Search Results For ""

How To Install Metasploit Framework Ubuntu 14.04

How-to-install-metasploit-framework-ubuntu-14-04

The Metasploit Framework is an integral component to every penetration testers tool-kit. This guide will teach you how to install Metasploit Framework in Ubuntu 14.04. You will also install and configure RVM and Postgres. For additional information and troubleshooting tips please checkout some of the links in the related content section at the bottom of this tutorial.
Read More


How to Install Nmap From Source

How To Install Nmap

Nmap is a network mapping tool used during the Information Gathering phase of a network penetration testing engagement. It is completely free and open source. Click on the following link for more information about the Nmap Project. In this step-by-step tutorial you will learn how to install Nmap from source on an Ubuntu Linux machine.
Read More


Another Lap Around Microsoft LAPS

I recently landed on a client’s network with an implementation of Microsoft LAPS on a few thousand hosts. This blog post will walk through how to identify the users sysadmins delegated to view LAPS passwords, and how to identify the users sysadmins have no idea can view LAPS passwords.
Read More


How To Use Burp Suite – Web Penetration Testing (Part 2)

Burp Suite Tutorial Part 2

In our last Burp Suite Tutorial we introduced some of the useful features that Burp Suite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will continue to explore how to use Burp Suite including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Lets get right to it!
Read More


Burp Suite Tutorial – Web Application Penetration Testing (Part 1)

Burp Suite Tutorial

Burp Suite from Portswigger is one of my favorite tools to use when performing a Web Penetration Test. The following is a step-by-step Burp Suite Tutorial. I will demonstrate how to properly configure and utilize many of Burp Suite’s features. After reading this, you should be able to perform a thorough web penetration test. This will be the first in a two-part article series.
Read More


Hacking Jenkins Servers With No Password

Hacking Jenkins Servers With No Password

Here’s a fun Jenkins trick I have been using on some recent Information Security Assessments to gain an initial foothold. If you aren’t familiar with hacking Jenkins servers, it runs by default on port 8080 and also by default it has no password (Hurray!). According to their Wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what Jenkins looks like.Read More


Smbexec 2.0 released

We released smbexec version 2.0 a few days ago and it comes with some rather large differences from previous versions. For one thing it was completely rewritten in Ruby, for another it now supports multi-threading.

Read More


Pwn all the Sauce with Caller ID Spoofing

Pwn all the Sauce with Caller ID Spoofing

If we’re going to perform some pre-text phone calls we have a couple different options when it comes to the caller ID. We really only have 3 possible options which are: we do nothing to the phone number, we block our phone number, or we spoof our phone number.

Doing nothing to the caller ID will sometimes work depending on the area code you call from versus the area code that your client is located in. In my experiences, sometimes not blocking the number yields better results than blocking the number. I always feel like users are more suspicious when the caller ID says ‘blocked’or ‘unavailable’. Not only are they on heightened awareness, but I feel like they are less likely to even answer the phone thinking it’s most likely a telemarketer.

Read More


Track User Clicks when Email Phishing

Track User Clicks when Email Phishing

When performing email phishing engagements my clients often ask or want to know what users actually clicked on the phishing email. There are many ways to accomplish this task, but I’m going to discuss the method I use to track each unique visitor to my phishing website.

I prefaced this article in one of my previous blog posts “How do I phish” where I discuss using a ruby script I call sendmail.rb. There is nothing special or magical about the script, it just offers an alternative way to send phishing emails that will assist in tracking each unique visit to your phishing website. There is also value in knowing the CIO or some other C-level executive was just phished.

Read More


Share This

Follow Pentest Geek

twitterrssyoutubetwitterrssyoutube

Recent Posts

Free Course

Penetration Testing

Categories

Metasploit

Web Application Hacking

css.php