NetSPI Blog

Scott Sutherland

Scott is currently responsible for the development and execution of network penetration testing at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. Scott has been providing IT security services to medium-sized to Fortune 50 companies for over 10 years. As an active participant in the information security community, Scott also contributes technical security blog posts, whitepapers, and presentations on a regular basis through NetSPI. Published presentations can be found here. Scott's most recent project is PowerUpSQL.

Scott Sutherland
March 11th, 2013

Resources for Aspiring Penetration Testers

At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice […]

Scott Sutherland
January 20th, 2013

Bypassing Anti-Virus with Metasploit MSI Files

A while back I put together a short blog titled 10 Evil User Tricks for Bypassing Anti-Virus. The goal was to highlight common anti-virus misconfigurations. While I was chatting with Mark Beard he mentioned that I neglected to include how to use Metasploit payloads packaged in MSI files. So in this blog I'll try to […]

Scott Sutherland
January 16th, 2013

10 Evil User Tricks for Bypassing Anti-Virus

Introduction: Many anti-virus solutions are deployed with weak configurations that provide end users with the ability to quickly disable or work around the product if they wish. As a result, even users without super hacker “skillz” can run malicious executables (intentionally or not) without having to actually modify them in any way to avoid […]

Scott Sutherland
December 26th, 2012

Executing SMB Relay Attacks via SQL Server using Metasploit

In this blog, I’ll provide a brief overview of SMB Relay attacks and show how they can be initiated through a Microsoft SQL Server. I will also provide some practical examples that show how to use new Metasploit modules to gain unauthorized access to SQL Servers during a penetration test. Below is a summary of […]

Scott Sutherland
November 20th, 2012

SQL Server Local Authorization Bypass MSF Modules

In Microsoft SQL Server versions prior to 2008, local operating system admins were automatically assigned database admin privileges. Microsoft eventually came to the conclusion that this was a bad idea, and now local operating system administrators don’t automatically get database admin privileges. However, there are a few weaknesses in the implementation that allow the local […]

Scott Sutherland
November 5th, 2012

OWASP AppSec 2012 Presentation: SQL Server Exploitation, Escalation, and Pilfering

Antti and I had a great time presenting “SQL Server Exploitation, Escalation, and Pilfering” at the OWASP AppSec 2012 conference in Austin a few weeks ago. Thank you to everyone who came out. The attendance and feedback were very much appreciated. For those of you who couldn’t make it, we’ve put together this blog to provide access […]

Scott Sutherland
August 16th, 2012

SQL Server Local Authorization Bypass

Unlike previous versions, SQL Server 2008 and 2012 don’t provide local system administrators with database administrator rights by default. This was a great idea by Microsoft to reinforce the practices of least privilege and separation of duties. However, in spite of the fact that their heart was in the right place, it was implemented in such […]

Scott Sutherland
July 23rd, 2012

How to Remote Desktop to BackTrack 5 from Windows

Introduction: Managing BackTrack R2 via SSH is usually all you need. However, sometimes I like to manage BackTrack from Windows using X11 so that I can also have access to the desktop. In this blog, I’ll show you how to do the same using SSH, PuTTY, and Xming. This should be useful to penetration testers […]

Scott Sutherland
July 16th, 2012

10 Techniques for Blindly Mapping Internal Networks

Introduction: Occasionally clients require that all network and system discovery is done completely blind during internal pentests (meaning no IP addresses are provided). I know that a lot of people have been exposed to ping and port scan discovery techniques, but on large networks those methods alone can be pretty time consuming. So in this […]