With the upcoming release of King Phisher v1.1, there will come a new way to Phish through calendar invites. "Why calendar invites?" you might ask. Well, when you get a typical calendar invite, how likely are you to thoroughly read through it? People tend to check the sender and, maybe, their availability and then accept. Only when it's time for the meeting do most ... READ MORE
No RDP, No Problem!
The Setup I conducted some phishing for a pentest this past week. My ulterior motive was to have an opportunity to familiarize myself with Empire, so I decided to go with a pretext which would allow me to use the macro stager and a malicious Excel sheet attachment to drop agents onto victim boxes. After some initial hiccups, a handful of (elevated!) agents started calling ... READ MORE
Kali 2.0: Fresh Look, Easy Updates, and Post Install Tips
Kali 2.0 was released last week which means that we get to spend some time sifting through Offensive Security's latest release looking at all the new tools and tricks. Offensive Security promised us a better, more powerful penetration testing platform, and my preliminary look at 2.0 shows that they delivered. The Look Kali 2.0 switched over to the GNOME3 interface which ... READ MORE
MasterLock Combination Lock Vulnerabilty and Exploit
A couple of weeks ago, I came across an article from Samy Kamkar on how to successfully guess a combination for a standard MasterLock combination lock. It seemed pretty interesting so I gave it a try, and to my surprise it worked! However, a big downside was having to visit his website to run the algorithm in order to get the list of eight possible combinations. On a typical ... READ MORE
Build Your Own Pentest Pi
Raspberry Pis are really a thing of beauty. They're extremely versatile and can perform multiple tasks in spite of their small size and power. I currently own three! One is currently serving as a Kodi media server at home, and the second is a portable media server for my daughter. I most recently acquired a Pi 2. The Raspberry Pi 2 debuted last month and sports a new hardware ... READ MORE
Password Filtering: Taking Bad Decisions Away from Users
(Originally published by @fluffy_bs) I recently had this conversation with a client following a pen test: Client: "What is our biggest security hole?" Me: "Your password policy is incredibly weak. We were able to brute-force passwords such as Winter14, Password1, and Company1. Client: "We just had a meeting where we reiterated our security policy. I told ... READ MORE
VoIP Penetration Testing: Introduction
I've had a number of recent opportunities to conduct VoIP-focused penetration tests. Prior to my first, I noticed that the number of tutorials, blogs and training write ups are pretty scarce. So, I figured it might be helpful to have all of it in one place. In this short blog series, I'll cover the goals, methodology, and tools needed to conduct a successful VoIP penetration ... READ MORE