Jump to content
Hak5 Forums


Active Members
  • Content count

  • Joined

  • Last visited

About pentestgeek

  • Rank
    Hak5 Fan
  1. I've exploited/verified struts using Burp Suite. Simply injecting a Java sleep 20 second delay versus 1 second delay will show PoC. If you want to go full compromise you can use Java System calls to execute a reverse shell
  2. pentestgeek

    oracle vm virtual box usb wifi not working

    You are trying to connect a USB card not a virtual network interface. From VirtualBox you should be able to tell the card to connect to your VM and not your host operating system.
  3. pentestgeek

    Metasploit Over Internet

    An Internet-facing box is always ideal in this situation. I find it most convient to stand up a quick VPS on Linode or BudgetVM or Digital Ocean. You can usually do this for like a dollar a day or less. I simply install Metasploit on an Ubuntu VPS server and then enter the public IP address as the server I want the reverse connection back to.
  4. This is an extremely common request among companies who hire a third party penetration tester. What they are asking for is called a Letter of Attestation also sometimes referred to as a customer summary letter. It is usually no more than a one page document on the letter head of the company or individual performing the penetration testing. It usually says something like. ---------------- Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance. Our testing activities were conducted between date 1 and date 2 blah blah blah.. We adhered to the follow approved testing methdologoy - hyperlink to some pentest standard and/or framework During the testing Organization Y concluded that company XYZ as implemented adequate security controls to protect against commonly exploited vulnerability including: * bullet list of OWASP Top 10 or something... ---------- You get the idea, its just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest. Hope that helps.