During a recent penetration test I was able to gain access to a PostgreSQL 9.0 service. While the process for executing system commands from PostgreSQL 8.1 and before is straightforward and well documented – there is even a Metasploit module to make the process very simple – this was slightly more complex for PostgreSQL 9.x. […]
Discovering Sensitive Information in File Shares
When carrying out internal penetration testing engagements, one of the first areas a penetration tester will focus on is identifying which shares are accessible to low privileged domain users or anonymous users in the hope of finding sensitive information such as passwords, backup files or confidential documents. What confidential information can be found depends on […]
Active Directory Password Auditing Part 1 – Dumping the Hashes
One of the recurring issues in our internal penetration tests is inadequate password management, which in most cases leads to a fast takeover of the Active Directory (AD) domain. Most system administrators assume that simply enabling password complexity and setting a sensible minimum password length is enough. However, since “Password1” can pass the default Windows complexity […]
Scanning IPv6 Networks
As a networking student I remember reading about IPv6 and its imminent introduction on more than one occasion. Articles predicting the complete depletion of the IPv4 address space were plentiful, and you could be forgiven for thinking that IPv4 would simply disappear overnight and be replaced with the new protocol. This didn’t turn out to […]
Changes to the Cyber Essentials Questionnaire
A new version of the CREST Cyber Essentials questionnaire (part of the Cyber Essentials assessment) has been made available by CREST, with a grace period until 28 September 2017 during which the older version can still be used for submissions. There are several changes, which are summarised as follows. Passwords: A major change relates to the ongoing […]
Do You WannaCry? A Taste of SMB Exploitation
On Friday, 12th May 2017, an unprecedented ransomware attack named WannaCry infected more than 230,000 computers in 150 countries; a number of large organisations, such as the NHS, Telefónica, FedEx and Deutsche Bahn, were among the victims. WannaCry spreads across local networks and infects systems that have not been updated with recent Windows security updates […]
Analysing Java Stack Traces and Determining the Open Source Software Version
Stack traces are commonly used for debugging purposes by software developers in order to find what went wrong in the application they are developing. The traces contain useful information and only occur when something goes wrong, unless someone intentionally causes an error. These errors should be gracefully handled by their code, logged, and safely served […]
Reposcanner
Reposcanner is a Python script designed to scan Git repositories looking for interesting strings, such as API keys or hard-coded passwords, inspired by truffleHog. Sensitive information like this often gets included in the earlier stages of the development process (or accidentally), and is generally removed before the application or source code is released. However, since […]
Umbraco Forms Local File Inclusion
In a recent engagement, I was working on a fairly secure website and I came across an interesting Umbraco content management system (CMS) package called Umbraco Forms. Umbraco Forms versions 4.1.5, 4.2.1, 4.3.2 and earlier minor versions are vulnerable to local file inclusion (LFI) in the “GetExport” web API endpoint within the administration section. Umbraco […]
An Overview of OWASP Top 10 2017
The release candidate (RC1) version of OWASP (Open Web Application Security Project) Top Ten Web Vulnerabilities for 2017 has recently been published and it is currently undergoing a public comment period. OWASP Top 10 2017 has several changes and I deemed this a good chance to discuss the changes as well as reiterate some concepts. […]