Video Tutorial: Introduction to XML External Entity Injection
Title: Video Tutorial: Introduction to XML External Entity Injection
Author: webpwnized [https://community.rapid7.com/people/webpwnized]
From: ISSA KY Sept 2013 Workshop (Louisville, KY)
Twitter: @webpwnized
This video introduces XML injection to achieve XML external entity injection
(XXE) and XML-based cross-site scripting (XSS). The notes used and mentioned in
the video are posted below the video.
1. What is XML injection
2. What is an "entity"
3. What is entity injection
4. Cross site
Video Tutorial - Installing Kali Linux on Bootable, Persistent USB
Author: Jeremy Druin (webpwnized)
Twitter: @webpwnized
Title: Installing Persistent Kali Linux on Bootable USB Flash Drive
From: ISSA KY June 2013 Workshop
Recorded By: Adrian Crenshaw (@irongeek_adc)
This video covers the installation of Kali Linux on a USB drive. Additionally,
setting up persistence on a separate partition is reviewed including how the
persistence works. A Kali Linux virtual machine is used to create the USB.
The workshop was done to support the Long family. Johnny Long
Video Tutorial: Installing Kali Linux on Virtual Box
Author: Jeremy Druin
Video Release Announcements: Twitter @webpwnized
Title: Installing Kali Linux on Virtual Box with Nessus and Metasploit
Link: Installing Kali Linux on Virtual Box with Nessus and Metasploit - YouTube
[http://www.youtube.com/watch?v=YrwOTDWLFWY]
This video is from the April 2013 workshop of the KY ISSA covering the
installation of Kali Linux 1.01 on Virtual Box. Please see notes below the
video.
Notes:
1. Kali version 1.01 64-bit was used in making the video but th
Video Tutorial: Introduction to Burp-Suite 1.5 Web Pen Testing Proxy
Author: webpwnized (Twitter: @webpwnized)
Tool: Burp-Suite 1.5 Free Edition
Length: ~1 hour
After installing Burp-Suite, this video covers how to configure the proxy to
intercept, pause, alter, and test requests and responses between a web browser
and a web server (web site).
Much of the basic functionality and some more advanced settings are reviewed
including the Target, Proxy, Sequencer, Repeater, Intruder, and Decoder tabs.
While there are many more settings and features than can be covere
Tutorial: Using web command injection vulnerability to gain administrative shell on Windows web server
In this video, a Windows web server is hosting the Mutillidae web application, which
contains a command injection vulnerability.
Using command injection to exploit the Mutillidae web application, we gain a
root shell (Administrative Windows cmd shell). The server is fully patched with
anti-virus running and a firewall blocking port 23. Additionally the telnet
service is disabled. With the command injection vulnerability, this video
demonstrates how misconfiguring web services can have serious conseq
Video: Introduction to basic host and service discovery scanning
During the early portion of the scanning phase of pen testing, locating active
hosts and identifying the services on open ports is critical in order to
determine exposed systems.
The video was recorded at the May ISSA Kentuckiana monthly workshop in
Louisville and covers basic host discovery scanning. Port scanning and service
discovery are covered as well as reporting results. Some of the tools used are
nmap, xprobe2, hping3, tcpdump and amap.
The speaker is Jeremy Druin (@webpwnized) and was
Tutorial: How to Scan Exploit Metasploitable-2 using Metasploit, Nexpose, nessus, Nmap, and John-the-Ripper
This video tutorial covers exploiting Metasploitable-2 to get a root shell and
eventually a terminal via a valid "sudo-able" login over SSH.
Two machines, a test host (Backtrack 5-R2) and a target host (Metasploitable-2),
are set up on a VirtualBox host-only network. With this lab network set up, the
demonstration walks through a practice pen-test using the phases of recon,
scanning, exploitation, post-exploitation, and maintaining access. (Covering
tracks and reporting are not covered. Recon is