Whilst there is a wealth of information out there about how to build environments that can be used for training, offensive tradecraft development and blue team response detection, a vital part of these environments is hard to emulate. A computer...
SpiderLabs Blog
David Middlehurst of Trustwave SpiderLabs presented at the first ever conference dedicated to the Mitre ATT&CK framework earlier this week, on October 23, 2018.
A short intro to Password Spraying and an introduction to a tool built to simplify it
The seventh entry on the most recent OWASP Top 10 release (from 2013, due to the 2017 release candidate being rejected!) is "Missing Function Level Access Control", which is essentially what leads to Privilege Escalation issues. This common vulnerability related...
Brute force attacks against smartphones are not usually a viable attack vector. Manufacturers employ scaling lockouts that progress into longer and longer periods between attempts and, if the user is security conscious, the device may wipe after 10 attempts. However...
Over the years WiFi Routers have been notoriously susceptible to simple attacks. In early 2017, Trustwave SpiderLabs Researcher Simon Kenin identified 43 different models of Netgear Router to be vulnerable to Remote and Local Password Disclosure. More recently, in May...
I was recently working on an external network penetration test where I identified a new vulnerability in a file sharing web application called Serv-U by SolarWinds. This vulnerability granted me administrative privileges to the Serv-U application and allowed for remote...
Introduction In Part 1 of this tutorial, we have demonstrated how to find useful ROP gadgets and build a privilege escalation ROP chain for our test system (3.13.0-32 kernel - Ubuntu 12.04.5 LTS). We have also developed a vulnerable kernel...
Kernel ROP In-kernel ROP (Return Oriented Programming) is a useful technique that is often used to bypass restrictions associated with non-executable memory regions. For example, on default kernels[1], it presents a practical approach for bypassing kernel and user address separation...
Looking for vulnerabilities in mobile applications and smart home devices presents multiple challenges. One of these is the ability to intercept and edit encrypted communication between a device and the server it talks to. Knowing the content of the communication is very...
A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button. The SQL error message that was returned was the stuff dreams are made of (i.e. a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application.
Have you ever wondered if all that informal training you do with your friends & family is paying off? When you say things like "use trusted sites" or "don't give your password to anyone" you wonder if they'll remember those...
I recently disclosed a low-risk vulnerability in Linux-PAM versions prior to 1.2.1 which allows attackers to conduct username enumeration and denial-of-service attacks. The purpose of this post is to provide more technical details around this vulnerability. The Past...
I recently completed a social engineering gig targeting four bank locations. After a phone call and a few e-mails, I was able to grab some victims' NTLMv2 domain hashed credentials. The Approach I developed a fictitious persona to help me...
The Bug On the x64 version of Windows 20...
Since 2003, I've spent a majority of my workdays hacking systems. I've collected tons of penetration testing tips and tricks and have shared some of them on this blog. As a part of my work as a penetration tester, cracking...
I’ve always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a...
PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif. In October 2014 as part of my talk at the Black...
Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sights on a U.S.-based reporter. This scenario, however, would...
Introduction As discussed in parts 1 and 2 of this series, the most common VPN endpoints (responders) found supporting Aggressive Mode negotiation are Cisco devices. However, they are also almost always supported by a second-factor authentication mechanism known as...