Getting Started with WMI Weaponization – Part 4
Stealing the NTDS.dit File Remotely using the WMI Win32_ShadowCopy Class Dumping password hashes is a pretty common task during pentest and red team engagements. For domain controllers, it can be done a number of different ways including, but not limited to, DCSync (drsuapi), lsadump, and parsing the ntds.dit directly. Sean Metcalf has already covered how […]
Getting Started with WMI Weaponization – Part 3
Substantive changes to the configuration of a system can be made with WMI. These are often overlooked, as there are other and less obscure methods to accomplish the same goal. That said the ability to run these commands remotely through a different medium make these classes quite capable.
Getting Started with WMI Weaponization – Part 2
A WMI class, such as Win32_Process is a grouping of like properties and methods. Using SQL as an analogy, a property is like a SQL column and a method is similar to a stored procedure.
Getting Started with WMI Weaponization – Part 1
Windows Management Instrumentation (WMI) is a Microsoft management protocol derived from the Web-Based Enterprise Management (WBEM) protocol. WMI is a web service that can perform management operations on the host operating system. It has also been a part of Windows since Windows 95 where it was available as an optional feature.
SQL Server Link Crawling with PowerUpSQL
Quite a while ago I wrote a blog regarding SQL Server linked servers and a few Metasploit modules to exploit misconfigured links. Using the same techniques, I wrote a few functions for Scott Sutherland’s excellent PowerUpSQL toolkit to allow linked server enumeration after initial access to a SQL Server has been obtained.
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
In this blog I’ll share some pointers that can be used when testing Single Sign-On (SSO) solutions that utilize SAML. The centralized nature of SSO provides a range of security benefits, but also makes SSO a high-profile target to attackers. The majority of SSO implementations I have seen in the past year pass SAML messages as […]
Cisco ASA Remote Code Execution – Verifying CVE-2016-1287
Remote Code Execution on Cisco ASA A year ago ExodusIntel disclosed a vulnerability affecting the IKE implementation in Cisco’s ASA products. The error is due to an overflow in the checking of reassembled IKE fragments, and allows remote code execution from an unauthenticated attacker. More information on the technical aspects of this can be found […]
Defeating CSRF Protections Through Expired cross-domain.xml Domains
When someone buys a domain name the usual purchase length is one year, with certain DNS providers allowing multi-year purchases. Large entities can quickly lose track of all their domains and keeping track of when those domains expire can be an even bigger hassle. When you add Flash integration into the mix it starts becoming […]