SANS Penetration Testing: Category - Uncategorized

What's the Deal with Mobile Device Passcodes and Biometrics? (Part 2 of 2)

By Lee Neely

In the first installment of this two-part series, I discussed the use of mobile device fingerprint scanners to unlock the device. As a follow-up, I'd like to discuss how a developer can integrate the scanner into their applications. This discussion may provide some insights into how to secure mobile apps, or even inspire some hacking ideas (this is a pen-test-related blog, after all). At the end of the article below, I'll discuss some ideas for compromising this type of environment.

In part one, I introduced the secure environment used to manage fingerprints. This environment goes by a couple of names: most commonly it is called the Trusted Execution Environment (TEE), the term used on Android devices built on ARM TrustZone, or the Secure Enclave, Apple's name for it. In both cases, the term describes a separate environment consisting of hardware and software, isolated from the main operating system, which performs


Stuck on the #SANSBrochureChallenge? It's Ending Soon! Read inside for hints!

By Jeff McJunkin

(Haven't heard about the SANS Brochure Challenge? Catch up by reading here.)

As fun as it's been, the SANS Brochure Challenge will be ending next week, on October 27th. Once it ends, an esteemed panel of judges (including Ed Skoudis, Tim Medin, Tom Hessman, and Jeff McJunkin) and their dart-throwing monkeys will pore over all the submitted challenge write-ups and select our winners!

If you've already submitted your write-up, remember that you can update it at any point before the deadline passes! Just send another email to the same address, with the same subject line.

What can I win?

There are three ways to win this contest -- submit the *first* report, submit the best technical write-up, or win the random draw. Until the challenge closes on October 27th (any time zone, before midnight), the ...

I don't normally create new accounts on Windows systems, but when I do I use a long passphrase

[Editor's Note: Here's a nice little trick by Tim Medin on setting long Windows account passwords at the command line. Very useful stuff, especially in environments which mandate and enforce passwords longer than 14 characters. --Ed.]

by Tim Medin

Ever have a Meterpreter session with shell access on a Windows system and try to create an account with a long password/passphrase? We have the same problem with any sort of command injection or a netcat shell: the command stops to ask a question that nobody is there to answer. It goes something like this...

C:\> net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters. Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

At ...
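The following is an added example, not the trick from Tim Medin's post above, showing two ways to get past that confirmation prompt from a shell that has no interactive console (a Meterpreter shell, a netcat shell, or a command-injection point). The user name and passphrase are constructed sample values.

```batch
@echo off
REM Added example (not from the original post): create a local account with a
REM passphrase longer than 14 characters from a non-interactive shell, where
REM the "longer than 14 characters ... (Y/N)" confirmation would otherwise
REM block forever. User name and passphrase are constructed sample values.
set "NEWUSER=tim"
set "NEWPASS=Correct-Horse-Battery-Staple-2014"

REM Option 1: pre-answer the prompt through stdin. Note there is no space
REM before the pipe, so the echoed "Y" carries no trailing space.
echo Y| net user "%NEWUSER%" "%NEWPASS%" /add

REM Option 2 (alternative, shown commented out so the script does not try to
REM create the account twice): the net command family accepts /Y to answer its
REM own confirmation prompts; confirm this on the target build before relying
REM on it in a one-shot injection.
REM net user "%NEWUSER%" "%NEWPASS%" /add /Y

REM Verify the account was created and inspect its properties.
net user "%NEWUSER%"
```

Two practical notes. First, the warning text is about pre-Windows 2000 compatibility, not a hard limit: Windows 2000 and later accept passwords up to 127 characters, and because a password longer than 14 characters cannot be stored as an LM hash, the long passphrase is also a small defensive win for any account you leave behind. Second, in a command-injection context where you cannot control stdin at all, the `/Y` form is the one that works, which is why it is worth verifying ahead of time.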

Setting up Backdoors and Reverse Shells on VMware Hypervisors

[Editor's Note: In this article, Dave Shackleford talks about how penetration testers can take advantage of some really useful capabilities of the Linux-derived and Linux-like structure of VMware's virtualization infrastructure to set up backdoors to access a VMware hypervisor machine. He covers some classic ESX stuff along with some techniques for the VMware ESXi hypervisor. It's a great application of some incredibly useful ideas. Thanks, Dave! --Ed.]

By Dave Shackleford

While many pen testers will undoubtedly come across virtualized systems, most will only encounter VMware hypervisor platforms like ESX and ESXi when testing internally or after pivoting internally from an external compromise. Another great way to come in contact with VMware hypervisors is to target the administrators themselves, usually through social engineering tactics.

But, as a professional penetration tester, why would you care to attack this virtual stuff? Well, aside from


Part 3: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In part 3 of this series on techniques penetration testers can use to analyze executable files, Yori Kvitchko takes a look at decompiling code, with specific tips for Python and Java. Such binaries are often chock full of useful stuff in a pen test, and Yori provides a bunch of helpful tips for teasing out their secrets! --Ed.]

By Yori Kvitchko

In the first part of this series, I discussed analyzing binary files and looking for hints about their communications streams. In the second part of the series, I delved into the data files that binaries often create. For the third and final blog post in this series about analyzing binaries, I'll be discussing some quick and easy techniques for