Brian King // On a recent webapp test, I got a little frustrated with all the extra HTTP requests showing up in my Burpsuite Proxy History from connections that Firefox was making on its own. I was having to scroll around way more than I used to while trying to make sense of the traffic. […]
Sally Vandeven // OR How to Pentest with AD Explorer! Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. Maybe a little less known is that they are super helpful for pentesters too! One of my favorites is AD Explorer. My colleague Dave Fletcher, […]
Brian Fehrman // You’ve sent your phishing ruse, the target has run the Meterpreter payload, and you have shell on their system. Now what? If you follow our blogs, you probably have quite a few ideas! One thing that I don’t typically do is port scan other systems on the network. There are a few reasons […]
Carrie Roberts // EyeWitness is a handy tool developed by Chris Truncer for grabbing web browser screenshots from a list of URLs. Especially handy for pen-testers is its ability to create the list of target URLs from Nessus scan output files. Whenever I do a Nessus vulnerability scan against a client, I always run EyeWitness against […]
Brian Fehrman // Someone recently posed a question to BHIS about creating C2 channels in environments where heavily restrictive egress filtering is being utilized. Testers at BHIS, and in the industry as a whole, routinely run into this type of scenario. BHIS strongly encourages the use of egress filtering. As with many other security approaches, […]
Carrie Roberts // ProxyCannon is an amazing tool for automatically routing your traffic through multiple cloud servers to diversify the source IP addresses of your traffic. (Thank you #_shellIntel). As a pentester, I want to have my BurpSuite proxy traffic routed through ProxyCannon to help avoid detection of scans and attacks. Just yesterday I was […]
David Fletcher // The following techniques serve to illustrate methods for obtaining C2 communication in a particular Cylance protected environment. The configuration of the centralized infrastructure and the endpoint agents were not inspected prior to testing. The environment may exhibit configuration errors and may not conform with best practice for deployment of Cylance infrastructure. However, […]
Sally Vandeven // Back in November Beau Bullock wrote a blog post describing how his awesome PowerShell tool MailSniper can sometimes bypass OWA portals to get mail via EWS if it has not been configured with the same two-factor authentication (2FA) protection. I used that technique on a recent test and was able to abuse […]
Sally Vandeven & the BHIS Team // I was recently on an assessment where I was able to grab all the password hashes from the domain controller. When I extracted the hashes and saw that they were storing LANMAN hashes alongside the NTLM hashes I thought to myself …. Wow. I LOVE my job! There are many moments […]
