bobbyb1980
Active Members · Posts: 498 · Days Won: 4

Everything posted by bobbyb1980

  1. I'd consult my uncle. Uncle Sam, whether it be civilian work or in the military, can provide some great opportunities to people like us who have a hard time being 9-5 robots. You have to learn a programming language too, the more the better. This is a rewarding experience in and of itself. Study a lot, then go talk to some small business owners in your area. Tell them you do reasonably priced freelance security work (many times small companies want good infosec people but don't have the money to pay large firms) and I think you could make a living doing that. I have several people who pay me hourly who I'll check in on once a month or so, and while I don't guarantee security, I make sure that they aren't easy targets and it works. You just have to get out there and try different things.
  2. You can find tutorials online that teach this in 20 or 30 minutes. Here is a sample script in Python that should get you started; it replaces all instances of 'e' with '3'.
[CODE]
import re

def replace(target_text, output_file):
    # Substitute every 'e' in the text with '3' and write the result out
    output_file.write(re.sub('e', '3', target_text))
    output_file.close()

target_text = open('path to original file').read()
output_file = open('path to new file', 'w')
replace(target_text, output_file)
[/CODE]
  3. On Linux-based OSes this is going to depend on what exactly you want to do; you can have scripts that run at startup, every x minutes, etc. For VPNs you could look into adding a connect script into /etc/rc.local or /etc/init.d. On Windows, check out the automated task scheduler, aka "the at command". If I remember correctly, when doing this on Windows it depends on the .exe you're running and whether or not it needs to interact with the desktop. IMO, a cleaner and simpler way to do this on Windows would be just to make a .exe that connects to a VPN, then put that .exe in the "All Users Startup Folder" and you won't have to worry about following any Windows coding norms. There are fancier ways, like making it a system service or putting the address of the .exe into one of the many startup registry entries, but all of those require the .exe to be coded in a way which allows it to wait for other system signals from Windows, and IMO it can get complicated coding these processes because many of them wait in a loop. The Startup folder might be your best bet for Windows.
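The autostart locations named in that post (rc.local on Linux, the Run registry keys and Startup folder on Windows) are the same places an administrator inventories when checking what launches at boot. The script below is an added example, not code from the post: it parses a constructed rc.local file and a constructed .reg export of a Run key, lists every command they start, and reports anything not on an explicit allowlist. The file contents, the "VpnClient" and "Updater" value names and the allowlist are all made up for the example.

```python
import re

# Constructed sample of a Linux /etc/rc.local (not from the post). Comments,
# blank lines, the shebang and the trailing "exit 0" are not autostart entries.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
#
# rc.local - executed at the end of each multiuser runlevel.
/usr/local/bin/vpn-connect.sh &
/opt/monitor/agent --daemon
exit 0
"""

# Constructed sample of a Windows .reg export of the HKLM Run key. In .reg
# files every string value is one "name"="command" line, with backslashes
# doubled and embedded quotes escaped as \".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VpnClient"="C:\\Program Files\\ExampleVPN\\vpn.exe /connect"
"Updater"="\"C:\\Users\\Public\\updater.exe\" -silent"
"""

def rc_local_entries(text):
    """Return the commands rc.local will run at boot, in order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comment, blank line or shebang
        if re.match(r"exit\b", line):
            continue                      # the conventional trailing exit 0
        entries.append(line.rstrip("&").strip())   # drop a backgrounding '&'
    return entries

REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def run_key_entries(text):
    """Return {value_name: command} for string values under a ...\\Run key."""
    entries = {}
    in_run_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new key header
            in_run_key = line.rstrip("]").endswith("\\CurrentVersion\\Run")
            continue
        m = REG_VALUE.match(line)
        if in_run_key and m:
            name, raw = m.groups()
            # undo the .reg escaping: \" -> " first, then \\ -> \
            entries[name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return entries

def unknown_entries(entries, allowlist):
    """Names not on the allowlist are the ones worth a closer look."""
    return sorted(name for name in entries if name not in allowlist)

if __name__ == "__main__":
    print("rc.local:", rc_local_entries(SAMPLE_RC_LOCAL))
    run_values = run_key_entries(SAMPLE_REG_EXPORT)
    print("Run key:", run_values)
    print("not on allowlist:", unknown_entries(run_values, {"VpnClient"}))
```

On a live host you would feed `run_key_entries` the output of `reg export` for each of the Run keys and `rc_local_entries` the real /etc/rc.local; the allowlist is whatever the host is supposed to start, so the report is a list of leads, not a verdict.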
  4. I don't think it's anything secret, there was a public conference about this in Texas last year.
  5. I'd like to get a direct answer on the origin of the internet, or at least TCP/IP or client/server connections. I've heard some people say the internet was invented at Bell Labs, some say it was a post WW2 invention of the military, some say it was a way that academics communicated with one another in the 60's and 70's, I even saw a documentary not long ago about some guy at Google claiming he invented it (though I think that no one person can take responsibility). I even remember when Al Gore tried to take credit for it (lol).
  6. Next time I would keep it to yourself, wait until you graduate, then approach the school as a pen tester offering your services. Your classmates, the people you'll be working with in the future, might find it hard to trust someone who reports everything, but good initiative on your part.
  7. Mandarin is a simple language for native English speakers to learn; the difficult part is learning the new script and learning the tones, i.e. the difficult part is training your vocal cords to replicate their tones and memorizing their script, not learning the structure of the language and how they express ideas. I actually argue that while English is not as structurally simple as many Asian languages, it's one of the more simple European languages, and the Cyrillic and Romance languages are generally more difficult and complex than English. While I believe psychology to be nothing more than a racket, many people in that field would argue that due to the expressive and descriptive nature of most Indo-European languages, it encourages ideas of creativity and art. I think it's hard to disagree with this. We have many irregular verbs? I don't understand, but I will say the English verb conjugation scheme is one of the pitfalls of English. We leaned towards the Germanic conjugation scheme (2-4 conjugations), when it should have been the more efficient Latin conjugation scheme (6), and our vocal cords pay the price. This is also probably the primary reason that native English speakers have a difficult time with Romantic languages. The examples I can think of for this show just how primitive the languages are. Like the pronouns in Arabic. We have 5 commonly used pronouns in English (well, 6 depending on your dialect). In Arabic there are 13. Ours is definitely more efficient, but they feel the need to separate genders to a whole new level that doesn't exist outside of Arabic. Imagine every time you used a pronoun having to specify its gender. So if you want to say "they", they use their own pronouns to imply whether "they" is a group of males or females. I think your paragraph on morphology pointed out in a broader scheme the lack of rules that English follows as a "mutt" language.
I say that while some languages are more efficient than others, none are perfect, and we need to optimize our language. Of course, this is much easier said than done.
  8. I think some of the languages you mentioned are primitive in nature when compared to English and maybe because of this not widely taught in the States. I have however heard Navajo is quite difficult to learn, regardless of your native language, and in a class of its own. I disagree. Certain languages require a lot more sounds to express a point than others. For example, both Mandarin and Arabic rely heavily on "the ifs" to negate conditionality (idda, inn, low in Arabic and jiaru and ruguo in Mandarin), whereas in English and other European languages we have our own verb tense for that (in addition to the word "if"), resulting in fewer words being spoken to the same point. Another example that applies to both Mandarin and Arabic is how they differentiate their conceptions of time. They generally use only 3 different verb tenses, where we use about 12 in English (IMO it should be more). They can obviously say everything that we can, they just use more sounds to do it and rely much more on context to imply meaning. There are many examples like this. On the flip side, the Mandarin alphabet is much faster to read/write than a Latin alphabet, resulting in a more efficient spread of information, so I suppose you have to pick and choose whether you want your language to be spoken/interpreted more efficiently or read/written more efficiently. Which do you do more, speak/listen or read/write?
  9. "R U COMN OVER?" I think this phrase highlights several of the negative features of the English language. 1. Phrasal verbs. Why use the phrasal verb "to come over" when you can use the verb "to come"? Both have nearly the same meaning and can be used interchangeably, but we often resort to the use of phrasal verbs when their base verbs can give the same meaning with less phonetics. Some would argue it's one of the unique features of English, others would say (including myself) that it's the slang that has been integrated into English over the centuries. That's not to say that phrasal verbs don't have their place, but many are overly redundant and underexpressive. 2. The use of the verbs "to be" and "to do" to start a sentence. Why say "ARE you coming over?" when you can just say "You coming over?" We don't need to be reminded of existence every time a sentence is started, and I think this is one of the many overcomplications that English has inherited from French (like the extreme difference between written and spoken English, as Sitwon noted). 3. English's constant use of pronouns. This highlights one of the more primitive concepts of English. Why say "are YOU coming over?" when you can just say "coming over?" We have to denote the listener, but had the creators of English followed in the footsteps of all of our other Romantic/Latin language speaking brethren, we would have 6 different conjugations for the different pronouns, as opposed to the current 2 that we have, and wouldn't have to tack on an extra word every time we used a verb. Instead we leaned towards the Germanic/Greek concepts of conjugations. This could save the English speaker hundreds of consonants per day and extend the life of our vocal cords, or hands if you write/type a lot. My theory is that the farther you got away from the city of Rome, the more overcomplicated and less effective Latin based/Romance languages (and languages in general) got.
The original Romans hit the nail on the head with Latin, that's why it's replicated in so many other languages, even massively spoken today, and English should have more of the original Latin influence and less Germanic/Greek influence. I think teachers should encourage students to optimize our language, so that tomorrow's speakers not only will be able to learn other languages with far greater ease, but they will be able to speak to the same points with far fewer words and less room for misinterpretation.
  10. C/C++ can get confusing like you say, but my philosophy is that it's best to start with the hard stuff; that way it will only get easier. I also find that when programming for Windows, it doesn't matter what language you use because most of the code is going to be based around the Win32 API and each language will have its own unique support for that.
  11. Use the Apache server instead of the Python server; IMHO Python isn't the best language to have an HTTP server in and could be problematic. All due respect to the creators of SET and Python, I never understood why they didn't just default that attack to an Apache web server.
  12. If I hear you right, the meterpreter listener sends the first stage of the payload, but never completes? Meterpreter staged payloads are pretty big and lots of stuff has to happen right for it to work right. I've had AVs, particularly Avira (if I remember correctly), that somehow magically blocked everything past stage 1 of the meterpreter payloads inside of Java apps but never flagged anything as malicious. Try turning your AV off, then try the attack again. You can also try to switch to a smaller payload like a simple shell. You should also go to your victim machine and run a reverse shell from a .exe to see if that executes as it should, so you can further narrow down if it's a Java issue, network traffic being blocked somehow, etc. You'll have to elaborate on "the page doesn't load", but it'd be helpful if we know what server you're using (apache, httpd, etc). You might also want to look at the config file for the server to make sure everything is in place, although most work out of the box. However, you should create a basic test page, see if your victim can view that; if so, move on to the next step, if not, troubleshoot why... I also recommend you not use SET, it won't help you learn anything and will probably confuse a beginner. Try to manually set up the attack, learn how to clone the webpage, learn how to get what you want inside of a Java app, etc. SET is written in Python and generally speaking it's easy to read if you know basic Linux commands, even with no programming background, so if you browse through the SET source directory you can "trace" through exactly what's happening and that should give you more insight as to why you are not having success.
  13. No I sure didn't look at the site buddy. However I do go to several sites, one being tuts4you.com, which is a tutorial site and it's blocked by Kaspersky. I also have a friend who recently wrote a completely legitimate packer; he posted it on his blog, and 2 days later every piece of software using that packer is blocked and flagged as a trojan because the AV developers are too lazy to figure out how to unpack it and would rather just block all software using it, legit or not. The flip side to that coin is that I've built .exe's that, while they were packed and had a small level of obfuscation, had very transparent and known malicious Windows API calls and they were undetected. Most AVs don't even verify DNS integrity, which would take like 10 lines of code and stop tons of attacks. Many don't verify hosts file entries either. Who knows, maybe the site you went to did get pwned, but I don't trust in AVs so much.
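The hosts-file check the post says most AVs skip really is a short piece of code. The script below is an added example, not the poster's code: it parses a constructed hosts file and flags the two patterns a defender cares about, a hostname sinkholed to loopback or 0.0.0.0 (the way update servers get silenced) and a protected domain pinned to some other address (a redirect). The sample entries, the `example-av.test` and `bank.example.com` names and the `protected_domains` list are all made up for the example.

```python
import ipaddress
import pathlib
import platform

# Constructed hosts file (not from the post). The first three entries are the
# normal loopback lines; the rest are the kind of additions worth noticing.
SAMPLE_HOSTS = """# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation
# added later
0.0.0.0         update.example-av.test liveupdate.example-av.test
203.0.113.45    bank.example.com www.bank.example.com
127.0.0.1       ads.example.net
"""

# Names that legitimately point at loopback on most systems.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Return [(ip_address, hostname)] for every mapping, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, skip it
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs

def suspicious_entries(text, protected_domains=(), local_names=LOCAL_NAMES):
    """Return [(reason, ip, hostname)] for sinkholed or redirected names.
    A loopback mapping for an ad host may be deliberate, so treat the result
    as leads to review, not as a verdict."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in local_names:
            continue
        protected = any(name == d or name.endswith("." + d) for d in protected_domains)
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("sinkholed", str(ip), name))
        elif protected:
            findings.append(("redirected", str(ip), name))
    return findings

def system_hosts_text():
    """Read the real hosts file at its standard path for the current OS."""
    if platform.system() == "Windows":
        path = r"C:\Windows\System32\drivers\etc\hosts"
    else:
        path = "/etc/hosts"
    return pathlib.Path(path).read_text()

if __name__ == "__main__":
    # "workstation" is this sample host's own name, so it is local too.
    for finding in suspicious_entries(SAMPLE_HOSTS,
                                      protected_domains=("bank.example.com",),
                                      local_names=LOCAL_NAMES | {"workstation"}):
        print(*finding)
```

To run it against the live machine, replace `SAMPLE_HOSTS` with `system_hosts_text()` and put the domains you actually care about (your AV vendor's update hosts, your bank, your own services) in `protected_domains`.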
  14. I think being accepted on a subconscious level is more important for getting laid than it is for infosec. Companies today are starting to pump a lot of resources into making sure their people don't fall for the cookie cutter SE attacks that are common in the wild. I'm sure Chase and Wachovia have their phones ringing off the hook with rich, eager investors who want you to click their link to "review their investment plan". Old trick. It's a necessary evil, and unfortunately a small amount of SE is required for most decent attacks, but programming and networking skills will carry you much further than any SE will.
  15. Believe nothing you hear and half of what your av sees.
  16. Lack of other technical hacking skills :P Many attacks require SE to a small degree, but it should be used as a method of last resort; I think a lot of other concepts are more important than SE. Besides, there are probably more 'social engineers' hanging out in front of your local liquor store than there are here!
  17. The "evil hackers" are the ones like Assange, these entitled kids with this new age whistle blower mentality who think they're one of a kind. These kids endanger the lives of the people who protect their upper middle class existences, and not for money, but just to laugh as it happens. Back to the topic... sending spoofed emails w/attachments isn't that difficult if you know a scripting language. Google 'perl smtp tutorial' or 'c++ smtp tutorial' or whatever language you use and you'll find tons of code that you can easily and quickly edit to your liking.
  18. I remember you mentioning that you coded in python, I was just going to say that if you're using smtplib on versions earlier than 2.7 the client will experience authentication issues (happened to me on win32).
  19. Age old question. I've seen people throw a lot of money at this problem, myself included, to settle on an alpha in the end.
  20. If security is as high as a priority for them as getting people packages on time, I'd guess it's pretty low!
  21. I'll have to check out pure-ftpd in the future. I do however currently use vsftpd to do what you're trying. Just create a new user that isn't a sudoer. From there you can issue a `ps -ef | grep newuser` to verify that the server is running as the new user. You should still see one process of the server running as root though, as to my understanding every server has to have one instance of root to bind to the socket. You can also create a new user for logins, but I'd make sure that it's not root or a sudoer, as it isn't good to allow remote root/sudo logins. This user should be able to have download/upload privs safely. I personally don't use this feature, but vsftpd also supports virtual users with the PAM module.
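The `ps -ef | grep` check in that post can be turned into something repeatable. The script below is an added example, not the poster's setup: it parses constructed `ps -ef` output and verifies the layout the post describes, one root vsftpd process holding the listening socket and every other vsftpd process running as the unprivileged account and parented by that listener. The process table, the `ftpsecure` account name and the PIDs are all made up for the example.

```python
import subprocess

# Constructed `ps -ef` output (not from the post): a root listener, two session
# handlers that dropped to an unprivileged account, and the grep itself.
SAMPLE_PS = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root      1187     1  0 09:01 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd.conf
ftpsecure 2044  1187  0 09:15 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd.conf
ftpsecure 2051  1187  0 09:16 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd.conf
bob       2100  1990  0 09:20 pts/0    00:00:00 grep vsftpd
"""

def vsftpd_processes(ps_output):
    """Return [(user, pid, ppid)] for vsftpd processes, skipping the header
    line and the grep that a `ps -ef | grep vsftpd` pipeline would show."""
    procs = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 7)          # CMD keeps its own spaces
        if len(fields) < 8:
            continue
        user, pid, ppid, cmd = fields[0], int(fields[1]), int(fields[2]), fields[7]
        if "vsftpd" in cmd and not cmd.startswith("grep"):
            procs.append((user, pid, ppid))
    return procs

def check_privilege_separation(procs, unpriv_user):
    """Return a list of problems; empty means the layout matches the post's
    expectation: exactly one root process (the socket owner) and all other
    vsftpd processes running as unpriv_user under that root process."""
    problems = []
    root = [p for p in procs if p[0] == "root"]
    others = [p for p in procs if p[0] != "root"]
    if len(root) != 1:
        problems.append("expected exactly one root vsftpd process, found %d" % len(root))
    for user, pid, ppid in others:
        if user != unpriv_user:
            problems.append("pid %d runs as %s, not %s" % (pid, user, unpriv_user))
        if root and ppid != root[0][1]:
            problems.append("pid %d is not a child of the root listener" % pid)
    return problems

def live_ps_output():
    """Run the real `ps -ef` on the local host."""
    return subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout

if __name__ == "__main__":
    procs = vsftpd_processes(SAMPLE_PS)
    print("vsftpd processes:", procs)
    print("problems:", check_privilege_separation(procs, "ftpsecure") or "none")
```

Swap `SAMPLE_PS` for `live_ps_output()` to check a real server; a non-empty problem list means either sessions are still running as root or the unprivileged account in vsftpd.conf is not the one you expected.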
  22. While I'm sure there are those who do it to benefit financially, I'd say the vast majority of reverse engineers do it for the challenge and to be able to say that they did it.