Manipulating User Passwords Without Mimikatz

March 3, 2022

There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services where Pass-the-Hash is not an option. You don’t have their NT hash or…


Local Admin Access and Group Policy Don’t Mix

January 24, 2019

Having spent a career working with Group Policies, I thought now might be a good time to give an overview of them and do a little writeup on how they work. I especially want to highlight why having admin access to clients can be really bad. It is important that everyone understands the weaknesses…


Credential Re-Use in the Enterprise

July 3, 2018

Many of our customers follow the best practice of creating separate accounts for day-to-day tasks and administrative ones. In the event of an attack, using separate accounts is often a great way to slow things down and give security teams a little extra time for discovery and identification of an attack. Because many attacks happen…


It Was the “Summerof2018” – Password Auditing for Windows Administrators

April 19, 2018

IT departments around the globe spend countless hours and dollars ensuring that their company’s data and infrastructure are properly secured. Startup company? Install a firewall and maybe get an antivirus subscription. Past the startup phase? Upgrade your firewall to add an Intrusion Prevention System (IPS) and/or an Intrusion Detection System (IDS). Hitting the revenue…


Introduction to GPU Password Cracking: Owning the LinkedIn Password Dump

June 17, 2016

This blog was written by Martin Bos, Senior Principal Security Consultant – TrustedSec. Unless you’ve been living under a rock for the past few months, you have probably heard about the dump from the 2012 LinkedIn hack being released. TrustedSec was able to acquire a copy of the list and use it for research purposes. Our…


Of History & Hashes: A Brief History of Password Storage, Transmission, & Cracking

May 29, 2015

A while back Jeremy Druin asked me to be a part of a password cracking class along with Martin Bos. I was to cover the very basics, things like “What is a password hash?”, “What types are there?”, and “What is the history of passwords, hashes and cracking them?”. This got me thinking about a…


Account Hunting for Invoke-TokenManipulation

January 30, 2015

I’ve been searching for quite a while now for the best way to find domain admin tokens once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often…
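The spool-and-grep step described above, as an added shell example that is not part of the original post: it reads the spooled scanner output on stdin, takes a Domain Admins member list as its argument, and prints only the hosts where a DA is logged in. The line format of the spooled output, the host addresses and the account names are constructed assumptions; adjust the awk field if your spool file is laid out differently.

```shell
#!/bin/sh
# Added example (not from the original post): reduce spooled Metasploit
# psexec_loggedin_users output to the hosts where a Domain Admin has a session.
# The spool line format below is an assumption used for illustration.

# Constructed sample of spooled scanner output.
SPOOL_SAMPLE='[*] 10.0.0.11:445 - Current logged on users
[+] 10.0.0.11:445 - CORP\jsmith
[+] 10.0.0.12:445 - CORP\svc_backup
[+] 10.0.0.12:445 - CORP\da_admin
[+] 10.0.0.13:445 - CORP\jdoe
[+] 10.0.0.13:445 - CORP\da_ops
[+] 10.0.0.14:445 - CORP\xda_admin'

# Constructed "Domain Admins" membership, one sAMAccountName per line
# (the kind of list you get from: net group "Domain Admins" /domain).
DA_LIST='da_admin
da_ops'

# Turn the member list into an ERE alternation, escaping regex metacharacters
# so a name such as "svc.admin" is matched literally rather than as a wildcard.
da_regex() {
  printf '%s\n' "$1" | sed 's/[][\\.^$*+?(){}|]/\\&/g' | paste -sd '|' -
}

# usage: find_da_sessions "<da list>" < spool-output
# Anchors on DOMAIN\name at end of line, so "da_admin" does not also match
# the unrelated account "xda_admin" on 10.0.0.14.
find_da_sessions() {
  [ -n "$1" ] || { echo "find_da_sessions: empty Domain Admins list" >&2; return 1; }
  pattern="\\\\($(da_regex "$1"))\$"
  grep -E "$pattern" | awk '{print $2}' | sed 's/:[0-9]*$//' | sort -u
}

# Demo: prints 10.0.0.12 and 10.0.0.13, the two hosts holding DA sessions.
printf '%s\n' "$SPOOL_SAMPLE" | find_da_sessions "$DA_LIST"
```

In practice the spool file and the group listing come from the engagement rather than inline strings; the end-of-line anchor matters because a loose substring match against a long DA list produces false positives that waste time on hosts with no usable token.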


Abusing Internet Facing Password Resets (and a 0-day)

January 7, 2014

Throughout years of performing penetration tests, when encountering an Internet facing password reset page, we usually find at least one opportunity for improvement with it. As humans, we generally learn from our mistakes. For that reason, we’ll revisit three examples of how we were able to use and abuse services in the past. Our first…
