Five Relays and a Patch

Hey all, We hired a new pair of co-op students recently. They're both in their last academic terms, and are looking for a good challenge and to learn a lot. So, for a challenge, I set up a scenario that forced them to use a series of netcat relays to compromise a target host and […]

Metasploit Express Beta – First Look

This post was written by Matt Gardenghi This is just initial impressions of a beta product. I've been playing with this for about a week now in an internal network.  I have a dedicated box running Ubuntu 10.04 and Metasploit Express.  I've noticed that Express loves CPU time but is much less caring about RAM.  […]

Stuffing Javascript into DNS names

Greetings! Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don't have access to, this can trigger stored cross-site scripting in some pretty nasty places. […]

Weaponizing dnscat with shellcode and Metasploit

Hey all, I've been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or "weaponizing dnscat", as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 […]

DNS Backdoors with dnscat

Hey all, I'm really excited to announce the first release of a tool I've put a lot of hard work into: dnscat. It's being released, along with a bunch of other tools that I'll be blogging about, as part of nbtool 0.04.

Pwning hotel guests

Greetings everybody! I spent a good part of the past month traveling, which meant staying in several hotels, both planned and unplanned. There's nothing like having a canceled flight and spending a boring night in San Francisco! But hey, why be bored when you have a packet sniffer installed? :)

Zombie Web servers: are you one?

Greetings! I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!

Scorched earth: Finding vulnerable SMBv2 systems with Nmap

Hello once again! I just finished updating my smb-check-vulns.nse Nmap script to check for the recent SMBv2 vulnerability, which had a proof-of-concept posted on full-disclosure. WARNING: This script will cause vulnerable systems to bluescreen and restart. Do NOT run this in a production environment, unless you like angry phonecalls. You have been warned!

Scanning for Microsoft FTP with Nmap

Hi all, It's been awhile since my last post, but don't worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon! In the meantime, I wanted to direct your attention to

Nmap 5.00 released — lots of new features!

View my post on Slashdot I'm just going to quote my Slashdot post inline.. check out the links for all the nitty gritty details. The bottom line is that 5.00 is awesome, and includes everything I've written as yet -- download it! :)

nbstat.nse: just like nbtscan

Hey all, With the upcoming release of Nmap 4.85, Brandon Enright posted some comments on random Nmap thoughts. One of the things he pointed out was that people hadn't heard of nbstat.nse! Since I love showing off what I write, this blog was in order.

WebDAV Detection, Vulnerability Checking and Exploitation

Ahoy! My name is Andrew and I've been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I'd jump in where he left off and post a bit about […]

WebDAV Scanning with Nmap

Greetings! This morning I heard (from the security-basics mailing list, of all places) that there's a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it!

Bypassing AV over the Internet with Metasploit

I performed all of this to learn more about data exfiltration, remote control, etc... over a tightly controlled corp environment. It was depressing actually.... It's far too easy to gain control of a corp network even one that is conscientious. This work is built on the info at Oh, let me just say thanks […]

Nmap 4.85beta9 released

In case you haven't heard, Fyodor released Nmap 4.85beta9 this week. This is the first release in awhile that wasn't related to my code (or, most properly, mistakes :) ). It looks like the new stable version will be here soon, so give this one a shot and report your bugs. Here's the download page.

Scanning for Conficker’s peer to peer

Hi everybody, With the help of Symantec's Security Intelligence Analysis Team, I've put together a script that'll detect Conficker (.C and up) based on its peer to peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used: nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \ --script-args=safe=1 -T4 -p445 <host> or […]

Using PsTools in a pentest

I'm going to start off this blog by wishing a happy birthday to a very important person -- me. :) Now, onto the content! PsTools is a suite of tools developed by Sysinternals (now Microsoft). They're a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As […]

nbtool 0.02 released! (also, a primer on NetBIOS)

All right, maybe 0.02 doesn't sound so impressive, but I've put a lot of work into it so eh? Anyway, I just finished putting together nbtool 0.02. It is partly a test program for myself, and partly a handy tool for probing NetBIOS networks. Here is a link to the tool itself (I've tested this […]