Network Mapping with Nmap

Published on 19 October 2020

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. A common tool for use in network mapping is Nmap.

Read More...

Using Metasploit

Published on 19 October 2020

Metasploit is an exploitation framework. It’s a core tool of the penetration tester’s toolset and we use it for several of our vulnerability demonstrations, so it makes sense to write a quick “introduction to” for Metasploit. We’re going to look at the module system, navigating around, setting variables and running payloads.

Read More...

PrivEsc: Token Impersonation with Incognito

Published on 19 October 2020

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

Read More...

PrivEsc: Extracting Passwords with Mimikatz

Published on 19 October 2020

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible.

Read More...

LLMNR and NetBIOS-NS Spoofing with Responder

Published on 19 October 2020

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.

Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.

Read More...

Becoming a Penetration Tester

Published on 19 October 2020

Breaking into Penetration Testing can be a daunting career move; so in this article we talked about ways you can make your first move towards a career in this industry.


Read More...

XXE: XML External Entity Injection

Published on 19 October 2020

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and in rare cases command execution. It was also often overlooked for a whle - but now it features in the OWASP Top 10 as A4 it's a lot more well known.

Read More...

Extracting Domain Hashes: VSSAdmin

Published on 19 October 2020

We covered extracting domain hashes with Mimikatz  previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool.

Read More...