Practicing hacking and penetration techniques

I've been involved with a couple of pen tests where I work in the last couple of years, mainly the old iL2 & 3 accreditations and Cyber Essentials Plus accreditation.

Cyber Essentials Plus, bleugh, essentially a glorified Nessus scan, one of the more boring pen testing tasks, almost as bad as ASV scans and vulnerability scans.
 
Thanks for the links.

I never thought of looking into this. It will make me a lot more confident in setting up a public facing server if I know what holes people look for :)
 
I think I should be the person who decides that my systems are secure. I DO NOT WANT unauthorised people hacking my accounts. Even if they have no malicious intent. It's like pooping through my letterbox, I did not ask for it and DO NOT WANT IT!

Sure, because malicious hackers wouldn't hack your systems if you asked them politely not to.

If my system was vulnerable I think I'd like to know about it and if possible how to fix it.
 
I can give you some sites if you want? It depends on your experience and the level of penetration you're after though?

Are you looking for a quickie in and out job? Not really looking to go too deep and are happy with just the tip, of the iceberg type sites.

Or are you looking for the more hardcore backdoor penetration up to your elbows in it type thing, where if you make the wrong move the **** might hit the fan
 
I can give you some sites if you want? It depends on your experience and the level of penetration you're after though?

Are you looking for a quickie in and out job? Not really looking to go too deep and are happy with just the tip, of the iceberg type sites.

Or are you looking for the more hardcore backdoor penetration up to your elbows in it type thing, where if you make the wrong move the **** might hit the fan??

:D :p
 
Cyber Essentials Plus, bleugh, essentially a glorified Nessus scan, one of the more boring pen testing tasks, almost as bad as ASV scans and vulnerability scans.

Oh I couldn't agree more, but needs must for that tick in the box. Was very surprised to hear how many companies fail it though :eek:
 
Oh I couldn't agree more, but needs must for that tick in the box. Was very surprised to hear how many companies fail it though :eek:

Yeah, a lot tend to need 2 goes at it, one to see what's wrong, then they fix the issues and then round 2 is usually the passing one. Most of the issues tend to be Server 2003 boxes and fixing that takes some time. One of my colleagues is doing a standard Cyber Essentials this week and the client has 8 Server 2003 boxes.... yeah, we'll see them again in a good few months.
 
About 70% of the penetration testers I have come across have been completely incompetent (I get oversight on the reports we receive a lot of the time when a test has been performed against our customers' systems).

The amount of time where you end up facepalming at some of the things that they come up with which are just wrong because they don't actually understand what they are doing or the systems they are trying to scan. The number of people who have read an article on Nessus, installed it and think they are a pen tester is scary ....
 
On a slight tangent, should large companies be required to run penetration testing and security audits by law? It seems like more and more companies (absolutely monstrous companies) are being hacked and customers' information is being stolen.

When you read about some of the largest hacks in history, or at least the highest profile ones, they are quite often ridiculously simple. These are companies worth billions who are not taking the security of their customers' data seriously and there seem to be little in the way of consequences.

The knowledge of the average person is almost non-existent, so all the information for site X is stolen and they say "oh it's ok, I don't have my credit card on there".

They don't realise that your address, name, date of birth, password, security questions have all been compromised. All your other sites that use the same password could now be accessed. If they get access to your email account then suddenly they don't even need your password anymore. Security these days for most companies is as good as "forgot your password, we'll just send an email to you and you can choose a new one".
 
About 70% of the penetration testers I have come across have been completely incompetent (I get oversight on the reports we receive a lot of the time when a test has been performed against our customers' systems).

The amount of time where you end up facepalming at some of the things that they come up with which are just wrong because they don't actually understand what they are doing or the systems they are trying to scan. The number of people who have read an article on Nessus, installed it and think they are a pen tester is scary ....

What's worse is when companies gloss up a Nessus scan as a pentest. Customers would buy this thinking they're getting a proper pentest when what they are getting is far from it.....
 
Noob question. Why do people want to hack?

Because it's a problem, and I like solving problems.

Never take something apart to see how it works or to try and make it better?

It's kind of like asking why pharma companies create diseases, so they can cure them.
 