Search Results For ""

Recently I was conducting a penetration test for a very large high profile client. The last thing I was expecting to find was SQL Injection . The network itself had over 5500+ nodes and nearly 400 subnets.  I started out using one of my new tactics by utilizing Nmap’s new http-screenshot.nse script. If you haven’t had a chance to check it out; I highly suggest you do, its the new hotness. The NSE script essentially allows you to scan a network with nmap and take a screenshot of every webpage at the same time. Tutorials on how to use the script can be found on Pentest Geek here, or on Trustwave’s site here.

SQL Injection – Initial Identification

Normally when looking over all of the webpage screenshots I’m typically conscious of items like Apache tomcat servers with default creds, Jboss servers that expose the jmx-console, printers that have internal document servers holding confidential data, etc, etc…Read More

Recently I was conducting an internal penetration test for a client that is part of the financial industry.  Since this client is a financial institution they are required to have an independent 3rd party company audit their security once a year per NCUA and FDIC requirements.  That’s where I come in, I get paid to hack companies like banks and credit unions.  Internal penetration testing is probably one of my favorite engagements to conduct because of the wealth of information you can obtain on an internal network.  Devices on the internal network typically do not have firewalls so you have unrestricted access to every port a network device will serve up.  There are so many devices on the internal network, and each one tells a story.

During this recent assessment I had brought out my typical attack vectors but was striking out. I typically run Nessus as my primary vulnerability scanner, but like every tool I don’t trust it to be the holy grail.  Understanding how a tool works is the best way to get a better understanding of how to find more vulnerabilities in the case that your tools don’t find anything, or malfunction.  I’ve met penetration testers that will see zero high risk findings in Nessus and throw up their hands thinking there is no way to penetrate this network.  When I see a scan that comes back clean with zero high risk findings, I get excited thinking this one’s gonna be a challenge.

Sitting on this internal network the Nessus scan had completed and came up pretty clean.  I brought out my typical arsenal of attacks including but not limited to brute forcing mssql accounts, searching for Apache Tomcat servers that had weak or easily guessable password, sending medusa after the built-in local Administrator account since I enumerated it via null sessions along with the fact this account cannot be locked out by default, nbns_spoofing harvested network hashes but the netLM was disabled leaving me only with netNTLM which is difficult to crack, numerous metasploit auxiliary modules were run along with various other scripts and tools.

Read More