Jan 212014

You can probably get by with leaving off that last part of the title and still succeed with this attack.  Today we will be making a Password Pwn Stew.  Add a little Ettercap (link), with a dash of Metasploit (link), a smidgen of password cracking with Rcrack (link) and Rainbowtables (link), and if required a pinch of Hashcat (link) to taste.  You will have yourself some tasty pwnage.

Note, your mileage may vary with this stew.  I’m not Martha Stewart.  Also the stew analogy ends here 🙂
Continue reading »

Jan 022014

When you obtain a NetLM password hash with the known challenge of 1122334455667788 you are able to utilize the HALFLMCHALL rainbowtable to identify the first seven (7) characters of the password. The second half is left to identify. Tutorials exist (including my site, as well as here and here) on how to capture the NetLM hash using Metasploit. Metasploit comes with a Ruby script in the tools folder that will bruteforce the remaining characters of the password when you provide the complete NetLM hash and the first seven (7) characters of the recovered password. However, for passwords that are 11+ characters it is time prohibitive to bruteforce the remaining characters as show below.
Continue reading »

Sep 082011

I created a tutorial on how to setup and configure the Nokia N810 Internet Tablet to conduct a wireless assessment or audit. The tools included in the tutorial include how to setup kismet (oldcore and newcore), aircrack-ng (airbase and aircrack), and btscanner. I’m still working on developing steps to install Metasploit and Karmetasploit for wireless client attacks. The tutorial also details using the internal GPS as well as adding an external wireless adapter. The latest version of the tutorial can be found here.

Jun 072011

I put together another Technical Assessment Plan for assessing the SNMP protocol.  You will use open source and freely download-able utilities to assess the SNMP protocol.  This is for auditors that do not have access to or cannot afford the Solarwinds toolset.  This is version 0.1 of the document and I plan on making updates and add new tools in the future.

Feb 242011

I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities that a penetration tester would use.  The assessment plans are structured in a way to help with the documentation of evidence for inclusion in a work-paper process.  The plan provides helpful information on how to install, configure, and use the tools to obtain the evidence needed for an engagement.  The Technical Assessment Plans that I have created can be found here.

Jun 042009

On a recent pentest I was able to use SQLNINJA to exploit a SQL Injection vulnerability I had identified.  I documented the steps I took so that future auditors can take advantage of this tool.  Check out the tutorial here.

Mar 062009

During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.  I decided to obtain the evidence to the contrary.  I had already compromised a Domain Administrator account so I had the appropriate permissions.
Continue reading »

Mar 062009

Updated 7/2/2016 – yeah, I haven’t needed to parse the shitty output from this tool in 7 years. I never accounted for “special access” permissions not including the account with the access.

CACLS.exe is a great builtin Windows utility that allows you to list the permissions on a file or folder.  This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user.  The findings we would be looking for when examining the results are improper access to the “private” shares by other Domain users.

For CACLS options and how to interpret the results see this site.
Continue reading »

Dec 022008

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans).  I highly recommend listening to these web casts and downloading the slides for your reference.  I’m including the commands extracted from the slides that can be very useful for a penetration test.
Continue reading »