Category: researchblog

Introduction To Red Teaming

When a company is proactively improving its security posture, various services and standards can help. Performing a penetration test of a production website or a vulnerability assessment of the internal network are valid methods of identifying material security issues. Despite the advantages of this approach, organisations are still […]

Fun with SQL Injection using Unicode Smuggling

During a recent test, I ran into a curious SQL injection vulnerability that required some old but still valid tricks to bypass certain restrictions, and then some imagination to fully exploit it and get command execution on the vulnerable server. First off, identifying the SQL injection was trivial, our good old friend, the single quote, […]

What is the difference between ISO 27001 and ISO 27002?

In short, ISO 27001 is the standard for implementing an Information Security Management System (ISMS) that companies are certified against. It details what organisations must implement in order to have an ISMS that meets the requirements of ISO 27001. To broadly generalise, ISO 27002 and a number of other standards in the same 27000 family, […]

OWASP Top 10 2017 Final Release Review

Back in May 2017, I reviewed the release candidate (RC1) of the OWASP (Open Web Application Security Project) Top Ten Web Vulnerabilities for 2017, which, as stated in that blog entry, was eventually rejected. To quote my previous OWASP introductory description for new readers: OWASP was founded in 2001 and since then it […]

Active Directory Password Auditing Part 2 – Cracking the Hashes

In part 1 we looked at how to dump the password hashes from a Domain Controller using NtdsAudit. Now we need to crack the hashes to recover the clear-text passwords. Hash types: first, a quick introduction to how Windows stores passwords in the NTDS.dit (or local SAM) files. If you’re not interested in the background, feel […]

How to Spot Phishing Email Attacks

Social engineering attacks are becoming increasingly popular amongst attackers as a strategy for breaching companies. A Verizon study of social engineering attacks found that over 43% of the documented breaches involved some form of social engineering. There is a reason why social engineering attacks are becoming an increasingly common attack […]

Quick Comparison Between iOS and Android Encryption

Encryption in mobile devices is tricky and often developers do not fully understand the mechanisms that iOS and Android, the most common operating systems for mobile devices, provide to ensure data stored on the devices remains relatively secure. In this blog post I will briefly discuss the current status for both operating systems and highlight […]

Discovering Sensitive Information in File Shares

When carrying out internal penetration testing engagements, one of the first areas a penetration tester will focus on is identifying which shares are accessible to low privileged domain users or anonymous users in the hope of finding sensitive information such as passwords, backup files or confidential documents. What confidential information can be found depends on […]

Active Directory Password Auditing Part 1 – Dumping the Hashes

One of the recurring issues in our internal penetration tests is inadequate password management, which in most cases leads to a fast takeover of the Active Directory (AD) domain. Most system administrators believe that enabling password complexity and setting a sensible minimum password length is enough. However, since “Password1” can pass the default Windows complexity […]
