Watch Out for UUIDs in Request Parameters

September 22, 2022

The Plugin: https://github.com/GeoffWalton/UUID-Watcher Some time ago on the TrustedSec Security Podcast, I shared a Burp Suite plugin I developed to hunt Insecure Direct Object Reference (IDOR) issues where applications might be using UUIDs or GUIDs (unique identifiers) as keys, assuming discovery attacks will not be possible. The plugin produces a report that helps identify which…

Read

I Wanna Go Fast, Really Fast, like (Kerberos) FAST

September 20, 2022

1    Introduction At TrustedSec, we weigh an information security program’s ability to defend against a single specified attack by measuring detection, deflection, and deterrence. Now while a majority of my blog posts have been concentrated around detection this post is more ‘deterrence’ focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…

Read

Practical Attacks against NTLMv1

September 15, 2022

1.1      Introduction This blog is meant to serve as a guide for practical exploitation of systems that allow for the NTLMv1 authentication protocol. While NTLMv1 is hardly ever needed anymore, a surprising number of organizations still use it, perhaps unknowingly. There are however some VPN products that still currently instruct their users to downgrade NLTM…

Read

Detection and Alerting: Selecting a SIEM

September 2, 2022

Summary Basic SIEM requirements should be in place to create mature detections for a variety of log sources, including network logs, system logs, and application logs (including custom applications). This focuses on Security Operations and does not include the engineering side of SIEM management, e.g., licensing, hardware/cloud requirements, retention needs, etc. Each component of the…

Read

Scraping Login Credentials With XSS

July 7, 2022

Unauthenticated JavaScript Fun In prior blog posts I’ve shown the types of weaponized XSS attacks one can perform against authenticated users, using their session to access and exfiltrate data, or perform actions in the application as that user. But what if you only have unauthenticated XSS? Perhaps your client hasn’t provided you with credentials to…

Read

A Diamond in the Ruff

July 5, 2022

This blog post was co-authored with Charlie Clark at Semperis 1.1      Background of the ‘Diamond’ Attack One day, while browsing YouTube, we came across an older presentation from Blackhat 2015 by Tal Be’ery and Michael Cherny. In their talk, and subsequent brief, WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING, they outlined something we…

Read

WMI Providers for Script Kiddies

June 9, 2022

Introduction So, this WMI stuff seems legit. Admins get a powerful tool which Script Kiddies can also use for profit. But there’s gotta be more, right? What if I want to take my WMI-fu to the next level? In the previous blog post, “WMI for Script Kiddies,” we described Windows Management Instrumentation (WMI). We detailed…

Read

Intro to Web App Security Testing: Burp Suite Tips & Tricks

May 26, 2022

A brief list of useful things we wish we had known sooner Burp Suite Pro can be complicated and intimidating. Even after learning and becoming comfortable with the core functionality, there remains a great deal of depth throughout Burp Suite, and many users may not stray far from the staples they know. However, after years…

Read

Pwnton Pack: An Unlicensed 802.11 Particle Accelerator

May 24, 2022

This past Christmas, I received a terrific gift from my in-laws: a replica Ghostbusters Proton Pack. I was thrilled. You see, growing up in the mid 80s, Ghostbusters was my jam. Fast forward 37 years and with the recent Ghostbusters: Afterlife film release, my nostalgia was hitting a fever pitch. Shortly after our Christmas dinner,…

Read

Splunk SPL Queries for Detecting gMSA Attacks

May 20, 2022

1    Introduction What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘golden’ opportunity. If you’re an enterprise defender, it’s something you need…

Read
  • Browse by Category

  • Clear Form