NetSPI Blog

Scott Sutherland

Scott is currently responsible for the development and execution of network penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium-sized to Fortune 50 companies for over 10 years. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI. Published presentations can be found here. Scott's most recent project is PowerUpSQL.

Scott Sutherland
January 12th, 2015

Hacking SQL Server Stored Procedures – Part 3: SQL Injection

In this blog I’ve covered how SQL injection can be identified and exploited to escalate privileges in SQL Server stored procedures when they are configured to execute with…

Scott Sutherland
December 8th, 2014

Hacking SQL Server Stored Procedures – Part 2: User Impersonation

This blog provides a lab guide and attack walk-through that can be used to gain a better understanding of how the IMPERSONATE privilege can lead to privilege escalation in SQL Server.

Scott Sutherland
November 10th, 2014

Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases

In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured.

Scott Sutherland
September 9th, 2014

15 Ways to Bypass the PowerShell Execution Policy

By default, PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be a hurdle for penetration testers, sysadmins, and developers, but it doesn’t have to be. In this blog I’ll cover 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system. I’m sure […]

Scott Sutherland
May 28th, 2014

Locate and Attack Domain SQL Servers without Scanning

In this blog I’ll share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers on Windows domains without having to perform discovery scanning. I originally wrote this script to help escalate privileges and locate critical data during penetration tests. However, below I’ve tried to […]

Scott Sutherland
April 28th, 2014

Decrypting IIS Passwords to Break Out of the DMZ: Part 2

In my last blog I showed how to use native Windows tools to break out of DMZ networks by decrypting database connection strings in IIS web.config files, and using them to pivot through SQL Servers. If you’re interested it can be found at Decrypting IIS Passwords to Break Out of the DMZ: Part 1. In […]

Scott Sutherland
February 10th, 2014

Decrypting IIS Passwords to Break Out of the DMZ: Part 1

From the perspective of a penetration tester, it would be nice if every vulnerability provided a direct path to high-value systems on the internal network. However, the reality is that we aren’t always that lucky, and sometimes we land on an application server in the DMZ network first. In this blog I’ll cover how to use […]

Scott Sutherland
January 6th, 2014

Faster Domain Escalation using LDAP

If you’re a penetration tester, then you probably already know that escalating from a local administrator to a Domain Admin only requires a few steps. Those steps typically involve stealing Domain Admin passwords, password hashes, or authentication tokens via various methods. However, if you aren’t lucky enough to have a Domain Admin logged into the […]

Scott Sutherland
May 22nd, 2013

Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks

In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. These platforms are commonly deployed in both internal networks as well as internet-facing environments. In my experience, such application deployments are rarely locked down enough to prevent an attacker […]