mimikatz: Tool To Recover Cleartext Passwords From Lsass

Posted on December 20, 2011 by pentestmonkey

I meant to blog about this a while ago, but never got round to it. Here’s a brief post about very cool feature of a tool called mimikatz. I’m very grateful to the tool’s author for bringing it to my attention. Until that point, I didn’t realise it was possible to recover the cleartext passwords [...]

Posted in Blog

windows-privesc-check

Posted on December 20, 2011 by pentestmonkey

A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems – e.g. weak permissions on files, directories, service registry keys. I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state. I’d suggest giving it a [...]

Posted in Audit, Tools | Tags: audit, pentest, windows

Finding IP Addresses of Other Network Interfaces on Linux

Posted on October 16, 2011 by pentestmonkey

The scenario for this post is that you’re connected to the local LAN of the systems you’re pentesting – possibly in a DMZ or multi-tiered architecture.  If you’re on an externally-facing LAN, you may find that there aren’t many network services to explore. As your pentest starts to look more like a vulnerability assessment, you [...]

Posted in Uncategorized | Tags: ipstackquirks, pentest

gateway-finder

Posted on October 9, 2011 by pentestmonkey

Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet. This can be useful during internal pentests when you want to quickly check for unauthorised routes to the Internet (e.g. rogue wireless access points) or routes to other [...]

Posted in Misc, Tools | Tags: discovery, gateway, network, pentest, tool

The Science of Safely Finding an Unused IP Address

Posted on October 2, 2011 by pentestmonkey

During pentests you’re often allocated an IP by the client or can get one via DHCP. There are times, however, when the client might expect you to find a free IP on your own. Or you might want to check that the client hasn’t assigned you an IP address that’s already in use. I’m sure we’ve [...]

Posted in Blog | Tags: ipstackquirks

timing-attack-checker

Posted on September 25, 2011 by pentestmonkey

timing-attack-checker is a simple Perl script that helps you check for timing attacks. The most common form of timing attack I’ve noticed while pentesting is that the server may take longer to respond to a valid username than to an invalid username. This can be handy for bruteforcing a list of valid usernames. I’ll work [...]

Posted in Misc, Tools | Tags: pentest, perl, tool, userenumeration

Exposing only part of C: over Terminal Services

Posted on September 18, 2011 by pentestmonkey

Ken Johnson gives a useful tip on his blog about limiting access to your local drives when you make a Terminal Services connection.  This is not new, but it’s useful enough to be worth summarizing here. When I audit a system via Terminal Services, I usually map a drive to or from the system depending on [...]

Posted in Uncategorized | Tags: audit, pentest, terminalservices

Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)

Posted on September 11, 2011 by pentestmonkey

There are some excellent tools and techniques available to pentesters trying to convert their local admin rights into domain admin rights.  This page seeks to provide a reminder of some of the most common and useful techniques as well as rating their effectiveness to suggest which ones to try first. The premise of all the [...]

Posted in Uncategorized | Tags: pentest, windows

Reverse Shell Cheat Sheet

Posted on September 4, 2011 by pentestmonkey

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding [...]

Posted in Shells | Tags: bash, cheatsheet, netcat, pentest, perl, php, python, reverseshell, ruby, xterm

“Hackers for Charity” Needs You

Posted on September 3, 2011 by pentestmonkey

This is a quick post to draw attention to the request for donations from Hackers for Charity. They need to raise about 785 USD / month to fund the good work they’re doing in Uganda. Netsparker recently tweeted that they’re donating 785 USD.  Rapid7 are giving 5000 USD.  There are many more on the Donate [...]

Posted in Blog

SSH Cheat Sheet

Posted on August 28, 2011 by pentestmonkey

SSH has several features that are useful during pentesting and auditing.  This page aims to remind us of the syntax for the most useful features. NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples. SOCKS Proxy Set up a SOCKS proxy on 127.0.0.1:1080 that lets [...]

Posted in Cheat Sheets | Tags: pentest, ssh

The Ultimate Unix Cheat Sheet

Posted on August 14, 2011 by pentestmonkey

I just stumbled across Rosetta Stone for Unix, a brilliant page that lists how to do a large number of tasks in a variety of unix-like operating systems. I wish I’d found this years ago. It should be very handy for pentesting or auditing those less familiar unix flavours. I’ll definitely be taking a copy with [...]

Posted in Blog | Tags: audit, cheatsheet, unix

Exploiting A Tricky SQL Injection With sqlmap

Posted on August 21, 2011 by pentestmonkey

Like many pentesters, I’m a fan of sqlmap.  It’s often the first and last tool I reach for when exploiting boolean or time-based SQL injection vulnerabilities. I wanted to briefly document a slightly tricky SQL injection issue I encountered recently and a few of the sqlmap features that impressed me most. I initially noticed that [...]

Posted in Blog | Tags: pentest, sqlmap
