Jump to content
Sign in to follow this  
robertray

Making use of your new found skills!

Recommended Posts

robertray

Hi,

Hopefully some might find this post useful, perhaps interesting and maybe also inspiring!

Then again maybe not :-)

Anyway. Here goes:

As you probably know if you have taken the time to read my posts, you will see that I work a lot of the time discussing, researching, learning, implementing and so on.

I thought I would share an example with you of how you can make use of your new skills, if you are not lucky enough to be in your dream job of a Pen Tester just yet! The other good thing about this suggestion is it is completely legal!

So what is it already, I hear you cry out!

Take for example what I pulled off last night. Quick 20 min presentation and demo of how to get into a website nothing to fancy, using the tools and techniques you learn here.

Plus some other general security information, and some basic tips on what can be done about it, including contract me as a Pen Tester.

Small companies have security concerns as much as the big ones, they just dont have the same budgets. We are here on elearnsecurity's course, as we are small people with small budjets. Put the two together and you have a plan, you also have more projects to learn from and share experience off, with your buddies at elearn ;-) (Ofc not the actual clients details. But ideas and tools and so on)

http://www.glasgowbiznet.com/calendar/15441705/?from=list&offset=0

Anyway the event went really well, everyone there seemed to enjoy it and I even had a few business cards popped into my hand for later chasing up. (Just as always need more time, but folks on limited budjets are happy to wait!)

I have another event happening next month, this time a bit more of a challenge as I will be surrounded by developers and students, I am sure they will ask tougher questions than the business owners, but all I can do is prepare to my best and admit when I am not sure and say Ill get back to them!

http://www.glasgowtechnet.com/calendar/15676811/?from=list&offset=0

Perhaps you have business networks in your own areas? Perhaps you are ready to get out there and see what you can do? Perhaps you can't do everything yet? Tell them what you can, tell them you will be honest with them and see what happens. (I am sure someone with more experiance here, like Armando could also give us a few tips as to what to get in place (legals and so on)

Anyway just thought its worth sharing. Happy to hear your views, questions and so on.

Stick with it, a dream thats worth dreaming usually takes a fair bit of work to make it reality!

Take it easy of the holiday period, if you can! I am off for 2 weeks, cant wait!!!!

Share this post


Link to post
Bluntlee

like the idea of a short presentation, for possible clients. Exactly what did you cover and how did you present it? If you don't mind me asking. :D

Share this post


Link to post
robertray

I dont mind sharing, at the moment there is enough work out there for us all!

I covered:

The UK goverments view on cyber security issues

The ICO in the UK situation, companies being fined for failing to secure our data

A demo of a hardware keylogger, just to get them thinking

A quick demo of netcraft, find the server version, google search vupen, google search exploit db, proof of concept

A demo of using burpsuite, spider crawl a lamp server vurnerable to SQL injection and XSS, an phishing email that I created to expoilt clients in a drive by malware install type scenario. Gain access, quick think about it in terms of the accounts personal details, talk on further exploit if I had more than 20 mins and then finish with here is a list of things I suggest you do to plug as much as you can against these problems. In security there are holes, holes that yet we have yet to find!

Hope that helps, if I get the chance Ill be happy to post the powerpoint. Maybe if I really get some time together Ill put together a video of the whole thing if that is a better format for others to learn from. That stuff takes time, time for me costs money, but sometimes I feel like a small project and share when I can. For instance check my other posts on how to setup your Win2k3 domains etc. I had my money's worth out of those for what I got paid.

Cheers for asking.

Share this post


Link to post
MindOverMatter

Excellent post robertray! I couldn't agree more on how this can be an excellent idea to not only practice your skills, but use them to possibly get some business going. It's unbelievable how many people out there are clueless.. Even those that are somewhat technology adept. Just using simple tools to show them how other's can sniff their wireless data, add keyloggers to they systems or brute force their logins and passwords at the hardware level would surely open up their eyes (and get them thinking)..

So, even not being an expert hacker / security consultant, one could use easily available tools (knowing how to properly interpret the output) without having to be a scripting or programming pro. This would also prove to them how John Doe's 13yr old son who happens to stop by the office from time to time.. could easily cause problems with not much knowledge at all. Thanks for sharing!

Share this post


Link to post
robertray

No problems thanks for your comments.

Hope to see some posts on ideas from you. I know time is against us all. But I think the more we can share, the more we all learn, the more we improve and the more we all get paid for the stuff, that lets face it we love anyway and would probably and now and again we do for free anyway.

Share this post


Link to post
Armando

I've always believed that the best way to learn is by teaching.

I've been doing this since I was 11. At that time I was managing a small mailing list where I was learning->practicing->posting sharing what I had learnt, with the ability to make things much simpler to my readers.

This turned into www.hackerscenter.com, a free resource and after years of work in the field in eLearnSecurity.

Your path is definitely the right one.

I truly believe in this approach and really advise you to go on with whatever learning/teaching challege or opportunity is in front of view.

Do not be scared by the crowd. Make sure you do your homework.

Crowd wants sincerity, not (always) Adrian Lamo's skills.

Share this post


Link to post
robertray

Got another event running this week coming and hopefully I will add more from what I have learnt from this course.

Thanks to everyone here at e-learn and the folks on the forums with your contributions to my posts. I can say for sure everything going on here has really boosted my confidence

Thinking I might try to add in some beef if I can get a demo working this weekend.

Share this post


Link to post
MindOverMatter

"I've always believed that the best way to learn is by teaching."

You know the saying "Those who can, do; those who can't, teach".. Well that's IMHO is in part BS, because there is no better way to learn through constant

re-inforcement of the knowledge. Also the fact that you can learn new things you may have not picked up from those you teach.. Such as they learn how to say subnet from you, then a month later come back, hey teach.. Look at this shortcut or method I'm using.. Hmm I hadn't thought about that (maybe bad anology..)

Anyways, couldn't agree more though.

Share this post


Link to post
robertray

You do get some who teach who perhaps are not so great at practical work. I've worked with a few, but trust me teaching still takes a fair bit of prep and is a constant challenge.

I enjoy it most of the time but also enjoy hands on work. The incentive for me at the time in all honesty was the difference in pay.

I would quite like to split my time between the two now.

I got some progress with beef today. Plan to use this on Tuesday at this event I am delivering for around 40 techs.

If anyone's interested ill put together a post.

Share this post


Link to post
robertray

The event ran and had 48 people turn up.

Was a very similar session to above except this time taking a bit more time to explain what I was doing.

The responses from the folk there was very encouraging and I did manage to get Beef hooked up, though my final exploit failed. I think the browser crashed and I did not have enough time to troubleshoot the issue.

Anyway, if your testing out beef check out http://www.oldapps.com/ so you can get the older versions of browsers and plugins.

I uploaded a video for the group tonight so they could see what I was trying to do after:

http://www.youtube.com/user/robertrayMCT#p/u/0/pvQePM3conY

Share this post


Link to post
typeOne

inspiring post, spreading awareness about infosec is more important than anything right now, showing people the ease of information gathering available in something like Maltego is usually enough to get peoples attention.

Share this post


Link to post
robertray

Indeed, so many are not aware until its too late.

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
×