  • Bypassing Two-Factor Authentication on OWA and Office365 Portals
    FULL DISCLOSURE: BLACK HILLS INFORMATION SECURITY BELIEVES IN RESPONSIBLE DISCLOSURE OF VULNERABILITIES. THIS VULNERABILITY WAS REPORTED TO MICROSOFT ON SEPTEMBER 28TH, 2016. AS OF THE PUBLICATION DATE OF THIS POST (NOVEMBER 2ND, 2016) MICROSOFT HAS NOT RESPONDED WITH ANY UPDATES OTHER THAN TO SAY THERE ARE NO UPDATES. THE FULL TIMELINE OF THIS DISCLOSURE CAN BE FOUND IN A SECTION AT THE END OF THE BLOG POST. UPDATE as of 3pm MST 11/2/16: This blog post demonstrates a two-factor authentication bypass technique against Microsoft Outlook Web Access where the third-party 2FA vendor was DUO Security. It should be stated that this is NOT a vulnerability in DUO Security’s product. It is a problem in which ...
    Posted Nov 7, 2016, 5:52 AM by DAFT HACK
  • Attacking Exchange With MailSniper
    I’ve added a few modules to MailSniper that will assist in remote attacks against organizations that are hosting an externally facing Exchange server (OWA or EWS). Specifically, the modules are Get-GlobalAddressList, Invoke-PasswordSprayOWA, and Invoke-PasswordSprayEWS. Very often on external penetration tests we perform a reconnaissance phase that might yield us some email addresses or usernames of an organization. If we can successfully find valid credentials for any one of them, and the organization has an Outlook Web Access or Exchange Web Services portal, it is possible to download the entire Global Address List from the Exchange server. So, from one valid credential we can now have access to all email addresses for every employee of an ...
    Posted Oct 7, 2016, 9:15 AM by DAFT HACK
  • Introducing MailSniper: A Tool For Searching Every User's Email for Sensitive Data
    TL;DR: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper is available for download here: https://github.com/dafthack/MailSniper Overview: Oftentimes, on penetration tests we find ourselves having elevated access (Domain Admin) within an organization. Some firms stop there thinking that DA is the end goal. But it’s not. “Getting DA” means nothing to most members of the C-suite level if you can’t provide a picture of what that ...
    Posted Sep 29, 2016, 6:52 AM by DAFT HACK
  • How to Build Your Own Penetration Testing Drop Box
    TL;DR: I compared three single-board computers (SBC) against each other with the specific goal of finding which one would serve best as a “penetration testing drop box” while keeping the overall price around $110. Spoiler Alert: At the time I tested these, Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If you want to skip the SBC comparison and jump right to building your own pentest drop box, you can find the instructions below and also here. Overview: A few weeks ago I was scheduled for an upcoming Red Team exercise for a retail organization. In preparation for that assessment I started gathering all the gear I might need to properly infiltrate the organization ...
    Posted Sep 29, 2016, 6:48 AM by DAFT HACK
  • Storm Chasing: How We Hacked Your Cloud
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/?p=4975 Overview: The traditional methodology of a remote attacker who has no preconceptions of a target network used to be fairly static. With organizations moving to “the cloud”, the approach attackers are taking is going to change drastically, if it hasn’t already. In this blog post I am going to detail why, if your organization has moved its assets to the cloud, an attacker is likely going to make that their primary attack focus. They will likely succeed, and you will likely not know that it happened. Cloud Computing Primer: Scalable storage, easy collaboration between employees, and ...
    Posted Jun 2, 2016, 11:53 AM by DAFT HACK
  • Poking Holes in the Firewall: Egress Testing With AllPorts.Exposed
    If you have been even remotely in touch with technology in the past thirty years, you have probably heard of this thing called a “firewall”. If not, a “firewall” decides what does and does not get to proceed through it. Most organizations have one of these protecting their network from the rest of the Internet. Some organizations place them in the most opportune spots to segment off specific areas of their internal network. The system you are using right now to read this blog post most likely has a firewall built in. The general consensus about what a firewall does is that it keeps “bad stuff” from entering a protected network or system. But firewalls can also keep things from ...
    Posted May 3, 2016, 9:59 AM by DAFT HACK
  • REVIEW: Kali Linux Web Penetration Testing Cookbook
    I perform pentests against web applications on a regular basis, amongst other types of pentesting including internal network assessments, external network assessments, phishing, wireless, C2, pivot tests and more. In the past two years I've pentested around 40 different web applications for various organizations. I read the Kali Linux Web Penetration Testing Cookbook and wanted to share my thoughts on the book. TL;DR: This is a great book for introducing webapp attack vectors to new pentesters. There might be a section or two that seasoned pentesters find useful. I felt the author did a great job describing the tools and techniques in the book. The book lacks detail on the underlying web protocols, so don't expect to ...
    Posted Mar 29, 2016, 9:13 PM by DAFT HACK
  • Password Spraying Outlook Web Access - How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 2
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/#!Password-Spraying-Outlook-Web-Access-How-to-Gain-Access-to-Domain-Credentials-Without-Being-on-a-Targets-Network-Part-2/c1592/56c1f10e0cf2365fef58cce1 This is part two of a series of posts (see part 1 here) where I am detailing multiple ways to gain access to domain user credentials without ever being on a target organization's network. The first method involves exploiting password reuse issues, where a user might have reused the same password they used for their corporate domain account on another external service. The second method is what I think is a far more interesting way of ...
    Posted Mar 9, 2016, 5:21 PM by DAFT HACK
  • Exploiting Password Reuse on Personal Accounts - How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 1
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/#!Exploiting-Password-Reuse-on-Personal-Accounts-How-to-Gain-Access-to-Domain-Credentials-Without-Being-on-a-Targets-Network-Part-1/c1592/56c1ebf50cf247e929ac2069 In this series of posts I am going to detail multiple ways to gain access to domain user credentials without ever being on a target organization's network. The first method involves exploiting password reuse issues, where a user might have reused the same password they used for their corporate domain account on another external service. The second method is what I think is a far more interesting way of gathering user credentials that involves discovering ...
    Posted Mar 9, 2016, 4:55 PM by DAFT HACK
  • Stored XSS via Reflected XSS... or How Not to Fix Your Web Application
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/#!Stored-XSS-via-Reflected-XSS-or-How-Not-to-Fix-Your-Web-Application/c1592/56aa33c40cf289b6a281f44c Cross-Site Scripting (XSS) is a vulnerability commonly found in web applications that allows attackers to inject scripts that will execute in a target’s browser. Oftentimes these vulnerabilities are exploited to gain access to a target’s session tokens. There are a few different flavors of XSS that are known to exist. The most common form we find is Reflected XSS. Reflected XSS is typically found in form fields where the user’s input is reflected back to the browser. For example ...
    Posted Feb 1, 2016, 10:18 AM by DAFT HACK