Author's posts

Covid-19 / Covid 2021 Wordlist

Sorry but…..I’ve been seeing a lot of Covid-19 / Pandemic related words being used as passwords on internal tests recently. As a result the wordlist that should never have been needed…is here! covid2021-final.txt 173 MB file (50 MB .zip) The Torrent wasnt working too well, so migrated to here: https://github.com/attackdebris/wordlists sha1: 33b78622298a2cf2f59363a61cf6f6a4cb887e8a

Parallels RAS Username Enumeration Flaw (CVE-2017-9447 Strikes Again?)

Earlier in the year I was assessing a network that contained a Parallels Remote Application Server (RAS). Parallels RAS is a remote working solution that provides access to virtual desktops and applications. It can run on both Windows and Linux and is typically seen on the standard HTTPS port. The platform has previously been affected …

Continue reading

SSLurry – A Nessus SSL Issues Parser

SSLurry – A quick and dirty .nessus file parser to extract hosts/services affected by SSL related issues. I’ve been testing on a large number of heavily populated internal subnets recently. Accurately reporting SSL protocol/cipher and certificate related issues can be time consuming in such scenarios, time that can be utilised more effectively identifying issues not …

Continue reading

Troubleshooting Empire and PoshC2_Python HTTPS Connections

I’ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and/or PoshC2 listener/server. This brief post detailing the fixes/workarounds I’ve used may be helpful to someone else. I understand the issues are a result of the OpenSSL configuration in Kali Linux (The Kali …

Continue reading

Low Privilege Active Directory Enumeration from a non-Domain Joined Host

Scenario You have recovered Domain User credentials for a domain but have  no privileged or interactive access to any targets i.e. no Domain Admin account or any account that is capable of establishing an RDP session. Introduction On a recent engagement I was performing an internal assessment against several untrusted Windows domains. Using Kerberos Domain …

Continue reading

Cracking Cisco ASA SHA-512 Hashes with Hashcat

I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016.   As always the hashes can be recovered from the appropriate Cisco ASA config file.   Here are some examples of how …

Continue reading

Kerberos Username Enumeration – Top 500 Common Usernames

Kerberos Username Enumeration – Username Wordlists I’ve been having a fair bit of joy with the auxiliary/gather/kerberos_enumusers metasploit module on internal engagements, however you do need to provide the module with a good quality username wordlist or wordlists. On a recent engagement, using only the top 50 male and female userlists, I was able to guess 70 …

Continue reading

Auto-sslscan (Automatic SSL Scanning)

Auto-sslscan As I mentioned in the previous post whilst Nessus and Nmap do a reasonable job of enumerating SSL protocols and ciphers I often find myself utilising other 3rd party SSL scanning tools. One I find myself turning to on a regular basis is sslscan, I like the output it provides and issues become immediately …

Continue reading

Nmap-ssl-parser

Nmap-ssl-parser Nessus and Nmap both do a decent job of enumerating supported SSL protocols and ciphers from remote servers. However, I usually find myself also utilising other 3rd party SSL scanning tools. To that end I wanted an easy way to quickly parse out SSL services to an output file for input into other tools. …

Continue reading

Kerberos Domain Username Enumeration

Kerberos Domain Username Enumeration Over recent years enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely. Where RID cycling once provided us with a full list of domain users from an unauthenticated perspective, this is generally no longer the case. However, …

Continue reading