April 9, 2018: 1900hrs: Third Street Stuff Coffee Shop We meet to discuss the basics of web hacking and some best practices for documentation and evidence gathering for professional penetration testing. We discuss differences between web applications, services, and things specific to mobile platforms. We discuss tools such as SQLMap, BurpSuite, Nessus, WPScan, and SSLScan & SSLStrip. However, automated vulnerability scans are merely part of the process and not always ideal. They are "loud" and should be tailored and limited in scope specific to the parameters of the job. Once scans are complete, you must still perform manual tests if you are going to deliver a thorough report to your client. For these reasons, we find it useful to filter traffic through a proxy and use programs like BurpSuite. Regarding evidence gathering and documentation, we talk about which programs to use when keeping notes (Try KeepNote if you're on Kali), color-coding listed vulnerabilities based on severity, and ensuring screenshots are user-friendly and provide with context. Consistency is key in ethical hacking, just as it is in many lines of work, so keep and use checklists to ensure you are maintaining consistent methodologies across assignments. If you are unsure where to start when building these checklists, OWASP is a great place to start building from. We closed our April meeting with discussions on community service, group project ideas, and homework for the May meeting. Create a Kali virtual machine environment and bring it with you to the meeting to participate in our labs! If you have a spare Raspberry Pi and want to make something fun or useful with it, bring that too!