ExamNotes.net

Other IT certifications => CISSP => Topic started by: bass2k1 on March 24, 2003, 05:07:38 AM



Title: Certified Ethical Hacker?
Post by: bass2k1 on March 24, 2003, 05:07:38 AM
What are your thoughts on this Certification? Do you think it will be able to stand its ground in the Security Arena? In short, is it worth the effort and $$$?

Regards

Sebastiaan.Rothmn@BHPBilliton.com


Title: Certified Ethical Hacker?
Post by: Hacker on March 25, 2003, 04:48:21 AM
Links?


Title: Certified Ethical Hacker?
Post by: bass2k1 on March 25, 2003, 05:08:08 AM
http://www.eccouncil.org/CEH.htm

Regards

Sebastiaan.Rothman@BHPBilliton.com


Title: Certified Ethical Hacker?
Post by: Dann on March 25, 2003, 09:46:14 PM
While taking the certification doesn't mean that we will have a strong foot into IT Security, the knowledge and exposure gained from the course definitely will help you in term in this path. Frankly speaking, do we really know how hackers hack the system, what tools they are using, how they explore the exploit and cover their tracks?

In the US, the intenseschool is also running this course. According to them, it is one of the popular hacking courses so far. There are other companies offering the same stuff, like Foundstone.

So, even if the person is a CISSP or SSNP or something else, do they really know, and are they confident, to protect their organization's network from the hacker? A hacker will use all means and ways to get into your network. And the CISSP dun even know how a hacker thinks; how the hell is he going to protect his network?

In Singapore, most of the CISSPs are well rounded; they took classes on hacking, risk assessment and other courses to fully equip their knowledge of IT Security.

Go for the knowledge instead of certifications.


Title: Certified Ethical Hacker?
Post by: bass2k1 on March 26, 2003, 01:31:53 AM
Point taken, but looking at it from an employment angle... isn't a company rather going to employ someone based on the formal qualifications rather than knowledge they claim to have?


Title: Certified Ethical Hacker?
Post by: Dann on March 26, 2003, 09:05:45 PM
While I agree with you, the formal qualification is also important. Additional certifications and knowledge definitely will also help in the career path in the long run.

Summary, experience, qualification, knowledge and certifications are important to us, if we wish to excel in this IT industry.

Cheers !!!


Title: Ethical Hacking - Hmmmm....
Post by: comblues on July 08, 2003, 11:10:43 PM
Starting a 6-month intensive burn the brain course...

Fully Hands-on.

Goal 4 Cert in months and fully functional in at least 2 OS's (but hey why not learn a little about Novell and OS/2, cause you can...)

Recon
Audit
Attack
Clean-up
Hide in Plain Sight
Defense

Hard Drive Forensics
Virus, Worms, and Trojans, oh my...

And what about Social Engineering?  Nice trick for an interview...

After all business is war and "all's fair in love and war"... where the end justifies the means...

Ever heard of the OSSTMM...

I intend that all students use it for a bible...

Nice to have a thorough guideline to audit and to build a solid defense...

Think castle and moat...

Then think Ninja and Samurai...

Now you have an Ethical Hacker...

The Ethics of a Samurai, coupled with the skills and armament of a Ninja...


Hide in Plain Sight - Check
Weapons of Mass Destruction - check
Strong Armor - check
A few more secrets...

After all, it takes a Hacker to find a Hacker...

Final Exam - Find a Hacker Tool's Archive - Hack in (anyway you can) and retrieve at least 3 Gigs of the best tools you can find...

Bonus Points for 0-Day Tools...

Anyone care to ante up...

Oh yes...  I might advise that your personal PC or Palm be armored before such an undertaking into a Dragon's Hoard...

Care to live the adventure?


Title: Certified Ethical Hacker?
Post by: wirelessboy on July 08, 2003, 11:38:34 PM
dear comblues

CCNP+MCNS CCDP CCDA CCNA CSE
MCSE+I, MCSE, MCP+I, MCPS
CCEA CCA LBS ICAS RMS IMS CCSP
A+ Network+ I-Net+
Certified Internet Security Specialist
Cisco WLAN SE/FE
CCIE-Written (88%)
Cisco Global Product Support AVVID Field Engineer (VoIP, R&S, CAT 4224, and ICS 7750)

wow! boy, i am impressed and motivated with ur certs. congrats and all the best for ccie lab and other certs

regards


Title: Certified Ethical Hacker?
Post by: Delphis on July 09, 2003, 03:59:04 PM
Comblues,

You're on, save for the final.  The only way you're going to find 3 gigs of Hacking/Cracking tools from a single person is if they're nothing more than a script kiddie.

So where shall we start?


Title: Me too
Post by: Hoooooo on July 09, 2003, 07:31:23 PM
Let's go!

Hoooooo

Certified GED


Title: CEH Achieved
Post by: comblues on September 04, 2003, 12:46:36 PM
Well Guys:

I spent a week in a CEH Training Class (not a bootcamp).

Then spent the weekend reviewing the tools, their respective creators, and trying to use as many as possible (there are over a hundred) and then sweated as I waited until Tuesday to take my exam.

I passed at 92% on my first attempt.

1 Cert Completed.

A few more to go...

Looking for the following:

Security+
TICSA
Microsoft MCSA/MCSE + Security (already MCSA/MCSE) so I need either 2 or 3 exams.

CCSA/CCSA - Just because I like Checkpoint too!

But the GSEC is officially the 4th Cert.

BTW - I got to get my Sniffer Certs completed in about the same time.

As far as the trove of tools - I came about it from a sortie with a Trojan/Worm tools that I noticed seemed to visit a variety of sites but none were the same on any two of the machines hit.  (Over 30 overall).

So I tried my luck and hit paydirt.

Now I have an arsenal of viruses and worms that are immune to virii checkers.

So these troves do exist.  But it does appear they are mobile?

Good luck finding one.

Look at your worms.  Particularly ones with the sdbot or some other bot.

Seems they go and download 2 files from the trove.


Title: CEH should be named CSK
Post by: Ciaban on September 07, 2003, 08:04:34 PM
Delphis is right.  Most hacker tools are for script kiddies (the talentless and lazy).

Any respectable "Ethical Hacker" or "Security Geek" will write their own code to bypass anti virus programs.  For example, look at NT systems.  They are the easiest systems to break into.  They are IMPOSSIBLE to secure if you have NetBIOS enabled unless you have an outside firewall blocking the port traffic.  Just research port 445 and hidden admin shares (C$).  A simple 10 line program using PSEXEC.EXE can scan and list all holes in a subnet and copy and execute any code you want.  If you really want the job done, write an additional 10 lines of code that will cycle through the 255 chr() values in increments until it gets done.  Theoretically, this is perfect for a middle man attack for IP spoofing since you don't need to see the output from the program, you just want the project to succeed.  So basically, unless you have a polymorph engine to encapsulate a script kiddie program, this level of attack is the only way to truly test the castle walls.  Anything less is a half-witted way to stumble through your job.

The CEH is nothing more than a script kiddie certification.  I plan on getting it because it is something to break the ice at dinner parties.  A true InfoSec person should be comfortable with coding and networking alike, and should be able to access low level secured systems without the use of well-known parlor tricks.  The industry needs more skilled Security professionals, not snake oil salesmen.  The CEH certification should be a base - low level -  novice certification with 1-3 levels of certification past it dedicated to system security at levels beyond simply knowing what the 14 year olds are using these days.

I don't mean to come across as an arse, but this type of cert can become very dangerous very quickly when people want to show others how much they don't really know, all in the name of InfoSec when it should actually be called CSK for Certified Script Kiddie.  To know how a hacker thinks, don't use the tools.  Understand how and why the "vulnerabilities" are security risks, not memorizing the output and interface of an enumeration program.  Simple utilities like Telnet and learning how to program socket connections are more important than "how to" with netbus.


Title: Certified Ethical Hacker?
Post by: gat0r on September 12, 2003, 06:16:47 PM
what "real" hacker didn't start out being a script kiddie.  everyone has to learn, you people with your arrogant attitudes can eat a dick.
if you can honestly say you became a real hacker without fooling around with some kiddie tools or checking out C code to see how they did that, then you are really friggin talented and should probably have something better to do than post on this forum


Title: LOL...
Post by: Ciaban on September 12, 2003, 09:49:52 PM
LOL gat0r
You didn't read the full post. "The CEH certification should be a base - low level - novice certification with 1-3 levels of certification past it dedicated to system security at levels beyond simply knowing what the 14 year olds are using these days."

It's like a nurse taking a 50 question test, passing and thinking they can do brain surgery.  

And sorry gat0r, I'm not gay.  Thanks for the offer though.


Title: Certified Ethical Hacker?
Post by: gat0r on September 15, 2003, 01:56:45 AM
yeah you are real XXXXing cool...


Title: Certified Ethical Hacker?
Post by: Dann on September 25, 2003, 10:35:07 PM
Relax brother, no need to heat it up. We are here for the same objective.

While, in fact, I haven't really gone for the CEH exam; most probably by the end of the year. Currently, taking my Oracle.

I believe the others are more willing to share the information and resources in this area.

Cheers dude !!!


Title: need some advice
Post by: Qrtjester0 on November 18, 2003, 01:14:05 AM
Hello, my name is Greg. I just found this site. Been looking into Security for a while. Currently I am working on my computer science major at college but I need some advice as to how I should go about breaking into the security field. Again, I am only a student so I am really restricted as to what I can and cannot do. But I am totally willing to learn on my own or at least add on to the (most likely meaningless) things I do know. I have experience with some hacking and anti-hacking tools as well as some access to them. I would just like to know maybe where I should be going with this, because it's so new. Maybe books or software I could buy. Please help me out, email me or post back.
Thank you.


Title: Certified Ethical Hacker?
Post by: Dann on November 25, 2003, 06:52:12 AM
It's easy man. Just get the * Hacking Exposed * book. Download the tools, install them on 2 systems and test them out. Read more books on hacking issues and security forums. Certainly from there, it will enhance your knowledge and your perspective towards hacking.

Frankly speaking, the content being learned from CEH is almost the same as the * Hacking Exposed * book.

Good luck to you man :D


Title: Interesting points
Post by: macubergeek on December 29, 2003, 12:37:02 PM
Ciaban
You make very interesting points. I myself have grown weary of the "inventory of tools" approach many hacking courses like Foundstone take to teach hacking. I must confess I shy away from the "script kiddie" term simply because so many networks are still vulnerable to these types of attacks AND I figure if a system is vulnerable to such attack a "real" hacker would still use these tactics over reinventing the wheel, so to speak.

I've been reading an interesting book recently that I feel addresses the deeper issues you allude to. "Hacking, The Art of Exploitation" by Jon Erickson, No Starch Press. Very interesting discussion of the coding of buffer overflow exploits including assembly coding.


Title: dude
Post by: macubergeek on December 29, 2003, 04:38:24 PM
comblues
yer trippin
go to Defcon
participate in their hacker wargames
get yer XXX handed to you
only way to learn

...humility

look it up


Title: Certified Ethical Hacker?
Post by: Tactician on January 09, 2004, 03:14:10 PM
Hi All...

The CEH is a good course and certification.  I have been doing Security work for many years without certifications in anything.  What is known is that Foundstone is a leading security company.
But those Kiddie Scripts you guys are talking about, still work.
They do port scan.
They do Footprinting.
They find holes.
In the old days, you would use your own script because it was an underground thing.
Security was not a known issue as it is today.

Tools are available today.
Why recreate the wheel?
Nothing has changed on the network.
Today's tools are BRUTAL, FREE and they work.
KIDDIE SCRIPTS.
Kiddie scripts can compromise most systems.
They were built by Ethical Hackers for test purposes.
You better know them.
Don't be in front of your Employer telling him the network you should have secured was compromised by a kiddie script.
Get the drift.

The Certified Ethical Hacker Certification
lets you know how to read the report.
You can say it's easy, but it's not.
Fully understanding some reports is a task in itself.
Only by breaking into a system can you understand how to secure it.
Everything a hacker needs today is either available in applications or built into the OS.
The Cisco Security Certifications are awesome.  But they are vendor based.  You will not get a broad picture of what is happening.

So take my word for it.
It is worth the $$$ for the Certification.
As mentioned there are not many books on the subject.
That leaves room for books, instructors, and etc.
Security in today's world is needed.
The importance of this course cannot be overlooked.
Just look at the outline.

It is true it can be done and practiced at home.  But if you need the training get it.

Just my opinion.
Like everyone else's.

If you need help with CEH contact me @

muhammad54@netzero.net


Title: Defcon? - Sorry I don't hold this one in the highest regard...
Post by: comblues on November 13, 2005, 12:34:20 AM
I like Blackhats better. :)

It's usually not far away and it seems to draw a more distinguished crowd...

Defcon, when one wants to check out the latest Hacker Fashions and Art Decor...

As far as hacking for hackers is concerned, the very best offense has always been a strong defense.

If you play hacking games for very long this becomes the rule.

Defend what you have, take what you can, and live to be free another day.

This is what "Hacking is about".

As far as the famous 3-Gig trove - I still have it.

Most of the tools would seem much too common and outdated...

That is until you start to realize what they really are...

You see, they are not the garden variety tools that an AV would detect, nope!

They have been modified and they are much stealthier.

On days when I have time I try to dissect them with my Sniffer and see which ones my IDS can pick up or not...

:)

So, which convention would you like to go to, hmmm...  This would be up to your preference and budget.

Defcon is cheaper in more ways than one.

But select your choices wisely, I don't think it would benefit someone if all they were doing was going just to be seen...

That is not what the "scene" is about...

Sorry I don't have time to wrangle words with you...

I do have qualifications to amass and Enterprise Networks to run...

:)

Gotta make the bucks you know...

Good luck!

And no real disrespect to Defcon, everyone starts somewhere...

And I guess if you like to mix your hacking with partying it would be the place...

Did I ever tell you about the guy with the green tipped pony-tail?

Well, he helped me pass my CEH, sort of...

Nice of him, a recognized security guru and Defcon attendee/speaker/"expert" to come into my domain...

Ha! Ha!

I guess we can all play games a bit can we not?


Title: Been a while...
Post by: comblues on September 22, 2007, 02:48:05 AM
To think, I, comblues, was referred to go to Defcon, and have my XXX handed to me...

Hmmm...

Interesting thought.

However, I live on the net and as such, I do what I please.  I may be a long-time script kiddie to some but I know how to use my tools to great advantage - some or most of the time at least.

It's been a while back, but it is still kind of funny - I guess the dude who said it really never heard of me at all...

Hmmm...

Still amusing.