Archive for January, 2009
Associative Wordlist Generator (AWLG.org)
by seth on Jan.14, 2009, under SANS, Security
Stumbled upon AWLG over at Darknet: http://www.darknet.org.uk/2009/01/the-associative-word-list-generator-awlg-create-related-wordlists-for-password-cracking/
This follows nicely from the previous post referencing CeWL. It also dovetails with me currently listening to Day 4: Password Attacks of SANS 560: Network Penetration Testing and Ethical Hacking …
So what does AWLG do?
“The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.”
The about page indicates that MySpace pages, Wikipedia articles, etc. are searched. That etc. is pretty important, but it is a fun tool to play around with. The same Darknet article also mentions Wyd, but I think AWLG is a nice addition as you don’t have to have already downloaded the files to be searched, and can instead rely on internet search engines. Likewise this tool has some facility beyond CeWL, again because you don’t have to already know where the associated content can be found. All in all a nice addition to my kit.
Also worth mentioning is AWLG’s stated privacy policy to “not record any transmitted search strings or user information”.
Definitely check out the cute stick figure animated explanation of AWLG – pretty funny: http://www.awlg.org/whatis.gen
SANS Training 25% off discount extended
by seth on Jan.09, 2009, under SANS
Full disclosure: I serve as a Technical Director and Virtual Mentor for SANS OnDemand (as well as Community SANS Instructor in general).
SANS OnDemand online training has extended the 25% off discount promotion that was being run at the end of 2008. This is one of the steepest discounts I’ve seen for SANS training of any kind. In the current economy, training without travel can certainly be amenable to those signing the checks for ongoing education.
This is, of course, a limited time deal. You must register before 01/22/2009.
Use discount code: ODEY_08E
Please let me know if you have any questions about SANS training in general or SANS OnDemand in particular.
SANS Log Management Survey
by seth on Jan.09, 2009, under SANS, Security
SANS posted their log management survey the other day. If you/your company deals with enterprise log management, then please participate in the survey. Results will be detailed in April at SANS Log Management and Analysis Summit in DC (http://www.sans.org/logmgtsummit09/).
Here is the link to the survey:
https://www.surveymonkey.com/s.aspx?sm=FCwjvfHzkGml4stgnYQ7rg_3d_3d
CeWL for Pen Testers
by seth on Jan.08, 2009, under Security
Shortly after flipping through Ed’s slide deck for Secrets of America’s Top Pen Testers yesterday, I noticed a fortuitous tool announcement come across the SANS GIAC Alumni mailing list. Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced ‘cool’).
http://www.digininja.org/cewl.php
CeWL “spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper” (from the website).
Very nice. This tool dovetails nicely with Ed’s first tip from SATPT, “Build Password Guessing and Cracking Dictionaries”. In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed’s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.
Whew… did you follow all that? Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal. Check it out.
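To make concrete what both AWLG and CeWL are described as doing (collect the words that appear on pages related to a target organisation and rank them for use as a dictionary), here is an added, self-contained illustration; it is not CeWL’s or AWLG’s code. It crawls a constructed in-memory mini-site (the example-corp.test and partner.test URLs are hypothetical and `fetch` stands in for HTTP) breadth-first to a chosen depth, optionally following off-site links as CeWL’s description mentions, and returns a frequency-ranked list. The defensive use shown at the end is the one a password-policy owner wants: a context-specific blocklist that rejects passwords built from terms on the organisation’s own public pages.

```python
"""CeWL/AWLG-style custom wordlist builder, illustrated offline.

Constructed example, not CeWL's or AWLG's code: a tiny in-memory "web" is
crawled breadth-first to a fixed depth, visible text is tokenised into words,
and the result is a frequency-ranked list that doubles as a context-specific
password blocklist.
"""
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed mini-site standing in for live pages (hypothetical URLs).
SITE = {
    "http://example-corp.test/": """<html><head><title>Example Corp</title></head>
        <body><h1>Welcome to Example Corp</h1>
        <p>Our flagship product Widgetron ships in Springfield.</p>
        <a href="/about">About</a> <a href="/team">Team</a>
        <a href="http://partner.test/">Partner</a>
        <script>var secret = "notaword";</script></body></html>""",
    "http://example-corp.test/about": """<html><body>
        <p>Example Corp was founded in Springfield by Rosalind Quintero.</p>
        <a href="/history">History</a></body></html>""",
    "http://example-corp.test/team": """<html><body>
        <p>Rosalind Quintero leads the Widgetron team.</p></body></html>""",
    "http://example-corp.test/history": """<html><body>
        <p>Widgetron version one launched in Springfield.</p></body></html>""",
    "http://partner.test/": """<html><body><p>Partnerco builds Gizmatic.</p></body></html>""",
}


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site (None if unknown)."""
    return SITE.get(url)


def spider(start, depth=2, follow_external=False, min_length=3):
    """Crawl breadth-first from `start` for `depth` link hops; return a Counter of words.

    Mirrors the CeWL description: spider a URL to a depth, optionally follow
    links to other hosts, and collect the words that appear on the pages.
    """
    host = urlparse(start).netloc
    seen, queue, words = {start}, deque([(start, 0)]), Counter()
    while queue:
        url, level = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        parser = _TextAndLinks()
        parser.feed(body)
        for token in re.findall(r"[A-Za-z]+", " ".join(parser.text)):
            if len(token) >= min_length:
                words[token] += 1
        if level >= depth:
            continue  # reached the depth limit: harvest words but follow no links
        for href in parser.links:
            target = urljoin(url, href)
            if not follow_external and urlparse(target).netloc != host:
                continue
            if target not in seen:
                seen.add(target)
                queue.append((target, level + 1))
    return words


def wordlist(start, **kwargs):
    """Words ranked by frequency, then alphabetically: the usual dictionary order."""
    counts = spider(start, **kwargs)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0].lower()))]


def contains_site_term(password, terms, min_length=5):
    """Defensive check: does the password embed any site-derived term (case-insensitive)?"""
    lowered = password.lower()
    return any(t.lower() in lowered for t in terms if len(t) >= min_length)


if __name__ == "__main__":
    terms = wordlist("http://example-corp.test/", depth=2)
    print(terms[:10])
    print(contains_site_term("Widgetron2009!", terms))
```

Run against the constructed site, the product name, the town and the company name float to the top of the list, which is exactly why such terms make poor password material; the same `contains_site_term` check can be dropped into a password-change handler as a context-specific blocklist, with depth and external-link settings tuned to how much of the organisation’s public footprint should count.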
Ed Skoudis’ “Secrets of America’s Top Pen Testers”
by seth on Jan.08, 2009, under SANS, Security
Ed Skoudis sent a tweet yesterday announcing the immediate availability of his presentation from SANS CDI: Secrets of America’s Top Pen Testers. Obviously you will not get the full effect without Ed’s contagious excitement, but the 38 slides do stand on their own well. He is quick to point out (via the subtitle) that he did not name the presentation…
10 nicely presented tips (with Ed’s signature black hat red screened goodness) at no charge…
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf