Collaborate Disseminate
I have heard of larger companies are utilizing their own internal DNS servers to route through internal resources. And was wondering if there is any specific exploitation risks and considerations for these, especially related to loss of av… Continue reading Exploitation Risks and Considerations specific to running internal DNS servers
I’m aware that writing a file with a reserved name such as CON.txt or CON.mp3, aux.txt, lpt1.html, etc. is not allowed by Windows and can be leveraged for enumeration.
However, what about reading a file with a reserved name?
For example, i… Continue reading Is Reading Windows Reserved Filenames Through a URL Valid for OS Enumeration?
I’m having an issue trying to find decent queries that system admins and penetration testers use.
I’ve tried googling and i’ve even taken a class to try to understand it better.
Here are some of the queries I’ve used and I hope you want to… Continue reading Easy to run DSquery’s for pentesting and etc [closed]
While enumerating a DNS server for a HTB machine, I’ve tried finding a domain name for 127.0.0.1:
┌──(kali㉿kali)-[~]
└─$ dig -x 127.0.0.1 @10.10.11.166
; <<>> DiG 9.18.1-1-Debian <<>> -x 127.0.0.1 @10.10.11.166
;;… Continue reading DNS reverse lookup not finding domain name during enumeration
Using bloodhound I would like to find the list of all computers a user I.e "domain\ajohn" can RDP into.
I looked at:
match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH ‘-513’ AND NOT c.operatingsystem CONTAI… Continue reading How to get the list of computers a user can RDP into using BloodHound?
I know all baseline steps to do DNS enumeration over a domain. But my questions is: how can I enumerate a server when I do not know which domain it is managing and I only have its IP address?
My scenario: I discovered 2 DNS servers running… Continue reading DNS Enumeration by IP Address
Our organization is currently being tested by a IT security firm who have stated that while our internet facing mail gateway is not an open relay, they can connect to it on port 25 using telnet and check if an internal address is valid or… Continue reading Mail gateway allowing telnet connections
I have recently begun studying NMap. It offers a variety of options, each having clear advantages and disadvantages as to what information is disclosed and chance of being detected by possible layers of defense.
One of the options seems ra… Continue reading What does a probe packet look like and how does it interact with a server to determine services [closed]
Currently looking for a way to prevent unauthenticated user enumeration on a Domain Controller. This is a security precaution I’d like to implement, next to the existing measures taken prevent unauthorized DC access.
Kerbrute states the fo… Continue reading Is it possible to prevent Kerbrute from unauthenticated user enumation Active Directory?
When conducting an external pentest and the scope is broad covering everything owned by the client, how would you verify if the enumerated IP addresses belong to a client? Running ‘nslookup’ on the IP doesn’t always return anything and in … Continue reading Verifying IP addresses during pentest