Author: doug

Quick blog, in response to a conversation I had. Where I was informed that this would be a cool thing to share. Recently, I was doing a simulated attack, playing the part of an individual who had gained access to a customer’s facilities. This customer had the usual stuff such as LLMNR spoofing etc which… Continue reading Clear Text Proxy Auth = Passwords

Password Generation Tool For most organisations one of the most prevalent security concerns remains users selection of secure passwords. Even when restricted through a reasonable password policy, users seem to continue to select passwords with some relevance to the geography of the area, the name of the business or popular sporting/hobbyist interests specific to the… Continue reading Password Generator – L337’r

Recently, well a while a go I had some vulnerabilities published. These were published elsewhere and due to extreme laziness I decided not to publish it here. Anyway, thought I would stick links in here to point back to the vulns. CVE2015-2342 7 Elements Advisory 7 Elements WriteUp VMWare Advisory 2 Others That we released… Continue reading CVE2015-2342 and Some other stuff

Recently I was testing an Web App that made use of AES encryption to generate tokens. I put together my own proof of concept code to generate the tokens and to decrypt the tokens using pycrypto. The code reads in strings from a separate file and then uses the Key and IV with the AES… Continue reading Python AES Web Token Generator

Okay so it might be a long time coming… Part 2: In part two we are again looking at Password Safe Apps but this time the App stores data in an unintelligible format (looks to be encrypted or at least encoded based on the method calls to read file in). Either way the files are… Continue reading IOS App Testing – Part 2

The first in a series of IOS app testing blogs, this blog will focus on some of the more simplistic IOS app vulnerabilities and how to exploit them. I won’t be wasting time talking/walking through the methods exactly and explaining all syntax used etc. This first blog is just to show how easy it can be… Continue reading IOS App Testing – Part 1

I decided to take two modules and crash them together to add some automation to some tasks that I seem to pick up often. I took the LSA Secrets module and the Domain Group Enum module and combined them to be one module. I then added some addition comparison functions to inform me if any… Continue reading Smart LSA Secrets Module

I was recently tasked with testing a Wake-On-LAN (WOL) solution. I haven’t done an awful lot with WOL before but so not to go into too much detail and bore you to death, a WOL packet is basically constructed by putting a DATAGRAM packet together with the data contents of a SYNC line followed by… Continue reading A Spoofing WAKE-ON-LAN Script

On a recent test I came across SNMP write access on a Windows box and really wanted to use it to lower the security posture of the server however at the time the only attacks that I could come up with were Denial of Service (change IP, name etc) or Pointless POC’s (writing a contact… Continue reading SNMP Process Sniper – Kill Windows Processes With SNMP Write Access

I came across a Mcafee EPO server not long ago and found that during an on host review it stores the SQL database connection details and encrypted password in a file within the EPO directory, “/conf/orion/db.properties”. The password is encrypted with a statically known key that is used on all EPO deployments of a similar version.

The good news is there is already a metasploit module created in which someone has kindly went to the effort to extract the encryption key.