Another Lap Around Microsoft LAPS

2016/08/04 | Posted In Penetration Testing | Comments: 2
Author: Leo Loobeek
Another Lap Around Microsoft LAPS

I recently landed on a client’s network with an implementation of Microsoft LAPS on a few thousand hosts. This blog post will walk through how to identify the users sysadmins delegated to view LAPS passwords, and how to identify the users sysadmins have no idea can view LAPS passwords. Read More


Credential Harvesting via MiTM – Burp Suite Tutorial

2016/06/09 | Posted In Penetration Testing | Comments: 2
Author: Royce Davis
Credential Harvesting via MiTM - Burp Suite Tutorial

In this step by step tutorial we will discuss some of the more advanced use cases for the Burp Suite.  Credential harvesting through “Man-in-The-Middle” attack vectors can be your saving grace during an otherwise uneventful penetration test.  You can watch a video version of this tutorial Here. This guide is intended to be educational as well as entertaining.  The author does not condone or encourage illegal hacking activities.
Read More


SSL Certificate from letsencrypt.org – Setup Guide

2016/05/31 | Posted In Phishing | No comments
Author: zeknox
SSL Certificate from letsencrypt.org - Setup Guide

I’m sure many of you have heard of the new free service from letsencrypt.org which essentially offers a valid SSL Certificate for everyone. The goal of the project is to run the entire internet over HTTPS without any excuses.

I’ve been using the service since early this year when they launched the beta, and I have to tell you that it is legit and something you really should be incorporating into your e-mail phishing process. Since we are going to provide professional phishing services for our clients, doing it over HTTPS and with a valid SSL Certificate is a must whenever we harvest sensitive info.

Read More


Phishing Frenzy: SSL Support on Rails 4 with Syntax Highlighting

2014/12/04 | Posted In Phishing | No comments
Author: zeknox
Phishing Frenzy: SSL Support on Rails 4 with Syntax Highlighting

It’s been a little over a year since I started phishing full time with Phishing Frenzy and there is no looking back now. The project has really come a long way since I first started with it. I can’t thank the community enough for all the support and contributions along the way. Phishing today seems more enjoyable than ever before and I owe a lot of that gratification to Phishing Frenzy.

If you haven’t had a chance to checkout the project, I highly recommend you do and get involved. We are always seeking new templates to be added to our official gallery for the entire community to use, tweak and share.

Read More


Burp Suite Tutorial – Web Application Penetration Testing (Part 2)

2014/11/14 | Posted In Web Applications | Comments: 4
Author: Royce Davis
Burp Suite Tutorial - Web Application Penetration Testing (Part 2)

In the last article we introduced some of the useful features that Burpsuite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will explore some additional functionality including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Lets get right to it!
Read More


Phishing Frenzy: HTA PowerShell Attacks with BeEF

2014/07/22 | Posted In Phishing | Comments: 2
Author: zeknox
Phishing Frenzy: HTA PowerShell Attacks with BeEF

If you’re not currently using Phishing Frenzy, BeEF, or PowerSploit for your Phishing campaigns you’re really missing out. In this article we are briefly going to cover what I consider to be one of the “new hotness” attack vectors that every pentester should be using in their next phishing assessment.

With that said we are very pleased to announce that BeEF is now integrated in Phishing Frenzy. If you’re not familiar with BeEF or its capabilities I would highly recommend you check it out. BeEF is the browser exploitation framework and one of the major features is the ability to hook browsers and inject JavaScript into browser sessions.

With the recent addition of BeEF integration to Phishing Frenzy you can now hook and launch client side attacks easier than ever. With a simple click of the button Phishing Frenzy will instantly add JavaScript tags that BeEF requires. This means any target landing on your phishing page will instantly get hooked if JavaScript is enabled (which it usually is!).

Read More


Burp Suite Tutorial – Web Application Penetration Testing (Part 1)

2014/07/02 | Posted In Web Applications | Comments: 8
Author: Royce Davis
Burp Suite Tutorial - Web Application Penetration Testing (Part 1)

Burp Suite from Portswigger is one of my favorite tools to use when performing a Web Application Penetration Test. The following is a step-by-step Burp Suite Tutorial. I will demonstrate how to properly configure and utilize many of Burp Suite’s features. After reading this, you should be able to perform a thorough web application penetration test. This will be the first in a two-part article series.
Read More


Hacking Jenkins Servers With No Password

2014/06/13 | Posted In Penetration Testing | Comments: 3
Author: Royce Davis
Hacking Jenkins Servers With No Password

Here’s a fun Jenkins trick I have been using on some recent Information Security Assessments to gain an initial foothold. If you aren’t familiar with hacking Jenkins servers, it runs by default on port 8080 and also by default it has no password (Hurray!). According to their Wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what Jenkins looks like.

Read More


Phishing Frenzy: Increase Reporting Fu

2014/06/11 | Posted In Phishing | Comments: 2
Author: zeknox
Phishing Frenzy: Increase Reporting Fu

The development and addition of new features within Phishing Frenzy (PF) continues to grow. Some of these latest upgrades and email phishing features come from a lot of feedback that I have obtained from the community. Thank you all for the great feedback regarding PF.

Recently PF was converted and upgraded to run the latest version of bootstrap. Previously PF was running bootstrap version 2 and was missing out on some of the latest bootstrap features. The conversion was fairly long and painful, but the end result is very pleasing.

Read More


Thotcon 0x5 Phishing Frenzy

2014/05/15 | Posted In Presentations | No comments
Author: zeknox
Thotcon 0x5 Phishing Frenzy

As most of you already know, Thotcon one of the paramount security conferences took place a couple weeks ago in Chicago. I got the incredible opportunity to present on the main stage about Phishing Frenzy and show off some of the new features now available.

During the presentation at Thotcon Adam Ringwood and I gave a live demo of the new features and executed a simulated email phishing attack. Those of you who missed it I’ve summarized most of the details in this blog post. Read More


css.php