Blog

Jul 10, 2017, 8:45 PM
Telerik's ASP.NET AsyncUploader (RadAsyncUpload) is vulnerable to arbitrary file uploads. By abusing a default hard-coded key (which can be changed, but often is not), a malicious actor can decrypt a server-side encrypted parameter and modify the file upload location to any path writable by the web server's service account. This was verified to work through version 2017.2.503 (released May 3rd, 2017).
Apr 6, 2017, 5:00 PM
A guide explaining how to create an 'SMB Email' macro button in Outlook 2016. The purpose of this button is to generate a new email with HTML content included, specifically an SMB image tag for capturing users' credentials (as discussed in Capturing Creds through Email and HTML Image Tags).
Mar 23, 2017, 5:48 PM
A common finding in penetration tests is that clients are not properly filtering egress traffic from their network to the internet. This post specifically covers the dangers of allowing outbound SMB communication over TCP port 445 to the internet, and one simple method of exploiting it to capture a user's credentials, crack them, and gain access to the network.
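The quickest way to confirm the condition the post describes is to test, from inside the client network, whether a TCP connection to port 445 on an internet host actually completes. The following is an added example written for this page, not code from the original post: a small egress probe that reports, per target, whether outbound 445 is allowed. The hostname `smb-listener.example.com` is a placeholder and should be replaced with an external host you control.

```python
import socket

# Added example, not part of the original post. Probes whether outbound
# TCP/445 (SMB) reaches an internet host; if it does, any UNC path or
# SMB image tag delivered to a user can leak their credentials outbound.
SMB_PORT = 445


def port_reachable(host, port=SMB_PORT, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered (timeout), or host unreachable all
        # mean egress on this port is not usable for credential capture.
        return False


def smb_egress_report(hosts, port=SMB_PORT, timeout=3.0):
    """Map each host to True (egress allowed) or False (blocked or closed)."""
    return {host: port_reachable(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Placeholder target: an internet host you control that listens on 445.
    targets = ["smb-listener.example.com"]
    for host, allowed in smb_egress_report(targets).items():
        verdict = "ALLOWED (outbound SMB egress is open)" if allowed else "blocked"
        print(f"{host}:{SMB_PORT} -> {verdict}")
```

Run it from a workstation on the client network; a result of ALLOWED against a host you control confirms the firewall permits the outbound SMB traffic the post's credential-capture technique relies on. A timeout and a connection refusal both map to False, since either way the port cannot be used for egress.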
Feb 3, 2017, 10:57 PM
Want to phish users' credentials while tossing in a bit of irony? This is my favorite pretext for such! Find an external login portal used by the company, clone its layout, then send out an email requesting that employees complete IT Security Annual Compliance acceptance by [insert date] with a link to your fake portal.
Feb 3, 2017, 6:09 PM
Feb 3, 2017, 5:30 PM
A question I am commonly asked is "How did you get into pen testing?". This blog post goes over my educational and career path choices which led to my career in penetration testing. While there is no absolute path to becoming a penetration tester, hopefully this post provides insight for those in pursuit of such a career.
Feb 1, 2017, 11:19 PM
Welcome to my newest series of phishing pretexts (with payload generation/usage included). This page serves as an overview and table of contents for the series.