
Kerberos PreAuthentication and Party Tricks

Back in 2016, Geoffrey Janjua of Exumbra Operations Group presented at LayerOne on “Kerberos Party Tricks”, covering the abuse of user accounts that have Kerberos pre-authentication disabled.

The Python script he released at the time was a great proof-of-concept, but there are now alternative tools available for detecting and exploiting this issue.

Continue reading: Kerberos PreAuthentication and Party Tricks

ClickJacking and JavaScript KeyLogging in Iframes

This week I was asked some specific questions about the security of iframes. The questions arose from a PCI standpoint, for stores that use fully outsourced iframes to take payment.

The question was effectively: if an attacker can inject JavaScript into the framing (store) page, what effect can they have on the security of the site and of the payment page?

Short answer: The attacks are very limited.

Long answer:

Continue reading: ClickJacking and JavaScript KeyLogging in Iframes

Spoofing Packets and DNS Exfiltration

Following a successful penetration test, you may have large amounts of data to exfiltrate from an environment that has been specifically hardened to make exfiltration difficult. For example, the network might have a firewall that explicitly blocks common exfiltration channels, such as SSH, HTTPS and HTTP.

It is often still possible to exfiltrate data from such networks using DNS. For example, you could make a request for a domain name that you control, where the subdomain carries the information to be exfiltrated, such as sensitive-data-here.attacker.example.com. DNS is a recursive system: if you send this request to a local DNS server, it is forwarded from resolver to resolver until it reaches the authoritative server. If you control the authoritative server, you can simply read the sensitive data from its DNS logs.

Continue reading: Spoofing Packets and DNS Exfiltration

Information Security Strategy, Part 1

The Problems of Security Testing and Unmanageable Reports

I’d like to talk a little about security testing, the problem of information overload and issue prioritisation. To do this I intend to discuss, in broad terms, some of the problems with the various security testing options that organisations have.

I’ve written about some related topics before, if you’d like a warm-up:

However, today I’d like to look at security a little more strategically and discuss the wider problems with security testing, centred on the idea that there are three main problems with the way companies approach it:

Continue reading: Information Security Strategy, Part 1

An Introduction to PenTesting Azure

Introduction

I recently wrote an introduction to cloud computing and an introduction to PenTesting an AWS environment. AWS was a sensible place to start given that, as I noted there, in Q1 of 2018 Amazon held a 33% market share in cloud whereas Microsoft held only 13%. However, I did want to add a few notes here that are specific to PenTesting within Azure environments.

Continue reading: An Introduction to PenTesting Azure