Articles

Back

XXE: XML External Entity Injection

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and in rare cases command execution. It was also often overlooked for a while – but now it features in the OWASP Top 10 as A4 it’s a lot more well known. The issue comes about ...

Wireless Security: WEP

It’s well known that the WiFi security protocol WEP is broken. It’s been broken for years. However, if we’re writing a series on wireless security we should start at the beginning. Whilst it stands for Wired Equivalent Privacy, it hardly lives up to its name. WiFi comes under the IEEE ...

ASREP Roasting

AKA Kerberos Party Tricks Introduction If an Active Directory user has pre-authentication disabled, a vulnerability is exposed which can allow a threat actor to perform an offline bruteforce attack against that user’s password. This attack is commonly known as “AS-REP Roasting” in reference to Authentication Service Requests, a part of the process ...

Extracting Domain Hashes: VSSAdmin

We covered extracting domain hashes with Mimikatz previously, but that’s not always the best approach – for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we’ll take a look at using Vssadmin, a built-in Windows tool. VSSAdmin is the Volume ...

Bruteforcing Windows Accounts

Introduction A common configuration on Windows Active Directory accounts is to have an account lockout threshold of say, 5 invalid attempts, and an observation window of 30 minutes. This is likely due to the fact that the “Suggested Setting” after setting a threshold is to enable a short observation window. ...

Finding DOM-Based XSS

Introduction We’ve previously written about Reflected and Stored Cross-site Scripting, however this time we want to tackle DOM-Based Cross-site Scripting, or DOM-XSS for short. The exploitation of DOM-XSS is frequently very similar to Reflected Cross-site scripting, were the payload is stored within the URL and exploitation occurs where a user can ...

Kerberoasting

Any domain user within Active Directory can request a service ticket (TGS) for any service that has an SPN (Service Principal Name). A part of the service ticket will be encrypted with the NTLM hash of the target user, allowing for an offline bruteforce attack. This is true for user ...

LLMNR and NetBIOS-NS Spoofing with Responder

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have ...

An Introduction to IPv6

Internet Protocol Versions IPv6 is not new, RFC1883 discussed the protocol back in 1995. However, it has been updated several times, becoming a Draft Standard with RFC2460 in 1998, and an Internet Standard with RFC8200 in 2017! If you’re wondering if there was an IPv5 the answer is sort of, in the Experimental Internet Stream Protocol, Version ...

11 / 13
Play Cover Track Title
Track Authors