Earlier this week, John Strand presented a fantastic webcast that was chock full of pen test tips. This post contains the slides as well as a link to the streaming slides and webcast audio.
Here's the description of the talk:
In this presentation, John and Ed will cover some key components that many penetration tests lack, including why it is important to get caught, why it is important to learn from real attackers, and how to gain access to organizations without sending a single exploit.
A few weeks ago, I did a presentation on Demanding MOAR from Your Vulnerability Assessments & Pen Tests. I'd like to share the slides with you now. The presentation is full of tips, some easy and others more complex, for providing extra value in vuln assessment and pen test work.
Here's the official description of the talk:
You pay good money for your vulnerability assessments and penetration tests, right? But are you getting real business value from these projects? Do you ever get the sense that your assessors and pen testers are just phoning it in, checking off boxes, and not really properly helping you improve your security stance? In this lively presentation, Ed Skoudis will provide hugely valuable tips for getting the maximum business value out of your vulnerability assessments and pen tests. With specific recommendations for people procuring such projects as well as for testers themselves, this webcast is chock full of insights for effective scoping,
Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:
- Exploiting and automating data harvesting from iOS devices
- Extracting stored secrets from iTunes backups
- Effective antivirus evasion with Veil
- Windows host compromise and privilege escalation, along with UAC bypass
The slides below cover all the tools and techniques for doing all that great stuff, and more.
The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to
by Ed Skoudis
This morning, I had the honor of presenting at DerbyCon. My talk focused on the ability to cause physical impact through hacking computers and networks. I call it "Kinetic Pwnage". The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer-controlled components used to build capabilities of cyber warriors.
By the way, right after the talk, lotsa people asked me how they could do CyberCity missions. If you are interested in participating in CyberCity missions hands-on, we'll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14. If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars. Oh,
By Ed Skoudis
Below are the slides for my talk called "The Bad Guys Are Winning, So Now What?" It's my most requested talk ever.
In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving on to another topic. My butterfly attention span doesn't let me stay on a particular topic for longer than that. In the past year, I've written talks titled "Please Keep Your Brain Juice Off My Enigma" (Debuted at SANS in Sept 2012 and posted here), "Unleashing the Dogs of Cyber War" (Debuted at BruCON in Sept 2012), and "Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World" (Debuted at SOURCE Boston in April 2013 a week and a half ago).
But, of all the talks I've ever written, there is one that I get more requests for than ever: my talk titled "The Bad Guys Are Winning, So Now What?" I originally wrote the talk a couple of years ago, and have