The Best Hacking Tool of 2017

“What is the best Hacking Tool of 2017?”

I see this question posted daily on Quora, and many CyberSec Facebook groups I belong to, so I thought I’d clear it up, hopefully (doubtfully) once and for all.?

The very best Hacking tool you will ever have (drum roll please…) is YOU. Please allow me to repeat that;

The Very Best Hacking tool you will ever have is YOU.?

No, Contrary to Popular Belief, It’s not Kali Linux, or BackBox, or ParrotOS, or what ever else distribution or tool set you could imagine. It’s Simply You.

Let me explain;?

Anyone, and I mean anyone, can open an application, type some commands or click some buttons and still miss their target almost every time. Why? Because they aren’t using Logical approaches. Out of shear and random luck, sometimes you will get some results, but then again, you’re playing the guessing game taking what you THINK is the next step.

You see, without using Logic and a firm Understanding of the “Phases of Penetration Testing”, you’ve already lost the battle. You’re just going to wind up Frustrated, and burned out from wasting so much valuable time. You might even break some stuff unintentionally.?

The use of Logic with the Phases of Penetration Testing?is something we very much go over in-depth at Pentester University

And listen, this is usually not any fault of your own. Other training Platforms like Udemy and the like simply don’t teach these two simple principles. How can they? Most of them don’t understand this or even how important it is in Penetration Testing.

I tested this theory and signed up for a few Popular Ethical Hacking courses on udemy for my research. And I have literally never been so disappointed with what I watched. But really, this should be it’s own topic in of itself.. so I will spare you for now :-)?

 

 

Sign up for our 14 Day Trial

 

 

Sharing is Caring:

Trumps Cyber-Security Executive Order

No matter if you love Trump, or hate Trump, he’s serious about the future of Cyber Security

Last week President Donald Trump issued an Executive order outlining his plans for Strengthening Americas Cyber Security Infrastructure. ?You probably haven’t heard much about it though, since it was immediately eclipsed by other news events like the Firing of FBI Director Comey, and then the super outbreak of the WannaCry super bug.?

According to TechCrunch’s Article one key thing that is important for us in the Cyber Security Private sector is this;

The EO?s call for federal government agencies ??especially civilian agencies ? to seek opportunities to share cyber technology makes a great deal of sense.”

And that couldn’t make me any happier, especially since Fridays Super Bug WannaCry kept SecOps up well over the entire weekend. Also, that is GREAT NEWS if you are seeking to start your own Cyber Security Firm.?

In Fact, since this news broke, I have received a ton of emails and calls regarding our Cyber Security Career Coaching services.

Do you remember the dot com boom of the late 90’s, early 2000’s? This is very similar, expect, unlike the dot com boom, there is no bubble or crash insight in the foreseeable future. So, roll up your sleeves folks, Cyber Security is going to be strong, no scratch that, Super Strong in terms of Budgets and Earnings. Are you ready for it?

So if you have been contemplating a Career in Cyber Security, and have questioned the validity and the future of the field, you now have your answer. Timbuk 3 (an 80’s Band said it best: “The future is so bright, I gotta wear shades”

 

 

 

Sign up for a 10 Day Ethical Hacker?Training Trial?

Sharing is Caring:

WannaCry Ransomware

WannaCry – The Latest Ransomware Romancing The Internet

 

The latest Ransomware to hit the market is called WannaCry and has already stricken over 12 nations already. Everything from hospitals to governments, to police stations. Their computers are now all being held hostage.?

This quite reminds me of when the ILoveYou Virus came out, and the Melissa Bug. Ahh, good times.?

All of this was made possible by two things; A Vulnerability that exists inside of Microsoft Windows, and was ONLY Found by the leaked NSA hacking tools and code.

The Hacker in control of this Ransomware is demanding 300 Bitcoin which as of today is worth roughly $511,869.00 U.S. Dollars.?That’s quite a bit of money to get their machines and data back. And sadly, some people like Hospitals and Banks will be forced to pay it. Effectively making the Ransomware creator a millionaire over night.?

So It’s been spreading via email in a zip file. So, don’t open any files from anyone, especially not a zip file. Turn off SMB/Cifs inside of your windows 10 machines, and keep good backups. Oh and stay current with Updates 🙂

Personally, I hope this is a wake up call for the global community that Cyber Security is important, as well as other areas of IT, like backups, system monitoring, fault tolerance, etc.?

 

 

 

www.PentesterUniversity.org

Sharing is Caring:

News: Vi Editor Course is Now Open

I am very pleased to announce that we just released a new course specifically on the terminal based vi(m) Editor.

vi or otherwise known as vim is a very powerful UNIX based terminal text editor. You can quickly create, modify, save and edit configuration and text files inside of a Linux/Unix shell. You can even write programming code with vi/vim.?

In this course we discuss how to properly use vi/vim to create, edit, and save files. We also talk about how to navigate files inside of vi/vim, how to search for text and replace text, and much more.

It’s completely FREE for Members of PentesterUniversity.org and ONLY?$27 for non-members.

You can check out the course right here: Learning The vi Editor in Linux

Shaun James

Sharing is Caring:

5 Things You Need to Know Before Becoming a Penetration Tester

Are you looking to become a Professional Penetration Tester? Here are the Top 5 Things You need to know before becoming a Professional Penetration Tester: Number 5 is the most important.

Download our FREE Fast-Track Cyber Security Career Guide HERE

College Doesn’t matter:

Over the years I have worked with a lot of people. And in that time, I have found that Traditional College degrees do not matter. Some of the smartest and most talented people I have had the pleasure of working with were merely High School Graduates. They never spent a single day in a Traditional College. On the flip side, some College Graduates I have worked with that had their computer science degrees were very book smart, but when it came to putting those book smarts to their hands to action their skills, they were clueless.?

 

Certifications do Matter:

While Traditional College degrees are falling by the wayside, even less required by employers, industry certifications however, are taking place of that. Let’s be honest, I think even that is going to be phased out in the next decade. Why? Just take a look around, there are a myriad of Professional Certifications these days. CEH, LPT, CISSP, OSCP, Sec+, to just name a few. And for the most part, they all test basically the same skills. And here’s the thing about these Certifications. Most of them have a re-test period, in which that Certification you worked so hard for expires in a period of time. Now, don’t get me wrong, this industry of Penetration Testing and Information Security does change rapidly, so it’s not really a bad thing to re-test. But think of the amount of money and time you have to devote to a re-cert every 2 or so years. It ads up quickly.

 

Knowing Linux:?

This is a MUST in my experience. Most of the tools we use in every day Penetration Testing tasks simply do not exist in the Windows Space, and only about half of them exist in the Apple/Mac space. There are many reasons for this. The most important reason is because Linux is open source, and the networking stack is very much more robust than its windows counterpart. So, while you do not need to be a Master Linux Super Guru, you do need to understand the basics of how it works, and some simple commands before you can pentest from a Linux Environment.?

 

 

Networking:?

This is another must. You must know the basics of how a Network and it’s basic protocols work in order to be successful at Penetration Testing. Now again, you don’t need to be a network engineer here, but you should have a basic understanding of TCP/IP, Packet Structure, and other protocols such as HTTP, UDP, ICMP, OSI Model, just to name a few. The more you know in this area, the better and faster you will be.

 

Social Engineering:?

The weakest link in any security environment is the human element. And that is a fact. Now you don’t need to be a psychology major here, but you should understand how people tend to think.

For instance, lets say that you ?Pentester a Company called XYZ Widgets International, and you simply can not find a way in. They are super secure. So, in your Information Gathering phase, you find a company directory, full with names, numbers, and most importantly email addresses. You have also managed to stumble upon a portion of their website, where you can see their “Partners” i.e. other companies they deal with. You pick the partner ABC Widget Wholesalers, Inc, who has a manager of partnerships named Michael Dawson.

So, in the company directory of XYZ Widgets?you find Mary Adams. She’s a secretary for the office. You also found in that list a higher level employee, such as a manager of partner relations named James Matthews.?

So you craft yourself a pdf with a reverse_tcp meterpreter shell, pack it with your packer of choice, and craft a spoofed email from [email protected] In this email, you put a subject line of: “URGENT – Partner Application”. In the body of the email you put something like “Mary, I need your help. My boss Michael Dawson is having issues with his email or something. Ugh, you know how that is. He’s screaming at me about it, like I know anything about computers! Anyway, I am trying to help him, so he asked me to email this Partner Application to you. Could you please download it and print it out. It needs to be signed by James Matthews, and returned by email to me by no later than 2pm today. Thanks! – Sam Smith – Assistant to Michael Dawson”

Lets talk about this for a minute.?

Mary Adams, being just a secretary probably doesn’t know much about computers, and to be honest, she’s probably on some shoe shopping site, browsing for a new set of heels or something. Bing, email pops up. She quickly glances at the subject line and see’s “URGENT – Partner Application”, looks at the sender, and it comes from abcwholesaler.com – one of their partners. Mary doesn’t want to get in trouble, so she quickly opens the email, see’s her first name which builds validation of legitimacy. Then she sees her name again, this time followed by “I need your help” — she’s a secretary, she’s always doing something for bosses. This set’s her mind back into work mode, and away from shoe shopping mode. You mention your boss, so that immediately lets her know that you are a lower level person in the company, just like her. You then follow by saying that your boss is having email problems (tells her why you are emailing her instead of Mr. Dawson), and throw in the UGH at the end. This gets her mind into a place of compassion, because likely she’s been there too. You heighten the sense of urgency saying “He’s screaming at me about him email problems”, builds on the URGENCY clause you had in the subject line, and followed up with “Like I know something about computers”, which builds trust again that you are a low level employee just like her, and how bosses can be unreasonable. Now, you give her the Call To Action with sincerity – “Can you please download this, and print it out?” The Call To Action tells her brain that she needs to do this. You then follow with “It needs to be signed by James Matthews” – probably one of her many bosses. This one sentence alone does 3 things here: ?Again another sense of Urgency by mentioning her bosses name, Persuades her not to be lazy and forward it, since it needs to be printed, to be signed. You give her a dealine, sealing the urgency deal.?

 

You should now have a shell on Mary’s machine. Social Engineering is one of the most important things to know in becoming a Penetration Tester.?

Download our FREE Fast-Track Cyber Security Career Guide HERE

 

 

 

 

Sharing is Caring:

Kali Linux Really Sucks

Ok, so maybe it doesn’t totally suck, BUT

Kali Linux is one of the few go to operating systems for Penetration Testers and Hackers alike. And it does do a really good job at giving you a mostly full set of tools used in Penetration Testing, but it still totally sucks! Here’s why;

Kali Linux, above anything else is really just a tool, like any other “hacking” tool. But the problem is, just that. It tends to mislead potential users into a false sense of thinking that Kali Linux itself is all they need to “hack the planet”. In fact is the furthest thing from the truth. YouTube is to blame for this epidemic also, but that’s for another topic all together.

Here’s the thing that us Professionals already realize; and that’s “The Very best tool you will ever have in your tool kit is YOU.” Yes, YOU. I’ll explain

Everyone thinks because they saw some guy/gal on YouTube fire up their Kali Linux install, and hack a website, or hack another computer with such ease, that of course they can do it just like what they saw. And often times they become super frustrated, and ultimately discouraged, and defeated. I wrote a blog post about that?HERE

Many users lack the firm understanding of the core principles of a Proper Penetration Test. Including the very important Phases of Penetration Testing. Unfortunately, most online resources rarely teach the Phases of Penetration testing. Nor do they encourage?would-be Penetration Testers to apply a simple, yet powerful tool within themselves called Logic. Usually the reason they don’t teach these important things, is because they are boring.?One of our Flagship ideals here at Pentester University is teaching these methods very much in-depth, while making it fun and interactive.

You are the BEST Computer You will ever use.

And I truly mean that. By understanding the core fundamentals, such as the Phases of Penetration testing, and applying LOGIC, you are now able to build a better case against your target, a clear road map of the best method of attack. This will lead to a higher success rate of compromising clients systems, less frustration, and ultimately a lower chance of Defeat.

In closing, You could have the very best of the best tools in the entire world, but without using Logic, and Understanding the important Phases of Penetration Testing in-depth, you are just clicking buttons, and making yourself frustrated, and perhaps looking foolish in front of your client, bosses, or colleagues.

Sharing is Caring: