By Jeff McJunkin
Are you familiar with the Konami code? The one popularized by the Contra video game?
Pictured above: Tangentially related to SSH
If not, let me fill you in. This code is a sequence of control actions for some video games that'll let you jump forward in the game (some call it a "cheat," but I'd rather not judge.). The code itself is a series of button presses as follows (from Wikipedia):
Last Thursday, John Strand and I delivered a new webcast on post exploitation, covering all kinds of tips and tricks. I focussed on some of the cool stuff you can do with the Windows netsh command, including setting up port pivots, sniffing, and gaining remote access to a target's network configuration. John Strand discussed a new tool his team released that provides a command and control channel via gmail. We covered a lot of fun and useful material.
The slides are available here.
And, if you'd like to hear the webcast itself, you can do so
Extra! Extra! Read all about it! This week, many of you will be receiving our brand-spankin' new SANS Pen Test Poster in the mail. Please be on the lookout, because it's got some really cool stuff on attack surfaces, tools, and techniques. It's included in the mailing with the SANS Security West brochure.
The poster is chock full of some really nifty pen test advice from some of the best pen testers I know, including:
The poster includes several sections. On one side, we've got a description of the SANS
By Lee Neely & Chris Crowley
Recent updates to the Android OS have changed the permission model for external storage, and these changes will likely impact the way pen testers assess the actions and corresponding risks associated with applications, both malicious and benign, particularly when analyzing how they interact with external storage.
Consider this scenario: You are provided an application from an unknown third party to assess. Your assignment is to assess both the behavior and trustworthiness of the application. Because of the permission model changes, the application behaves differently when trying to access external storage than it would have in earlier releases of the Android OS.
In this article, we'll provide information on how the permission model changed and some tips and techniques you can leverage when you are assessing an application in your next Android pen test.
There were two changes ...
[Editor's Note: Chris Andre Dale has a nice article for us about cross-site-scripting attacks, and he's found a ton of them in various high-profile platforms on the Internet, especially in sites that display or process images. He even found one in WordPress and responsibly disclosed it, resulting in a fix for the platform released just a few weeks ago. In this article, Chris shares his approach and discoveries, with useful lessons for all pen testers. Oh... and if you are going to test systems, make sure you have appropriate permission and don't do anything that could break a target system or harm its users. Thanks for the article, Chris! --Ed.]
By Chris Andre Dale
XSS Here, XSS There, XSS Everywhere!
Today Cross-Site Scripting (XSS) is very widespread. While it is not a newly discovered attack vector, we still see it all the time in the wild. Do you remember back in the days, when you would click on a website's ...