When Databases Attack: Hacking with the OSQL Utility
The OSQL Utility is a command-line client for SQL Server that has shipped with every version since SQL Server 2000 was released. Many database administrators like it because it’s lightweight, makes...

The value of multi-layer / comprehensive pen testing
For the past five years it seems like almost everything in information security has focused on application security and, for the NetSPI consulting practices, our application security business (app pen...

When Databases Attack: SQL Server Express Privilege Inheritance Issue
SQL Server Express is commonly used by database hobbyists, application developers, and small application vendors to manage their application data. By default, it supports a lot of great options that...

Pentesting the Cloud
Several months ago, I attended an industry conference where there was much buzz about “The Cloud.” A couple of the talks purportedly addressed penetration testing in the Cloud and the difficulties...

Penetration Testing – Deception through Vocabulary
For those of you who have followed the NetSPI blog, you will (hopefully) have noticed that we do try to make our posts useful and informative. We’ve kept the rants to a minimum and the speculation...

5 Ways to Find Systems Running Domain Admin Processes
Introduction Migrating to Domain Admin processes is a common way penetration testers are able to impersonate Domain Admin accounts on the network. However, before a pentester can do that, they need to...

10 Techniques for Blindly Mapping Internal Networks
Introduction Occasionally clients require that all network and system discovery is done completely blind during internal pentests (meaning no IP addresses are provided). I know that a lot of people...

Pentesting Java Thick Applications with Burp JDSer
Recently I stumbled upon a Java Rich Client pentest project. Fortunately, the communication was made via HTTP, so it was possible to manipulate requests and responses with our favorite tool, Burp....

10 Evil User Tricks for Bypassing Anti-Virus
Introduction Many anti-virus solutions are deployed with weak configurations that provide end users with the ability to quickly disable or work around the product if they wish. As a result, even...

Resources for Aspiring Penetration Testers
At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re...

Patching Java Executables – The Easy Way
The process of patching a Java executable (.jar files) without the original source code has been known for a while. As far as I know, currently...

Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks
In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. ...

Decrypting IIS Passwords to Break Out of the DMZ: Part 1
From the perspective of a penetration tester, it would be nice if every vulnerability provided a direct path to high-value systems on the internal network. ...

Locate and Attack Domain SQL Servers without Scanning
In this blog I'll share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers...

Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases
In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured.

Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures
In this blog I show how to use SQL Server startup stored procedures to maintain access to Windows environments and share a PowerShell script to automate the attack...