BLOG

Understanding HIPAA: Starting with the Rules

Medical community challenge: In a business environment where resources are limited, compliance requirements abound, and budgets are constantly struggling to meet cost containment targets, the complexity of the regulations your business is required to comply with can present a challenge. This challenge becomes even more difficult within the dynamic environment of hospitals, doctors’ offices, and…

Framework or Crash, the Choice is Yours!

Are you using a framework to establish your information security program? If not, I get it; it’s complicated. On second thought, have you lost your mind? I’ve been there. A number of years ago, while taking up a resolution to better document and organize a network that was developing rapidly, I began researching frameworks,…

Characteristics of a Relevant Information Security Program: Communications

In a business environment where resources are limited, compliance requirements abound, and budgets are constantly challenged to meet cost containment targets, this article will explore a strategy to align information technology (IT), information security (IS) (note: one is not necessarily inclusive of the other – a topic for another article), system and data owners (SDO), aka: your business units, and leadership.

Why 14 Characters?

While experts have agreed for decades that passwords are a weak method of authentication, their convenience and low cost have kept them around. Until we stop using passwords or start using multi-factor authentication (for everything), a need for stronger passwords exists. And as long as people create their own passwords that must be memorized, those passwords will remain weak and guessable. This blog/article/rant will cover a brief background of password cracking as well as the justification for SynerComm’s 14-character password recommendation.

OpenSSH < 7.7 - Username Enumeration Exploit

On August 15th, 2018 a vulnerability was posted on the OSS-Security list. This post explained that OpenSSH (all versions prior to and including 7.7) is vulnerable to username enumeration by sending a malformed public key authentication request (SSH2_MSG_USERAUTH_REQUEST with type “publickey”) to the service. Read more at our #_shellntel blog.

How to Build a 8 GPU Password Cracker

This build doesn’t require any “black magic” or hours of frustration like desktop components do. If you follow this blog and its parts list, you’ll have a working rig in 3 hours. These instructions should remove any anxiety of spending 5 figures and not knowing if you’ll bang your head for days. Read more at…

Luckystrike: An Evil Office Document Generator.

Luckystrike is a PowerShell based generator of malicious .xls documents (soon to be .doc). All your payloads are saved into a database for easy retrieval & embedding into a new or existing document. Luckystrike provides you several infection methods designed to get your payloads to execute without tripping AV. Read more at our #_shellntel blog.

Weaponizing Nessus

Once in a blue moon we come across a client that has truly done security right (or at least, tried really hard to do so). All the low hanging fruit has been trimmed: Responder doesn’t work, no passwords in GPP, all systems patched up to date, no Spring2016 passwords, etc. As frustrating as this is…

VPN over DNS

For some time now, we’ve been using DNSCat as a means to covertly transmit data during engagements where clients’ IDSs or firewalls might otherwise block us. The DNS protocol is often overlooked by system administrators, and as a result this tool has been immensely useful. Read more at our #_shellntel blog.

Websocket Based Egress Buster

It is common during a penetration test that a tester may run into the problem of figuring out which ports and maybe even which protocols are allowed out of an environment.  This is due to the need for a payload to successfully establish command and control.  With the adoption of layer 7 inspection for firewalls…

Abusing Exchange Web Service – Part 1

Outlook Web Access (OWA) has been one of the consistently viable attack vectors for pentesters and bad guys alike for many years. Frequently, an attacker will obtain valid credentials by brute forcing OWA portals exposed to the internet. Once credentials are obtained an attacker can then access the target network via any other single factor…

Why Security Awareness Training Fails

First, let’s talk about what “failure” is and is not in the context of Security Awareness Training (SAT). Failure is not when a company gets breached due to social engineering. Wait, what?? All the outstanding training in the world does not guarantee that an individual will follow it when the moment of testing occurs. Soldiers are trained…

Assisted directory brute forcing

Very frequently during a web application assessment, a pentester may begin by fingerprinting what web frameworks and libraries are used by a given application, possibly by running a tool such as blindelephant or whatweb. Commonly, though, the tester may just notice a unique identifier in the web traffic or URL. Consider the following: Read more…

crEAP – Harvesting Users on Enterprise Wireless Networks

With the demands of a mobile workforce, wireless networks in enterprise environments are quite common. Typically, enterprise wireless networks employ WPA-Enterprise security features, which remove the need for preshared keys (WPA2-PSK) that float around between employees, creating security concerns of sharing or unauthorized access upon termination, etc. Read more at our #_shellntel blog.

PowerShell Memory Scraping for Credit Cards

During the post exploitation phase of a penetration test, I like to provide the client with examples of what could happen if a breach were to take place.  One of the most common examples of this is credit card theft. To demonstrate this threat, I created a PowerShell memory scraper against whatever application (many times…

Intro To Active Directory Delegation

One of the most frequent questions I get from my CircleCityCon/DerbyCon Active Directory talk goes something like “You recommend that we delegate permissions in AD (as opposed to just dropping everything in Domain Admins), but I just inherited this domain and have no idea what delegation is. Help?” Read more at our #_shellntel blog.

Using PowerShell & Unicorn to Get Persistence

Recently I was on an engagement where I received a meterpreter shell only to have it die within minutes before I could establish persistence. Talk about frustration! I’ve never had the best of luck with Metasploit’s s4u_persistence module. Just to make sure, I did a quick test. I established a shell over tcp/53 on my Windows 7…

Creating your own private botnet for scanning.

[UPDATE] The tool has been re-written. New details can be found here: http://www.shellntel.com/blog/2015/9/9/update-creating-your-own-private-botnet-for-scanning

Often while scanning a network with nmap or other similar tools, at some point a NIDS or firewall will detect and block me. This is irritating. I wondered, what would happen if I could route my scans/attacks through a series of proxy…

Validating the Effectiveness of Your Controls

About six years ago, social engineering penetration tests became the norm for the A-Team.  In many of these tests, our team would attempt as many as 10-20 unique exploits against various applications and operating system functions.  This often included exploits against Flash, Java, Adobe Reader, MS Office and IE.  While one or two exploit attempts…
