BERNARDO DAG
A WEBLOG ABOUT ME AND MY INFORMATION TECHNOLOGY THOUGHTS
Jun 13
DATA RETRIEVAL OVER DNS IN SQL INJECTION ATTACKS
We have recently implemented data retrieval over DNS in sqlmap. This data exfiltration technique adds to the six existing techniques already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is supported on Oracle (running either on UNIX/Linux or Windows) and Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).

Jan 25
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 6
Network services authentication credentials
Like LSA secrets, Windows stores passwords in a reversible format elsewhere.
When you log in to a network resource like a network share, a proxy server behind NTLM authentication, a database management system, a mail server, etc., you can often instruct your client to save the password, typically by simply ticking the box “Remember my password”.
Dec 28
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 5
Logon sessions
Windows stores in memory information about every current and past successful logon. These are called logon sessions. This information includes the username, the domain or workgroup name and both the LM and NT password hashes. Every time a legitimate user logs onto a Windows system, the Local Security Authority (LSA) stores this information in memory. This happens regardless of the logon type: interactive logon to the console or remote logon via Remote Desktop Protocol (RDP).

Dec 21
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 4
Cached domain logon information
Windows machines can be standalone workstations or part of a Windows domain in the role of server or workstation. When a user logs onto a workstation that is part of a domain, technically he can either log on as a local user or as a domain user, given that he has the credentials.
When logging on as a domain user, three pieces of information are required: username, password and domain name. The latter is usually provided as a drop-down menu listing all domains that the system is part of.

Dec 20
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 3
Password history
In the previous two posts of this series, I discussed how to dump Windows local users' password hashes (SAM) and Windows domain users' password hashes from domain controllers (ntds.dit). When the password policy setting is configured to enforce password history, Windows stores a certain number of used passwords before an old password can be reused. The following screenshot shows you where this policy can be set.

Dec 16
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 2
Conclusions on Windows Security Account Manager
In the previous post of this series, I briefly explained what the Windows Security Account Manager (SAM) is and how to dump Windows local users' password hashes from SAM, either having physical access to the target system or following a remote compromise of the machine (post-exploitation).
Remotely, there exist three possible techniques: legacy, volume shadow copies and in-memory dump.

Dec 14
DUMP WINDOWS PASSWORD HASHES EFFICIENTLY - PART 1
Windows Security Account Manager
Slightly modified definition from Wikipedia: The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 7. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Nov 10
THE TOP 125 COMPUTER SECURITY TOOLS
The security community has spoken! About 3,000 people have rated the best and most widely used computer security tools. The Nmap project has collected the results of their survey in a relaunched version of their SecTools.org project: Top 125 Network Security Tools. sqlmap has made it to place #30 overall: a great result considering that it is a two-developer-only project driven by passion, developed in our own spare time and with a large community of supporters, testers and enthusiasts.

Sep 14
REVERSE SHELLS ONE-LINERS
Inspired by the great blog post by pentestmonkey.net, I put together the following extra methods and alternatives for some methods explained in the cheat sheet. There is nothing cutting edge, however you may find this handy during your penetration tests. Citing pentestmonkey's blog post: If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.

Apr 16
MS10-070: PADDING ORACLE APPLIED TO .NET FRAMEWORK
A lot has already been said about T. Duong and J. Rizzo's research on Padding Oracle attacks, particularly against ASP.NET. I won't repeat any of it. I am just releasing, way late, my minor contribution. Microsoft replied to the research and subsequently released an initial mitigation that can be easily bypassed by tools like PadBuster - when used correctly. However, with the release of the patch, MS10-070, the issue has been correctly fixed.

Apr 15
REVERSE CONNECTION: ICMP SHELL
Background
Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant for, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g.

Apr 14
EXECUTE METASPLOIT PAYLOADS BYPASSING ANY ANTI-VIRUS
History
Back in 2009, a friend and I presented at the SOURCE Barcelona conference a technique to inject an alphanumeric-encoded shellcode in memory and execute it, bypassing any anti-virus software, amongst other features. This was part of a research effort included in sqlmap as a user-defined function for both MySQL and PostgreSQL. Recently, I have slightly modified the code to leverage the technique in a clever shellcode launcher, shellcodeexec.

Apr 13
SQLMAP 0.9 RELEASED
It has been a while since we released the previous stable version of sqlmap.
Nov 17
SQLMAP STATE OF ART - 4 YEARS LATER
sqlmap is nearly 4 and a half years old... older than my daughters ;) In the last 12 months a lot has been going on under the hood. Miroslav and I have been working hard trying to fix as many reported bugs as possible, getting back to You as promptly as possible and scheduling the development of new shiny features, some of them proposed by You. First and foremost, I would like to sincerely thank Miroslav for all of the amazing effort that he has put into the project as well as into users' support.

Jun 30
SQLMAP AND SOAP BASED WEB SERVICES
Last week a sqlmap user, Chilik Tamir, provided me with a patch to add basic support for SOAP based requests to the tool. I tested the patch, extended its functionalities and now sqlmap can also work against web services! Check it out from the Subversion repository. What follows is an example against IBM's demo web application Testfire, which is affected, amongst other vulnerabilities, by several SOAP based SQL injections. The credentials to log in are username jsmith, password Demo1234.
Jun 28
GOT DATABASE ACCESS? OWN THE NETWORK!
Earlier this month I attended the AthCon conference in Athens (Greece) where I gave a talk, met some very smart people, did some awesome sight-seeing of the Acropolis, had good food and better-than-UK weather ;)
My presentation was titled Got database access? Own the network! and the abstract is as follows: The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in the real world: how to abuse database features to take over the server as a whole

May 25
DEFCON 18 CTF QUALS WRITEUP: PWTENT PWNABLES 200
The third Defcon 18 CTF challenge that I solved with two team mates was Pwtent Pwnables 200.
Title: Running on pwn8.ddtek.biz. Enjoy
File: pp200_73774703181e8703d24.bin (mirrored here).
I downloaded the file and checked its type:
file pp200_73774703181e8703d24.bin
pp200_73774703181e8703d24.bin: python 2.3 byte-compiled
With DePython I de-compiled the byte-code and got its working Python source code.

May 25
DEFCON 18 CTF QUALS WRITEUP: PURSUIT TRIVIAL 200
The second Defcon 18 CTF challenge that I solved was Pursuit Trivial 200.
Title: sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA
Being it part of the trivial category, I thought immediately that the password for user sheep was baaAaaA and in fact, it was. I logged into the server over SSH and got a grey terminal where I could not type in any command. I thought that it was a local issue, but it wasn't. I tried to resize the terminal with no luck.

May 25
DEFCON 18 CTF QUALS WRITEUP: PACKET MADNESS 200
Last weekend I played Defcon #18 Capture The Flag quals together with some friends. We made up a team of less than 10 people who worked hard, as much as we could, slept very little and had a lot of fun. We ended up in the Top 60! I am going to post a few write-ups about the challenges that I have solved. Let's kick off with Packet Madness 200.
Title: These folks speak a different language. Join their site and translate the key for us.
File: pkt200_55216efa7a182fb0.pcap (mirrored here).

Mar 15
SQLMAP 0.8 RELEASED
It has been a while since I released the previous stable version of sqlmap. Now sqlmap 0.8 stable is out! Some of the new features include: Support to enumerate and dump all databases' tables containing user-provided column(s) by specifying, for instance, --dump -C user,pass.
Projects
* sqlmap: Automatic SQL injection and database takeover tool
* keimpx: Check for valid credentials across a network over SMB
* udfhack: Database takeover UDF repository
* shellcodeexec: Script to execute in memory a sequence of opcodes
* unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
* icmpsh: Simple reverse ICMP shell
* matew: Valid HTML/CSS image albums generator
* dbgtool: Portable executable to ASCII debug script converter
* MS08-067 security check (SMB Remote Code Execution)
* Miscellaneous tools and scripts

Whitepapers and Presentations
* Got database access? Own the network!
* Expanding the control over the operating system from the database
* Advanced SQL injection to operating system full control (whitepaper)
* Advanced SQL injection to operating system full control (slides)
* SQL injection: Not Only AND 1=1
* More presentations
Copyright 2007 - 2012, Bernardo Damele A. G.