A Noob Installed BSD

The year is 2017, the year of BSD on the desktop…at least for me it is. Now as anyone who reads this site regularly will know, I’m pretty good with these com-puter thingies. However – plot twist, I’ve never ran BSD before. I use Mac OS X on a MacBook I have definitely voided the warranty on and for my personal computing and I use Linux, Fedora Security Lab, for the day job. So I’m not afraid of a command line, but at this stage I don’t even know what kind of command line I’ll get with BSD!

Read More

[vlog] Vulnerability Assessments vs Penetration Tests

I occasionally see the terms Vulnerability Assessment and Penetration Test used interchangeably, or worse, phrases such as “Automated Penetration Test” – something that really pains me, as there are very distinct types of assessment. In this article I’d like to show the distinctions between the different types of assessment. Setting aside any argument of specific terminology, I aim to explain the different approaches that can be taken and the aims of each – regardless of what you choose to call them. I aim to assist companies engage with their security assessment providers to ensure that the service they’re getting is what they are …

Read More

A long old way to Domain Admin: Propagating Infections

On a recent penetration test I made heavy use of Sec-1 Ltd’s tool sharecheck in a way to gain Domain Administrator privileges that had previously been missed. Effectively there was a lot of ground work in horizontal propagation which I automated through Meterpreter and Sharecheck. I’ve mentioned Sharecheck before on my Internal Penetration Testing post, but I don’t believe I’ve ever ran through the features of this tool which I make use of on almost every test. Effectively this tool allows you to do four main things:

Read More

TLS/SSL Vulnerabilities

“Which SSL ciphers should I disable?” A client recently gave me a list of their supported ciphers and asked me which SSL ciphers they should disable – effectively looking for the most secure SSL ciphers they can use. Instead of the fast answer of “disable the insecure ones”, I thought I’d try and write up something useful. o here’s a handy reference guide I’m working on. This has been time consuming to develop and no doubt will be added to over time. This isn’t intended to be read from start-to-finish, but is more of a handy SSL/TLS issue cheat-sheet.Got a vulnerability to …

Read More
Law

USA versus Love

There is a case ongoing which is known as The United States versus Love. As always when I mention the law on this site, I am not a Lawyer, therefore I will link to all of my sources inline and allow you to draw your own conclusions. I support Lauri Love and I would like to detail some reasons as to why you should too. I also wish to highlight some things you should be seriously concerned amount regardless of your opinion on Lauri or his case specifically.

Read More

Cross-site Scripting (XSS): Life After the Alert Box

This is an advanced Cross-site Scripting (XSS) post, if you’re new to XSS maybe try this one first: What is Cross-site Scripting? During Penetration Tests I often see testers utilising Cross-site Scripting attacks, popping an alert(1) and stopping there; additionally looking through the payloads used by other testers I often find one area missing. So if you’re a tester, think of the payloads that you deploy and think how you are testing for the type of vulnerability described below:

Read More

SQL Injection: Out-of-Band Exploitation

This is an advanced SQL Injection (SQLi) post, if you’re new to SQLi maybe try this one first: Basics and Defence Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval.  This is a concept that can be used when exploiting lots of vulnerabilities such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection. The idea is fairly simple, instead of capturing the data …

Read More

Hacking Web Applications:

Getting Root Access to Web Servers I’ve written previously about How To Become a Penetration Tester, listing things that employers would like to see out of potential junior testers. I’ve written an awful lot about many web application vulnerabilities like Cross-site Scripting and Directory Traversal; I’ve even written about the methodology behind External Penetration Testing. However – until now I’ve not tied all of the little pieces together. Plus, one of the biggest things on the list of desirables for a junior testers CV is practise.

Read More