I occasionally see the terms Vulnerability Assessment and Penetration Test used interchangeably, or worse, phrases such as “Automated Penetration Test” – something that really pains me, as there are very distinct types of assessment. In this article I’d like to show the distinctions between the different types of assessment. Setting aside any argument of specific terminology, I aim to explain the different approaches that can be taken and the aims of each – regardless of what you choose to call them. I aim to assist companies engage with their security assessment providers to ensure that the service they’re getting is what they are expecting and so that they are aware of the alternatives.
On a recent penetration test I made heavy use of Sec-1 Ltd’s tool sharecheck in a way to gain Domain Administrator privileges that had previously been missed. Effectively there was a lot of ground work in horizontal propagation which I automated through Meterpreter and Sharecheck.
I’ve mentioned Sharecheck before on my Internal Penetration Testing post, but I don’t believe I’ve ever ran through the features of this tool which I make use of on almost every test. Effectively this tool allows you to do four main things:
There is a case ongoing which is known as The United States versus Love. As always when I mention the law on this site, I am not a Lawyer, therefore I will link to all of my sources inline and allow you to draw your own conclusions. I support Lauri Love and I would like to detail some reasons as to why you should too. I also wish to highlight some things you should be seriously concerned amount regardless of your opinion on Lauri or his case specifically.
This is an advanced Cross-site Scripting (XSS) post, if you’re new to XSS maybe try this one first: What is Cross-site Scripting?
During Penetration Tests I often see testers utilising Cross-site Scripting attacks, popping an alert(1) and stopping there; additionally looking through the payloads used by other testers I often find one area missing. So if you’re a tester, think of the payloads that you deploy and think how you are testing for the type of vulnerability described below:
This is an advanced SQL Injection (SQLi) post, if you’re new to SQLi maybe try this one first: Basics and Defence
Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval. This is a concept that can be used when exploiting lots of vulnerabilities such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection.
The idea is fairly simple, instead of capturing the data you would like to retrieve and extracting it through Boolean-logic you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.
Getting Root Access to Web Servers
I’ve written previously about How To Become a Penetration Tester, listing things that employers would like to see out of potential junior testers. I’ve written an awful lot about many web application vulnerabilities like Cross-site Scripting and Directory Traversal; I’ve even written about the methodology behind External Penetration Testing. However – until now I’ve not tied all of the little pieces together. Plus, one of the biggest things on the list of desirables for a junior testers CV is practise.
So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…
My pinned tweet got a lot of attention online, in fact it’s got more attention than probably ever one of my other tweets combined – even more than that time I had a Rap Battle over twitter! Tweets are short, you’re limited to 140 characters and it’s difficult to give depth and context in such a small message.
The period of dealing with a security breach is one of tension. If a company is not adequately prepared for the efficient handling of an incident then a time of tension becomes one of crisis.
I’m going to go ahead and open with: I am not a lawyer. If you’ve had a data breach and you need to know if you should notify an authority, or the public, you should speak to a lawyer. Don’t take legal advice from a blog post. I was researching the requirement to disclose under UK law and I thought it was interesting so here are some (probably incomplete) notes to explain (my interpretation of) the current UK Law.