April 4th, 2017
Getting Started with WMI Weaponization – Part 1
Windows Management Instrumentation (WMI) is a Microsoft management protocol derived from the Web-Based Enterprise Management (WBEM) protocol. WMI is a web service that can perform management operations on the host operating system. It has also been a part of Windows since Windows 95 where it was available as an optional feature.
March 14th, 2017
SQL Server Link Crawling with PowerUpSQL
Quite a while ago I wrote a blog regarding SQL Server linked servers and a few Metasploit modules to exploit misconfigured links. Using the same techniques, I wrote a few functions for Scott Sutherland’s excellent PowerUpSQL toolkit to allow linked server enumeration after initial access to a SQL Server has been obtained.
March 7th, 2017
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
In this blog I’ll share some pointers that can be used when testing Single Sign-On (SSO) solutions that utilize SAML. The centralized nature of SSO provides a range of security benefits, but also makes SSO a high-profile target to attackers. The majority of SSO implementations I have seen in the past year pass SAML messages as […]
February 28th, 2017
Cisco ASA Remote Code Execution – Verifying CVE-2016-1287
Remote Code Execution on Cisco ASA A year ago ExodusIntel disclosed a vulnerability affecting the IKE implementation in Cisco’s ASA products. The error is due to an overflow in the checking of reassembled IKE fragments, and allows remote code execution from an unauthenticated attacker. More information on the technical aspects of this can be found […]
February 21st, 2017
Defeating CSRF Protections Through Expired cross-domain.xml Domains
When someone buys a domain name the usual purchase length is one year, with certain DNS providers allowing multi-year purchases. Large entities can quickly lose track of all their domains and keeping track of when those domains expire can be an even bigger hassle. When you add Flash integration into the mix it starts becoming […]
February 14th, 2017
Attacking JavaScript Web Service Proxies with Burp
JavaScript Web Service Proxies are an alternative to WSDL (Web Services Description Language) files for interacting with WCF Web Services. The proxy files function as a description of the web service methods, exposing the available service methods as well as their parameters. JavaScript Service Proxies, or JSWS (JavaScript Web Services) as I will be calling […]
October 11th, 2016
Common Red Team Techniques vs Blue Team Controls Infographic
In this blog, I’ll share an infographic that illustrates some common red team attack workflows and blue team controls. I’ll also include some basic red & blue team tips.
August 5th, 2016
Establishing Registry Persistence via SQL Server with PowerUpSQL
In this blog I’ll show how to use PowerUpSQL to establish persistence (backdoor) via the Windows registry through SQL Server. I’ll also provide a brief overview of the xp_regwrite stored procedure. This should be interesting to pentesters and red teamers interested in some alternative ways to access the OS through SQL Server. An overview of […]
August 4th, 2016
Get Windows Auto Login Passwords via SQL Server with PowerUpSQL
In this blog I’ll show how to use PowerUpSQL to dump Windows auto login passwords through SQL Server via xp_regread.
