August 2012 - Pentest Geek

Posted On:August 2012 - Pentest Geek

standard

Using Nmap to find Local Admin

2012/08/23 - By 

While conducting  penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials.  If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges.  Sure I could fire up metasploit’s msfconsole and psexec across the network.  Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network.  That’s when I started to utilize Nmap’s smb-enum-shares NSE script.  I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others.  Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do.  The syntax is pretty straightforward as seen below:Read More


standard

SQL Injection: Stealing the Keys to the Kingdom

2012/08/15 - By 

Recently I was conducting a penetration test for a very large high profile client. The last thing I was expecting to find was SQL Injection . The network itself had over 5500+ nodes and nearly 400 subnets.  I started out using one of my new tactics by utilizing Nmap’s new http-screenshot.nse script. If you haven’t had a chance to check it out; I highly suggest you do, its the new hotness. The NSE script essentially allows you to scan a network with nmap and take a screenshot of every webpage at the same time. Tutorials on how to use the script can be found on Pentest Geek here, or on Trustwave’s site here.

SQL Injection – Initial Identification

Normally when looking over all of the webpage screenshots I’m typically conscious of items like Apache tomcat servers with default creds, Jboss servers that expose the jmx-console, printers that have internal document servers holding confidential data, etc, etc…Read More


Share This

Recent Posts

Subscribe To Our Mailing List

The Ultimate Burp Suite Training Program

Learn Network Penetration Testing

Penetration Testing

Categories

Metasploit

Web Application Hacking


Brandon McCann

Copyright 2024

css.php