Articles

Back

SQL Injection Exploitation: Time-based

This article is Part 5 of a series; to read about detecting and fixing SQL injection in Part 1, click here. Exploitation There are several methods for exploiting SQL Injection vulnerabilities depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place. These methods ...

SQL Injection Exploitation: Error-based

This article is Part 2 of a series; to read about detecting and fixing SQL injection in Part 1, click here. Exploitation There are several methods for exploiting SQL Injection vulnerabilities depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place. These methods ...

Hashcracking with AWS

Heya! I wrote this article back in mid-2020 for Ubuntu 18.04; it’s now the future and that’s an old version and no longer supported after April 30, 2023. If you’re looking for an updated copy of this article you can find it here: Hashcracking with Hashcat and AWS Password cracking is ...

Using Metasploit

Metasploit is an exploitation framework. It’s a core tool of the penetration tester’s toolset and we use it for several of our vulnerability demonstrations, so it makes sense to write a quick “introduction to” for Metasploit. We’re going to look at the module system, navigating around, setting variables and running ...

Wireless Security: WPA

We previously spoke about WiFi security and how utterly broken WEP is. Now it’s time to take a look at WPA and WPA2 bruteforcing. This isn’t the only weakness of these protocols – but weak keys are common. The first thing to note is that the key-length for WPA is between 8 ...

PrivEsc: Extracting Passwords with Mimikatz

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible. In this part we’re just going ...

Breaking Enterprise Wireless

In our previous posts we discussed how WEP is completely broken, known weaknesses with WPA, and bruteforcing WPA using AWS. This time around it’s time to look at “Enterprise” Wireless security. These are networks protected with EAP – Extensible Authentication Protocol. However EAP is not just one protocol, but a collection of protocols ...

Network Mapping with Nmap

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. This is generally called “Network Mapping”, and a a common tool for use in network mapping is Nmap. Nmap ...

PrivEsc: Token Impersonation with Incognito

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We’ll ...

10 / 13
Play Cover Track Title
Track Authors