NetSPI Blog

Karl Fosaaen

Karl specializes in network and web application penetration testing. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. In that time, he has worked with a variety of industries; including financial services, health care, and retail. Karl holds the Security+, CISSP, and GXPN certifications. In his spare time, Karl has volunteered at conferences including DEF CON, THOTCON, and AppSec USA. Karl has previously spoken at BsidesPDX, THOTCON, AppSec California, and DerbyCon.

Karl Fosaaen
March 18th, 2013

Hacking High Scores in iOS GameCenter

I recently wrote a blog post about cracking email hashes from the iOS GameCenter application. During my research on the issue, I noticed that there were a number of games where users had insanely high scores. Lots of the users also had the exact same score (9,223,372,036,844,775,807) for each of the games that they played. Coincidentally this number […]

Karl Fosaaen
February 11th, 2013

Know Your Opponent – an Inference Attack Against iOS Game Center

Lately I’ve been looking at iOS. After looking into the Passbook application, I started poking around with the iOS Game Center application. The iOS Game Center allows iOS users to connect with friends, play games, and compare scores for their games. Think of it as Xbox Live for iOS. Each Game Center user has an alias (or […]

Karl Fosaaen
December 12th, 2012

Hacking Passbook, the Real Way to do Extreme Couponing

With the release of iOS 6, Apple introduced the Passbook application. Currently there are sixteen different applications that support Passbook integration. The purpose of the Passbook application is to provide a one-stop application to manage all of your coupons, loyalty/gift cards, and tickets/boarding passes. This all sounds great, but what happens when an attacker abuses […]

Karl Fosaaen
November 9th, 2012

Automating HalfLMChall Hash Cracking

Frequently during penetration tests, we will capture halflmchall password hashes from the network. These can come from a variety of sources, but common sources include NBNS spoofing and SQL queries/SQL injection. Both methods can be easy ways to get halflmchall hashes during a pen test. For those who are unfamiliar with halflmchall hashes and how […]

Karl Fosaaen
October 29th, 2012

Exploiting Trusted Hosts in WinRM

Introduction – What is WinRM? Windows Remote Management (WinRM) is a SOAP based protocol that can be used to remotely administer machines over the network. This is a handy tool for network admins that can also be used to automate tasks securely across multiple machines. However, it is fairly easy to misconfigure the service and/or […]

Karl Fosaaen
October 22nd, 2012

Testing Applications for DLL Preloading Vulnerabilities

DLL preloading (also known as sideloading and/or hijacking) is a common vulnerability in applications. The exploitation of the vulnerability is a simple file write (or overwrite) and then you have an executable running under the context of the application. The vulnerability is fairly easy to identify and even easier to exploit. In this blog, I […]

Karl Fosaaen
October 9th, 2012

UPEK + Lenovo = Insecure Password Storage

Recently Adam Caudill and ElcomSoft identified vulnerabilities in the way that UPEK fingerprint readers store Windows passwords in the registry. Adam has released a great proof-of-concept tool to decrypt these poorly encrypted passwords. I have access to a Lenovo T420 ThinkPad that features a UPEK fingerprint reader. The ThinkVantage Fingerprint Software is also vulnerable to […]

Karl Fosaaen
May 24th, 2012

Facebook message spoofing via SMTP

In November of 2010, Facebook introduced their “” messaging option that gave users the opportunity to create their own email address. Currently, all Facebook users have the ability to claim their own email address. It’s easily accessible from the “messages” page, if your account has not already been set up for it. While […]