SANS Penetration Testing: Monthly Archives: Apr 2013

The Bad Guys Are Winning, So Now What? Slides

By Ed Skoudis Below are the slides for my talk called "The Bad Guys Are Winning, So Now What?" It's my most requested talk ever. In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving … Continue reading The Bad Guys Are Winning, So Now What? Slides


SMB Relay Demystified and NTLMv2 Pwnage with Python

By Mark Baggett [Editor's Note: In this _excellent_ article, Mark Baggett explains in detail how the very powerful SMBRelay attack works and offers tips for how penetration testers can operationalize around it. And, better yet, about 2/3rds of the way in, Mark shows how you can use a Python module to perform these attacks in … Continue reading SMB Relay Demystified and NTLMv2 Pwnage with Python


Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In the article below, Yori Kvitchko kicks off a series of brief posts about quick and dirty but very useful techniques pen testers can apply to analyze stand-alone files (such as binaries, Flash files, etc.) that they encounter in penetration tests. There is a treasure trove of info in most stand-alone files you'll … Continue reading Quick and Useful Tricks for Analyzing Binaries for Pen Testers


A Most Enigmatic Adventure

Care for a little adventure story? How about one that is rooted in the history of cryptography, involves an elaborate hack that saved millions of lives, and features a bizarre twist with brain juice at the end? We have just the tale for you, and it's all a true story. Back in August 2012, Josh … Continue reading A Most Enigmatic Adventure


Using Volume Shadow Copies from Python

[Editor's note: Volume Shadow copies on Windows completely rock. They give administrative tools (and penetration testers) access to all kinds of wonderful things on Windows, including recently deleted files, files with a lock on them, and much more. They are almost like a nifty side channel into the guts of the Windows file system, making … Continue reading Using Volume Shadow Copies from Python


Putting the MY in phpMyAdmin

[Editor's note: In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he … Continue reading Putting the MY in phpMyAdmin


When Offense and Defense Become One

By Ed Skoudis Over the past month or so, I've been pondering a phenomenon and some of its implications, running the idea by some of my friends to spur some interesting conversations. I've spoken with penetration testers, security researchers, military planners, forensics experts, defensive operators, incident response specialists, red teamers, blue teamers, and a variety … Continue reading When Offense and Defense Become One


Pass-the-Hash Web Style

[Editor's Note: My goodness, there are a lot of ways to get authentication wrong in the web application world. In this article, my esteemed pants-wearing colleague, Tim Medin, describes a couple of problems we frequently find in web application penetration testing, and how to operationalize attacking them in your pen test projects. -Ed.] We all … Continue reading Pass-the-Hash Web Style


Command Injection Tips: Leveraging Command-line Kung Fu with nslookup

[Editor's Note: Tom Heffron provides some really cool tips for leveraging nslookup in web app command-injection attacks. His ideas for using environment variables are pretty nifty, and his point about how to launch this so that it doesn't require an authoritative DNS server is great. -Ed.] When I took the recent SANS SEC 560 vLive … Continue reading Command Injection Tips: Leveraging Command-line Kung Fu with nslookup