Information Security – By Offensive Security

5 09 2010

One stop infosec shop – the Offensive Security guys have thrown a whole bunch of juicy links together in one place – it's worth a look:

The Future of Information Security – Offensive Security

Information Security is a vast and deep realm with many facets. Often, companies find themselves confused trying to find quality training, effective awareness programs or more meaningful certifications. In the end, many are left searching Google trying to find answers.

Offensive Security has put together a set of resources to help your company in its mission to become more secure. Our mission statement is – “Security Through Education”. To us that is not just a statement, it is a way of life. Below is a list of resources that are at your disposal to give you some of the best security based education in the world today.

via Information Security – By Offensive Security.





The Ethical Hacker Network – Maltego 3: First Look

5 09 2010

Recently read a great review on Maltego – it's a quick walk through on digging the internet for information on an individual, from just a name, to email addresses, photos to physical location & phone numbers – it's worth a read, and worth a download & play with the free version.

What is Maltego?

Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in an easy to understand format.

Maltego, developed by Roelof Temmingh, Andrew Macpherson and their team over at Paterva, is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing. Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it’s a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.

In this article we explore Maltego 3 and examine its fundamental features and a little hands-on with the newly designed version. If you haven’t already had a chance to upgrade to or pick up Maltego 3 you are missing out.

via The Ethical Hacker Network – Maltego 3: First Look.





Metasploit and social engineering toolkit SET on iPhone 4

17 08 2010

Having recently (1 week & counting) upgraded my iPhone 3G to a shiny new HTC Desire (more coming on that later), I was quite interested to see that someone has successfully ported metasploit & SET to an iPhone 4 … now to see if it will run on my now spare iPhone 3G ….

Metasploit 3.4 and SET 0.6.1 on iPhone 4

Posted Aug 7 2010 by muts in Offensive Security with 1 Comment

[Image: Metasploit 3.4.2 on the iPhone 4]

Just a quick update on getting your favorite tools on iOS 4 – Metasploit and SET. You need to have a Jailbroken iPhone with SSH access for this. You will also need to install nano and APT 0.7 Strict via Cydia. Getting everything up and running is a breeze now. Open a console and type in:

cd /private/var/

apt-get install subversion nano ruby rubygems wget python

apt-get clean

wget http://www.metasploit.com/releases/framework-3.4.1.tar.bz2

tar jxpf framework-3.4.1.tar.bz2

cd msf3

svn update

Remember that everything takes a bit more time on the iPhone, be patient while running msfconsole for the first time. Once that’s done, it's a quick path to a shell:

[Screenshot: Metasploit 3.4 and SET 0.6.1 on iPhone 4]

via Metasploit and social engineering toolkit SET on iPhone 4.





Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | SecManiac.com Blog

17 08 2010

hehehe … it was only a matter of time. With devices such as the original YubiKey that I have been using being able to be programmed to auto launch a website when plugged in, it's good to see the idea going to the next level:

Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector

Posted by relik @ 8:31 pm

The Teensy devices (http://www.prjc.com) are Arduino based devices that allow you to utilize onboard memory storage on a microcontroller and emulate a keyboard/mouse. The Social-Engineer Toolkit (SET) gives you the ability to choose Metasploit based payloads and drop a small download stager either through WSCRIPT or through PowerShell to download a backdoor from a remote IP/machine and execute it on the system itself. Why this attack is so useful is that it emulates a keyboard 100 percent, so you can essentially bypass any autorun protections on the system since it's a keyboard, not a flash drive or CD/DVD type autorun attack. SET handles the entire creation from a webserver housing the malicious payload, to the actual Metasploit handler.

via Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | SecManiac.com Blog.

Original credit appears to be going to irongeek from his very detailed original posting – including pictures (we all like pictures) here: Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device
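As an added illustration (not code from the SET post or from irongeek's write-up): the host applies removable-media autorun policy according to the interface class a device declares in its USB configuration descriptor, and a keyboard-emulating board declares HID rather than mass storage. The sketch below walks a raw configuration descriptor and flags keyboard interfaces that are not on an allowlist; the descriptors, the vendor/product IDs and the allowlist are all constructed for the example.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08            # USB interface class codes
KEYBOARD_PROTOCOL = 0x01                  # HID bInterfaceProtocol: keyboard
# Hypothetical allowlist of (vendor_id, product_id); placeholder values.
APPROVED_KEYBOARDS = {(0x1111, 0x0001)}


def build_config(*descriptors):
    """Prefix constructed descriptors with a 9-byte configuration header."""
    body = b"".join(descriptors)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), 1, 1, 0, 0x80, 50) + body


def interfaces(config):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == 0x04 and length >= 9:  # INTERFACE descriptor
            yield tuple(config[i + 5:i + 8])
        i += length


def review_device(vid, pid, config):
    """Return findings for one newly attached device."""
    findings = []
    for cls, _sub, proto in interfaces(config):
        if cls == MASS_STORAGE:
            findings.append("storage: removable-media/autorun policy applies")
        elif cls == HID and proto == KEYBOARD_PROTOCOL:
            ok = (vid, pid) in APPROVED_KEYBOARDS
            findings.append("keyboard: approved" if ok
                            else "keyboard: NOT approved, alert")
    return findings


# Constructed sample descriptors (interface, HID and endpoint descriptors).
KEYBOARD_CFG = build_config(
    bytes([9, 4, 0, 0, 1, HID, 1, KEYBOARD_PROTOCOL, 0]),
    bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0]),
    bytes([7, 5, 0x81, 3, 8, 0, 10]),
)
STORAGE_CFG = build_config(
    bytes([9, 4, 0, 0, 2, MASS_STORAGE, 6, 0x50, 0]),
    bytes([7, 5, 0x81, 2, 0x40, 0, 0]),
    bytes([7, 5, 0x02, 2, 0x40, 0, 0]),
)

if __name__ == "__main__":
    print(review_device(0x2222, 0x0002, KEYBOARD_CFG))
    print(review_device(0x3333, 0x0003, STORAGE_CFG))
```

The check only recognises interfaces that declare the keyboard protocol in the interface descriptor, and vendor/product IDs are reported by the device itself, so treat the allowlist as one signal alongside port control and user awareness.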





Social-Engineer.org Newsletter – Vol. 02 Issue 09

8 07 2010

If you read one thing linked from my blog – READ THIS. It's pretty scary how easy it is to get enough information to steal someone’s identity. Follow the link & read the rest of the story, it puts the internet into a bit of perspective.

{quote}

An Invasion of Privacy

DISCLAIMER:

This is ABSOLUTELY for informational purposes ONLY. Social Engineer.org is TOTALLY not responsible for how you choose to use this information.

This month we received a story from a person who was tired of receiving spam from a certain person. Although this focuses on how to gather real information on real people, we by no means support using this information to harm or harass anyone.

The email that I received was not the run-of-the-mill malware/spambot/whatever style email. The email was coming from his email address, using his business’s name, and advertising his business. I would have never posted this had I any doubt that this may not have actually been sent, by him, in some fashion.

I happened to receive a piece of spam at the exact moment as I was going to start a post about privacy and anonymity on the Internet. I will consider this to be a sign from God that this dude needed to be set straight. Okay, maybe not. I’m not sure what the bible says about spam, but if I were God, it would be into the pits of hell for them. So, since I cannot cast people into eternal suffering in a fiery pit, I will have to settle for second best. Pwnage!

What’s even better, none of what I’m about to do is illegal. It’s a serious, serious invasion of privacy, and you definitely don’t want it to happen to you, but all of it can be harvested through public record, social networks, forum posts, etc etc etc.

via Social-Engineer.org Newsletter – Vol. 02 Issue 09.

{/quote}