Collaborate Disseminate
I am on a penetration test at the moment, where LM/NTMLv1 hashes are disabled. I have captured a number of NTLMv2 hashes via NBNS spoofing, however was unable to crack them after running them through rainbow tables.
I was ab… Continue reading Are there any ways to leverage NTLM V2 hashes during a penetration test?
I’m doing a penetration test for a client who wants me to try and target a specific server. I have managed to get credentials(hard-coded in an in-house app) to a limited account on this server that works with sftp, but won’t give a shell w… Continue reading Find the location of a hidden host [closed]
This is a Nessus finding, which is considered medium by default.
Basically it may allow for some plaintext injection which may allow for some man in the middling.
My question is, has these been exploited in the wild? Are t… Continue reading SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection- medium or low risk?
What is the best way to verify if an MSRDP server has NLA enabled or not?
My understand is that if enabled, it will not show a graphical screen when trying to connect, but ask for credentials first.
Would one way to verify this be to us… Continue reading Verifying NLA support on Remote Desktop
How can I connect to a HTTPS website using a specific SSL cipher, and view the output?
This would be useful when doing a vulnerability analysis and weeding out false positives, such as when a device advertises it supports a weak cipher b… Continue reading Force a specific SSL cipher
I have noticed during some assesments when doing a TCP port scan, Nmap will report almost every port as open for a machine.
Using for example nmap -sS -PN -T4 target -p0-65535, over 20,000 ports will be returned as open. On further invest… Continue reading Nmap reporting almost every port as open
When doing a vulnerability assessment on a large network, it seems general practice to determine which hosts on the network are live.
This can be done in various ways. From what I have read it is good to do some ICMP scans, perhaps use a … Continue reading Determining false positives when scanning for live hosts with Nmap
What is a good resource for wordlists used in auditing passwords in non english languages. I have extensive wordlists in English ranging to several GB’s, but can’t find similar resources for other languages.
As I understand it, SQL injection should only allow for the manipulation and retrivial of data, nothing more. Assuming no passwords are obtained, how can simple SQL injection be used to leverage a shell?
I have seen attacks … Continue reading Levraging a shell from SQL injection
I was browsing over this question and had some follow up questions from a practical perspective.
What tools will show the SSID of an AP with the SSID set to hidden or broadcasting disabled? I have looked at Kismet and similar tools but th… Continue reading Bypassing hidden SSID and MAC filtering "protection"