April 17th, 2018
Dumping Active Directory Domain Info – in Go!
I’ve used NetSPI PowerShell tools and the PowerView toolset to dump information from Active Directory during almost every internal penetration test I’ve done. These tools are a great starting point for gaining insight into an Active Directory environment. Go seems to be gaining popularity for its performance and scalability, so I tried to replicate some […]
March 27th, 2018
Please Stop Giving Me Your Passwords – Part 1
I found myself in the office on Saturday night, mainly because the frozen pizza selection is more expansive than mine at home, and I wanted to get a head start on my project for this week. It was a normal Static Application Security Test (SAST), which follows a mostly pre-defined process, with embellishments depending on […]
March 13th, 2018
Jira Information Gathering
What is Jira? Jira is a web based issue tracking and project management application that can be used to manage a wide array of information. Using Jira, organizations can design workflows to do anything from bug tracking to physical asset management. The flexibility of Jira, while great, can also lead to several issues, if it’s […]
February 27th, 2018
Take Him Away, Boys – Creating a Get-Out-of-Jail Letter
Failure is a fact of life and it’s doubly true when it comes to security. On-site social engineering is a unique beast and it carries its own issues when it comes to failure. While it’s easy enough to modify your payload to bypass a WAF or just hang-up the phone when the phish isn’t biting, […]
February 13th, 2018
Attacks Against Windows PXE Boot Images
If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods […]
January 9th, 2018
Four Ways to Bypass Android SSL Verification and Certificate Pinning
Gone are the days when mobile applications stoically ignored all manner of SSL errors and allowed you to intercept and modify their traffic at will. Instead, most modern applications at least check that the certificate presented chains to a valid, trusted certificate authority (CA). As pentesters, we’d like to convince the app that our certificate […]
January 2nd, 2018
Microsoft Word – UNC Path Injection with Image Linking
Microsoft Word is an excellent attack vector during a penetration test. From web application penetration tests to red team engagements, Word documents can be used to grab NetNTLM hashes or prove insufficient egress filtering on a network. There has been an abundance of quality research done on Word attack vectors. If you haven’t had a […]
December 19th, 2017
NetSPI SQL Injection Wiki
As penetration testers, the tools, information, and knowledge we have available to us directly correlates to the amount of entry points we can identify and exploit in any environment. The longer we spend researching and developing individual escalation paths reduces the amount of time for digging into other parts of the network or application. Below […]
November 20th, 2017
Speaking to a City of Amazon Echoes
Amazon recently introduced messaging and calling between Echo devices. This allows Echo device owners to communicate to each other via text messages, audio recordings, and voice calls. It’s pretty handy for leaving someone a short note, or for a quick call, but as a hacker, I was more curious about the potential security issues associated […]