Pentoo 2012 a Penetration Testers Distro of Gentoo Linux

I’ve never seen Pentoo before, but couldn’t resist taking a peek when I saw it mentioned in the Defcon news briefs floating around. Basically, Pentoo is Gentoo Linux with a bunch of security-focused tweaks and additions.

I am married to Backtrack and am not interested in switching to another Linux Security Distro, but Pentoo does look enticing. It is loaded with tools that fit very well with a pentester. A quick look in the application directory and you will see the programs grouped Backtrack-style under headings like:

  • Analyzer tools
  • Bluetooth
  • Database
  • Exploit
  • Forensics
  • MitM
  • SIP/VoIP
  • Wireless

Under each group you will find a slew of programs that would make any security guru giddy.

Tools like:

  • MSF Console
  • W3af Console
  • Autopsy
  • Burpsuite
  • Nessus
  • Aircrack-ng
  • Kismet
  • Development Tools
  • and many more…

I really liked Pentoo, but as the developer mentions on his site, it is in Beta form right now. Several times I received errors when clicking on menu items. The project is very interesting though and definitely worth checking out!

Defcon Badge Package Pictures

As usual, I was unable to attend Blackhat/Defcon yet again. But we did have an “official reporter” for CyberArms there this year. The only problem is a little Tornado decided to crash into our home city and screwed things up. We were without power and internet for 4 days!

Well, heck with the Tornado, here are at least some cool pics of the Defcon Badge Package:


Thanks HLW!

Surviving a Public Infrastructure or Energy Grid Attack

“Destructive cyber-attacks against critical infrastructure are coming” – Gen. Keith Alexander said last Thursday at a public interview in Aspen, Colorado.

Are you ready?

What would you do if the lights suddenly went out? If power was out for days on end? Where would you get news from? Or, more importantly, water? Keep cool or get heat? Though many disregard the government’s warnings about critical infrastructure attacks, what if the worst did happen? Would you be prepared? All these questions and answers became much more real to me the last few days.

Last Thursday our city was hit by a tornado. “That’s not a cyber attack!” I can already hear many say. But if power did go out, along with other public utilities at the same time, would it really be that much different? And what if it was a natural disaster instead of a cyber attack from China, Russia or Iran?

It may be neither, but faulty, antiquated or overtaxed equipment. Three hundred and seventy million people in India just lost power through a power grid crash. That is more people than the US & Canada combined. So the question still stands: would you be prepared?

The night of the storm, we lost all electric and all means to communicate to the outside world. Land line phones were dead, cell phone towers damaged. Relatives and others that live outside the city also lost running water.

Here is a list of things that I found to be very helpful:

  • Matches, candles, and flashlights
  • Cash on hand (no ATM access!)
  • Battery powered radio
  • Ice to keep food from going bad
  • Non-perishable food items
  • Water (bottled is great!)
  • Camp Stove or even an outdoor grill!
  • Walkie Talkies especially if you have family near
  • Cell phone
  • iPad or Android Tablet – With car charger!

The worst is not knowing. Not knowing if friends and family are okay, if more bad weather is on the way, not knowing when utilities will be restored, not knowing when things will be returned to normal.

Not only was our ability to get local news hampered (local news stations were also knocked out), but voice cell phone communication was non-existent the first couple of days and texting was intermittent.

The cell phone became our life line. We ended up getting our local emergency news and reports forwarded from a relative that lived in Florida!

Food was a huge concern, especially not knowing how long power would be out. I found that three bags of ice (luckily a local grocery store was unharmed) stacked one on top of the other fared pretty well keeping the freezer cool. Eventually, when emergency services supplied dry ice, a block of dry ice next to the bags of ice kept the freezer very cold and kept both dry ice and bagged ice from melting.

The iPad and Android tablets seem an odd addition to the list. You would not believe how helpful they were during the outage, especially when you live in a house full of 2.0 teenagers who are as addicted to tech as you are. Locally stored Kindle books helped pass the time, and the mobile devices acted as a helpful mini light source when navigating the house at night. The long battery life on the iPad was a godsend too!

As roads cleared, getting out with these devices and connecting to public Wi-Fi helped to get news and tell family members that all was well.

Having firearms was also a huge peace of mind. It is an eerie feeling living in a blacked out city at night and seeing the random police car go by shining its searchlight up and down the alleys.

This is not an exhaustive or expert guide by any stretch of the imagination. Just some information that may help out if the worst happens.

Are you ready?

Hakin9 Exploiting Software July 2012 Issue is out!

Pentesting with Android – new Exploiting Software Hakin9 issue is out!

Are you curious how to turn your Wi-Fi smart phone or tablet into a pentesting tool? Check out the new issue of Exploiting Software Hakin9!

WHAT’S IN THIS ISSUE?

  • Searching For Exploits, SCAPY Fuzzing
  • Weak Wi-Fi Security, Evil Hotspots & Pentesting with Android
  • An In-Depth Analysis on Targeted Attacks
  • Automated security audit of a web application
  • Reverse Engineer Obfuscated
  • Cross Site Scripting (XSS)
  • Implementing Rsyslog to forward log messages
  • They Are Offline But I Exploited Them

Weak Wi-Fi Security, Evil Hotspots and Pentesting with Android
By Dan Dieterle

Wireless networks and mobile Wi-Fi devices have saturated both the home front and business arena. The threats against Wi-Fi networks have been known for years, and though some effort has been made to lock down wireless networks, many are still wide open. In this article we will look at a few common Wi-Fi security misconceptions. We will also see how a penetration tester (or unfortunately, hackers) could set up a fake Access Point (AP) using a simple wireless card and redirect network users, capture authentication credentials and possibly gain full remote access to the client.

Finally we will look at the latest app for Android that allows you to turn your Wi-Fi smart phone or tablet into a pentesting tool. With it you can scan your network for open ports, check for vulnerabilities, perform exploits, Man-in-the-Middle (MitM) attacks and even sniff network traffic on both your Wi-Fi network and wired LAN.

Searching For Exploits, SCAPY Fuzzing
By Craig Wright

SCAPY is a series of Python-based scripts that are designed for network level packet manipulation. With it, we can sniff network traffic, interactively manipulate it, and fuzz services. Moreover, SCAPY decodes the packets that it receives without interpreting them. The article goes into some of the fundamentals that you will need in order to understand the shellcode and exploit creation process, how to use Python as a launch platform for your shellcode and what the various system components are.

And much more…
