Which VLAN Am I On?

Anyone doing penetration tests for PCI these days is probably aware of the requirement for segmentation scanning. Essentially the standard asks that you confirm the network boundary from various source networks. After having lots of conversations with clients where someone said "oh yeah our ACLs don't let any traffic between VLAN a and b" I've come to believe that this is a worthwhile practice for lots of environments. But I digress.

Patrick Fussell on networking

Starting Chrome with Certificate Checking Disabled

Just a quick little tidbit I ran into during a recent penetration test. I was looking at a web application that wouldn't render correctly in Firefox (my standard browser for testing). I switched over to Chrome only to realize that the site was using HSTS. In the interest of thoroughness, here is the HSTS definition from Wikipedia:

Patrick Fussell on pentest

Pragmatic Network Scanning

The what and how of scanning and enumeration in the context of a penetration test get defined differently depending on who you ask, as well as on the objectives and methodologies relevant to the type of testing being done (e.g. compliance-driven, red team, etc.). Most of the books, blogs, and documented methodologies I've read through treat this phase as too much of a 'point -> click -> find stuff -> get ready to exploit' type process. I have two main issues with this description. Effective discovery in even a moderately complex environment requires a much more tactical application of scanning techniques. Also, in practice, it is a much more cyclical process that happens in bits as an engagement progresses rather than a one-and-done scan.

Patrick Fussell

Pentesters and Decision Making

So my first post of the year is going to be non-technical and just a little bit of a rant. As the infosec industry matures, more companies have entered the market selling things from security appliances to SaaS platforms that do lots of fancy things. I worry that the high demand for services and infosec people is driving the idea of a "penetration test" much closer to the idea of a "vulnerability scan", with little if any post-exploitation, and that a lot of the value that can be gained from a high-value penetration test(er) may be lost due to ugly market pressures.

Patrick Fussell on pentest

Parmap: Parsing and Utilizing Nmap Data

For the longest time, I relied on awk and grep to deal with Nmap output. While this is still a go-to method, being the lazy pentester I am, I decided to automate some of the repetitive parsing tasks. Thus parmap was born. Using the wonderful ruby-nmap gem, this script gives you a few options for displaying and outputting the information from an Nmap XML file. All you need to make it work is the thor and ruby-nmap gems installed.

Patrick Fussell on pentest

Quick Webservers for Transferring Files

Ok, another little 'quick trick' of the day while I'm waiting for another task to complete. During a pentest, depending on the traffic filtering between me and a target host, I often find it useful to have several methods on standby for transferring files. One port I can usually count on being open, even between restrictive network segments, is 80/tcp.

Patrick Fussell on pentest

Connect To A Database Using Windows Authentication With Different Credentials

A handy little 'quick trick' of the day. After pivoting several times in a network I often find myself thinking pretty hard about how to do things that might otherwise be easy, like connecting to a database.

Patrick Fussell on pentest

DerbyCon 6.0

I know, I have been neglecting my duties to this blog. My wife recently became a full-time student and this semester has been an adjustment for us schedule-wise. As things start to settle down I look forward to spending time with my projects and blog again. This post is just an update on some of the talks I look forward to attending at DerbyCon this weekend. As always, I look forward to meeting some new friends, so feel free to look for me and say hi!

Patrick Fussell on conference

Windows Hashes

So I keep hearing people talk about pass-the-hash and Windows credentials, but they are using the terms incorrectly. This leads me to believe that there is some confusion here, which is understandable. Windows stores and transmits credentials in a variety of ways that can get confusing. A good place to start is to talk about what NT LAN Manager (NTLM) is.

Patrick Fussell on authentication

Hunting High Value Targets in Corporate Networks

Update: Made some significant changes to deliver this same talk at BsidesLV 2016

Patrick Fussell on conference

All About Web Services

Like many gainfully employed penetration testers, I test internal networks and external networks. While there are many ways to scope them, these days external network testing largely consists of web application assessments. Because I did not come from a webdev background, I have taken the time to get comfortable with as many of the fundamentals of modern web apps as possible. In this blog post I would like to tackle one of these topics that took me some time to wrap my head around when I first bumped up against it. This post will be centered mostly on concepts, and the next one in the series will jump into some strategies for penetration testing.

Patrick Fussell on web and pentest

XML: What is it Good For?

This will be the first post in a series about penetration testing web services. This first post will be a quick review of what XML is, followed by a brief example of interacting with some XML data. While talking about XML may seem a bit elementary, it does lend itself to making you think about ways to store and share data, which is perfect for our purposes. I also wanted to start this series from the ground and work my way up. Here we go...

Patrick Fussell on web and pentest

Another InfoSec Blog

Welcome to my Jekyll-based blog. There are a ton of other blogs addressing a variety of topics in the infosec space. Even with all the great content being put out every day, there is still a lot of room for topics, ideas, and innovation, and this is one place where I want to throw in my two cents. My topics will largely revolve around technical issues, but I will also address some non-technical, industry-related things from time to time too.

Patrick Fussell on blog