lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <b7a807650511230233g7b790568n40bb0af7f074d351@mail.gmail.com>
Date: Wed Nov 23 10:33:17 2005
From: unknown.pentester at gmail.com (pagvac)
Subject: Hacking Boot camps!

In my opinion penetration testing is nothing more than legal cracking.
Breaking into computers doesn't make you a hacker.

I can teach my girlfriend how to run nessus over the Internet and use
the Metasploit web interface in  a few hours. In just one day I can
teach her how to successfully find vulnerable hosts on the internet
and how to break into them gaining root access.

This doesn't mean she will become a hacker, it just means that she
learned a few techniques that allow her to break into computers.

Sadly enough, even big corporations are vulnerable to these types of
attacks because you still see machines these days not being patched
regularly.

Anyways, from my experience in penetration testing the hacking kicks
in when it seems that there is nothing left you can try to break into
a system. That's the hard part, that's when creativity and "thinking
outside the box" kicks in.

For those that think that a magic paper or lesson will teach them
everything they need, they will always be doomed to not be able to
discover new things by themselves.

I agree with the previous posts: experiment! Don't expect people to
teach you. Try techniques you read about and try to come up with new
attacks on your own, without having to go to the next chapter in a
book.

So far, the people I've met that I consider true hackers are people
that try to come up with interesting ideas and experiment with them.
That's all it's about.

IMHO hacking is not for people that believe in theory.


On 11/23/05, pagvac <unknown.pentester@...il.com> wrote:
> In my opinion penetration testing is nothing more than legal cracking.
> Breaking into computers doesn't make you a hacker.
>
> I can teach my girlfriend how to run nessus over the Internet and use
> the Metasploit web interface in  a few hours. In just one day I can
> teach her how to successfully find vulnerable hosts on the internet
> and how to break into them gaining root access.
>
> This doesn't mean she will become a hacker, it just means that she
> learned a few techniques that allow her to break into computers.
>
> Sadly enough, even big corporations are vulnerable to these types of
> attacks because you still see machines these days not being patched
> regularly.
>
> Anyways, from my experience in penetration testing the hacking kicks
> in when it seems that there is nothing left you can try to break into
> a system. That's the hard part, that's when creativity and "thinking
> outside the box" kicks in.
>
> For those that think that a magic paper or lesson will teach them
> everything they need, they will always be doomed to not be able to
> discover new things by themselves.
>
> I agree with the previous posts: experiment! Don't expect people to
> teach you. Try techniques you read about and try to come up with new
> attacks on your own, without having to go to the next chapter in a
> book.
>
> So far, the people I've met that I consider true hackers are people
> that try to come up with interesting ideas and experiment with them.
> That's all it's about.
>
> IMHO hacking is not for people that believe in theory.
>
>
>
> On 11/23/05, Barrie Dempster <barrie@...oot-robot.net> wrote:
> > On Tue, 2005-11-22 at 23:57 -0500, Valdis.Kletnieks@...edu wrote:
> > > Keep in mind that 98% of systems are nailed by either automated worms or
> > > people running canned stuff.  Just because it's not "real hacking" doesn't
> > > mean it doesn't actually work in practice.
> >
> >
> > Quite right, the majority of security incidents dealt with by
> > administrators (the guys that have a use for these courses) are the
> > automated/canned/known attacks, so for people in that position an
> > understanding of these attacks is extremely important for their own
> > network defense. These courses usually market themselves to the guy
> > looking to understand how systems are compromised. They are most useful
> > for pen-testers that rely on vulnerability scanners and the sysadmin
> > looking after his network.
> >
> > For the guys writing the exploit code and figuring out to work around
> > things like ProPolice and DEP these courses won't help - no matter how
> > in depth they are, because figuring these sort of details out doesn't
> > require any knowledge you can be taught in a classroom, it requires
> > dedication and in most cases addiction to the task.
> >
> > There definitely is a market and a value in these courses as they raise
> > the general security awareness of network administrators. A common
> > question among guys working in these sort of roles is "How do I get to
> > do that cool security stuff", the sad thing is the fact that they don't
> > already know the answer means they probably will never be any good, as
> > the most important part of it is ingenuity and initiative as well as the
> > dedication/addiction mentioned above.
> >
> > The common mantra used within this sort of training is "think like an
> > attacker". My opinion is if you have to be taught that, you can never
> > think like an attacker, because the attacker doesn't have to focus his
> > thoughts he is always, automatically, looking for a way
> > around/over/under/through. The guy trying to think like an attacker is
> > focusing on his adversary when the real focus should be his systems,
> > because that's where the attackers focus is.
> >
> >
> > --
> > With Regards..
> > Barrie Dempster (zeedo) - Fortiter et Strenue
> >
> > "He who hingeth aboot, geteth hee-haw" Victor - Still Game
> >
> > blog:  http://reboot-robot.net
> > sites: http://www.bsrf.org.uk - http://www.security-forums.com
> > ca:    https://www.cacert.org/index.php?id=3
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ