NetSPI Blog

Kevin Robertson
December 5th, 2018

ADIDNS Revisited – WPAD, GQBL, and More

A few months ago, I wrote a blog post on exploiting Active Directory-Integrated DNS (ADIDNS). This post will mainly cover some additional techniques on both the offensive and defensive fronts. I would suggest at least skimming the original post before continuing here. With that out of the way, I’d like to start by adding in […]

Lars Sorenson
November 27th, 2018

Escape NodeJS Sandboxes

In this blog post, we’re going to explore how to escape NodeJS sandboxes by understanding the internals of the interpreter. NodeJS is a JavaScript runtime built on Chrome’s V8 JavaScript engine, allowing developers to use the same programming language, and possibly codebase, for the frontend and backend of an application. Initially released in 2009, NodeJS now […]

Karl Fosaaen
November 6th, 2018

Running PowerShell on Azure VMs at Scale

Let’s assume that you’re on a penetration test, where the Azure infrastructure is in scope (as it should be), and you have access to a domain account that happens to have “Contributor” rights on an Azure subscription. Contributor rights are typically harder to get, but we do see them frequently given out to developers, and […]

Cody Wass
October 16th, 2018

XXE in IBM’s MaaS360 Platform

A couple of months ago I had the opportunity to test an implementation of MaaS360 – IBM’s MDM solution. The test was focused on device controls and the protection of corporate data, all things which the client had configured and none of which will be talked about here. Instead, during the course of the test […]

Karl Fosaaen
October 2nd, 2018

Anonymously Enumerating Azure Services

Microsoft makes use of a number of different domains/subdomains for each of their Azure services. We’ve previously covered some of these domains in a post about using trusted Azure domains for red team activities, but this time we’re going to focus on finding existing Azure subdomains as part of the recon process. Also building off […]

Alexander Polce Leary
September 27th, 2018

Tokenvator: Release 2

What is Tokenvator? Tokenvator is a token manipulation utility that is primarily used to alter the privileges of a process. In the original release we primarily focused on elevating process privileges. In this release, in addition to the usual bug fixes and improving existing features, I added several new features: The ability to display additional […]

Kevin Robertson
September 25th, 2018

Inveigh – What’s New in Version 1.4

Ugh, I can’t believe it’s been a year and a half since the last release of Inveigh. I had intended to complete a new version back in March. At that time, my goals were to perform some refactoring, incorporate dynamic DNS updates, and add the ability to work with shares through NTLM challenge/response relay. In […]

Ben Tindell
September 18th, 2018

Four Ways to Bypass iOS SSL Verification and Certificate Pinning

A couple months ago, Cody Wass released a blog on how to bypass SSL verification and certificate pinning for Android. I thought it would be a great idea to write up some techniques that I’ve found to work well for iOS. To reiterate from Cody’s blog, being able to perform man-in-the-middle (MITM) attacks is a […]

Karl Fosaaen
August 28th, 2018

Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions

During different types of assessments (web app, network, cloud), we will run into situations where we obtain domain credentials that can be used to log into Azure subscriptions. Most commonly, we will externally guess credentials for a privileged domain user, but we’ve also seen excessive permissions in web applications that use Azure AD for authentication. […]