Business Intelligence- A Students Perspective

January 17, 2012

This week I got to do the first module in the “Reconnaissance” module, “Business Intelligence” and I have to admit, I was blown away.

In this module we covered various ways to gather intelligence about a target (business), and I learned a lot of methods that I didn’t know previously. I knew some of the more basic techniques such as looking at LinkedIn profiles and looking at job posts, but this module took it to the next level. I had never heard of EDGAR, I had never thought about going through archived mailing lists, in my world “theHarvester” was a syslog gatherer (It’s actually a cool tool that polls search engines results to get email addresses for various social engineering schemes), and then there is Maltego. I learned a lot of great methods and tools in this module that I will have to employ against my employers to gather info (For white hat purposes obviously).

And then, there was the lab. Man, I think this was the longest lab to date. It really caught me off guard how much time it would take. The lab in this module was to do business intelligence gathering on four targets. And expect to spend 90-120 minutes minimum per target. Yeah, that’s 6 hours minimum. But, it did definitely teach me two key things: It is scary how much information you can gather on a target from just the Internet, and the importance of note taking. I can’t stress the importance of note taking enough (And neither can The Hacker Academy, as it’s come up in multiple modules). Even though the lab took some time to complete, it was a lot of fun and it was extremely eye-opening.

Looking forward to the next module: Network Intelligence!

Professional Penetration Testing

January 4, 2012

For the longest time, I’ve always wanted to be a penetration tester. That, to me, would be my dream job. This module was focused on the beginning steps of becoming a penetration tester. There was a lot of great knowledge passed down by the instructor in this module. What separates an entry level, good, and great penetration tester? The answers may surprise you because what separates good from great really intrigued me. The instructor also provided some insight into what to expect from the job (Don’t expect to only work from a basement hacking companies with techno blasting and drinking Jolt). This disclaimer was very helpful, and is pretty much what I expected.

The lab was pretty simple: Doing research and answering some questions on your career goals. While these questions are simple on the surface, they are really important questions you should be asking yourself in general. Having a concrete plan of what you wish to accomplish in your career and thinking through the steps to achieve it has served me immensely, and I recommend for anyone else to do the same.

This concludes me working through the “Hacking Fundamentals” course. These weren’t technical modules, but they were still very valuable to me because they changed the way I thought about penetration testing and my career as a whole. While browsing through the material, I can see there are plenty of technical modules I’ll get to later. But right now I’m appreciative of the difficult-yet-simple things I learned; Such as, what makes a great penetration tester? What makes you great overall? Have an insatiable curiosity, the importance of CIA++, STRIDE, different types of learning, the importance of interfacing with the customer. These are the fundamental things that will play a role no matter what facet of security you work in, and I’m glad I spent the time to reflect on them.

The Mind Of A Hacker- A Students Perspective

December 18, 2011

The next module, “The Mind Of A Hacker”, was another great module. This time we were focused on the mindset of being a hacker. The video included in this module was short and sweet, but contained some pretty powerful lessons. The difference in Convergent Intelligence versus Divergent Intelligence, and the three types of Reasoning used in Problem Solving: Deductive, Inductive, and Abductive. Convergent Intelligence is basically what we have learned in western schools of thought: Taking multiple pieces of evidence and forming a fact. Whereas Divergent Intelligence is taking a fact, and coming up with multiple ideas and solutions. Divergent Intelligence needs to be developed in order to be a great penetration tester.

When it comes to Problem Solving, there was a focus on Inductive and Abductive reasoning. Inductive reasoning is taking evidence and then forming a rule with the evidence, and Abductive reasoning is looking at a set of evidence and forming a “best guess” answer to it.

Recursion was also brought up, which was interesting. I really had only heard this term thrown around in terms of programming, but taking that next step and applying it as a method of analysis was definitely intriguing. Lead Instructor, Mike Murray mentioned that this would come up again in future modules, so I’m looking forward to what role this will play.

These are simple lessons but they are definitely challenging to put into practice. The lab with this module was also pretty interesting, just some short multiple answer quizzes with immediate feedback. This was a huge eye opener for me. I actually got a headache from the questions being asked, even though they were pretty simple. But it challenged me to think in ways that I hadn’t in a long time and it felt great. I have a lot of work to do in these areas to say the least.

My biggest takeaway from this module is to always think outside of the box and to question everything. Just because something is assumed to be secure, don’t make the same assumption. Case in point: SSL. Look at how the fabric of the SSL system has crumbled in recent months due to all of the recent hacks. These flaws surfaced due to those who continued to question and not to just simply accept that something was impossible.

-Kevin

The Hacker Academy from a student’s perspective- The set up

November 16, 2011

Today, I finally got to dig into the very first module at The Hacker Academy. I was excited to dig into the material and find my way around. The first module is appropriately titled “Introduction to The Hacker Academy” and an accompanying lab for setting up your home environment.

As I watched the introduction video I was glad to see that there would be a strong focus on penetration testing. And not just “run this command, now this command, and now this command”, but the actual mindset that it takes to conduct a great penetration test. Penetration testing is a field I want to get into, but unfortunately I was never sure how. Now I feel like through lessons learned at The Hacker Academy, I will be that much closer to getting into my dream job.

After I finished watching the video I started the lab, “Set Up Your Environment”. I read through the steps and thought to myself a few things:

1) This shouldn’t take long. Looks like I just download VirtualBox and a VM and verify the VM runs correctly. (Yeah, jinxed myself).
2) I get to learn VirtualBox, which is a virtualization technology I have never touched. So I get to learn a new tool. Cool.
3) It became readily apparent that Backtrack 5 would be the primary tool of use for my labs. I have very limited experience with Backtrack, so I’m definitely looking forward to becoming a master of Backtrack.

If you have any experience working in IT, you should know that no matter how simple something is there is always the chance that something will go wrong. I was quickly reminded of this fact.

Setting up VirtualBox was a breeze. Your typical “Next>>Next>>Finish” type of install. I downloaded The Hacker Academy’s Backtrack 5 VM as well and added it to the VirtualBox repository of VMs. I then started up the VM and was prompted with “hd0 read failure” and thrown into a “grub rescue” terminal.

Great. So much for this being easy.

I did the typical troubleshooting steps. Restarting VirtualBox, restarting my computer, running VirtualBox as an administrator, removing the VM from VirtualBox and readding it, etc. etc.

The fix ended up being simple: Downloading the VM again and extracting it to a new folder and not the folder that is created by Windows using the same name as the archive. After that it was easy, Backtrack booted right up and I confirmed the correct IP address was assigned to eth0 and startx ran properly.

Murphy’s Law is always fun to deal with. But at least it’s a great teacher. Looking forward to what unique challenges I’ll deal with in the next module.

-Kevin

The Problems with Hypnosis and Social Engineering

May 9, 2011

My newest column is up on EthicalHacker.net.  Actually, I should probably call it my newest “rant”, as I really somewhat went off about the problem with some people who are making themselves experts in social engineering using hypnosis as part of their background.

For those who know my background, you probably know that I’m not exactly one to talk here.   But, as I said in my article:

In short… if you’re learning social engineering and the person is trotting out hypnosis as the primary reason that they’re good at it, examine their other credentials VERY closely.  Expect that they can back up their work, and that they can tell you the difference between hypnosis and social engineering and how the two skill-sets translate.

In the column, I didn’t really lay out that correspondence appropriately.  Hypnosis can be a useful skill-set for someone who wants to be a social engineer in that:

• Learning hypnosis teaches you to be incredibly sensitive to the impact of your communication on another person
• Language patterns in learned and used in hypnosis CAN BE very effective in social engineering scenarios (though, if you do it wrong, you end up sounding like Ross Jeffries).
• If you can find a trainer who is aware of framing to the level that they can teach the implicit frames involved in hypnosis, you can separate out the frame related components from those that aren’t

 

 

The Key Skill-Set of Great Penetration Testers

March 24, 2011

I was reading an article entitled “Ideal Skill Set For the Penetration Testing” that I found fascinating. And while the author had some good points about the some of the more easily forgotten background skills that are required to be a great pen tester (e.g. OS and programming language skills), I think Keatron missed the majority of the real key skills that are required to become a great penetration tester.

Because, while it’s important to have all of the skills that he mentioned, one could have all of those skills and still be missing a lot.  In fact, I know a lot of people (even those who have penetration testing jobs) that have all of those skills in spades and yet have trouble executing on penetration tests.

For me, the difference between Keatron’s list and a great penetration tester comes down to one thing: intelligence types.   Specifically, the difference between convergent intelligence and divergent intelligence.  Convergent intelligence is the ability to derive a solution from the evidence available to us, while divergent intelligence is the act of taking a single thought or concept and finding multiple applications for it.

In the Western world, we have traditionally emphasized the importance of convergent intelligence – all of our schooling focuses on developing this type of intelligence. Yet, it is the ability to develop divergent intelligence that actually leads us to be great penetration testers.

Read more

Free THA Webinar- Becoming a Professional Pen Tester

December 13, 2010

The next THA free webinar is right around the corner! Mike Murray will be discussing what it takes to become a professional penetration tester. Information covered in this webinar is taken and expanded on from the first module within The Hacker Academy.

Here is a brief description of what will be covered: Mike will describe what it takes and how to become a great penetration tester.  This includes everything from showing professionalism on the job, to ethics, and everything in between.  You will understand that acquiring techniques is not the hard part, but becoming skilled at this craft is an art.

When: Wednesday, December 22, 2010
Time: 2PM EST
Length: 1 Hour
Where: Online
Cost: Free
To join us for this 1 hour free webinar, Click Here!

Note: if you’ve previously signed up for our webinars, there is no need to sign up again – you will have already received an invite via email.

The Hacker Academy FREE Trial Module is HERE!

November 29, 2010

Man – are we excited about out this, seriously. We spent a great deal of time over the summer, speaking to a lot of you at the conferences we were at like HOPE, Black Hat, and Def Con. We got some awesome feedback from a lot of you, especially on the topic of this post. So without further ado – we know this has been a long time coming…

You Asked, We Listened: Introducing…

The Hacker Academy Free Trial Module

We are now offering 30-day trial access to a FULL module, pulled right from the THA members curriculum. Not only do you have full access to the entire video lesson, but you have access to the full hands-on lab. All for you, at absolutely NO cost, what-so-ever.

If you’ve ever been interested in becoming a member of The Hacker Academy, here is your chance to experience a piece of the THA members’ site. If you’ve never been interested in becoming a member…well – you’re welcome to come get your FREE learning on.

Sign up to receive exclusive, FREE access to this trial module:

Sign Me Up!

As always – if you have any questions about becoming a member, feel free to get get a hold of us; we’d love to help out. Just send an email to hac...@thehackeracademy.com

Cheers,

The Hacker Academy Team

Our Thanksgiving Gift to You

November 22, 2010

Here in America as most know, the 4th Thursday in November each year is Thanksgiving. Traditionally, it has been a time to give thanks for a bountiful harvest and have a ridiculously big meal. The Hacker Academy thought we should celebrate Thanksgiving with a feast as well. We are serving up two new modules on Thanksgiving Day and a free webinar on Wednesday the 24th (the day before Thanksgiving). This is the best way we could think of to give thanks to our members as well as those who are thinking of becoming members. Members will be feasting their eyes and hands (hands-on labs) on Jeremy’s new module “Experimenting with the PDF Launch Action” as well as a new module from Dan Frye on “Metasploit Advanced Topics: Using Meterpreter Scripts Post-Exploit for Evasion and Connecting”.

Members and non-members alike should prepare for a pre-Thanksgiving treat, as Mike Murray will be serving up a free webinar that will cover the mindset of a hacker. Information covered in this webinar is taken and expanded on from the first module within The Hacker Academy.

Here is a brief description of what Mike will cover: Becoming a great hacker is about more than just skill. It takes a strong set of thinking and problem-solving skills as well. This webinar will teach you about the different types of intelligence and problem-solving skills that great hackers require, and will challenge your abilities on those skill sets.

• Convergent and Divergent Thinking
• Inductive and Abductive Reasoning
• Recursion

When: Wednesday, November 24, 2010
Time: 2PM EST
Length: 1 Hour
Where: Online
Cost: Free
To join us for this 1 hour free webinar, Click Here!

We wish everyone who celebrates the holiday a happy Thanksgiving and a wealth of knowledge during this holiday season.

Cheers,

The Hacker Academy

Latest installment of Advanced Metasploit released to THA Members Site

November 13, 2010

The latest in Dan Frye’s Advanced Metasploit series posted to The Hacker Academy Premium Members site!

Dan Frye has been working hard on producing a ton of cutting-edge content based on Advanced Metasploit techniques. This time around, Dan teaches about using Meterpreter post-exploit for recon purposes:

“Meterpreter offers an incredibly flexible approach to performing reconnaissance of a victim post-exploit. This module will review what scripted commands are available and how they can be used to retrieve information from an exploited Windows host..” Become a member to see the rest of the lesson.

Dan will be back near the end of the month with his next installment. Also at the end of the month, Jeremy Conway’s new lesson in his on-going series on PDF attacks will be released. Be sure to be on the look out for both of those.

Not a member? Just take a quick trip over to our membership page and sign up – you’ll have access to the whole gamut of modules available to our members, but the above are great examples.

Cheers,

The Hacker Academy Team

Next Page »

• Login

  Login:
  
  Password:
  
  Remember me
  
  
  Not a member yet?
  Sign Up Now!

• Blogroll

  • MAD Security