Recently I spent a little time trying to integrate Hydra (THC-Hydra) into Nessus. I thought to share this so you might save a bit of time if you are trying to achieve the same thing. I have been told by the Nessus support team that if you have installed the latest version of Nessus, which […]
Dionach Admin
Information extracted from online documents
Hacking in the movies happens at breakneck speed. Someone needs access to some database or internal system hosting confidential data and the “genius coder” will fly their fingers across the keyboard before seconds later dropping the painfully trite and clichéd line “I’m in”. Hacking in real-life, whether performed during a sanctioned penetration test or genuine […]
Umbraco CMS Local File Inclusion
Umbraco CMS <= 7.2.1 is vulnerable to local file inclusion (LFI) in the ClientDependency package included in a default installation. Whether this vulnerability is exploitable depends on a number of configuration options, and on the exact version of Umbraco installed. The ClientDependency package, used by Umbraco, exposes the “DependencyHandler.axd” file in the root of the […]
Using Password Managers
Using a complex and unique password for each login is obviously important, however this can cause remembering all of your passwords to become very difficult and often leads to a compromise on password quality, as well as repeated uses of the same password. Using passwords that are uncommon but easily memorable also has the potential […]
CKEditor Drupal Module Cross Site Scripting
While doing a regular web application penetration test for one of our clients, I found a reflected cross site scripting in a very popular application, CKEditor, and more precisely in the module that this application has for Drupal. It was sort of curious, because the vulnerable page was actually the one in charge of checking […]
Brother MFC-J4410DW Printer Administration XSS
The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the “url” querystring parameter. This allows a user’s session to be hijacked or allows an attacker to take control of the user’s browser. For cross-site scripting to be exploited by an attacker, a victim needs to visit […]
Review of purposefully vulnerable applications to practice hacking
This post will be on the topic of exploitable testing platforms for learning how to conduct a penetration test. I will take you through a few programs I have used and give a bit of information about each and explain how they will help you increase your penetration testing skills. Before you get started There […]
Experience as a Dionach Intern: How I Was Taught
Four months ago I knew very little when it came to hacking – I had tried to look into it a little before, but had fallen into the traps of just reading about topics and not using the knowledge I had gained, or just knowing the basics about certain vulnerabilities and not properly understanding them. […]
Tips on creating and remembering a strong password
There’s one thing that I’ve learned from penetration testing, it’s that passwords need to be secure. According to recent research some of the most common passwords include ‘123456’, ‘qwerty’ and even ‘password’. These are very weak and should be avoided at all costs. However, complicated passwords can be hard to remember. If you continue reading I’ll […]
Disabling McAfee On-Access Scanning
In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run Windows Credentials Editor (WCE) because it was detected as a malicious threat in the McAfee on-access scan, as you can see below: The first thought was to disable […]