Automatically Routing Through New Subnets

Filed under Articles

Among the coolest features in metasploit is the ability to pivot through a meterpreter session to the network on the other side. The route command in msfconsole sets this up but requires a bit of typing to get right. [*] Meterpreter session 1 opened …


Postgres Fingerprinting

Filed under Articles

Many database servers helpfully provide version number, platform, and other salient details to just about anyone who asks, authenticated or not, which makes fingerprinting these applications a snap. However, Postgres is a little more coquettish about r…


Exploiting the Samba Symlink Traversal

Filed under Articles

Last night, Kingcope uploaded a video to youtube demonstrating a logic flaw in the Samba CIFS service (this was followed by a mailing list post). This bug allows any user with write access to a file share to create a symbolic link to the root filesyste…


Reproducing the “Aurora” IE Exploit

Filed under Articles

Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

Yesterday, a copy of the unpatched Internet Explorer exploit used i…


Wireless WEP (in)security

Filed under Articles

There is no question that wireless networks are notoriously insecure – it is difficult to protect something that you can’t see, that goes through walls, and on which everyone close enough can eavesdrop. Some corporations are still brave enough (or stupid enough) to allow wireless access to their corporate network, and more often than not they choose the deprecated wireless encryption protocol WEP to avoid compatibility issues. In this article we will demonstrate why allowing wireless access to the corporate network is not a good idea, especially if an old encryption algorithm like WEP is used.


DHCP starvation – quick and dirty

Filed under Articles

The DHCP starvation attack is quite simple to implement and therefore quite dangerous. It can be used to mount a denial of service attack on the local network, preventing legitimate clients from accessing network resources. In this article we will demonstrate how this attack can be deployed, and later we will go through the steps necessary to mitigate it on Cisco equipment.


DTP – Share it!

Filed under Articles

The one thing that is always overlooked when someone tries to secure a network is the user side. It is rare to see a DMZ network that is protected by a firewall from the users. The general idea is that if you are an internal user, you have legitimate access to the servers, so there is no need to protect them from you. In this article we will discuss a frequently overlooked feature of Cisco switches called DTP; we will explain why it is dangerous and what the steps are to disable it.


Capturing Logon Credentials with Meterpreter

Filed under Articles

In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case…


Remote Keystroke Sniffing with Meterpreter

Filed under Articles

Earlier this afternoon, I committed some code to allow keystroke sniffing through Meterpreter sessions. This was implemented as a set of new commands for the stdapi extension of Meterpreter. Dark Operator, author of many great Meterpreter scripts, alread…


IP over DNS

Filed under Articles

Sometimes while you are performing a penetration test, you need to break out of a supposedly isolated network, such as an internal VLAN in a bank or a network full of SCADA equipment. Such networks should be completely isolated from the Internet, so that there is no chance that someone with network access can implant a backdoor and either sneak out information or allow access from the outside. This article demonstrates how the often overlooked DNS service can be used to achieve these malicious goals, and why, when you configure an isolated network, you shouldn’t allow even name resolution of external hosts.
