SANS Penetration Testing: Category - Uncategorized

Stuck on the #SANSBrochureChallenge? It's Ending Soon! Read inside for hints!

By Jeff McJunkin

(Haven't heard about the SANS Brochure Challenge? Catch up by reading here.)

As fun as it's been, the SANS Brochure Challenge will be ending next week, on October 27th. Once it ends, an esteemed panel of judges (including Ed Skoudis, Tim Medin, Tom Hessman, and Jeff McJunkin) and their dart-throwing monkeys will pore through all the submitted challenge write-ups and select our winners!

If you've already submitted your write-up, remember that you can update it at any point before the deadline passes! Just send another email to the same address, with the same subject line.

What can I win?

There are three ways to win this contest -- submit the *first* report, submit the best technical write-up, or win the random draw. Until the challenge closes on October 27th (any time zone, before midnight), the ...

I don't normally create new accounts on Windows systems, but when I do I use a long passphrase

[Editor's Note: Here's a nice little trick by Tim Medin on setting long Windows account passwords at the command line. Very useful stuff, especially in environments which mandate and enforce passwords longer than 14 characters. --Ed.]

by Tim Medin

Ever have a Meterpreter session with shell access on a Windows system and try to create an account with a long password/passphrase? We have this same problem with any sort of command injection or a netcat shell. It goes something like this...

C:\> net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters. Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

At ...

Setting up Backdoors and Reverse Shells on VMware Hypervisors

[Editor's Note: In this article, Dave Shackleford talks about how penetration testers can take advantage of some really useful capabilities of the Linux-derived and Linux-like structure of VMware's virtualization infrastructure to set up backdoors to access a VMware hypervisor machine. He covers some classic ESX stuff along with some techniques for the VMware ESXi hypervisor. It's a great application of some incredibly useful ideas. Thanks, Dave! --Ed.]

By Dave Shackleford

While many pen testers will undoubtedly come across virtualized systems, most will only encounter VMware hypervisor platforms like ESX and ESXi when testing internally or after pivoting internally from an external compromise. Another great way to come in contact with VMware hypervisors is to target the administrators themselves, usually through social engineering tactics.

But, as a professional penetration tester, why would you care to attack this virtual stuff? Well, aside from


Part 3: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In part 3 of this series on techniques penetration testers can use to analyze executable files, Yori Kvitchko takes a look at reverse compiling code, with specific tips for Python and Java. They are often chock full of useful stuff in pen testing, and Yori provides a bunch of helpful tips in teasing out their secrets! --Ed.]

By Yori Kvitchko

In the first part of this series, I discussed analyzing binary files and looking for hints about their communications streams. In the second part of the series, I delved into the data files that binaries often create. For the third and final blog post in this series about analyzing binaries, I'll be discussing some quick and easy techniques for


Invasion of the Network Snatchers: Part 2

[Editor's Note: In this follow-up article, Tim Medin continues the discussion of pen testing network devices via the Simple Network Management Protocol (SNMP). He provides really helpful hints and tidbits throughout! Please check it out. --Ed.]

By Tim Medin

In our last episode, we attacked network gear via SNMP. We scanned for SNMP-accessible devices. Then, we developed a good, fine-tuned word-list dictionary and used it to guess a valid read-write community string (the "password" that allows access via SNMP). With this community string, we were able to retrieve the configuration from a Cisco device. We have a running configuration... now what? First: PASSWORDS!

With cipher-text password representations in the configuration file, the obvious approach is to crack them to determine the clear-text passwords. But how does Cisco store