Using Nmap to find Local Admin
While conducting penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials. If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.
I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges. Sure I could fire up metasploit’s msfconsole and psexec across the network. Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network. That’s when I started to utilize Nmap’s smb-enum-shares NSE script. I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others. Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do. The syntax is pretty straightforward as seen below:Read More
SQL Injection: Stealing the Keys to the Kingdom
Recently I was conducting a penetration test for a very large high profile client. The last thing I was expecting to find was SQL Injection . The network itself had over 5500+ nodes and nearly 400 subnets. I started out using one of my new tactics by utilizing Nmap’s new http-screenshot.nse script. If you haven’t had a chance to check it out; I highly suggest you do, its the new hotness. The NSE script essentially allows you to scan a network with nmap and take a screenshot of every webpage at the same time. Tutorials on how to use the script can be found on Pentest Geek here, or on Trustwave’s site here.
SQL Injection – Initial Identification
Normally when looking over all of the webpage screenshots I’m typically conscious of items like Apache tomcat servers with default creds, Jboss servers that expose the jmx-console, printers that have internal document servers holding confidential data, etc, etc…Read More
Using Nmap to Screenshot Web Services Troubleshooting
Recently a member from the Trustwave SpiderLabs team created an nmap NSE script that could be used to take a screenshot of webpages as it scanned the network. Working for a top 10 accounting firm, I conduct a lot of internal penetration tests for clients that operate on very large networks, and sometimes I’m required to audit entire counties. Having the ability to view all the webpages on the internal network without being required to manually type in each addresses into the browser sounded amazing. This was very exciting news now that there was a way to automate this process and have the ability to scale. I dove in right away to get started by installing the script based on the instructions in the link listed below:
http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
I highly suggest you look over the article above as I wrote this article in hopes that it would help assist anyone when having issues getting the http-screenshot NSE script to function properly with the latest version of nmap.
Enumerating URLs from IP Addresses Using Bing’s Search API
Hey guys, just a quick post here. I wanted to share with you a simple ruby script I wrote that identifies web server URLs (if any) from a specified list of IP Addresses. I wrote this script for a recent Information Security Assessment where my client was unaware of all the URLs that were pointing to their external infrastructure (It happens more then you would think…) and provided me with only a list of IPs.
The script uses Bing’s Search API as well as the rbing ruby gem which has some prety self explanatory usage examples on the GitHub repository. Literally all it does is run the search ip:ipaddress for every host in the specified input file.
Run the script without any arguments or view the source code below for proper syntax and usage. Not much else to say about this tiny little guy accept that it proved to be quite useful during my last pen test. Hopefully someone else will find it handy too, as always code improvement suggestions are more than welcome.
Read More
Stealing Servers Through Directory Traversal
Recently I was conducting an internal penetration test for a client that is part of the financial industry. Since this client is a financial institution they are required to have an independent 3rd party company audit their security once a year per NCUA and FDIC requirements. That’s where I come in, I get paid to hack companies like banks and credit unions. Internal penetration testing is probably one of my favorite engagements to conduct because of the wealth of information you can obtain on an internal network. Devices on the internal network typically do not have firewalls so you have unrestricted access to every port a network device will serve up. There are so many devices on the internal network, and each one tells a story.
During this recent assessment I had brought out my typical attack vectors but was striking out. I typically run Nessus as my primary vulnerability scanner, but like every tool I don’t trust it to be the holy grail. Understanding how a tool works is the best way to get a better understanding of how to find more vulnerabilities in the case that your tools don’t find anything, or malfunction. I’ve met penetration testers that will see zero high risk findings in Nessus and throw up their hands thinking there is no way to penetrate this network. When I see a scan that comes back clean with zero high risk findings, I get excited thinking this one’s gonna be a challenge.
Sitting on this internal network the Nessus scan had completed and came up pretty clean. I brought out my typical arsenal of attacks including but not limited to brute forcing mssql accounts, searching for Apache Tomcat servers that had weak or easily guessable password, sending medusa after the built-in local Administrator account since I enumerated it via null sessions along with the fact this account cannot be locked out by default, nbns_spoofing harvested network hashes but the netLM was disabled leaving me only with netNTLM which is difficult to crack, numerous metasploit auxiliary modules were run along with various other scripts and tools.
Incident Response in Trinidad
Sometimes when you fill the role of a consultant you never know what type of engagements will be thrown your way. How can you train someone to expect the unexpected with computer security. The topic is so huge, and there is so much to learn in this gigantic sea of knowledge.
Recently I was sent on an engagement in Trinidad while it’s country was in a state of emergency. I had never traveled international before so I was required to get a passport. I had to expedite my passport since I was supposed to be in Trinidad in less than a week. Once the passport arrived, I was smooth sailing; so I thought.
I missed my flight to Trinidad which was supposed to leave Minnesota around 9am CST. I panicked and thought I would never find a flight to Trinidad in time. I called my travel agent and was very surprised to find there was an afternoon flight heading to Trinidad. The only catch was that it had a six hour layover in Newark, New Jersey and the connecting flight to Trinidad was between 12am – 6am EST. I didn’t have any other options at this point, so I took it.
Read More
Share This
Recent Posts
- Playing With the New Burp Suite REST API
- Burp Suite 2.0 Beta Review
- Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’
- GPG Errors While Updating Kali Linux
- Installing Kali NetHunter on HTC Nexus 9
Subscribe To Our Mailing List
The Ultimate Burp Suite Training Program
Learn Network Penetration Testing
Penetration Testing
Categories
- AWBS
- Burp Suite
- Definitions
- Forensics and Incident Response
- Information Gathering
- Metasploit
- Penetration Testing Tutorials
- Phishing
- Presentations
- Tools
- Web Applications
- Wireless