Our first son has arrived, and I have had a little more spare time than I expected recently. There are only so many diaper changes and feedings one baby needs in a day! With my time off from work these next few weeks, I am working through some Unity 5 tutorials, starting with this one.
The first two days were interesting. The instructor, Eric Conrad, has done an excellent job tailoring the class to both newcomers and experienced pen testers alike. Also, he has a lot of interesting stories. If you are looking at taking a SANS course, he would be a good instructor to take it with.
Continue reading “SFO: SANS SEC542 Day 1 and 2”
A long time ago in a galaxy far, far away… HTTP was born. After a while, somebody decided they wanted to use the Internet to buy things. Someone else decided they wanted to send secret business emails. Another person went online and didn’t want people seeing what they browse in their spare time. So someone decided to add the letter S to the end of HTTP and everyone was happy.
Nowadays, everything takes place online. Bank accounts can be accessed, taxes can be filed, one quick click and you’ve sent a message to all your friends or co-workers. All that power behind a password. If you are like year-ago me, you have a roster of 3 or 4 passwords that you use on all these sites. No one can manage 30 different passwords for 30 different sites (unless they use management software like LastPass), so we are often left with our bank account having the same password as our email, or our Facebook password identical to our work password. Securing these passwords suddenly becomes priority #1.
Today I will go over how to build a simple SMTP Message Client, which can be used to send emails. This one is fun if your organization’s SMTP server does not require authentication (many don’t) and you would like to impersonate your boss. Note: Don’t impersonate your boss.
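As an added example (not the code from the post itself), here is the smallest useful version of that client in C# using System.Net.Mail, set up as a relay check: it sends one message with no credentials and a From address the sender does not own, and reports whether the relay accepted it. The relay host, port and mailboxes are placeholders; run this only against a server you are authorised to test, and only to your own mailbox.

```csharp
// Added example, not from the original post. Sends a message through an SMTP
// relay WITHOUT authenticating, with a From address chosen by the client.
// If the relay accepts it, anyone who can reach the port can send mail as
// anyone else. Host, port and addresses below are placeholders.
using System;
using System.Net.Mail;

class SmtpRelayTest
{
    static void Main()
    {
        const string relayHost = "mail.example.internal"; // assumed relay under test
        const int relayPort = 25;

        using var client = new SmtpClient(relayHost, relayPort)
        {
            // No credentials at all: this is the condition being tested.
            UseDefaultCredentials = false,
            Credentials = null,
            // true would request STARTTLS and fail if the relay does not offer it;
            // left false so the check works against plain port-25 relays.
            EnableSsl = false,
            DeliveryMethod = SmtpDeliveryMethod.Network,
        };

        // The From header is entirely client-supplied. Send it to YOUR OWN mailbox
        // so the only person who sees the spoofed sender is you.
        var message = new MailMessage(
            "not-really-the-boss@example.internal",   // spoofed sender (placeholder)
            "your-own-mailbox@example.internal",      // recipient you control (placeholder)
            "SMTP relay test",
            "Sent with no authentication. If this arrived, the relay accepts spoofed mail.");

        try
        {
            client.Send(message);
            Console.WriteLine("ACCEPTED: relay took an unauthenticated message with a spoofed From.");
        }
        catch (SmtpException ex)
        {
            // A 530 (authentication required) or 550 (relaying denied) here is the
            // outcome you want to see from a properly configured relay.
            Console.WriteLine($"REJECTED: {ex.StatusCode} - {ex.Message}");
        }
    }
}
```

Two caveats. Microsoft's own documentation marks SmtpClient as not recommended for new development (it points to MailKit instead), so treat this as a test tool rather than the basis of a production mailer. And an "accepted" result is the finding to write up: the fix is on the relay side (require authentication or restrict which hosts may relay), not in this client.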
Every company will have slightly different expectations, but as a tester there is a certain standard you should hold yourself to regardless of where you work. This can cut down on turnaround time by giving developers and support teams the information they need to fix issues quicker, and by giving stakeholders the right information to decide whether they ‘care’.
When testing systems, it can be useful to see what’s hidden behind a base64 string. Maybe we are running a security audit and come across an HTTP endpoint using Basic Authentication :O and we want to illustrate the risk, and why it should be changed, to those who don’t understand it (to a non-technical person it looks encrypted, but base64 is an encoding, not encryption: anyone who can see the header can recover the username and password). You might need this for any number of reasons. Maybe you just want to try it for knowledge’s sake. Lucky for us, .NET has wonderful built-in methods for working with base64.
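As an added example (not the post's own code), here is a small C# helper that does the decode end to end for the Basic Authentication case: it strips the "Basic " prefix, decodes the base64, and splits the result into user and password. The sample credentials are constructed for the demo; the password contains a colon on purpose, because that is the detail people get wrong.

```csharp
// Added example, not from the original post. Decodes an HTTP Basic
// Authorization header value back into the credentials it carries.
using System;
using System.Text;

static class BasicAuthDecoder
{
    // Returns (user, password), or null if the header value is not well-formed.
    public static (string User, string Password)? Decode(string headerValue)
    {
        const string prefix = "Basic ";
        if (headerValue == null ||
            !headerValue.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return null;

        byte[] raw;
        try
        {
            // FromBase64String rejects bad padding and non-base64 characters.
            raw = Convert.FromBase64String(headerValue.Substring(prefix.Length).Trim());
        }
        catch (FormatException)
        {
            return null;
        }

        // RFC 7617 leaves the character set to the server; UTF-8 is the common choice.
        string credentials = Encoding.UTF8.GetString(raw);

        // Split on the FIRST colon only. A user name cannot contain ':',
        // but a password can, so everything after the first colon is the password.
        int colon = credentials.IndexOf(':');
        if (colon < 0) return null;
        return (credentials.Substring(0, colon), credentials.Substring(colon + 1));
    }

    // The reverse direction, so you can build a header for a test request.
    public static string Encode(string user, string password) =>
        "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));

    static void Main()
    {
        // Constructed sample credentials for the demo.
        string header = Encode("alice", "p@ss:word");
        Console.WriteLine(header);

        var creds = Decode(header);
        Console.WriteLine(creds is null
            ? "invalid header"
            : $"user={creds.Value.User} password={creds.Value.Password}");

        // Malformed input is reported rather than thrown.
        Console.WriteLine(Decode("Basic not-base64!") is null ? "invalid header" : "decoded?");
    }
}
```

Point the output at whoever signed off on Basic Authentication over plain HTTP: the "encrypted-looking" header turns back into the password with three library calls, which is why that header only belongs on a TLS connection, and why the real fix is usually a different authentication scheme altogether.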