Saturday, April 29, 2017

Hacked!

When people get hacked, they often ask me if I hacked their system (because I work as a professional hacker). The answer is NO. I don't have time to hack stupid stuff.  I don't hack for free.  And I don't hack illegally. That's what losers do.

Most often the causes of people being hacked are:

1. They received an email that says they've won $10 million. "Please click here to receive." lol
2. They click on a popup that says their computer is hacked and to install the "anti-virus" software from the popup to clean it. Often the free "anti-virus" software is the trojan. Even if it's not free, it's a scam to get people to buy unnecessary software.
3. People are downloading software, music, and movies illegally. STOP IT. That's how people most often get hacked. They often use some kind of torrent software.
4. People visiting risky websites and clicking on them.
5. Opening an attachment from a friend that contains a funny joke.

People should:

a. have a restrictive firewall up
b. have anti-virus software running
c. update the software on their system to patched versions
d. and not do any of the silly things listed in 1-5

Tuesday, March 7, 2017

Network Pen Testers

To me it seems crazy that in this day and age, there are tons of certified network pentesters holding jobs as pentesters, yet they do not know how to use the Metasploit command line or even modify a script on Exploit-DB to make it run correctly.

I'm not even asking them to be able to modify or even write a custom Metasploit module.  Just be able to use the tool.

The amazing thing is there are many self-proclaimed "elite hacking teams" at companies out there who don't even know how to use port forwarding when testing a remote closed network.


Network Vulnerability Scanners

There are many network vulnerability scanners out there.  Many of them are poor quality.  For instance, one particular tool lists hundreds of vulnerabilities for a service running on the network simply based on the fact that the version banner states it is a certain version.  These tools do not check for a vulnerability.

That's right.  Many of these tools do not check for a vulnerability.  Instead they look at the version number on an Apache web server or a MySQL server and then list hundreds of false positives.  The version number could be incorrect and/or patches may have been backported.  This is no different than static code analyzers that try to impress users with thousands of findings in fancy demonstrations that are false positives.

These tools are a waste of time and energy.  Get yourself a real tool that actually does a vulnerability check.
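
The following is an added example, not code from the original post: a small triage pass over scanner output that separates findings backed by an actual check from findings inferred only from a version banner, and resolves the backport case against the installed package release. The field names, status labels, finding IDs and version numbers are constructed assumptions.

```python
import re

# Product, then a dotted version, as seen in banners like "Apache/2.4.6 (CentOS)".
BANNER_RE = re.compile(r"([A-Za-z][\w.-]*?)[/_ ](\d+(?:\.\d+)+)")

def to_tuple(version):
    # Compare numerically: as strings, "2.4.6" sorts after "2.4.10".
    return tuple(int(part) for part in version.split("."))

def parse_banner(banner):
    """Return (product, version tuple) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    return (m.group(1).lower(), to_tuple(m.group(2))) if m else None

def triage(finding, installed_release=None):
    """Classify one finding by the strength of its evidence.

    installed_release is the vendor package release read from the host's
    package manager (hypothetical input; None when unknown).
    """
    if finding["evidence"] == "active_check":
        return "confirmed"              # the scanner tested the flaw itself
    parsed = parse_banner(finding["banner"])
    if parsed is None:
        return "unverified"             # no version to reason about
    if parsed[1] >= to_tuple(finding["upstream_fixed"]):
        return "not_affected"           # banner version already has the fix
    vendor_fix = finding.get("vendor_fixed_release")
    if vendor_fix is not None and installed_release is not None:
        # Backport case: upstream version looks old, the package may carry the fix.
        if installed_release >= vendor_fix:
            return "patched_by_backport"
        return "vulnerable_package"
    return "unverified"                 # banner match only, verify before reporting

# Constructed sample findings; IDs and versions are placeholders.
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "banner": "Apache/2.4.6 (CentOS)",
     "evidence": "banner", "upstream_fixed": "2.4.10", "vendor_fixed_release": 90},
    {"id": "VULN-PLACEHOLDER-2", "banner": "Apache/2.4.6 (CentOS)",
     "evidence": "banner", "upstream_fixed": "2.4.10", "vendor_fixed_release": 99},
    {"id": "VULN-PLACEHOLDER-3", "banner": "Apache/2.4.6",
     "evidence": "banner", "upstream_fixed": "2.4.10"},
    {"id": "VULN-PLACEHOLDER-4", "banner": "Apache/2.4.12",
     "evidence": "banner", "upstream_fixed": "2.4.10"},
    {"id": "VULN-PLACEHOLDER-5", "banner": "", "evidence": "active_check"},
]

def triage_all(findings, installed_release=None):
    return {f["id"]: triage(f, installed_release) for f in findings}
```

Only the `confirmed` and `vulnerable_package` results belong in a report as they stand; everything marked `unverified` needs a real check first.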