NetSPI Blog

Karl Fosaaen

Karl specializes in network and web application penetration testing. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. In that time, he has worked with a variety of industries, including financial services, health care, and retail. Karl holds the Security+, CISSP, and GXPN certifications. In his spare time, Karl has volunteered at conferences including DEF CON, THOTCON, and AppSec USA. Karl has previously spoken at BsidesPDX, THOTCON, AppSec California, and DerbyCon.

Karl Fosaaen
August 20th, 2013

Parsing SVN Entries Files with PowerShell

Frequently during external and web application penetration tests, we run into SVN entries files on web servers. These files are sometimes created as part of the SVN commit process and can lead to the disclosure of files (and source code) that have been added to the web directory. This can be especially impactful for assessments, where […]

Karl Fosaaen
July 22nd, 2013

Quick! To the HyperTerminal

It’s not every day that we run into kiosks, terminals, etc. that have HyperTerminal as one of the available applications. This may be a corner case, but it’s another example to add to Scott’s blog about break out methods. In this example, we encountered a terminal setup, where the system was a fairly locked down […]

Karl Fosaaen
June 13th, 2013

Cracking Credit Card Hashes with PowerShell

As penetration testers, we are frequently engaged to do penetration tests for PCI compliance. As a part of these penetration tests, we look for cardholder data (Card Numbers, CVV, etc.) in files, network traffic, databases, and anywhere else we might be able to catch it. Oftentimes, we will find hashes of credit card numbers […]

Karl Fosaaen
June 4th, 2013

GPU Cracking: Putting It All Together

In the first blog of this series, we showed you how to set up the hardware for your own GPU cracking box. In the second blog of this series, we showed you how to set up the OS, drivers, and software for your own GPU cracking box. In this blog, we will simply go over […]

Karl Fosaaen
April 7th, 2013

GPU Cracking: Building the Box

This winter, we decided to create our own dedicated GPU cracking solution to use for our assessments. It was quite the process, but we now have a fully functional hash cracking machine that tears through NTLMs at roughly 25 billion hashes per second (See below). While attempting to build this, we learned a lot […]

Karl Fosaaen
March 18th, 2013

Hacking High Scores in iOS GameCenter

I recently wrote a blog post about cracking email hashes from the iOS GameCenter application. During my research on the issue, I noticed that there were a number of games where users had insanely high scores. Lots of the users also had the exact same score (9,223,372,036,844,775,807) for each of the games that they played. Coincidentally this number […]

Karl Fosaaen
February 11th, 2013

Know Your Opponent – an Inference Attack Against iOS Game Center

Lately I’ve been looking at iOS. After looking into the Passbook application, I started poking around with the iOS Game Center application. The iOS Game Center allows iOS users to connect with friends, play games, and compare scores for their games. Think of it as Xbox Live for iOS. Each Game Center user has an alias (or […]

Karl Fosaaen
December 12th, 2012

Hacking Passbook, the Real Way to do Extreme Couponing

With the release of iOS 6, Apple introduced the Passbook application. Currently there are sixteen different applications that support Passbook integration. The purpose of the Passbook application is to provide a one-stop application to manage all of your coupons, loyalty/gift cards, and tickets/boarding passes. This all sounds great, but what happens when an attacker abuses […]

Karl Fosaaen
November 9th, 2012

Automating HalfLMChall Hash Cracking

Frequently during penetration tests, we will capture halflmchall password hashes from the network. These can come from a variety of sources, but common sources include NBNS spoofing and SQL queries/SQL injection. Both methods can be easy ways to get halflmchall hashes during a pen test. For those who are unfamiliar with halflmchall hashes and how […]