Topic: Penetration Testing Video Tutorial

Good morning guys,

Wanna share with you some videos on how pen-testing is done.

Part one: http://www.ethicalhacker.net/content/view/227/24/

Part two: http://www.ethicalhacker.net/content/view/238/24/

Hopefully one of the members will give us a session on how this is done and how we can learn more about it.

Damn, it's 3:45am yikes... I better go get some sleep!!!

Cheers,
Zak

Re: Penetration Testing Video Tutorial

I'm curious what people use to conceal themselves while using these tools. Tor?

Also interesting http://www.youtube.com/watch?v=GVmLUODNyvo [DefCon]

Re: Penetration Testing Video Tutorial

Tor is a must I guess. I love the idea of rerouting your connection through other users/volunteers.

And I'm sure there are other ways, probably disabling Java, JavaScript, cookies, changing MAC address, physical location like doing it from an internet cafe, clearing logs after the hack is complete, leaving a back door.

I'm not sure if this is correct but maybe someone can add more stuff.

And thanks for the video. I love it.

Are you into security? Linux? Programing?

Re: Penetration Testing Video Tutorial

Well, I'm into learning more... of everything.
I use GNU/Linux in various flavors at work and at home, and I end up touching a bit of everything - programming, networking, admin, a bit of hardware.

I've found that it has a very strange learning curve - it takes a really long time to understand how simple it is.

Re: Penetration Testing Video Tutorial

Dude, you must be lucky. I wish they'd implement open source in my company. I just use it at home (sometimes).

I'll see ya in the next meet-up... You can tell me more about your experience.

Re: Penetration Testing Video Tutorial

Let's not forget Iron Geek, guys. That guy makes security as easy as counting the number of limbs you have. Course, Etisalat blocks that, but any Linux user with a tiny chunk of common sense can bypass those incompetent idiots.

It's amusing, once Etisalat sponsored hack.ae, but blocked all the links required as resources. How amusing is that? Hypocrisy, much?

Also, Zak, 3:45 AM is the time hackers are UP, man ;D It's the time to be awake, not sleeping.

Last edited by AdmiralA (31-May-2009 02:31:04)

Let's just pretend I said something amusing here and you consider me awesome for the rest of your life.
Signature objective: ACCOMPLISHED.

v4sw6+8CHPSUYhw5ln6pr6ck7+9ma6+9u8FLNOw2DNWXm3l8DGLRSUOAamix/i52N0e4+9t3Mb9AGHMOPRSTen7a19s4+5r5p-1.25/-5.08g8ACPTV

Re: Penetration Testing Video Tutorial

I agree with you man... Iron Geek is just amazing... and yeah, about all the Etisalat stuff, but I would suggest not putting that in public...

I've got 2 questions:

1/ Since you are an expert, why don't you elaborate on the anonymity part and what we should do to be 110% anonymous?
You could also be kind enough to post a new topic about it.

2/ What do you think of below, do they make any difference in security?

linuxhat wrote:

Tor is a must I guess. I love the idea of rerouting your connection through other users/volunteers.
And I'm sure there are other ways, probably disabling Java, JavaScript, cookies, changing MAC address, physical location like doing it from an internet cafe, clearing logs after the hack is complete, leaving a back door.

Re: Penetration Testing Video Tutorial

AdmiralA wrote:
Course, Etisalat blocks that, but any Linux user with a tiny chunk of common sense can bypass those incompetent idiots.

You don't need any Linux knowledge for it. And where do you get the right to say they are incompetent idiots? I don't say they are smart and clever, but what do you want to do against e.g. a VPN tunnel? Blocking 1723? Well, what if I remap to another port? The whole "security" concept is gone. There is no chance of preventing malicious stuff like that, my friend. No matter if it is Etisalat or any other telecommunication provider.

linuxhat:

1.) There is and will be no 110% or even 100% anonymity. As hard as you try to cover your tracks, you cannot make it. There are good chances with some kind of software like TOR.

2.)

linuxhat wrote:
probably disabling Java, JavaScript, cookies

This is just security by obscurity and won't help you anyhow.

linuxhat wrote:
changing MAC address

What for? That only works in LAN/WAN environments. But if you are in there anyway, you are already tracked.
MAC is not something that works on the Internet (have a look at ISO/OSI and how routing works).

linuxhat wrote:
physical location like doing it from an internet cafe

Same. Security by obscurity.

linuxhat wrote:
clearing logs after the hack is complete, leaving a back door.

If you expect amateurs to be doing the after-hack research, you might be successful. But (advanced) forensic techniques will own you.

/xai

Re: Penetration Testing Video Tutorial

Thanks for your input Alexander. That's interesting, and I'd appreciate it if you explained these ideas in more detail.

xaitax wrote:

There is and will be no 110% or even 100% anonymity. As hard as you try to cover your tracks, you cannot make it. There are good chances with some kind of software like TOR.

What other software can be used?
I would imagine that a combination of different technologies will make it even better. If you agree, what do you recommend?

xaitax wrote:

linuxhat
probably disabling Java, JavaScript, cookies

This is just security by obscurity and won't help you anyhow.

I don't get you here. Check number 2 & 3 in the warning section: https://www.torproject.org/download.html.en#Warning
What do you think?

xaitax wrote:

Same. Security by obscurity.

I don't get this either. As far as I know, location is very important. Can you explain why you don't agree?

xaitax wrote:

If you expect amateurs to be doing the after-hack research, you might be successful. But (advanced) forensic techniques will own you.

Why didn't these advanced gurus "own" those blackhats who screw around without being tracked?
Are you going to blame the gurus for not being as guru as they should be, or is it just that the hackers/crackers were really good?

Thanks.

Re: Penetration Testing Video Tutorial

Hi Zak,

linuxhat wrote:

What other software can be used?
I would imagine that a combination of different technologies will make it even better. If you agree, what do you recommend?

For example JAP[1]. There are a couple of those projects, some working more or less well.
To be on the safe side, make sure you are datapiping through lots of servers under your control - which doesn't imply they are owned by you. And it would be an advantage if those servers were in countries which are not that famous for their legal actions, like Panama, etc.

linuxhat wrote:

I don't get you here. Check number 2 & 3 in the warning section: https://www.torproject.org/download.html.en#Warning
What do you think?

It is "helpful" somehow. I didn't deny it. But they just blur your tracks. The connection to the server itself is still established. And *this* is the bad and dangerous part of the story.

linuxhat wrote:

I don't get this either. As far as I know, location is very important. Can you explain why you don't agree?

Same as above. I don't disagree completely. But there are a couple of things you must keep in mind. CCTV, registrations, etc. It does not help you 100% in achieving the goal you are interested in, which is to cover your tracks completely.

linuxhat wrote:

Why didn't these advanced gurus "own" those blackhats who screw around without being tracked?
Are you going to blame the gurus for not being as guru as they should be, or is it just that the hackers/crackers were really good?

It is a mixture of both. I think we agree that you can hide your ass very well if you want.
And those forensics "gurus" seem not to be that good, if they don't get you. There are just a few people around who do *real* expert forensics. In the Netherlands, for example, there is a company which is extremely good.
On the other side, there are extremely good guys out there, anyway.

I hope it is more clear now what I meant.

Rgds,
Alex

[1] http://en.wikipedia.org/wiki/Java_Anon_Proxy

Re: Penetration Testing Video Tutorial

xaitax wrote:

You don't need any linux knowledge for it. And where do you get the right to say they are incompetent idiots? I don't say they are smart and clever, but what do you want to do against e.g. a VPN tunnel?  Blocking 1723? Well, what if I remap to another port? The whole "security" concept is gone. There is no chance to prevent against malicious stuff like that my friend. No matter if it is Etisalat or any other telecommunication provider.

I never stated Linux was a required prerequisite. I merely implied that the average Linux user is bound to be aware of that option. I publicly claim they're incompetent just to tick them off, but they're generally stupid anyway. There are a lot of exploits that are capable of being used against Etisalat, but those that do take such kinds of action usually are never apprehended unless they do something serious, because they have too many people to go after. Etisalat messes up a lot with proxy caching and such, and we all remember that incident where people could log into other Gmail accounts.
Of course, no ISP, hacker, programmer, corporation, or any such entity is without fault, it just happens that we conveniently blame Etisalat because we hate them for blocking completely rational sites and being the most expensive telecommunications company in the world.

I agree with xaitax on most of his points about anonymity. Strictly speaking, there's no need to bother with anonymity unless absolutely required. Often, being paranoid in situations that don't require paranoia is what trips you up.

Uh, yeah, and most of these 'gurus' that you mention aren't really gurus at all, just living, breathing textbooks. The second they encounter a situation they haven't studied before, they hyperventilate.
There are very few people, as xaitax said, who are actual experts at hacking and/or forensics, and they tend to get the majority of their knowledge from practical experience. The best way to learn is by doing, not by imprinting photocopies of the book in your head. Seriously, very few of the white hats that you encounter, regardless of the stack of certificates they possess, are actually *knowledgeable* in their field.

Remember, folks, the number of books you study and certificates with your name branded on them are *not* a measure of knowledge.


Re: Penetration Testing Video Tutorial

Call me CISSP ... *sing* *jump around*
lol lol

Re: Penetration Testing Video Tutorial

xaitax wrote:

For example JAP[1]. There are a couple of those projects, some working more or less well.
To be on the safe side, make sure you are datapiping through lots of servers under your control - which doesn't imply they are owned by you. And it would be an advantage if those servers were in countries which are not that famous for their legal actions, like Panama, etc.

That's very interesting, I should learn more about these... Guess I should move to Panama lol

xaitax wrote:

I hope it is more clear now what I meant.

Yes it is, thanks. But it's never enough...
If I keep asking, I won't stop lol

xaitax wrote:

Call me CISSP ... *sing* *jump around*
lol lol

Can I be called CISSP as well?
Damn, I wish lol