Reino Mostert
Using & improving frida-trace
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit. I often find that half of the problem is finding out what you don’t know. Take a mobile application for instance: Which class is responsible for the SSL pinning? Which class does the crypto? What method is…
NoSQL error-based injection
TL;DR How to do NoSQL error-based injection In this second blog post (read the first one here), on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything. When trying to extract information via NoSQL injection, you typically make use of Boolean conditions to figure out a character. Portswigger has a couple of examples…
Getting rid of pre- and post-conditions in NoSQL injections
TL;DR: I found a cool way to get rid of pre-conditions in NOSQL syntax injections I have been investigating NoSQL injection for a bit, trying to make it better, or at least somewhat equivalent to SQL injection. One of the things that are tricky with NoSQL injection is getting rid of pre- and post-conditions. For this post I’m focusing on MongoDB, so s/NoSQL injection/Mongo injection/g In case you forgot, most…
From BitLocker-Suspended to Virtual Machine
On a recent red-team I was given a client laptop from which I was expected to simulate an insider-threat/employee laptop compromise scenario over their VPN. I was given a normal employee user account and did not have local administrator privileges. The laptop itself was riddled with security products and snitchware, threatening to report back every action taken on the system to the SOC/SIEM. My first objective was to obtain local…
Sail away, sail away, sail away
A while back, after some live music and drinks at Railways, I made my way to another city for pleasant weather, some dubious food, the ever-wakeful seagulls, and ultimately – an assessment. After playing around for a few days, Jason and I had obtained access to a system which contained cleartext credentials, namely ihsadmin:ihsadmin. Using these credentials, we were also able to SSH into a management server of sorts. While…
A new look at null sessions and user enumeration
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems. For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default. Some of these shares allow one…
Fixing up Net-Creds
TL; DR: I fixed-up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal assessment, I was having a hard time getting a high-privileged user account. This was the third assessment SensePost has done for the client, and they have implemented several of our recommendations. In particular, Responder wasn’t providing me with any hashes even though I was connected to the same network segment…
Page 1 of 1