Blog: SANS Penetration Testing: Category - Uncategorized

I don't normally create new accounts on Windows systems, but when I do I use a long passphrase

[Editor's Note: Here's a nice little trick by Tim Medin on setting long Windows account passwords at the command line. Very useful stuff, especially in environments which mandate and enforce passwords longer than 14 characters. --Ed.]

by Tim Medin

Ever have a Meterpreter session with shell access on a Windows system and try to create an account with a long password/passphrase? We have this same problem with any sort of command injection or a netcat shell. It goes something like this...

C:\> net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters. Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

At ...

Setting up Backdoors and Reverse Shells on VMware Hypervisors

[Editor's Note: In this article, Dave Shackleford talks about how penetration testers can take advantage of some really useful capabilities of the Linux-derived and Linux-like structure of VMware's virtualization infrastructure to set up backdoors to access a VMware hypervisor machine. He covers some classic ESX stuff along with some techniques for the VMware ESXi hypervisor. It's a great application of some incredibly useful ideas. Thanks, Dave! --Ed.]

By Dave Shackleford

While many pen testers will undoubtedly come across virtualized systems, most will only encounter VMware hypervisor platforms like ESX and ESXi when testing internally or after pivoting internally from an external compromise. Another great way to come in contact with VMware hypervisors is to target the administrators themselves, usually through social engineering tactics.

But, as a professional penetration tester, why would you care to attack this virtual stuff? Well, aside from


Part 3: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In part 3 of this series on techniques penetration testers can use to analyze executable files, Yori Kvitchko takes a look at reverse compiling code, with specific tips for Python and Java. They are often chock full of useful stuff in pen testing, and Yori provides a bunch of helpful tips in teasing out their secrets! --Ed.]

By Yori Kvitchko

In the first part of this series, I discussed analyzing binary files and looking for hints about their communications streams. In the second part of the series, I delved into the data files that binaries often create. For the third and final blog post in this series about analyzing binaries, I'll be discussing some quick and easy techniques for


Invasion of the Network Snatchers: Part 2

[Editor's Note: In this follow-up article, Tim Medin continues the discussion of pen testing network devices via the Simple Network Management Protocol (SNMP). He provides really helpful hints and tidbits throughout! Please check it out. --Ed.]

By Tim Medin

In our last episode, we attacked network gear via SNMP. We scanned for SNMP-accessible devices. Then, we developed a good, fine-tuned word-list dictionary and used it to guess a valid read-write community string (the "password" that allows access via SNMP). With this community string, we were able to retrieve the configuration from a Cisco device. We have a running configuration... now what? First: PASSWORDS!

With cipher-text password representations in the configuration file, the obvious approach is to crack them to determine the clear-text passwords. But how does Cisco store


Part 2: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In his previous blog post, Yori Kvitchko provided a bunch of tips penetration testers could use to analyze binary files, focusing on network communications. This time around, Yori looks at application data files, a hugely important source of information that could include passwords, hashes, or other sensitive stuff leaking out of an application. The techniques Yori describes here are some important building blocks for all pen testers to apply to the applications we analyze. --Ed.]

by Yori Kvitchko

This blog post is the second in a series of three blog posts dedicated to quick and useful techniques for analyzing binaries. In my first post, I talked about how penetration testers and other analysts can find and isolate network traffic generated by a binary. This time we'll look at pillaging the various data files