Hacking SQL Server Stored Procedures – Part 3: SQL Injection
In this blog I’ve covered how SQL injection can be identified and exploited to escalate privileges in SQL Server stored procedures when they are configured to execute with…
Scott Sutherland's Articles
Scott is currently responsible for the development, and execution of penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium sized to Fortune 50 companies for over 10 years. His goal is to help them identify the risks that exist in their environment, and develop prioritized remediation plans that take into account their business constraints and requirements. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI.
Hacking SQL Server Stored Procedures – Part 2: User Impersonation
This blog provides a lab guide and attack walk-through that can be used to gain a better understanding of how the IMPERSONATE privilege can lead to privilege escalation in SQL Server.
Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases
In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured.
15 Ways to Bypass the PowerShell Execution Policy
By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be a hurdle for penetration testers, sysadmins, and developers, but…
Locate and Attack Domain SQL Servers without Scanning
In this blog I'll share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers…
Decrypting IIS Passwords to Break Out of the DMZ: Part 2
In my last blog I showed how to use native Windows tools to break out of DMZ networks by decrypting database connection strings in IIS…
Decrypting IIS Passwords to Break Out of the DMZ: Part 1
From the perspective of a penetration tester, it would be nice if every vulnerability provided a direct path to high-value systems on the internal network. …
Faster Domain Escalation using LDAP
If you’re a penetration tester, then you probably already know that escalating from a local administrator to a Domain Admin only requires a few steps. …
Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks
In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. …
