Showing 114 results for: Penetration Testing ×

Linux Kernel ROP - Ropping your way to # (Part 2)

Introduction In Part 1 of this tutorial, we have demonstrated how to find useful ROP gadgets and build a privilege escalation ROP chain for our test system (3.13.0-32 kernel - Ubuntu 12.04.5 LTS). We have also developed a vulnerable kernel...

Linux Kernel ROP - Ropping your way to # (Part 1)

Kernel ROP In-kernel ROP (Return Oriented Programming) is a useful technique that is often used to bypass restrictions associated with non-executable memory regions. For example, on default kernels1, it presents a practical approach for bypassing kernel and user address separation...

Data Extraction via String Concatenation in a Blind SQL Injection Vulnerability

A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button. The SQL error message that was returned was the stuff dreams are made of (ie: a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application.

Mom Spies a Hack

Have you ever wondered if all that informal training you do with your friends & family is paying off? When you say things like "use trusted sites" or "don't give your password to anyone" you wonder if they'll remember those...

Adventures in Social Engineering: The Evil Reference

I recently completed a social engineering gig targeting four bank locations. After a phone call and a few e-mails, I was able to grab some victims' NTLMv2 domain hashed credentials. The Approach I developed a fictitious persona to help me...

Building my own personal password cracking box

Since 2003, I've spent a majority of my workdays hacking systems. I've collected tons of penetration testing tips and tricks and have shared some of them on this blog. As a part of my work as a penetration tester, cracking...

Reflected File Download - A New Web Attack Vector

PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif. On October 2014 as part of my talk at the Black...

Hacking a Reporter: UK Edition

Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sites on a U.S.-based reporter. This scenario, however, would...

Cracking IKE Mission:Improbable (Part3)

Introduction As discussed in parts 1 and 2 of this series, the most common VPN endpoints (responders) found supporting Aggressive Mode negotiation are Cisco devices. However, they are also almost always supported by a second factor authentication mechanism known as...

Monkey Patching the Matrix

For those of you not familiar with monkey patching, it’s a mechanism to “extend or modify the run-time code of dynamic languages without altering the original source code”. Previously, I demonstrated how monkey patching can modify the logic of a...

Baby's first NX+ASLR bypass

Recently, I've been trying to improve my skills with regards to exploiting memory corruption flaws. While I've done some work in the past with exploiting basic buffer overflows, format string issues, etc., I'd only done the most basic work in...

An Intro to NetSupport Manager Scripts

On a recent gig I was hit with hundreds of hosts running a service on port TCP 5405, the NetSupport remote management application. Running a version port scan on them revealed nothing more than: 5405/tcp open netsupport NetSupport PC remote...