Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller
Browsing all 1156 articles

IIS Search Verb Directory Listing

This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts, this is an old vuln) and is very useful: Send this: SEARCH / HTTP/1.1 Host: target Content-Type: text/xml Content-Length:...


Wim Remes (@wimremes) for (ISC)2 Board of Directors

I am way late to the game on this, but if you have a blog, a twitter handle, or even better (in this specific case) a CISSP, please support Wim Remes (@wimremes), as he has submitted to become a member...


Post Exploitation Command Lists

I’ve had a private list of commands that I run on Windows or Linux when I pop a shell, as I’m sure most pentesters do. It isn’t so much a thing of hoarding as much as it is just jumbled notes that are...


Multiple Dictionaries or Wordlists Using John the Ripper

John the Ripper only takes one word list at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John’s stdin function but I like to run rules against my...


Disconnect Stalled SSH Session

This doesn’t really apply to Windows users as you can just close PuTTY. But for everyone else, stalled SSH sessions suck. You are either slamming enter to get it to realize it’s been disconnected or...


Who Is Logged In? A Quick Way To Pick Your Targets

Say you go for the 500+ shells on an internal test or your phishing exercise goes way better than you thought. Well you need to get your bearings quickly and going into each shell and doing a ps, then...


#DerbyCon Approaches...

Chris Gates (@carnal0wnage) and I will be speaking at DerbyCon next week: The Dirty Little Secrets They Didn’t Teach You In Pentesting Class “This talk is about methodologies and tools that we use or...


Create a 64bit Process From a x86/32bit One

On Vista and above there is a Windows ‘Redirector’ (A redirector is basically a Symlink or fake directory that’s there but not in Windows) (more info here) that allows a 32bit process create a...


The Dirty Little Secrets They Didn't Teach You In Pentesting Class

Video: Slides: The Dirty Little Secrets They Didn’t Teach You In Pentesting Class [slideshare id=9530403] Code: https://github.com/mubix/Not-In-Pentesting-Class


MSFConsole Prompt Fiddling

In @carnal0wnage and my presentation at DerbyCon 2011 we talked about using SCREEN and SCRIPT to keep connections live / use them across SSH sessions, and log everything that happens. What we didn’t...


Run POST Modules On All Sessions

Jcran recently blogged about an easy way to run a post module on all sessions: http://blog.pentestify.com/simple-framework-domain-token-scanner msf> use post/windows/gather/enum_domain_tokens msf...


12 Days of No Starch Press

This Christmas I’ve decided to spread a little cheer (aka free stuff) ;-) , and I’m doing it in 2600 fashion. Now, I don’t know if I have enough readers to pull this off, but here goes: I will be...


First day of a No Starch Christmas - Winner

Our first day of No Starch winner is Russ with Room 362 right next to the Fire Hose ;-) 1st Day of @NoStarch Winner


Hash Types for John the Ripper

Pentest Monkey is a great resource for a lot of things. One of which is this: John The Ripper Hash Formats | pentestmonkey I used it, plus a bit of bash fu to try to figure out some hashes that I was...


Shared Links

When Google Reader decided to remove everything it was good for, we all scrambled to find new homes for things we wanted to share. Tumblr became a place that most of us flocked to. I’ve found Tumblr to be...


Hak5 Segment Sneak Peak

Since it’s Christmas and all, I thought I’d post the code snippet from my Hak5 segment a bit early: #include <Clipboard.au3> #include <File.au3> $oldclip = "" While 1 $clip =...


(UAC) User Assisted Compromise

A number of times during tests I’ve actually run into those mythical creatures called “patched windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to...


A @textfiles approach at gathering the world's DNS - Slides

This is my talk that I gave at ShmooCon 2012. It was a great honor to be given the chance to speak at ShmooCon as it has been my second home since 2006 (missed the first one… haven’t missed one since) A...


MS08_068 + MS10_046 = FUN UNTIL 2018

*TL;DR:* SMB Relay + LNK UNC icons = internal pentest pwnage I need to touch on the highlights of two vulnerabilities before we talk about the fun stuff, but I highly encourage you to read the...


Developing the LNK Metasploit post module with Mona

I have been using the LNK trick I talked about in my last post for a while, but always needing a Windows machine to create the LNK file. When I decided to write a post about it, I wanted to put the...
