This week iPad owners had their emails leaked via a security vulnerability in the way iPads registered with AT&T’s 3G service. Approximately 114,000 email addresses were brute-forced from a script that was supposed to recognize an iPad owner’s ICC ID (a “unique” identifier which turned out to be predictable) and supply an AJAX response containing that ICC ID’s associated email address. The grey-hat security group that found the vulnerability brute-forced ICC IDs and analyzed the resulting successful … →
Defcon CTF Qualifiers
Every year the hacking community, both black- and white-hat, comes together in Las Vegas for the annual Black Hat and Defcon conferences. We discuss new attacks, show interesting research, release tools, and let loose a bit. Defcon in particular centers around a number of great competitions, the most prestigious of them being the Defcon Capture The Flag. Hacker teams from all over the world participate in the CTF qualifiers. This year 535 teams registered, 265 of which scored points. The top … →
Netsparker Community Edition – “The Sparkler”
Believe me when I say that we’ve used a lot of tools. We love scripts; we love things that free up our time to do the real analysis on a web application assessment. We have used w3af, nikto, Grendel Scan, etc., etc. We are really happy to see a community edition of a tool we have used in its pro incarnation: Netsparker. Netsparker announced today that it is releasing a community edition, lacking only a few features of the pro version. We … →
Skipfish, Google Enters the Web Scanner Fray
This morning the office was buzzing with Google hysteria. Google, which has already released great security tools like RATproxy, has now released a web application scanner similar to Nikto (and, to a lesser extent, the Nessus web checks) called Skipfish. Now, we understand that not everyone is a Goog-Fanboy, but we love testing new apps. We wrote a cursory install for a testbed machine here. Notice that Skipfish has very low overhead in the dependencies area, which is great. At first we tested Skipfish against a … →
Getsystem, Privilege Escalation via Metasploit
A few weeks ago Chris Gates (of Attack Research / Carnal Ownage) and Joshua Gauthier showed some quick snippets of Metasploit’s Getsystem extension. Getsystem is Meterpreter’s new (Windows) privilege escalation extension used in the priv module. Getsystem uses several techniques for privilege escalation: Windows impersonation tokens (fixed by MS09-012); abusing LSASS via token passing (Pass-the-Hash), which requires Administrator anyway; and exploiting weak permissions (read and write) on services (most of them run as SYSTEM by default, and if you are lucky they run … →
Nsploit: Nmap grows some teeth
Ryan Linn has started a project to bridge Nmap scans all the way to exploitation using Metasploit. Similar to the db_autopwn via Fast-Track script (available in BackTrack 4), Nsploit does even more granular service-level Nmap scanning to identify vulnerable software versions and map them to corresponding exploits. It then passes these to Metasploit and launches the pain at your target box. It uses Nmap’s NSE scripts to trigger Metasploit commands via XML-RPC. Anything we can identify with an Nmap script we can … →
Penetration Testing – Directory Bruteforcing
One thing you learn when you start a career in pentesting is: never assume anything. In my experience, hacks aren’t always elegant and elaborate. Sometimes something simple and effective is your avenue of penetration. Which brings us to today’s topic: directory bruteforcing. Directory bruteforcing is a favorite of mine. I can’t tell you how many times a directory listing has broken open a pentest for me. Whether it be that ever-elusive web admin panel, or a directory listing containing … →