Penetration Test Tip: Add already guessed or cracked passwords to wordlist

When doing a penetration test, password attacks, while they lack the "sex appeal" of using the latest exploits in Metasploit to 0wn a b0x3r, are still disturbingly effective. Additionally, those same passwords are likely to be used on other machines, whether they be initial passwords for new/unused accounts or the same individual uses the same password on different systems.

Either way, once you guess a password (using enum.exe or the like) or crack a password from an encrypted hash (using John the Ripper or the like), add that password to the beginning of the master wordlist or dictionary list that you will use for the remainder of the penetration test, so that password is checked earlier rather than later.

Want to learn more? Check out:
SANS Security 560: Network Penetration Testing and Ethical Hacking

or

SANS Security 504: Hacker Techniques, Exploits and Incident Handling

-R

SANS Rocky Mountain 2009, July 7-13, in Denver, Colorado

SANS returns to the Mile High City for SANS Rocky Mountain 2009, July 7-13, in Denver, Colorado! Now more than ever, hands-on experience will set you apart from others in the field, so don't miss this opportunity to register today for the best hands-on computer security training money can buy!

We're offering these popular SANS courses emphasizing penetration testing, computer forensics, and certifications for managers and technical staff alike:

* Security 401: SANS Security Essentials Bootcamp Style (GSEC meets DoD8570 IAT II)
* Security 560: Network Penetration Testing and Ethical Hacking (GPEN)
* Management 512: SANS Security Leadership Essentials For Managers with Knowledge Compression(TM) (GSLC certification meets DoD 8570 IAM I, II, III)
* Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam (CISSP cert meets DoD8570 IAM II, III)
* Security 617: Wireless Ethical Hacking, Penetration Testing, and Defense (GAWN)

Firefox and Java for Mac OS X 10.5 Update 4 Issues and Work Around

The most recent Java update for OS X 10.5 caused some of our Java web apps to break, here's what my coworker came up with for a work around:

Open Finder > Applications > Utilities> Java Preferences.

On the General tab, in each of the 2 windows (Java Applet Plugin & Java
Applications) drag Java SE 6 to the top of the list and then close the
window.



For Firefox:

In the menu bar select Firefox > Preferences.

Click on the Applications tab. Find Java Web Start file in the list
under Content Type.

To the right in the Action collumn click on the drop down and select Use
other....

Navigate to /System/Library/CoreServices/Java Web Start and click open.

Close the Preferences window.

Click on the Link to open you SANS@Home session.

When the window opens asking to open the file click on the drop down
menu and select other and navigate to /System/Library/CoreServices/Java
Web Start and click open.