Cool Penetration Testing Application: Cobalt Strike

CBStrike Cool Penetration Testing Application: Cobalt Strike

If you are familiar with penetration tools, then you should know Metasploit. For those that love GUIs, there is a fantastic open source GUI management for Metasploit known as Armitage (found HERE). The same developers of Armitage created a more advanced penetration testing package for a $2,500 annual cost. The tool is called cobalt Strike (CS) and can be downloaded at www.advancedpentest.com for a 21day trail. They also have a 4-hour lab that lets you try out the core cobalt Strike features. It is worth spending the time to  test the tool and get some lab time even though the lab itself is is pretty easy. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

RSA Europe talk on Emily Williams found on PCWorld, Yahoo news, Cio.com and other sources

privacy nsa security 100053240 gallery RSA Europe talk on Emily Williams found on PCWorld, Yahoo news, Cio.com and other sources

My buddy Aamir Lakhani and I performed a penetration test using social media sources (Facebook and LinkedIn) as a method to compromise users from our target. You can find more about our project aka Emily Williams HERE and HERE as well as at www.drchaos.com. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Book Complete: Web Penetration Testing with Kali Linux – Released August 2013

KaliLinux Pentest  Book Book Complete: Web Penetration Testing with Kali Linux   Released August 2013

We are done! Aamir Lakhani (www.DrChaos.com) and I have finished our book “Web Penetration Testing with Kali Linux”.

You can pre-order the book from Packt Publishing’s website at:

http://www.packtpub.com/web-penetration-testing-with-kali-linux/book Continue reading

VN:F [1.9.22_1171]
Rating: 4.4/5 (5 votes cast)

My Article in PenTest Magazine – Backtrack Compendium July 2013

pentestmagimage My Article in PenTest Magazine   Backtrack Compendium July 2013

PenTest Magazine just released a issue focused on BackTrack titled BackTrack Compendium. I wrote a piece on compromising passwords using tools available in Kali Linux. An image from the introduction of my piece can be found below. I haven’t had a chance to review the entire magazine however glancing over it and found many interesting topics such as “Improve your Firewall Auditing”, “Building a SQLI Test Lab”, “How to Set Up a Software Hacking Lab”, “Multiphase Penetration Testing with Metasploit, Backtrack and Armitage”, “Metasploit Primer”, and many many more. I have a lot of good reading to do this week icon smile My Article in PenTest Magazine   Backtrack Compendium July 2013 Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

 Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security AuditThe terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three terms have security aspects however are very different regarding what purpose they serve as well as the expected deliverable. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

 PART 2 “The Attack”   THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams via Part 1 of this project can be found HERE. Continue reading

VN:F [1.9.22_1171]
Rating: 4.6/5 (7 votes cast)

THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing


emily1 new THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Emily Williams and Robin Sage

Emily Williams and Robin Sage don’t exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from intelligence on US military personnel. Her story was presented at the Black Hat hacker conference upsetting many people by exposing the type of sensitive data provided over social networks. Joey Muniz and Aamir Lakhani decided to go one-step further and ask the hard question: “what else can happen outside of data being leaked over social networks”. We decided to find out using Emily Williams. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (6 votes cast)

How To Educate Your Employees About Social Engineering

 How To Educate Your Employees About Social EngineeringA common saying is ” Amateurs Hack Systems, Professionals Hack People”.  Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (3 votes cast)

Cool Book : Nmap 6 – Network Exploration and Security Auditing Cookbook

Screen Shot 2012 12 06 at 3.29.13 PM Cool Book : Nmap 6 – Network Exploration and Security Auditing Cookbook

I get invited to review things from time to time. My latest invite was reviewing a cookbook style guide designed to be a reference for beginner and advance Nmap users. For those that are not familiar with Nmap, it’s an open-source tool built for network exploration and security auditing. Nmap users range from ethical penetration testers to evil hackers. There are dozens of tools that perform automated assessment functions however nothing beats a very skilled Nmap user. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)