Better Together Community

Blogs
  • Daniel Weis

    A Backdoor in the Next Generation Active Directory

    At the beginning of last year, Dmitry Evteev raised the issue of post-exploitation in a Microsoft Active Directory domain. The approach put forward addressed the variant aimed mostly at the case of the loss of admin privileges rather than their exploitation. Additionally, the act of regaining the privileges itself involved conspicuous events and visually evident manipulations in the directory. In other words, to regain admin privileges one had to become a member of the appropriate security...
  • Daniel Weis

    SQL, WordPress & phpBB3 Backdoors

    Great how-to on SQL backdooring, with WordPress & phpBB3 examples, here: http://www.blackhatacademy.org/security101/SQL_Backdoors. Worth the read.
  • Daniel Weis

    Google Hacking: Amazon’s CloudFront

    Google hacking is a time-honoured tradition that goes back many years. There are specific Google searches that will allow users to directly download documents that the company might not want to have publicly available. This kind of attack takes on a number of different Google searches that will be covered in this post. The one thing to remember about this is that security engineers within companies should continue to Google search their company's URLs all the time to ensure that confidential...
  • Daniel Weis

    Blackberry Enterprise Server Exploitation

    This article is the first in a series covering, step-by-step, the practical attacks that can be performed against various common network servers. This week's victim is Blackberry Enterprise Server. Compromising this service allows the attacker to impersonate users, access stored e-mail, and send arbitrary messages to users on the Blackberry system. Overall, the process involves the following steps: identifying a Blackberry Enterprise Server; identifying the BES Administrator Account; gaining...
  • Daniel Weis

    Nmap 5.61TEST4

    The latest version of Nmap was released earlier this month, and if you haven't already downloaded it, get on it: it has some awesome new features. Probably the most interesting of the new features is the web spidering feature. To improve the user experience, the Windows installer now installs various browser toolbars, search engine redirectors, and associated adware. Feature breakdown: a spidering library and associated scripts for crawling websites; 51 new NSE scripts, bringing the total to...
  • Daniel Weis

    CompTIA Advanced Security Practitioner

    Hey guys, if you are looking for your next IT security cert, CASP might be the right one for you. It is run by CompTIA and is basically a direct competitor to the CISSP certification. It will definitely be on my list to work towards. The CompTIA Advanced Security Practitioner certification is an international, vendor-neutral exam that proves competency in enterprise security; risk management; research and analysis; and integration of computing, communications, and business disciplines. The exam covers...
  • Daniel Weis

    SP Toolkit - Open Source Phishing Education Toolkit

    SP Toolkit is available now and is basically an alternative to the awesome SET (Social Engineering Toolkit). The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks. The spt project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to...
  • Daniel Weis

    Hashcat GUI v0.5.0 is out

    Hashcat GUI v0.5.0 is now out (released 14th January 2012). Hashcat is by far the best password cracker for GPU-based password cracking. Download it here: http://hashcat.net/hashcat-gui/
  • Daniel Weis

    SET 2.5.3 has been released

    The Social-Engineer Toolkit (SET) v2.5.3 was released on Jan 9th. Changelog is below:
    * fixed a bug that would not let you in the custom exploits menu within fasttrack
    * fixed a bug that would cause _mssql not to be defined when attempting to custom connect to a SQL server
    * fixed a bug that would cause mssql custom connect once finished to go straight into the exploit menu
    * fixed a looping issue with the fasttrack menu
    Most importantly in these bug fixes were when using the straight mssql connector...
  • Daniel Weis

    Cracking Wi-Fi WPS

    First up, to all of my readers, happy new year to you and your families! This is my first post for 2012 and yes, unfortunately, after too short a break, I am back to business. As a pentester, I have lost count of the number of wireless networks I have tested. When it comes to password attacks against wireless, it is usually always the same gameplay: WEP, capture your IVs, bust the key (in about 5 mins); WPA/2, capture handshakes, dictionary the handshakes using GPU cracking etc...
  • Daniel Weis

    The end of 2011, time to ask yourself some questions for 2012..

    So as we draw to the close of 2011, we draw to the close of the biggest year yet for data breaches; here in Australia data breaches doubled in 2011 on the previous year. In the year up until August alone, we endured over 100 very high profile breaches. This doesn't include all the breaches that didn't make the news. Data Breaches.xlsx See the above spreadsheet for details. This week alone, Chinese hackers gave the US a Christmas present by penetrating the US Chamber of Commerce via...
  • Daniel Weis

    Efficiently dumping Windows password hashes

    Bernardo Damele has put out some great posts of late regarding tools for dumping hashes. I have combined his posts with some of my favourite techniques and have described them below. Enjoy. Windows Security Account Manager (slightly modified definition from Wikipedia): The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions up to the most recent, Windows 7. It stores users' passwords in a hashed format (LM hash and NTLM hash). Since a hash function is one-way...
  • Daniel Weis

    Fighting the advanced attacker: 9 Security Controls You Should Add To Your Network Right Now

    There's an ever-increasing number of products and solutions available to combat advanced attackers, modern malware, and misbehaving employees. These solutions do some really cool things and the technology they use is awesome. However, there are some controls that everyone can and should be doing on their networks before they run out and procure such high-end technologies. As with nearly everything in our industry, the list below isn't a silver bullet. Rather, it represents the foundation...
  • Leandro Carvalho

    Managing and Installing App-V Packages using the App-V Server

    Introduction: After the sequencing process of applications through the Application Virtualization Sequencer, you can import them into the App-V Management Server and manage them through the Application Virtualization Management Console. To do that, open the Application Virtualization Management Console in Start > Administrative Tools. Before you start to import the applications, you can create groups for better organization. In the example in Figure 1, three groups were created: Office...
  • Daniel Weis

    Cracking IPsec VPNs with Aggressive Mode enabled with ike-scan & Cain on Windows

    It's amazing how often, as part of VPN assessments, I find that Aggressive Mode is enabled in VPNs. With most later setups, and in particular Microsoft TMG-based VPNs, it is off by default, but it is still prevalent and poses a major risk to your business. In IKE Aggressive Mode the authentication hash based on a pre-shared key (PSK) is transmitted in response to the initial packet of a VPN client that wants to establish an IPsec tunnel (Hash_R). This hash is not encrypted...
  • Daniel Weis

    Hacker legally robs bank

    Great story on a hacker who legally robs a bank; a great watch: http://www.youtube.com/watch?v=RJVHTQSvUIo&feature=player_embedded
  • Daniel Weis

    Path of Least Resistance

    I do a good number of internal penetration tests, and I have found one particular series of techniques that tends to be very quick and efficient at gaining Domain Administrator-level access. Of course, the viability of this depends on the environment and the configurations, and since this technique depends on default configurations, it is usually very effective because defaults aren't usually changed. This article is provided to help our clients proactively assess their own networks and provide...
  • Daniel Weis

    Windows-privesc-check, Standalone Executable to check for simple privilege escalation vectors on Windows systems

    I'm finally back in action; it's been a hectic few weeks with the Ruxcon conference over 2.5 days and being away on client pentests… Today's tool, Windows-privesc-check, is a standalone executable that runs on Windows systems (tested on XP and Windows 7 only so far). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written in Python and converted to an executable using PyInstaller...
  • Erdal Ozkaya

    How To enable Hyper-V Configuration on Windows 8 client

    Source: http://www.erdalozkaya.com/post/2011/11/20/How-To-enable-Hyper-V-Configuration-on-Windows-8-client.aspx In this article I am going to show you how easy it is to enable Hyper-V Client on Windows 8. As you might already know, Windows 7 had only "Windows XP Mode" or "App-V" available as a "virtualization" platform, but running different OSes on a single platform was not really possible. If you are a trainer or IT enthusiast like me who likes to try many...
  • Erdal Ozkaya

    ISO 27001, what is it?

    I have been teaching ISO 27001 classes Australia-wide for the last 3 years, and wanted to put together some resources that can be used by my students or blog followers. Below you will find the main domains covered under ISO 27001; please look for more in other posts. Enjoy: ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and...
  • Erdal Ozkaya

    Windows PowerShell: Scripting Crash Course

    More of you are getting used to Windows PowerShell and realizing its advantages. With that in mind, this month’s column is going to be a long one. This is a lightning overview of Windows PowerShell scripting, including how to build parameterized scripts. Over the next few months, I’ll focus on specific topics that build on this foundation. If you’re not used to running Windows PowerShell commands in the console, you might find this too advanced, but try to plow through anyway. You...
  • Erdal Ozkaya

    Penetration Testing Framework 0.58

    For more details please visit: www.erdalozkaya.com or www.yourmct.com. Pre-Inspection Visit - template. Network Footprinting (Reconnaissance): The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, i.e. active and passive. A passive attack is always the best starting point, as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to...
  • Leandro Carvalho

    Using Application Virtualization Sequencer to Virtualize your Applications with App-V

    Introduction: To submit applications via the App-V virtual server or other existing methods, it is necessary to perform a procedure called Sequencing. This literally means "virtualizing" the software components, such as files, registry keys, services and components, into a special package. After that the application will run through this package and all its components are extracted from it, creating a kind of bubble for application use and execution. Files created during the sequencing: Listed...
  • Daniel Weis

    Capturing Windows Logons with Smartlocker

    Oftentimes during a penetration test engagement, a bit of finesse goes a long way. One of the most effective ways to capture the clear-text user password from a compromised Windows machine is through the “keylogrecorder” Meterpreter script. This script can migrate into the winlogon.exe process, start capturing keystrokes, and then lock the user’s desktop (the -k option). When the user enters their password to unlock their desktop, you now have their password. This, while funny and...
  • Daniel Weis

    So you have antivirus and you think you are protected.. pfft….. think again…

    Astrobaby recently posted a great post on his blog about creating a Metasploit payload that is completely undetectable by pretty much all AV manufacturers. You can find the original post here: http://astr0baby.wordpress.com/2011/11/09/bypassing-antivirus-somehow/ The only problem with this was that it was not working with the latest version of BackTrack (5.x). The awesome guys at coresec have now re-engineered the code from Astrobaby and we now have a Metasploit payload that is fully undetectable...