NetSPI Blog

Karl Fosaaen

Karl specializes in network and web application penetration testing. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. In that time, he has worked with a variety of industries, including financial services, health care, and retail. Karl holds the Security+, CISSP, and GXPN certifications. In his spare time, Karl has volunteered at conferences including DEF CON, THOTCON, and AppSec USA. Karl has previously spoken at BsidesPDX, THOTCON, AppSec California, and DerbyCon.

Karl Fosaaen
May 3rd, 2016

Using PowerShell to Identify Federated Domains

The Economy of Mechanism – Office365 SAML assertions vulnerability popped up on my radar this week and it’s been getting a lot of attention. The short version is that you could abuse the SAML authentication mechanisms for Office365 to access any federated domain. It’s a really serious and interesting issue that you should totally read […]
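The teaser above only summarizes the SAML issue; the post’s own PowerShell is not reproduced on this page. As an added example (not the author’s code), the function below classifies a domain as Federated or Managed in Office 365 by querying the public user-realm endpoint at login.microsoftonline.com/getuserrealm.srf, which reports the namespace type and, for federated domains, the IdP sign-in URL. Using that endpoint as the discovery mechanism is an assumption about how such a check is done, and the XML response embedded in the block is constructed, not captured from a real tenant, so the parser can be exercised offline.

```powershell
# Added example, not from the original post.
# Assumption: domain federation status is discovered through the public
# user-realm endpoint (login.microsoftonline.com/getuserrealm.srf).
function Get-O365DomainRealm {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Domain,
        # Optional pre-fetched XML; used by the offline sample below.
        [string]$RealmXml
    )

    if (-not $RealmXml) {
        # Any user name works; the endpoint keys only on the domain part.
        $uri = "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&xml=1"
        $RealmXml = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
    }

    [xml]$doc = $RealmXml
    $info = $doc.RealmInfo

    [pscustomobject]@{
        Domain        = $Domain
        NameSpaceType = $info.NameSpaceType                    # Federated, Managed, or Unknown
        Federated     = ($info.NameSpaceType -eq 'Federated')
        BrandName     = $info.FederationBrandName              # $null for managed domains
        AuthUrl       = $info.AuthURL                          # IdP (e.g. ADFS) sign-in URL when federated
    }
}

# Constructed sample response (hypothetical domain, not a real tenant) so the
# parser can be run without network access.
$sampleFederated = @'
<RealmInfo Success="true">
  <State>3</State>
  <UserState>2</UserState>
  <Login>user@example.com</Login>
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>example.com</DomainName>
  <FederationBrandName>Example Corp</FederationBrandName>
  <AuthURL>https://sts.example.com/adfs/ls/?username=user%40example.com&amp;wa=wsignin1.0&amp;wtrealm=urn%3afederation%3aMicrosoftOnline</AuthURL>
</RealmInfo>
'@

Get-O365DomainRealm -Domain 'example.com' -RealmXml $sampleFederated | Format-List

# Live check over a list of domains (requires network):
# 'example.com', 'example.org' |
#     ForEach-Object { Get-O365DomainRealm -Domain $_ } |
#     Format-Table Domain, NameSpaceType, AuthUrl
```

The AuthUrl field is the interesting output for a tester: a federated domain hands authentication off to a customer-run IdP, so that host is where the trust relationship the teaser describes actually lives.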

Karl Fosaaen
January 19th, 2016

NetSPI’s Top Password Masks for 2015

Over the course of the last year, we’ve cracked a lot of NTLM domain password hashes. During many of our internal penetration tests, we grab the password hashes for all of the domain users and attempt to crack them. Throughout the year, we keep track of the hashes that we’ve cracked and try to gain […]

Karl Fosaaen
July 22nd, 2015

10 Places to Stick Your UNC Path

Recently there was a big fuss over the “Redirect to SMB” blog that was put out by Brian Wallace. Personally, I think that the recent scare over this vulnerability is a little overstated, but it could be a useful way to capture an SMB hash. I was already in the process of putting together this […]

Karl Fosaaen
May 5th, 2015

Running LAPS Around Cleartext Passwords

Intro: Managing credentials for local administrator accounts is hard to do. From setting strong passwords, to setting unique passwords across multiple machines, we rarely see it done correctly. On the majority of our pen tests we see that most of the domain computers are configured with the same local admin credentials. This can be really […]

Karl Fosaaen
April 27th, 2015

GPU Cracking: Rebuilding the Box

A little over two years ago, we built our first GPU cracking box. At the time, there was pretty limited information on what people were doing to build a decent cracking box, especially if you were trying to do so without breaking the bank. As with any piece of technology, things go out of date, […]

Karl Fosaaen
March 2nd, 2015

NetSPI’s Top Cracked Passwords for 2014

It’s been a big year for password cracking at NetSPI. We’ve spent a lot of time refining our dictionaries and processes to more efficiently crack passwords. This has been a huge help during our pentests, as the cracked passwords have been the starting point for gaining access to systems and applications. While this blog focuses […]

Karl Fosaaen
December 15th, 2014

Cracking Stats for Q3 2014

During many of our penetration tests, we gather domain password hashes (with permission of the client) for offline cracking and analysis. This blog is a quick summary of the hashes that we attempted to crack in the third quarter of 2014 (and so far for this year). The plan is to continue doing this again at […]

Karl Fosaaen
October 6th, 2014

LM Hash Cracking – Rainbow Tables vs GPU Brute Force

Lately, Eric Gruber and I have been speaking about the cracking box that we built at NetSPI. Every time we present, the same question always comes up. “What about Rainbow Tables?” Our standard response has been that we don’t need them anymore. I honestly haven’t needed (or heavily used) them for a while now, as […]

Karl Fosaaen
September 22nd, 2014

CorrelatedVM – From a Pentester’s Point of View

For those who are not familiar with it, CorrelatedVM (CVM) is a software platform created by NetSPI to manage penetration testing & security assessment processes and workflow. One component of CorrelatedVM is “CVM Assessment, the Pentester’s Workbench”; it’s a tool that has a ton of useful features that make my job easier and allow me […]