Five Relays and a Patch

Hey all, We hired a new pair of co-op students recently. They're both in their last academic terms, and are looking for a good challenge and to learn a lot. So, for a challenge, I set up a scenario that forced them to use a series of netcat relays to compromise a target host and […]

Defeating expensive lockdowns with cheap shellscripts

Recently, I was given the opportunity to work with an embedded Linux OS that was locked down to prevent unauthorized access. I was able to obtain a shell fairly quickly, but then I ran into a number of security mechanisms. Fortunately, I found creative ways to overcome each of them. Here's the list of the […]

Metasploit Express Beta – First Look

This post was written by Matt Gardenghi. This is just initial impressions of a beta product. I've been playing with this for about a week now in an internal network. I have a dedicated box running Ubuntu 10.04 and Metasploit Express. I've noticed that Express loves CPU time but is much less caring about RAM. […]

Confidential Information in the Cloud

This is another special blog written by Matt Gardenghi! My boss passed around a document about database security in the cloud. It raised issues about proper monitoring of the DB, but offered no solutions. This got me thinking. I hate it when that happens. It's like an automatic "boss button" that I can't switch off. […]

Stuffing Javascript into DNS names

Greetings! Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don't have access to, this can trigger stored cross-site scripting in some pretty nasty places. […]

Exotic XSS: The HTML Image Tag

There are the usual XSS tests.  And then there are the fun ones.  This is a story about a more exotic approach to testing XSS.... I was testing a company that had passed all XSS tests from their pentester.  I found that they allowed users to write HTML tags.  Of course they didn't permit <script> […]

Are you a “Real” hacker or just a skiddie?

This is yet another guest post from our good friend Matt Gardenghi! If you enjoy this one, don't forget to check his last one: Trusting the Browser (a ckeditor short story). ------------------ Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie. That is a dumb […]

Weaponizing dnscat with shellcode and Metasploit

Hey all, I've been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or "weaponizing dnscat", as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 […]

Trusting the Browser (a ckeditor short story)

My name is Matt Gardenghi. Ron seems to think it important that this post be clearly attributed to someone else (this fact might worry me). I'm an occasional contributor here (see: Bypassing AV). I handle security at Bob Jones University and also perform pentests on the side. (So if you need someone to do work, […]

How big is the ideal dick…tionary?

Hey all, As some of you know, I've been working on collecting leaked passwords/other dictionaries. I spent some time this week updating my wiki's password page. Check it out and let me know what I'm missing, and I'll go ahead and mirror it. I've had a couple new developments in my password list, though. Besides […]

DNS Backdoors with dnscat

Hey all, I'm really excited to announce the first release of a tool I've put a lot of hard work into: dnscat. It's being released, along with a bunch of other tools that I'll be blogging about, as part of nbtool 0.04.

smb-psexec.nse: owning Windows, fast (Part 2)

Posts in this series (I'll add links as they're written): What does smb-psexec do? Sample configurations ("sample.lua") Default configuration ("default.lua") Advanced configuration ("pwdump.lua" and "backdoor.lua")

smb-psexec.nse: owning Windows, fast (Part 1)

Posts in this series (I'll add links as they're written): What does smb-psexec do? Sample configurations ("sample.lua") Default configuration ("default.lua") Advanced configuration ("pwdump.lua" and "backdoor.lua")

Pwning hotel guests

Greetings everybody! I spent a good part of the past month traveling, which meant staying in several hotels, both planned and unplanned. There's nothing like having a canceled flight and spending a boring night in San Francisco! But hey, why be bored when you have a packet sniffer installed? :)

Nmap 5.00 released — lots of new features!

View my post on Slashdot. I'm just going to quote my Slashdot post inline.. check out the links for all the nitty gritty details. The bottom line is that 5.00 is awesome, and includes everything I've written as yet -- download it! :)

WebDAV Detection, Vulnerability Checking and Exploitation

Ahoy! My name is Andrew and I've been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I'd jump in where he left off and post a bit about […]