SSRF attack is becoming famous and gets a lot of attention this year. Our company has performed some research in this area, and we got some interesting results, some interesting nuances which can be used to create good attack vectors. I'll show you one of them.
Read more »
-
Posted on December 24, 2012 | Filed under Blog
-
Let's continue our talk about variants of client-side attacks and turn our attention to MS Office's documents.As it was written in last blog post, we can create crafted Office's document and send it to users (via e-mail for example). When a user opens it, an office program tries to connect our server and give us user's credential.
Read more »Posted on April 25, 2011 | Filed under Blog -
Today we will talk about client-side attacks. An attack of a network is a progressive action. Usually, we escalate our rights step-by-step from nothing to a domain administrator. Even casual un-privileged users can give us something interesting, for example access to some shared resources.But how can we get these user rights?
Read more »Posted on April 5, 2011 | Filed under Blog -
When we talk about SMB Relay attacks we describe some actions from attacker which make Incoming NTLM authentication process from server "A" possible and then relay it to server "B". Finally attacker becomes successfully authenticated to server "B" by using account from server "A". We have already described this type of actions, that initialized authentication process from server "A" by using ERP functions or RDBMS stored procedures. There are many ways for server "A" to make SMB connection to attacker.
Read more »Posted on March 14, 2011 | Filed under Blog -
Like in the previous post, we'll talk about methods which need only non-privileged rights. Because we have too many ways for SMB Relay for privileged accounts, much depends from current situation and our rights.
Read more »Posted on March 9, 2011 | Filed under Blog -
Today we will talk about practical implementation of SMBRelay attack through one of the famous software which very often becomes a part of ERP systems. This is MS SQL server. The last version is 2008 (R2), but we can see 2005 and 2000 in real life too, because they take up big part of RDBMS application area. We will touch all of them.
Read more »Posted on February 28, 2011 | Filed under Blog -
Why are these attacks so critical for business applications and ERP systems? The well known PassTheHash vulnerabilities can be used for gaining a shell or password hashes. It is known that possibilities for passing the hash exist in many software but when penetration testing ERP, this type of attack is even more useful due to three things:
Read more »Posted on January 26, 2011 | Filed under Blog -
This is the first part of our encyclopedia of pass the hash / smbrealy attacks (SMBRelay Bible). The goal of this encyclopedia is to collect all possibilities of obtaining NTLM authentication for conducting SMB-relay attacks or stealing credentials.
Read more »Posted on January 26, 2011 | Filed under Blog