January 2nd, 2018
Microsoft Word – UNC Path Injection with Image Linking
Microsoft Word is an excellent attack vector during a penetration test. From web application penetration tests to red team engagements, Word documents can be used to grab NetNTLM hashes or prove insufficient egress filtering on a network. There has been an abundance of quality research done on Word attack vectors. If you haven’t had a […]
December 19th, 2017
NetSPI SQL Injection Wiki
As penetration testers, the tools, information, and knowledge we have available to us directly correlates to the amount of entry points we can identify and exploit in any environment. The longer we spend researching and developing individual escalation paths reduces the amount of time for digging into other parts of the network or application. Below […]
November 20th, 2017
Speaking to a City of Amazon Echoes
Amazon recently introduced messaging and calling between Echo devices. This allows Echo device owners to communicate to each other via text messages, audio recordings, and voice calls. It’s pretty handy for leaving someone a short note, or for a quick call, but as a hacker, I was more curious about the potential security issues associated […]
September 26th, 2017
DNS Tunneling with Burp Collaborator
DNS tunneling, in my opinion, is the niftiest data exfiltration method there is. For those not familiar, check out Section 3 from SANS’s “Detecting DNS Tunneling” whitepaper here. Our Mobile Application Practice Lead, Aaron Yaeger, recently taught me how easy it is to use Burp Collaborator for DNS tunneling. Exfiltrating data like that was a bit […]
August 15th, 2017
dataLoc: A POC Tool for Finding Payment Cards Stored in MSSQL
In this blog I’ll be introducing dataLoc, a tool for locating payment cards in MSSQL databases without requiring the presence of keywords. dataLoc would be useful for anyone that would like to check their database for payment card numbers in unexpected places. This could include; DBAs, pen-testers, auditors, and others. dataLoc Overview At its core, […]
August 2nd, 2017
Identifying Payment Cards at Rest – Going Beyond the Key Word Search
In this blog, I’ll be discussing an approach for locating payment card numbers stored in MSSQL databases without relying on key words for data discovery. To overcome the impracticality of pulling an entire database over the wire for advanced analysis, we’ll focus on using MSSQL’s native capability to filter out items that can’t contain cardholder […]
July 13th, 2017
Attacking SQL Server CLR Assemblies
In this blog, I’ll be expanding on the CLR assembly attacks developed by Lee Christensen and covered in Nathan Kirk’s CLR blog series. I’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. I’ll also share a few new PowerUpSQL […]
July 5th, 2017
Anonymous SQL Execution in Oracle Advanced Support
A little over a year ago I was performing a penetration test on a client’s external environment. One crucial step in any external penetration test is mapping out accessible web servers. The combination of nmap with EyeWitness make this step rather quick as we can perform port scanning for web servers and then feed those […]
June 13th, 2017
Targeting RSA Emergency Access Tokencodes for Fun and Profit
A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.
