InfoSec Institute Resources – Transforming your Android Phone into a Network Pentesting Device

By Mike S

An excellent walk-through here on transforming your Android Phone into a Network Pentesting Device.

I was debating switching to the iPhone 5, but maybe I’ll go for the next Google phone instead.

Category: How-To | No Comments | October 30th, 2012

InfoSec Resources – Noobz Guide for Setting Up a Vulnerable Lab for Pentesting

By Mike S

Jay Turla of the Infosec Institute introduces us to a bunch of free tools, utilities, and resources to set up a lab where we can practice our penetration testing and elite haxxor skills:

You don’t need to pay a single penny in setting up a pentesting lab because there are a lot of vulnerable distros and web applications that are open source, free and easy to customize. All you need is virtualization software and virtual images in order to run a vulnerable lab.

Good stuff via InfoSec Resources – Noobz Guide for Setting Up a Vulnerable Lab for Pentesting.

Category: How-To | No Comments | September 19th, 2012

A Series of Unfortunate Events | Sword & Shield Enterprise Security, Inc.

By Mike S

Those Sword and Shield guys are pretty clever!

via A Series of Unfortunate Events | Sword & Shield Enterprise Security, Inc.:

First, I scanned the network with Nessus and did not find any easily exploited vulnerabilities, but I did find a medium-risk vulnerability showing unauthenticated access to multiple NFS shares (Nessus ID 42256). Browsing the shares, I found a backup copy of the client’s public web site, which was developed using Visual Studio. Visual Studio stores database connection strings, including plaintext passwords, in .config files. Using the command grep -r connectionStrings= at the root of the source directory, I found multiple connection strings that used three different database passwords.


Categories: News, Security | No Comments | May 31st, 2012

Metasploit For The Masses

By Mike S

This could be quite useful:

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7’s Metasploit Pro commercial product.

via Metasploit For The Masses – Dark Reading.

Category: Compliance | No Comments | October 22nd, 2011

Strange But True Penetration-Testing Stories – Dark Reading

By Mike S

Ah, the fun of legitimate penetration…

‘Hacker’ gets kudos from his financial services victim, as in-house security cameras go rogue and steal users’ credentials

via Strange But True Penetration-Testing Stories – Dark Reading.

Categories: Compliance, Security | No Comments | October 18th, 2011

Pwnie Express :: Wired, wireless, and 3G pentesting dropboxes

By Mike S


I have a confession to make: I don’t have a smartphone. I think about getting one on occasion, but the reality is, I’m nearly always near a PC, either at home or at work, and can easily look up anything I want to look up, so the cost/benefit has never passed analysis.

But now, I just might have to get one of these:

Pwnie Express :: Wired, wireless, and 3G pentesting dropboxes.

Category: Compliance | No Comments | August 16th, 2011

Core Security launches CISO level pen testing software

By Mike S

New tools!

Core Security Technologies is introducing new pen testing software that, according to the company, has robust reporting capabilities, enabling CIOs, CISOs and other executives to gauge risk to internal systems and gain greater visibility into the progress of ongoing security initiatives.

The Boston-based penetration testing firm, best known for its Core Impact Pro software for pen testers, launched Core Insight Enterprise on Monday. The new tool can be programmed to view critical systems and their connection points and then can be set to conduct multiple, automated pen tests in an attempt to find a way into the company’s most critical assets, said Mark Hatton, CEO of Core Security Technologies Inc.

via Core Security launches CISO level pen testing software.

Category: Compliance | No Comments | December 15th, 2010