Brandon McCann - 2/3 - Pentest Geek

Posted By:Brandon McCann - 2/3 - Pentest Geek

standard

Pwn all the Sauce with Caller ID Spoofing

2013/05/01 - By 

If we’re going to perform some pre-text phone calls we have a couple different options when it comes to the caller ID. We really only have 3 possible options which are: we do nothing to the phone number, we block our phone number, or we spoof our phone number.

Doing nothing to the caller ID will sometimes work depending on the area code you call from versus the area code that your client is located in. In my experiences, sometimes not blocking the number yields better results than blocking the number. I always feel like users are more suspicious when the caller ID says ‘blocked’or ‘unavailable’. Not only are they on heightened awareness, but I feel like they are less likely to even answer the phone thinking it’s most likely a telemarketer.

Read More


standard

Track User Clicks when Email Phishing

2013/03/26 - By 

When performing email phishing engagements my clients often ask or want to know what users actually clicked on the phishing email. There are many ways to accomplish this task, but I’m going to discuss the method I use to track each unique visitor to my phishing website.

I prefaced this article in one of my previous blog posts “How do I phish” where I discuss using a ruby script I call sendmail.rb. There is nothing special or magical about the script, it just offers an alternative way to send phishing emails that will assist in tracking each unique visit to your phishing website. There is also value in knowing the CIO or some other C-level executive was just phished.

Read More


standard

How do I phish? – Advanced Email Phishing Tactics

2013/01/30 - By 

I’m often times asked how I perform email email phishing attacks.  Email phishing attacks are very compelling, and unique to each situation. The process of creating a successful email phishing campaign is very methodical, and most of the time and effort goes up front into the planning phase.

Understanding that good security is a multilayer approach and we will have many layers of security that could potentially destroy our email phishing campaign. Some of these layers may include Email Gateway Spam Filters, Outlook ‘Junk Email’ Filters, Host based Antivirus, Intrusion Prevention Systems, Web Proxy Servers, Egress filtering, and the list goes on and on.

Read More


standard

WordPress Pingback Portscanner – Metasploit Module

2013/01/03 - By 
Metasploit Module Wordpress Pingback Port Scanner

The latest version of WordPress, version 3.5 was recently released on December 11, 2012. This latest version of WordPress comes pre-packaged with the XML-RPC interface enabled by default. This is just the type of configuration that us pentesters love to see during an engagment. This additional attack surface may be just the little extra that a pentester needs.

Read More


standard

Recover Spark IM Stored Passwords with Metasploit

2012/12/26 - By 

Metasploit Module [1]

I recently added a post exploit module to the metasploit framework. The module will extract and decrypt passwords that are stored by the Spark Instant Messenger client. The passwords are stored in a file on the local HDD (spark.properties) using Triple DES encryption. This sounds all fine and dandy, but this all goes out the door when they hardcoded the key and made it publicly documented.

The vulnerability isn’t that new since it was documented by Adam Caudill back in July 2012 when he disclosed the details and PoC code in .net that illustrates how the attack can be completed.  Mubix recently submitted a  request to add this post exploit module into the framework. Well, SmilingRacoon and myself decided to answer the call and work up a module to accomplish this task.

Read More


standard

NetLM Downgrade Attacks with Metasploit

2012/11/30 - By 

Metasploit Module [1]

Recently I added a post exploit module to the metasploit framework  that will help automate the NetLM Downgrade attack.  If you are not familiar with the  attack, I highly suggest you read the following article by Dave Howard before continuing.

The purpose of this article is not to describe the NetLM attack, but rather demonstrate how the post exploit module functions and how it can save  time on a pentest or even get you that next step in order to take over the network.

Read More


standard

Find Local Admin with Metasploit

2012/11/03 - By 

Metasploit Module [1]

When conducting email phishing engagements I often run into situations where I gain a meterpreter session on the internal network, but I don’t have local admin privileges. Often times many penetration testers give up on the assessment because they have already illustrated access to the internal network and consider that adequate on an external engagement. I like to go that extra mile and really make an impact by showing what a malicious user can do once inside.

I feel many penetration testers ignore the fact that a user executed the payload. A user that is most likely part of a domain, and may have access to many additional resources on the internal network that we wouldn’t otherwise have access to.

Read More


standard

Using Nmap to find Local Admin

2012/08/23 - By 

While conducting  penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials.  If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges.  Sure I could fire up metasploit’s msfconsole and psexec across the network.  Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network.  That’s when I started to utilize Nmap’s smb-enum-shares NSE script.  I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others.  Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do.  The syntax is pretty straightforward as seen below:Read More


standard

SQL Injection: Stealing the Keys to the Kingdom

2012/08/15 - By 

Recently I was conducting a penetration test for a very large high profile client. The last thing I was expecting to find was SQL Injection . The network itself had over 5500+ nodes and nearly 400 subnets.  I started out using one of my new tactics by utilizing Nmap’s new http-screenshot.nse script. If you haven’t had a chance to check it out; I highly suggest you do, its the new hotness. The NSE script essentially allows you to scan a network with nmap and take a screenshot of every webpage at the same time. Tutorials on how to use the script can be found on Pentest Geek here, or on Trustwave’s site here.

SQL Injection – Initial Identification

Normally when looking over all of the webpage screenshots I’m typically conscious of items like Apache tomcat servers with default creds, Jboss servers that expose the jmx-console, printers that have internal document servers holding confidential data, etc, etc…Read More


Share This

Recent Posts

Subscribe To Our Mailing List

The Ultimate Burp Suite Training Program

Learn Network Penetration Testing

Penetration Testing

Categories

Metasploit

Web Application Hacking


Brandon McCann

Copyright 2024

css.php