NetSPI Blog

Karl Fosaaen

Karl specializes in network and web application penetration testing. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. In that time, he has worked with a variety of industries, including financial services, health care, and retail. Karl holds the Security+, CISSP, and GXPN certifications. In his spare time, Karl has volunteered at conferences including DEF CON, THOTCON, and AppSec USA. Karl has previously spoken at BsidesPDX, THOTCON, AppSec California, and DerbyCon.

Karl Fosaaen
June 9th, 2014

Malicious MobileConfigs

How much can you trust your devices? In this blog post, we will cover a practical attack that utilizes the iPhone Configuration Utility, a malicious Mobile Device Management (MDM) server, and a little bit of social engineering to get you data from iOS devices, HTTP and HTTPS web traffic, and possibly domain credentials. The Scenario: […]

Karl Fosaaen
June 2nd, 2014

Cracking Stats for Q1 2014

During many of our penetration tests, we gather domain password hashes (with permission of the client) for offline cracking and analysis. This blog is a quick summary of the hashes that we attempted to crack in the first quarter of 2014. The plan is to do this again each quarter for the rest of the […]

Karl Fosaaen
March 15th, 2014

GPU Password Cracking – Building a Better Methodology

In an attempt to speed up our password cracking process, we have run a number of tests to better match our guesses with the passwords that are being used by our clients. This is by no means a definitive cracking methodology, as it will probably change next month, but here’s a look at what worked […]

Karl Fosaaen
January 27th, 2014

Under the Door Tools – Opening Doors for Everyone

This is a bit of a departure from our technical blogs, but today we’re going to show you how to build your own door opening tool out of hardware store materials. For those who are not familiar with a “lever opener tool”, it’s a tool used by locksmiths (and others) to open doors from the […]

Karl Fosaaen
January 13th, 2014

SMB Attacks Through Directory Traversal

For some reason I’ve recently run into a number of web applications that allow for either directory traversal or filename manipulation attacks. These issues are typically used to expose web server-specific files and sensitive information files (web.config, salaryreport.pdf, etc.) and/or operating system files (SYSTEM, SAM, etc.). Here’s what a typical vulnerable request looks like: […]

Karl Fosaaen
November 15th, 2013

Sky Prioritize Yourself

I’ve covered hacking Passbook files in the past, but I’ve decided that it’s now a good time to cover modifying boarding passes. To start things…

Karl Fosaaen
October 21st, 2013

Facebook Friends, Your Email Address Isn’t that Private

A Primer on Facebook Email Privacy: Facebook has a long and storied history of having confusing security and privacy settings. As of late, there are three different settings (that I can find) that you can configure to control access to your email address(es). Each of these settings controls specific facets of your email address privacy, […]

Karl Fosaaen
September 5th, 2013

Identifying Rogue NBNS Spoofers

One of the easiest ways for us to capture and/or relay hashes on the network is through NBNS spoofing. We will primarily use or the Metasploit nbns spoofing module. Both of these tools can be great for attackers to use during a pen test, but remediation options for fixing the underlying issues are limited. In […]

Karl Fosaaen
August 20th, 2013

Parsing SVN Entries Files with PowerShell

Frequently during external and web application penetration tests, we run into SVN entries files on web servers. These files are sometimes created as part of the SVN commit process and can lead to the disclosure of files (and source code) that have been added to the web directory. This can be especially impactful for assessments, where […]