NetSPI Blog

Jake Reynolds
September 26th, 2017

DNS Tunneling with Burp Collaborator

DNS tunneling, in my opinion, is the niftiest data exfiltration method there is. For those not familiar, check out Section 3 from SANS’s “Detecting DNS Tunneling” whitepaper here. Our Mobile Application Practice Lead, Aaron Yaeger, recently taught me how easy it is to use Burp Collaborator for DNS tunneling. Exfiltrating data like that was a bit […]

Gabriel Cogar
August 15th, 2017

dataLoc: A POC Tool for Finding Payment Cards Stored in MSSQL

In this blog I’ll be introducing dataLoc, a tool for locating payment cards in MSSQL databases without requiring the presence of keywords. dataLoc would be useful for anyone that would like to check their database for payment card numbers in unexpected places. This could include; DBAs, pen-testers, auditors, and others. dataLoc Overview At its core, […]

Gabriel Cogar
August 2nd, 2017

Identifying Payment Cards at Rest – Going Beyond the Key Word Search

In this blog, I’ll be discussing an approach for locating payment card numbers stored in MSSQL databases without relying on key words for data discovery. To overcome the impracticality of pulling an entire database over the wire for advanced analysis, we’ll focus on using MSSQL’s native capability to filter out items that can’t contain cardholder […]

Scott Sutherland
July 13th, 2017

Attacking SQL Server CLR Assemblies

In this blog, I’ll be expanding on the CLR assembly attacks developed by Lee Christensen and covered in Nathan Kirk’s CLR blog series. I’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence.  I’ll also share a few new PowerUpSQL […]

Eric Gruber
July 5th, 2017

Anonymous SQL Execution in Oracle Advanced Support

A little over a year ago I was performing a penetration test on a client’s external environment. One crucial step in any external penetration test is mapping out accessible web servers. The combination of nmap with EyeWitness make this step rather quick as we can perform port scanning for web servers and then feed those […]

Alexander Polce Leary
June 13th, 2017

Targeting RSA Emergency Access Tokencodes for Fun and Profit

A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.

Steve Kerns
June 6th, 2017

Application Self Protection – A New Addition to the OWASP Top 10

OWASP has just released their release candidate of the Top 10 most critical web application security risks. While no major changes were included, they added two new ones. This blog discusses the first one in the list: A7 – Insufficient Attack Protection

Thomas Elling
May 30th, 2017

Dynamic Binary Analysis with Intel Pin

Intro to Intel Pin Dynamic Binary Instrumentation (DBI) is a technique for analyzing a running program by dynamically injecting analysis code. The added analysis code, or instrumentation code, is run in the context of the instrumented program with access to real, runtime values. DBI is a powerful technique since it does not require the source […]

Scott Sutherland
May 23rd, 2017

How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL

In this blog I outline common techniques that can be used to leverage the SQL Server service account to escalate privileges from a local administrator to a SQL Server sysadmin (DBA).