Controlled Chaos

Published on 10 March 2021

Major outages in major public cloud providers such as Azure and AWS are rare, but they do happen. Today OVH had a major incident: “OVH datacenter burns down knocking major sites offline” and they’re not the only ones to experience these issues, for example Amazon had a major outage in November and Microsoft had one in September.

This prompted me to write up an article on Akimbo’s recent work building resilience into our platform, so today I’m going to talk a little bit about a couple of the features of AWS that allow for significant resilience and I’m going to do that by running you through my recent experiments on our platform which can be roughly summarised as “Turning things off to see what breaks.”

Read More...

SQL Injection Exploitation: Out-of-Band

Published on 26 January 2021

Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating the detection and response capability.

SQL Injection can be exploited out-of-band through protocols such as DNS in order to extract database contents. This is particularly useful as an alternative to Time-based exploitation where it can allow for faster extraction.

Read More...

Strong Passwords

Published on 23 January 2021

When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see "leet" substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn.

In this post, we break down options for choosing more secure passwords.

Read More...

Preventing Windows Accounts Being Bruteforced

Published on 23 January 2021

In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post - we'll cover some steps to harden these accounts.

Read More...

Securing Wi-Fi Networks

Published on 23 January 2021

We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we'll look at hardening Enterprise wireless networks from these attacks.

Read More...

Fixing SQL Injection

Published on 22 January 2021

SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query.

We showed how easy can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.

Read More...

Fixing LLMNR and NetBIOS-NS Spoofing

Published on 21 January 2021

In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.

LLMNR and NetBIOS-NS are both a fallback for DNS and can be used to perform interception attacks, leading to credential theft or even command execution. However, these two articles are not commonly needed on networks and can therefore be safely disabled.

Read More...

Fixing DOM-Based XSS

Published on 25 October 2020

Whilst Reflected and Stored XSS can generally be addressed through server-side user input encoding (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy – this is not sufficient for DOM-XSS.

Read More...

Fixing Cross-site Scripting (XSS)

Published on 25 October 2020

This issue comes about where user supplied input is included within server responses without filtration or encoding.

One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.

Read More...

Extracting Domain Hashes: VSSAdmin

Published on 19 October 2020

We covered extracting domain hashes with Mimikatz  previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool.

Read More...