Collaborate Disseminate
On a pentest we found that a kerberos ticket under account name administrator was cached on one of the SQL database servers, which allowed us to steal the ticket, pass-the-ticket and log onto the domain controller. The logon type was remot… Continue reading What is a secure way to log onto the domain controller?
From my understanding a typical way to achieve SEP buffer overflow (ignoring protections like DEP, SafeSEH, etc.) is to overwrite SEH with POP POP RET which goes back to nSEH which we control. nSEH will then be used to point … Continue reading Why can’t you jump from SEH straight to payload for SEH buffer overflow?
I am running an evil twin attack with eaphammer, by default it seems to capture mschapv2 authentication which contains the username and NETNTLM hashes. I have manually created a WiFi connection (on Windows) and manually selec… Continue reading Capturing cleartext authentication (EAP-TTLS/PAP) with WPA-2 Enterprise?
There are several attacks possible when embedding links with target=”_blank”. This is where rel=”noopener” and rel=”noreferrer” should help.
I am expecting that clicking the following link
<a href=”https://google.com” ta… Continue reading HTML link with "noopener" and/or "noreferrer" in Chrome/Chromium results in unexpected behaviour
I am testing an application that uses widget. These widgets are placed in the customer websites to use as some sort of tracking clicks device and returns some data too, therefore it is necessary to use CORS.
For example, in … Continue reading Cross Origin Resource Sharing null vs wildcard?
I am doing a security audit and discovered an Oracle Server pulling data from an ODS server in plaintext. I am able to sniff the traffic from one of the internal servers. Essentially, the Oracle server sends/makes SQL stateme… Continue reading How to prevent Oracle TNS protocol sending data in plaintext?
While performing a vulnerability assessment, I stumbled upon RIPv1 poisoning routing table attacks. The recommendation is to use RIPv2 with MD5 authentication. The idea is that the routes need to be authenticated by a passwor… Continue reading Is RIPv2 MD5 authentication insecure?
I am doing a verification test for a CORS issue that we discovered. When specifying an origin, the application used to respond with the allow origin to any URL. However, upon retest, the application now returns two Access-Con… Continue reading CORS returning two Access-Control-Allow-Origin headers?
I have an application that is protected by Cloudflare. The application responds with a HSTS on all of the other pages except HTTP status 403 Forbidden and 302 Moved Temporarily. It seems to be Cloudflare is responsible for it… Continue reading Does Strict-Transport Security Header (HSTS) need to be applied to non 200 response pages (e.g. 403, 302)
I’ve been tasked with an onsite engagement to see what I can find from one of their laptops. They have a policy in place to block USB access through the Active Directory, e.g. When you try to access the USB drive, you will ge… Continue reading Is it possible to bypass USB access restriction placed by the Active Directory? [closed]