NetSPI Blog

Ken Johnson
February 28th, 2017

Cisco ASA Remote Code Execution – Verifying CVE-2016-1287

Remote Code Execution on Cisco ASA A year ago ExodusIntel disclosed a vulnerability affecting the IKE implementation in Cisco’s ASA products. The error is due to an overflow in the checking of reassembled IKE fragments, and allows remote code execution from an unauthenticated attacker. More information on the technical aspects of this can be found […]

Jake Reynolds
February 21st, 2017

Defeating CSRF Protections Through Expired cross-domain.xml Domains

When someone buys a domain name the usual purchase length is one year, with certain DNS providers allowing multi-year purchases.  Large entities can quickly lose track of all their domains and keeping track of when those domains expire can be an even bigger hassle.  When you add Flash integration into the mix it starts becoming […]

Ken Johnson
February 14th, 2017

Attacking JavaScript Web Service Proxies with Burp

JavaScript Web Service Proxies are an alternative to WSDL (Web Services Description Language) files for interacting with WCF Web Services. The proxy files function as a description of the web service methods, exposing the available service methods as well as their parameters. JavaScript Service Proxies, or JSWS (JavaScript Web Services) as I will be calling […]

Scott Sutherland
October 11th, 2016

Common Red Team Techniques vs Blue Team Controls Infographic

In this blog, I’ll share an infographic that illustrates some common red team attack workflows and blue team controls. I’ll also include some basic red & blue team tips.

Scott Sutherland
August 5th, 2016

Establishing Registry Persistence via SQL Server with PowerUpSQL

In this blog I’ll show how to use PowerUpSQL to establish persistence (backdoor) via the Windows registry through SQL Server. I’ll also provide a brief overview of the xp_regwrite stored procedure. This should be interesting to pentesters and red teamers interested in some alternative ways to access the OS through SQL Server. An overview of […]

Scott Sutherland
August 4th, 2016

Get Windows Auto Login Passwords via SQL Server with PowerUpSQL

In this blog I’ll show how to use PowerUpSQL to dump Windows auto login passwords through SQL Server via xp_regread.

Scott Sutherland
August 2nd, 2016

Finding Weak Passwords for Domain SQL Servers on Scale using PowerUpSQL

We’ll cover how to use PowerUpSQL to quickly identify SQL logins configured with weak passwords on domain SQL Servers using a standard domain account.

Scott Sutherland
August 2nd, 2016

Finding Sensitive Data on Domain SQL Servers using PowerUpSQL

In this blog I’ll show how PowerUpSQL can be used to rapidly target and sample sensitive data stored in SQL Server databases associated with Active Directory domains.

Scott Sutherland
August 1st, 2016

Blindly Discover SQL Server Instances with PowerUpSQL

In this blog I’ll show how PowerUpSQL can be used to blindly discover SQL Server instances on a system, network, or domain.