There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or…
Read
Having spent a career working with Group Policies, I thought now might be a good time to give an overview of it and I felt like doing a little writeup about Group Policies. I especially want to highlight why having admin access to clients can be really bad. It is important that everyone understands the weaknesses…
Read
Many of our customers follow the best practice of creating separate accounts for day-to-day tasks and administrative ones. In the event of an attack, using separate accounts is often a great way to slow things down and give security teams a little extra time for discovery and identification of an attack. Because many attacks happen…
Read
IT departments around the globe spend countless hours and money ensuring that their company’s data and infrastructure are properly secured. Startup company? Install a firewall and maybe get an antivirus subscription. Past the startup phase? Upgrade your firewall to have an Intrusion Prevention Sensor (IPS) and/or maybe an Intrusion Detection Sensor (IDS). Hitting the revenue…
ReadThis blog was written by Martin Bos, Senior Principal Security Consultant – TrustedSec Unless you’ve been living under a rock for the past few months you have probably heard about the dump from the 2012 LinkedIn hack being released. TrustedSec was able to acquire a copy of the list and use it for research purposes. Our…
ReadA while back Jeremy Druin asked me to be a part of a password cracking class along with Martin Bos. I was to cover the very basics, things like “What is a password hash?”, “What types are there?”, and “What is the history of passwords, hashes and cracking them?”. This got me thinking about a…
ReadI’ve been searching quite a while now for the best way to search for domain admin tokens, once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often…
ReadThroughout years of performing penetration tests, when encountering an Internet facing password reset page, we usually find at least one opportunity for improvement with it. As humans, we generally learn from our mistakes. For that reason, we’ll revisit three examples of how we were able to use and abuse services in the past. Our first…
Read