Scott Sutherland
Scott is currently responsible for the development, and execution of network penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium sized to Fortune 50 companies for over 10 years. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI. Published presentations can be found here. Scott's most recent project is PowerUpSQL.
July 27th, 2015
Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz
In this blog I’ll cover some Mimikatz history and share my script “Invoke-MassMimikatz-PsRemoting.psm1”, which tries to expand on other people’s work.
May 21st, 2015
A Faster Way to Identify High Risk Windows Assets
Thanks to the wonderfulness of Active Directory both red and blue teams can easily identify high risk Windows systems in their environments.
March 16th, 2015
Hacking SQL Server Procedures – Part 4: Enumerating Domain Accounts
Introduction In SQL Server, security functions and views that allow SQL logins to enumerate domain objects should only be accessible to sysadmins. However, in this blog I’ll show how to enumerate Active Directory domain users, groups, and computers through native SQL Server functions using logins that only have the Public server role (everyone). I’ll also […]
January 12th, 2015
Hacking SQL Server Stored Procedures – Part 3: SQL Injection
In this blog I’ve covered how SQL injection can be identified and exploited to escalate privileges in SQL Server stored procedures when they are configured to execute with…
December 8th, 2014
Hacking SQL Server Stored Procedures – Part 2: User Impersonation
This blog provides a lab guide and attack walk-through that can be used to gain a better understanding of how the IMPERSONATE privilege can lead to privilege escalation in SQL Server.
November 10th, 2014
Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases
In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured.
September 9th, 2014
15 Ways to Bypass the PowerShell Execution Policy
By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be a hurdle for penetration testers, sysadmins, and developers, but it doesn’t have to be. In this blog I’ll cover 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system. I’m sure there are many […]
May 28th, 2014
Locate and Attack Domain SQL Servers without Scanning
In this blog I’ll share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers on Windows domains without having to perform discovery scanning. I originally wrote this script to help escalate privileges and locate critical data during penetration tests. However, below I’ve tried to […]
April 28th, 2014
Decrypting IIS Passwords to Break Out of the DMZ: Part 2
In my last blog I showed how to use native Windows tools to break out of DMZ networks by decrypting database connection strings in IIS web.config files, and using them to pivot through SQL Servers. If you’re interested it can be found at Decrypting IIS Passwords to Break Out of the DMZ: Part 1. In […]