NetSPI Blog

Jake Reynolds
April 25th, 2017

SQL Injection to Help You Sleep at Night

If there’s anything to be learned from Gitlab’s recent downtime (which they handled amazingly well), it’s that production databases need to be pampered.  They aren’t something to play around with and as penetration testers that responsibility extends to us. Many companies will allow testing in production, it can be argued that it is the responsible […]

Alexander Polce Leary
April 20th, 2017

Getting Started with WMI Weaponization – Part 6

Lets look at another practical example of weaponizing WMI using PowerShell. Earlier we went over how to create a custom WMI class. Using this class along with the Set-WmiInstance command we can create a class that we can then use to store files as Base64 Encoded strings.

Alexander Polce Leary
April 18th, 2017

Getting Started with WMI Weaponization – Part 5

Establishing Persistence with WMI Like SQL, WMI can be setup with a set of Triggers. We can use these triggers to maintain persistence on a system by launching commands after a specified event is detected. These are stored in the root/subscription namespace and fall into two broad categories, Intrinsic Events and Extrinsic Events. Intrinsic Events […]

Alexander Polce Leary
April 13th, 2017

Getting Started with WMI Weaponization – Part 4

Stealing the NTDS.dit File Remotely using the WMI Win32_ShadowCopy Class Dumping password hashes is a pretty common task during pentest and red team engagements. For domain controllers, it can be done a number of different ways including, but not limited to, DCSync (drsuapi), lsadump, and parsing the ntds.dit directly.  Sean Metcalf has already covered how […]

Alexander Polce Leary
April 11th, 2017

Getting Started with WMI Weaponization – Part 3

Substantive changes to the configuration of a system can be made with WMI. These are often overlooked, as there are other and less obscure methods to accomplish the same goal. That said the ability to run these commands remotely through a different medium make these classes quite capable.

Alexander Polce Leary
April 6th, 2017

Getting Started with WMI Weaponization – Part 2

A WMI class, such as Win32_Process is a grouping of like properties and methods. Using SQL as an analogy, a property is like a SQL column and a method is similar to a stored procedure.

Alexander Polce Leary
April 4th, 2017

Getting Started with WMI Weaponization – Part 1

Windows Management Instrumentation (WMI) is a Microsoft management protocol derived from the Web-Based Enterprise Management (WBEM) protocol. WMI is a web service that can perform management operations on the host operating system. It has also been a part of Windows since Windows 95 where it was available as an optional feature.

Antti Rantasaari
March 14th, 2017

SQL Server Link Crawling with PowerUpSQL

Quite a while ago I wrote a blog regarding SQL Server linked servers and a few Metasploit modules to exploit misconfigured links. Using the same techniques, I wrote a few functions for Scott Sutherland’s excellent PowerUpSQL toolkit to allow linked server enumeration after initial access to a SQL Server has been obtained.

Jem Jensen
March 7th, 2017

Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them

In this blog I’ll share some pointers that can be used when testing Single Sign-On (SSO) solutions that utilize SAML. The centralized nature of SSO provides a range of security benefits, but also makes SSO a high-profile target to attackers. The majority of SSO implementations I have seen in the past year pass SAML messages as […]