Introduction I have conducted numerous firewall reviews for various types of organisations over the years. A common theme observed during these reviews is that most organisations do not have a firewall hardening procedure and/or do not conduct a regular firewall review which covers user accounts, exposed administrative interfaces, patch management and review of firewall rules. […]
Tag: infrastructure
Discovering Sensitive Information in File Shares
When carrying out internal penetration testing engagements, one of the first areas a penetration tester will focus on is identifying which shares are accessible to low privileged domain users or anonymous users in the hope of finding sensitive information such as passwords, backup files or confidential documents. What confidential information can be found depends on […]
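The triage step that follows share enumeration, as an added example (not code from the post): once a share readable by a low-privileged domain user has been mounted or copied locally (the enumeration itself, with smbclient or similar, is assumed to have happened already), walk it and flag files whose name or content suggests credentials, backups or system state. The filename and content patterns are this example's own starting set and the sample tree is constructed inline.

```python
"""Triage a mounted share for credential material.

Added example, not from the original post. Assumes the share is already
reachable as a local path (e.g. a mount point or an smbclient download).
The patterns below are a starting set, not an exhaustive list.
"""
import os
import re
import tempfile
from pathlib import Path

# Filenames that commonly hold credentials or full system state.
SENSITIVE_NAMES = re.compile(
    r"(?i)("
    r"unattend\.xml|sysprep\.inf|web\.config|\.kdbx$|\.pfx$|\.p12$|"
    r"id_rsa$|\.ppk$|\.bak$|\.old$|passw|credential|secret"
    r")"
)

# Content patterns: key=value secrets, connection strings, XML password
# elements and private keys.
SENSITIVE_CONTENT = {
    "password_assignment": re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+"),
    "connection_string": re.compile(r"(?i)(user id|uid)=[^;]+;.*?(password|pwd)=[^;]+", re.S),
    "xml_password_element": re.compile(r"(?i)<password>.*?</password>", re.S),
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

MAX_BYTES = 1_000_000  # skip reading large binaries into memory


def scan_share(root, max_bytes=MAX_BYTES):
    """Walk `root`; return sorted [(relative path, reason)] for suspicious files."""
    findings = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if SENSITIVE_NAMES.search(name):
                findings.append((rel, "filename"))
            try:
                if path.stat().st_size > max_bytes:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for label, pattern in SENSITIVE_CONTENT.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(set(findings))


def build_sample_share():
    """Constructed sample tree standing in for a mounted share (not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "IT/unattend.xml": "<AutoLogon><Password><Value>S3cret!</Value></Password></AutoLogon>",
        "Apps/web.config": '<add name="db" connectionString="Server=sql01;User ID=app;Password=Sup3r;"/>',
        "Backups/hr.bak": "binary blob",
        "Scripts/deploy.ps1": "$cred = 'svc_deploy'\n$password = 'Winter2019!'\n",
        "Docs/minutes.txt": "Nothing to see here.",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_share(build_sample_share()):
        print(f"{reason:22} {rel}")
```

Filename hits are cheap and worth acting on even when the content scan finds nothing (a `.bak` of a database or an `unattend.xml` is interesting regardless of what regexes match inside it); the content patterns catch the scripts and config files that have innocuous names.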
Scanning IPv6 Networks
As a networking student I remember reading about IPv6 and its imminent introduction on more than one occasion. Articles predicting the complete depletion of the IPv4 address space were plentiful and you could be forgiven for thinking that IPv4 would simply disappear overnight and be replaced with the new protocol. This didn’t turn out to […]
LogMeIn Rescue Unattended Service Privilege Escalation
LogMeIn Rescue is a well-known and widely used remote access tool, primarily designed for IT staff to provide end users with support. A typical LogMeIn Rescue session will look something like this: A user calls the support technician with a problem. The technician sends the user a link, which lets them download LogMeIn Rescue. The […]
Risk based Application Penetration Testing
It is generally accepted within the information security world that penetration testing is a good way to provide assurance as to the security of applications or infrastructures. With numerous companies offering these testing services, how do you differentiate and evaluate which company uses the best approach for your organisation? At Dionach we perform a large […]
Should I allow my pentester on my IPS?
Should I allow my penetration tester’s IP address range on my intrusion prevention system? Variations of this question have featured in numerous information security forums and mailing lists. Unfortunately, the factors and variables in play here are considerable so a worthy response is unlikely to be short or universal. This blog post aims to highlight […]
Different Ways of Transferring Files Into and Out of a Citrix Environment
During a recent engagement I was asked to perform a penetration test of a Citrix environment. One particular requirement of this test was to see whether I could transfer files back and forth between my local computer and the remote environment. The easiest way to transfer data was through their web proxy. Although it implemented […]
Splunk Web Shell
Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as “admin” and are granted the associated privileges without having to authenticate. Splunk is based on Django, and among the options it gives you when accessing the admin panel is one that is particularly attractive […]
Grabbing Microsoft SQL Server Password Hashes
Once you obtain domain administrator privileges during an internal penetration test, it is common practice to gather as much information as possible, including clear text credentials, password hashes, tokens and so on, in order to compromise the network further. One example is the Microsoft SQL (MS SQL) Server password hashes. Since version 2008 […]
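What the recovered hashes look like and how to check a guess against them offline, as an added example (not code from the post). It assumes the hashes were already pulled from the instance, for example with `SELECT name, password_hash FROM sys.sql_logins;` under a sysadmin login; the sample password and salt are constructed here, not taken from a real server.

```python
"""Reproduce and verify MS SQL Server login hashes offline.

Added example, not from the original post. The hash layout is:
    2-byte version | 4-byte salt | digest(UTF-16LE(password) || salt)
    0x0100 -> SHA-1   (SQL Server 2005 to 2008 R2)
    0x0200 -> SHA-512 (SQL Server 2012 and later)
Sample inputs below are constructed for the example.
"""
import hashlib
import hmac
import os

ALGORITHMS = {b"\x01\x00": "sha1", b"\x02\x00": "sha512"}
LABELS = {b"\x01\x00": "SQL Server 2005-2008 R2 (SHA-1)", b"\x02\x00": "SQL Server 2012+ (SHA-512)"}


def mssql_hash(password, salt=None, version=b"\x02\x00"):
    """Build a password_hash value the way the server does."""
    algo = ALGORITHMS[version]
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-16-le") + salt).digest()
    return version + salt + digest


def describe(stored):
    """Return (version label, salt hex) for a raw password_hash value."""
    version, salt = stored[:2], stored[2:6]
    if version not in ALGORITHMS:
        raise ValueError("unknown hash version %s" % version.hex())
    return LABELS[version], salt.hex()


def verify(password, stored):
    """Check a candidate password against a raw password_hash value."""
    version, salt, digest = stored[:2], stored[2:6], stored[6:]
    algo = ALGORITHMS.get(version)
    if algo is None:
        raise ValueError("unknown hash version %s" % version.hex())
    candidate = hashlib.new(algo, password.encode("utf-16-le") + salt).digest()
    # Constant-time compare; the 0x0200 digest is 64 bytes, 0x0100 is 20.
    return hmac.compare_digest(candidate, digest)


def to_crack_format(stored):
    """Hex form as exported from the server and consumed by offline crackers
    (hashcat mode 132 for 0x0100, mode 1731 for 0x0200)."""
    return "0x" + stored.hex()


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the output is reproducible.
    sample = mssql_hash("Winter2019!", salt=bytes.fromhex("0102030a"))
    print(describe(sample), to_crack_format(sample))
    print(verify("Winter2019!", sample), verify("winter2019!", sample))
```

Passwords are case-sensitive in these formats, unlike the SQL Server 2000 scheme that also stored an upper-cased hash, so a wordlist attack has to carry the exact casing. The exported hex form is fed straight into hashcat or John without reformatting.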
Integrating Hydra with Nessus
Recently I spent a little time trying to integrate Hydra (THC-Hydra) into Nessus. I thought to share this so you might save a bit of time if you are trying to achieve the same thing. I have been told by the Nessus support team that if you have installed the latest version of Nessus, which […]