An effective internal Penetration Test
There is a difference between a vulnerability scan and a penetration test, and security is an on-going process. “My servers are all fully patched, and we’ve fixed the weak administrator password that the last guys found. So I don’t really expect you to find anything!” The previous statement, paraphrased […]
Category: researchblog
List websites on Shared Servers using Bing API
Finding websites that are hosted on a particular IP address or that are hosted on a shared web server is a very useful part of information gathering during a penetration test. Bing supports searching for websites that are indexed on a particular IP address, and there are a few websites that provide this service too, […]
Penetration Testing: A Preventative Security Control
Penetration testing should be part of a preventative approach to Information Security and Security Control to ensure that vulnerabilities are not exploited. It is still a mystery as to why a large number of organisations do not take a more preventative approach to Information Security. There has been enough information in various publications about the […]
Non-Uniqueness of Passwords
Non-Uniqueness of passwords: Cracking administrator passwords stored as an LM Hash using an appropriate set of Rainbow tables in an internal pen test. The following scenario is based on a recent internal penetration test against a large private sector company, concentrating purely on one of the mechanisms used to obtain full control over the internal […]
Payment Processing Vulnerabilities
Handling card payments yourself is complicated and expensive (requiring PCI compliance), so for many organisations it’s often more economical to use a third party payment processor, such as PayPal or Google Checkout. Generally, the vendor website will implement its own shopping cart (bespoke or off-the-shelf), and when the user goes to checkout, they are redirected […]
Vulnerability: Grapecity DataDynamics Report Library Cross-Site Scripting
Grapecity’s DataDynamics Report Library is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. CVE: N/A. Published: Mar 24 2011 11:00AM. Vulnerable: Version 1.6.1871.61 and earlier. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may […]
Auditing Users in Active Directory
Active Directory (AD) is Microsoft’s proprietary take on the widely utilised Lightweight Directory Access Protocol (LDAP) hierarchical database engine and underpins access control and central management for any Microsoft Windows based enterprise network. It is an incredibly powerful system, but can become very difficult to administer if not handled carefully. As a result, regularly reviewing […]
Social Engineering and Phishing Email Attacks
In recent years networks have become more secure through server hardening and deployment of security devices such as firewalls and intrusion prevention systems. This has made it harder for hackers and cyber criminals to launch successful direct attacks from outside of the network perimeter. As a result, hackers and cyber criminals are increasingly resorting to […]
Active Directory Password Auditing (2012)
A customisable and straightforward how-to guide on password auditing during penetration testing and security auditing of Microsoft Active Directory accounts. Update October 2016: a more recent guide can be found in a later blog post here. I do a lot of password auditing during penetration testing and security auditing, mostly on Windows Active Directory accounts. There […]
Managing risks due to third party appliances and applications
During several recent penetration tests, my team and I have identified serious security vulnerabilities in systems which are fully patched, and are using reasonably secure authentication mechanisms, supported by effective session management. In many of these cases, the vulnerabilities have been identified in third-party systems and applications, often in the form of dedicated appliances, rather […]