Scott Sutherland
Scott is currently responsible for the development, and execution of network penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium sized to Fortune 50 companies for over 10 years. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI. Published presentations can be found here. Scott's most recent project is PowerUpSQL.
May 22nd, 2013
Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks
In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. These platforms are commonly deployed in both internal networks as well as internet facing environments. In my experience, such application deployments are rarely locked down enough to prevent an attacker […]
March 11th, 2013
Resources for Aspiring Penetration Testers
At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice […]
January 20th, 2013
Bypassing Anti-Virus with Metasploit MSI Files
A while back I put together a short blog titled 10 Evil User Tricks for Bypassing Anti-Virus. The goal was to highlight common anti-virus misconfigurations. While I was chatting with Mark Beard he mentioned that I neglected to include how to use Metasploit payloads packaged in MSI files. So in this blog I'll try to […]
January 16th, 2013
10 Evil User Tricks for Bypassing Anti-Virus
Introduction Many anti-virus solutions are deployed with weak configurations that provide end users with the ability to quickly disable or work around the product if they wish. As a result, even users without super hacker “skillz” can run malicious executables (intentionally or not) without having to actually modify them in any way to avoid […]
December 26th, 2012
Executing SMB Relay Attacks via SQL Server using Metasploit
In this blog, I’ll provide a brief overview of SMB Relay attacks and show how they can be initiated through a Microsoft SQL Server. I will also provide some practical examples that show how to use new Metasploit modules to gain unauthorized access to SQL Servers during a penetration test. Below is a summary of […]
November 20th, 2012
SQL Server Local Authorization Bypass MSF Modules
In Microsoft SQL Server versions prior to 2008, local operating system admins where automatically assigned database admin privileges. Microsoft eventually came to the conclusion that this was a bad idea, and now local operating system administrators don’t automatically get database admin privileges. However, there are a few weaknesses in the implementation that allow the local […]
November 5th, 2012
OWASP AppSec 2012 Presentation: SQL Server Exploitation, Escalation, and Pilfering
Antti and I had a great time presenting “SQL Server Exploitation, Escalation, and Pilfering” at the OWASP AppSec 2012 conference in Austin a few weeks ago. Thank you to everyone who came out. The attendance and feedback were very much appreciated. For those of you who couldn’t make it, we’ve put together this blog to provide access […]
August 16th, 2012
SQL Server Local Authorization Bypass
Unlike previous versions, SQL Server 2008 and 2012 don’t provide local system administrators with database administrator rights by default. This was a great idea by Microsoft to reinforce the practices of least privilege and separation of duties. However, in spite of the fact that their heart was in the right place, it was implemented in such […]
July 23rd, 2012
How to Remote Desktop to BackTrack 5 from Windows
Introduction Managing BackTrack R2 via SSH is usually all you need. However, sometimes I like to manage BackTrack from Windows using X11 so that I can also have access to the desktop. In this blog, I’ll show you how to do the same using SSH, PuTTY, and Xming. This should be useful to penetration testers […]
