LLMNR and NetBIOS-NS Spoofing with Responder

Published on 12 April 2020

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.

Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.

Read More...

PrivEsc: Extracting Passwords with Mimikatz

Published on 08 April 2020

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible.

Read More...

Using Metasploit

Published on 06 April 2020

Metasploit is an exploitation framework. It’s a core tool of the penetration tester’s toolset and we use it for several of our vulnerability demonstrations, so it makes sense to write a quick “introduction to” for Metasploit. We’re going to look at the module system, navigating around, setting variables and running payloads.

Read More...

PrivEsc: Token Impersonation with Incognito

Published on 06 April 2020

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

Read More...

Network Mapping with Nmap

Published on 03 April 2020

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. A common tool for use in network mapping is Nmap.

Read More...

Content Security Policy

Published on 18 March 2020

In our post on Finding and Fixing Cross-site Scripting, we recommended the use of Content Security Policy (CSP) to mitigate the effects of this vulnerability. It does this by allowing you to set up an allow list of resource locations (such as scripts) for your web pages, and therefore inform the browser to block any scripts that do not come from an authorised source. The problem is, you have to set up an allow list of resource locations, or the resource will be blocked.

Read More...

Extracting Domain Hashes: Mimikatz

Published on 17 March 2020

We previously covered how to perform incredibly fast hashcracking with AWS. In this post we’ll take a step back, and look at one simple method to extract the hashes from a domain controller. To be clear, this is a post exploitation step and to perform these steps a domain administrator account will be needed.

Read More...

Hash Cracking with AWS

Published on 09 March 2020

In a previous post, I showed the steps to capture a WPA handshake and crack it using Hashcat. On my tiny travel laptop I achieved 416H/s, which is…slow.

AWS offers “GPU Optimized” EC2 instances:

  • g4dn.xlarge – $0.53 per hour
  • g3s.xlarge – $0.75 per hour
  • p3.16xlarge – $24.48 per hour (that’s ~$18,000 per month!)
Read More...

Breaking Enterprise Wireless

Published on 08 March 2020

In our previous posts we discussed how WEP is completely broken, known weaknesses with WPA, and bruteforcing WPA using AWS. This time around it’s time to look at “Enterprise” Wireless security. These are networks protected with EAP – Extensible Authentication Protocol.

Read More...

Wireless Security: WPA

Published on 07 March 2020

We previously spoke about WiFi security and how utterly broken WEP is. Now it’s time to take a look at WPA and WPA2 bruteforcing. This isn’t the only weakness of these protocols – but weak keys are common.

Read More...

Wireless Security: WEP

Published on 07 March 2020

It’s well known that the WiFi security protocol WEP is broken. It’s been broken for years. However, if we’re writing a series on wireless security we should start at the beginning. Whilst it stands for Wired Equivalent Privacy, it hardly lives up to its name.

WiFi comes under the IEEE 802.11 family. WEP was part of the original standard and was quickly superseded by WPA – WiFi Protected Access.

Read More...

Finding and Fixing DOM-XSS

Published on 05 March 2020

We’ve previously written about Reflected and Stored Cross-site Scripting, however this time we want to tackle DOM-Based Cross-site Scripting, or DOM-XSS for short. The exploitation of DOM-XSS is frequently very similar to Reflected Cross-site scripting, were the payload is stored within the URL and exploitation occurs where a user can be tricked into clicking the link, such as through a phishing email – but we’ll break it down step by step.

Read More...

Finding and Fixing Cross-site Scripting (XSS)

Published on 04 March 2020

Cross-site Scripting (XSS) is a vulnerability that occurs where an attacker could cause a scripting language to execute within another user’s view of a web application. There are three types: Reflected, Stored, and DOM-Based. Finding and exploiting DOM-Based XSS is quite different to stored or reflected, so we’ve separated it into its own article: Finding and Fixing DOM-XSS.

Read More...

SQL Injection Exploitation: Time-based

Published on 03 March 2020

Exploitation

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...

SQL Injection Exploitation: Blind-Boolean

Published on 03 March 2020

Exploitation

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...

SQL Injection Exploitation: Union-Based

Published on 02 March 2020

Exploitation

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...

SQL Injection Exploitation: Error-based

Published on 02 March 2020

Exploitation

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...

TalkTalk Breach (2015)

Published on 01 March 2020

TalkTalk suffered a series of security issues in 2015. Right from the start of the year people were discussing an increased number of scam calls[1]. On 26 February 2015 TalkTalk emailed customers to inform them of a data breach in which account numbers, addresses, and phone numbers were taken. The email detailed that a third-party contractor was believed to be responsible, and that TalkTalk was taking legal action against them[2]. It was believed that “a few thousand” customers were affected[3].

Read More...

Finding and Fixing SQL Injection

Published on 29 February 2020

SQL Injection is an old vulnerability; first published on Christmas Day 1998 in Phrack Magazine 54. The issue occurs where user supplied input is insecurely concatenated into an SQL query. It generally allows an attacker to perform any of the operations that the database user can execute – such as extracting, changing, or deleting database contents. Rarely, where the database user is highly privileged, this can allow for command execution through features such as the MSSQL xp_cmdshell system stored procedure.

Exploiting the issue manually is often trivial, but there are freely available public exploitation tools available – such as SQLmap.

Read More...

Target Breach (2013)

Published on 27 February 2020

Target were breached in 2013. The story was initially broken by Brian Krebs in a post published on 18 December 2013 and titled “Sources: Target investigating Data Breach”[1]. This was followed up by a statement from Target announcing the breach on 19 December[16]. The target confirmation stated the breach lasted between November 27 and December 15.

Read More...

Bruteforcing Windows Accounts

Published on 24 February 2020

A common configuration on Windows Active Directory accounts is to have an account lockout threshold of say, 5 invalid attempts, and an observation window of 30 minutes. This is likely due to the fact that the “Suggested Setting” after setting a threshold is to enable a short observation window. As shown:

Read More...

Bruteforcing Kerberos

Published on 21 February 2020

It is possible to brute-force Windows accounts directly, using tools like Metasploit using modules such as smb_login, which will target port 445 (SMB). However, it’s also possible to brute-force the Active Director authentication protocol Kerberos directly.

Read More...

An Introduction to IPv6

Published on 17 February 2020

IPv6 is not new, RFC1883 discussed the protocol back in 1995. However, it has been updated several times, becoming a Draft Standard with RFC2460 in 1998, and an Internet Standard with RFC8200 in 2017!

If you’re wondering if there was an IPv5 the answer is sort of, in the Experimental Internet Stream Protocol, Version 2 (ST-II) which used the IP version number 5 within its packet header, that’s RFC1190. IPv7 was sort of RFC1475, IPv8 was sort of RFC1162, and for an April fools joke we go IPv9 in RFC1606.

Read More...

Kerberoasting

Published on 17 February 2020

Any domain user within Active Directory can request a service ticket (TGS) for any service that has an SPN (Service Principal Name). A part of the service ticket will be encrypted with the NTLM hash of the target user, allowing for an offline bruteforce attack.

Read More...

ASREP Roasting

Published on 16 February 2020

If an Active Directory user has pre-authentication disabled, a vulnerability is exposed which can allow an attacker to perform an offline bruteforce attack against that user’s password.

This attack is commonly known as “AS-REP Roasting” in reference to Authentication Service Requests, a part of the process of authentication with Kerberos. An attacker who is able to find a user with pre-authentication disabled can request an AS-REP ticket for that user and this will contain data encrypted with the user’s password.

Read More...