Recently I was interviewed about WNL by Jay Turla from the InfoSec Institute. If you are new here and wanna read about the beginnings of WNL, check it out:

~Douglas

Today WeakNet Labs has accepted a partnership with Hakin9 Magazine! Wikipedia

Hakin9 is payable weekly magazine totally devoted to IT security. It covers techniques of breaking into computer systems, defense and protection methods, tools and latest trends in IT Security.

Back when I was a technician for my university, I was following hakin9 magazine closely and would pick it up in the local book store. Their articles on malware analysis were the absolute most technical and thorough at the time. Disassembling exe files, network analysis of running malware, and much more, their articles took me on a long never ending adventure. It was a sad day when I couldn’t find the latest issues any longer in the store. Along with this partnership, I will be writing something for them in the future as well.

~Douglas.

One of my Beta testers hosts his own infosec training course called “Ninja Security.” I had the pleasure of taking some of the course materials (Real world Penetration Testing) and, even though they were in Arabic language, the OS, presentations, and configuration files were all in English, so it wasn’t hard to follow along at all. He attacks vulnerabilities very creatively and his presentation is very clear. He even uses WEAKERTHAN 3.6 for the WPA(2) Phishing Attack, and WiFiCake-ng! :D The Ninja Security Teams Penetration testing to the Max course is completely in English and his their latest course release.

http://ninja-sec.com/

Ninja Security Syllabus

Information Intelligence Techniques

• Open Source Intelligence Gathering
• Stealth Auditing and Network Scanning
• Advanced Network Reconnaissance
• Enumerating Internal Network From Outside

Web Exploitation Techniques

• Advanced SQL Injection Exploitation (MYSQL + MS-SQL + ORACLE )
• Advanced Blind SQL Injection Exploitation (MYSQL + ORACLE )
• Exploiting File Uploads to Full System Access
• Exploiting Remote File Include to Full System Access
• Exploiting Local File Include to Full System Access
• Exploiting XSS Reflected to Full System Access
• Exploiting XSS Stored to Full System Access
• Exploiting Command Injection to Full System Access
• Exploiting CSRF to Full System Access

Attacking and Owning Techniques

• Owning FULLY PATCHED systems with ( un-guessable/un-crackable passwords and OS protections like ASLR and DEP )
• Owning Windows Domain Controller from Outside
• Owning Windows Domain Controller from Inside
• Owning MS-SQL-Oracle-MySQL Databases
• Attacking and Owning VOIP Systems

Privilege Escalation Techniques

• Privilege Escalation in Windows ( from Guest to System )
• Privilege Escalation in Linux ( from nobody to Root )

Tactical Post Exploitation Techniques

• Tactical Windows Post Exploitation
• Tactical Linux Post Exploitation
• Tactical Mac OS X Post Exploitation

Bypassing and Defeating Techniques

• Bypassing and Escaping Restricted Environments
• Bypassing Group Policy
• Evading Anti-Virus ( 100% clean )
• Defeating PHP security
• Defeating (XSS , Sql Injection , File Upload ) Protections
• Defeating Web Application Firewall (mod security)
• Bypassing Port Security and NAC solutions
• Prerequisites: Students should be familiar with Metasploit, and VMWARE.
• Pricing: 1,500 USD
• what is included : Course Guide , Videos , Tools and Vmware Images are provided.

I’d fully recommend it, [Real World Penetration Testing] even to those who do not speak Arabic, simply for the clear demonstrations, huge amount of hard work planted into the course materials, and for his support. And again, the latest course by the Ninja Security team is completely in English: Penetration testing to the Max. :)

Thank you Ninja Security Team!!

~Douglas.

Well, I made an entry into the contest and some people actually liked it! So head over to: http://blog.rapid7.com/?p=6156 and make a vote! You don’t necessarily have to vote for my entry (Which is #44) but it would be nice! If I win, for some reason, I am giving the winnings over to http://johnny.ihackstuff.com/ :)

It’s so fitting, I mean think about it! To vote you can post it to your Twitter account with the hash tag: I’m voting for Metasploit T-shirt design #[number]! http://bit.ly/e4wsPt #metasploitswag

I Tweeted about this article this morning. My brother emailed me the link from slashdot about a Dutch judge ruling that routers are not computers, and that hacking them is legal. Hrrmm. His definition of a computer is so:

A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes.

Awesome. But my router stores bytes. In fact, the web-based administration panel contains images and css styles that exist in the router’s firmware. Also, most routers since 2009 have USB ports on them, just like computers do. These can be used for anything if you have liberated the router by using OpenWRT, but the main purpose, according to the manufacturers, are for “USB storage ports.”

If you think about this scientifically, there are in fact nanoseconds in which the data exists within the router even while passing through. Sure this could be close to the speed of light, but if I were running a packet sniffer on the router, I would definitely see the data being transferred and can store it just the same.

The judge also said this, according to this article (which I really believe is a really early April Fools joke from the Netherlands.):

He said that unsecured networks you can say that no security is broken.

So, when can expect the same liberty here in the states? I’d like to not have to pay for my internet connection too! :P