Showing 28 results for: Passwords

Changes in Oracle Database 12c password hashes

Oracle has made improvements to user password hashes within Oracle Database 12c. By using a PBKDF2-based SHA512 hashing algorithm, instead of a simple SHA1 hash, password hashing is more secure. With this post, I'll explain some of the changes and their...

Building my own personal password cracking box

Since 2003, I've spent a majority of my workdays hacking systems. I've collected tons of penetration testing tips and tricks and have shared some of them on this blog. As a part of my work as a penetration tester, cracking...

Cracking IKE Mission:Improbable (Part3)

Introduction As discussed in parts 1 and 2 of this series, the most common VPN endpoints (responders) found supporting Aggressive Mode negotiation are Cisco devices. However, they are also almost always supported by a second factor authentication mechanism known as...

Look What I Found: Pony is After Your Coins!

In our previous episode of "Look What I Found" we detailed our discovery of a humongous instance of a Pony botnet controller that stole credentials for approximately two million websites, social networks, e-mails and other types of accounts. We recently...

What Dirty Little Secrets You Find on eBay

So I do networking (computers and wifi things) at a number of security conferences (Thotcon & DEF CON). In order to do so, I sometimes need hardware to play with. In December I decided to watch a few auctions on...

Exploiting Password Recovery Functionalities

Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages when the user exists or not in the database), sensitive information disclosure (sending the password...

Hey, can I use your server for spamming?

Over the last few months I have encountered two separate cases of our customers being impacted by outbound spam, i.e., spam originating from within their networks. The first sign that anything was wrong was that the customers' mail servers were...

Corporate Passwords Part 1

With the vast amount of research and content that was done by SpiderLabs for the Global Security Report, it made it impractical to include all of the content that was written for this year's password study. But instead of letting...

The Problem With Networks .....

Where do I start with this open-ended statement? I guess from a pen testing perspective, quite a lot. Internal pen test results tend to open up a can of worms for a company. There you are, managing your network, covering...

Sometimes, The PenTest Gods Shine On You

Settling down for a hacking session usually means lots of hard work and a long grind towards target data. You've got to juggle a large stack of systems and testing constraints, all while learning about the environment from the ground...

Cracking IKE Mission:Improbable (Part 2)

A couple of weeks ago I posted Part 1 of Cracking IKE, detailing some useful techniques when cracking Aggressive Mode PSK hashes. In that post we saw that a hash is not always 'crackable' and additional steps are required in...

Breaking the Authentication Chain

This little post is going to talk about how authentication goes beyond just usernames and passwords. Authentication is something we all do, in fact you probably are authenticated by some system somewhere just with the information in your browser right...

Cracking IKE Mission:Improbable (Part 1)

All too often during pen tests I still find VPN endpoints configured to allow insecure Aggressive Mode handshakes. Fortunately, gaining access to the internal network as a result of this vulnerability remains a fairly complex task. Hopefully this series of...

OS Image Wrangling

On most PenTests, a lot of research goes into the things you find along the way. You find obscure software and other setups that can be a goldmine if you spend the time to do some research. On a recent test,...

New Year, New Data, Same Mistakes: Passwords

Like a late-arriving Christmas, one of the gifts of the new year is the release of SpiderLabs' annual white paper, the Global Security Report. As a supplement to this year's report, we're going to share some highlights of the corporate...