Open Source Pentesting

My talk today at Wild West Hacking Fest was about some documents that I released here. I’ll make this blog post more indepth later but for right now I wanted to get the slides out. (If you can’t access one of the documents yet, don’t ask for permission to do so, it just means either they aren’t ready yet, I’ll make posts about each one as they become available) Here is the main slide deck for the docs: https://bit.
Read more

2017 GrrCon Hiring List

Created the 2017 UNOFFICIAL GrrCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/ddfN6gHPbCJweGUw2 (One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.) Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/18YEyfp3ctrCz3WgaCArKp0wLn0xWEfV99X-UDmhy4D0/
Read more

Automatically deleting old Gmail email

Like many of you I’m a gmail hoarder. I never deleting anything, just “archive” everything. I “might” need it later, or “I’ll get to it when I have time”. If we get really honest with ourselves, we never will actually get to it, and because we have this buffer, this procrastination opportunity, we grab it. We use words like “but I may need proof of X”, or “I could need to reference this”, or “I don’t really want to put this person in my contacts so I’ll just save the email”.
Read more

2017 DerbyCon Hiring List

Created the 2017 UNOFFICIAL DerbyCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/vyqVHjZkxE4WhA9X2 (One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.) Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/1tf0C09Cwt6_GBinOjvI714655YdQcxi5k2g6iDzPt9I/
Read more

Dump LAPS passwords with ldapsearch

If you’ve ever been pentesting an organization that had LAPS, you know that it is the best solution for randomizing local administrator passwords on the planet. (You should just be leaving them disabled). LAPS stores it’s information in Active Directory: The expiration time: ms-Mcs-AdmPwdExpirationTime: 131461867015760024 And the actual password in clear text: ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#( When LAPS first came it, any user in Active Directory could read it.
Read more

Security Affairs Questions

Soon after I blogged about the “Snagging Creds from Locked Machines” and it went a bit viral for a day, Pierluigi Paganini from SecurityAffairs.co asked me some great questions, that I failed to answer in a timely manner. They are probably a lot less useful to him now (8 months late), but I thought I would answer them anyways. You are one of the most respected experts on cyber security.
Read more

Dynamic DNS Update Module

“Secure” DNS updates is the default in Windows, but there is an option to allow “Nonsecure” updates. I have seen this changed when non-Windows DHCP servers are used (eg Access Points), this opens a network up to some pretty nifty attacks that a Metasploit module just hit the ground for. The module was originally written by King Sabri, with many touch ups and the spoofing capability by busterbcook
Read more

Reset AD user password with Linux

Image showing how to allow users to be able to reset user passwords Disclaimer: If you are here because you are a helpdesk person, this is a pentest blog, so it’s coming from the mindset of a pentester, but this could just as easily be used for legitmate purposes. There are a great many things you can do with rpcclient for examples outside of this blog post see these posts by Chris Gates:
Read more

Password Magic Numbers

LanManager passwords (“LM”) is a very old and well known password hashing function. Used way back in OS/2 Warp and MS-Net (networking for MS-DOS). It was great in it’s day, however how it worked was not sustainable. The hashing was performed only haver uppercasing and splitting the password into two 7 character chunks. This meant that even if your password was 14 characters long, it was still technically only two 7 character passwords, that could be cracked separately.
Read more

2017 Shmoocon Hiring List

Created the 2017 UNOFFICIAL ShmooCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/egx5Iw7M6gI67yh02 (One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.) Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/1yzL7Y7TAP-b4Bu9j2pYsaB2VyTXEK0C_NJ19aezIFms/
Read more
Page 1 of 41234