Information Gathering

A critical step when attempting to test the security of a target company/system/network is to gain a thorough understanding of what it is you plan to attack. While this may be handed to you in a neat little bundle if you're doing a white box test, there are a lot of situations where you may find yourself starting with little more than a web site or company name.

Note: If you are new to these concepts, then I recommend you TRY ALL of the concepts covered in this article. To be on the safe side, please try them in a lab where you have permission to run them.

With the amount of information available online, a lot of information can be generated about a target without even probing a target network (though that's definitely the next step). This includes searching publicly registered DNS names, searching forum postings, and even just googling for specific vulnerabilities. After we talk about some of the manual ways to do this, we'll look at tools to make this discovery even easier.

Patch Scanning with MBSA

If you can’t verify a security control is in place… then don’t count on it being in place. In talking to a friend, a large part of his company’s security protections relied on their firewall, Anti-virus, and patching. As we dug deeper into it, I found that they don’t really review the firewall logs, and both the AV and OS/Software patches were pushed centrally, but that’s where their process ended. They did no verification to make sure that the patches were successfully installed. Unfortunately, this practice of not validating the company’s protection mechanisms is fairly common.

Not every company can justify running out and buying Retina, or Shavlik’s NetChk, but it’s hard to argue with just getting an initial scan done to gauge the existing patch status using a free tool like Microsoft’s MBSA (Microsoft Baseline Security Analyzer). If you haven’t looked at this tool recently (or have never looked at it), it’s worth checking out. Let’s start with...

Verifying Checksums

These days, it’s not uncommon to download a known application from an unknown source. It may be because the site uses multiple download mirrors (many Linux distributions are downloaded this way), because the software was downloaded from a torrent, given to you by a friend, or for any number of other reasons. The good news is that it’s also not uncommon for software writers to post a checksum of the software on their website, to give users a way of validating the software. This checksum does no good if you don’t actually check it, so here are some very easy steps on how to do that.

Built-in Windows Port Re-director

The other day I was in the situation pictured below. Basically I had a command shell with admin privileges on Server1. What I really wanted was RDP (Remote Desktop) access to Server2, but I didn’t have direct access to it due to firewall restrictions. In this particular situation, trying to install any third-party tool would have been problematic. So what I needed was a built-in port re-director.

What’s wrong with an LM Hash?

As we’ve already discussed in the “Obtaining Windows Password Hashes” article, when you set your password (using Microsoft Windows as an example), it hashes your password, stores the hash, and then discards the actual password you supplied. So when user1 sets their super secret password to “password”, the system will hash it, and end up storing the resulting hash. The problem...

Password Salts

I’ve heard that storing the LM hash is a bad idea. Why?

Hmmm, where to start...

Cracking the Hash

After obtaining the password hash (for ways to do this, see the article here), we have to figure out what the password actually is. Well, okay, depending on what you’re trying to accomplish, you may be able to just pass the hash, but for the sake of this article we want to find out what the password actually is. The attack types we’ll look at here are...

Obtaining Windows Password Hashes

When attempting to determine the password on a Windows system, the first step is to get access to the hashed version of the password. Notice that I said that you’re trying to get the hashed version of the password, and not that you’re trying to get the actual password. This is an important distinction to make, and one that sometimes causes confusion in people new to the topic...