDE ISO (32bit, 64bit). Here’s the BackTrack downloads page. Those of you wondering which flavour to get between Gnome and KDE, it’s largely dependent on one’s taste, but the BackTrack guys appear to be favouring Gnome (which was the default Ubuntu graphics environment). If you have no idea what to get, then grab the Gnome 32-bit ISO (or VMware image) using the links above. I recommend Transmission (Mac) or uTorrent (Mac/PC) for BitTorrent clients. For anyone who hasn’t used BT before, the default username and password is root/toor.

BackTrack is a great tool for network security specialists and penetration testers, but it’s an even more valuable resource for people looking at learning more about application and network security (and Linux). Although I do have an Ubuntu install, I tend to use BackTrack more often due to the convenience (when I’m not using OSX that is ;).

It’s not possible to upgrade from BT4r2 to BT5, so those of you with installations of BackTrack 4 will need to reinstall (or download the new VM).

Check out their shiny promotional video below!

[Updated] BackTrack 5 R2 is now available, and brings a new kernel and 42 new tools. You can update your existing BT5 (R1) installation by running:

echo “deb revolution main microverse non-free testing” >> /etc/apt/sources.list

apt-get update

apt-get dist-upgrade


BackTrack 5 “Revolution” in Development (Screenshots)

Click to enlarge

BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.

An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.

Here are a few teaser screenshots of BT5.

[Updated 10/5/2011] BackTrack 5 is out!


Pic of the Week: Real-World Penetration Testing

Can’t remember where I found this image, but it’s an amusing hyperbole of the sometimes limited or frustrating nature of penetration testing. Anyone who’s done pen testing/ethical hacking as a job will be able to appreciate the various points along the graph.

To the unknown author of this image: we feel your pain. ;)

There just one thing… I get M, T, W and F along the X-axis… wtf’s R ??


Clever Full-Site Tracking with XSS-Track

Cross-site Scripting (or XSS) is a common web application vulnerability with varying levels of severity. Generally the capabilities of a XSS are limited to the locations of vulnerable inputs and outputs, and crafting complex XSS payloads can be a time-consuming process.

XSS-Track (cached) helps simplify cross-site scripting by allowing the attacker to silently track the user across the entire site, using a single embedded XSS. It does this by cleverly creating a full-window invisible iFrame, and maintaining control of that window as the user browses the site. This also allows the attacker to look for valuable pieces of information, such as passwords or credit card numbers.

Combining XSS-Track with the older XSS-Shell script, which turns the browser into a zombie of sorts, could give an attacker a significant amount of power over infected sites and their users.

Firefox users may want to consider using the NoScript extension to protect themselves from unknowingly running malicious scripts. Despite having some limited XSS protection, and a JavaScript Blacklist extension, Safari unfortunately does not afford nearly the same protection as the whitelist-style Firefox+NoScript combination. If someone releases a NoScript-style JS Whitelist for Safari then it’ll be a big step forward.