Making SMB Accessible with NTLMquic
TrustedSec Blog » Social Engineering
by Amanda Mates
2y ago
This week, I dusted off my reading list and saw that I’d previously bookmarked an interesting article about the introduction of SMB over QUIC. The article from Microsoft showed that Windows was including support for SMB to be used over the QUIC protocol, which should immediately spark interest for anyone who includes SMB attacks as part of their kill chain. With support for this technology baked into Windows 11 and Server 2022, I thought that it was probably a good time to look and answer some of the questions I had about how useful this technology is going to be during an engagement. So, in t ..read more
Manipulating User Passwords Without Mimikatz
by Amanda Mates
2y ago
There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or plaintext password, but you do have permissions to modify those. This can allow for lateral movement or privilege escalation. Both of these use cases have been covered in the past by taking advantage of Mimikatz’s lsadump::setntlm and lsadump::changentlm functions. While Mimikatz is one ..read more
Real or Fake? When Your Fraud Notice Looks Like a Phish
by Nathan Noll
2y ago
So I Received a Phishing Email… I recently received an email indicating my credit card number had potentially been stolen and used for fraud. At this point, I am used to both having my credit card number stolen and receiving messages telling me it’s been stolen when it has not. My attempt to determine whether I was a victim of fraud or the target of a phishing attack may help shed some light on how marketing, fraud prevention, and anyone else who sends an automated corporate email can do better. The supposed fraud alert email I received wasn’t anything special. It contained the bank’s name, my ..read more
Social Engineering Basics: How to Win Friends and Infiltrate Businesses
by Nathan Noll
2y ago
Technology changes and defenses get better, but some things stay the same—like human gullibility, which can be easily exploited through social engineering. Figure 1 – Not Representative of Actual Social Engineering Engagement. What is social engineering? Social engineering, at its core, is taking advantage of human nature. Humans are innately trusting, often try to help, and want to avoid confrontation. A big facet of social engineering is taking advantage of our social trust in order to further some type of malicious goal. Figure 2 – Your Employee who Held the Door Open for us. Social Engineerin ..read more
Companies on High Alert for Unemployment Fraud
by Amanda Mates
2y ago
Proactive Measures to Thwart Unemployment Fraud In the past few months, the TrustedSec Incident Response team has responded to several incidents of unemployment benefit fraud. Due to the pandemic and nationwide lockdowns, there has been an extremely high volume of unemployment claims submitted across the United States, and with greater instances of fraud making it difficult for states to investigate, there is high confidence that the fraudulent unemployment claims are due to increased crime group activity. Issues that stem from this form of fraud can include employee information ..read more
SeeYouCM-Thief: Exploiting common misconfigurations in Cisco phone systems
by Nathan Noll
2y ago
1.1 Intro. I spent my early IT career working for a Cisco partner that specialized in Cisco phone systems. My work wasn’t directly with the phone systems, but it was usually in an adjacent field like route/switch and security. I did, however, get to see my share of networks that used Cisco phone systems. Today, I work as a Penetration Tester. Instead of designing and troubleshooting networks, now I get to break into them to test their strength. Usually, the first task of an Internal Penetration Test is to try and gain access to a low-privileged account. Since the p ..read more
Creating a Malicious Azure AD OAuth2 Application
by Amanda Mates
2y ago
THIS POST WAS WRITTEN BY @NYXGEEK I decided to write this blog because I’ve seen a lot of articles mentioning that attackers will use a malicious OAuth web app with Azure AD, but I hadn’t actually seen much in the way of good examples of doing so. I’m sure I will find a dozen fantastic examples as soon as this is published, but as of now, I haven’t. I should mention that my teammate Scot Berner has written up a great blog post on a similar topic — Phishing Users with OAuth and DeviceLogin. Practical OAuth Abuse for Offensive Operations – Part 1 Overview Deploying a malicious web app can ..read more
Update: The Defensive Security Strategy
by Amanda Mates
2y ago
Original post: https://www.trustedsec.com/blog/the-defensive-security-strategy-what-strategy/ Massive exposures and attacks, such as recent SolarWinds and Exchange exploit issues, have been common news lately. While the security landscape has advanced and changed, these massive exposures are continuing to occur. The question is why, and how, are they occurring? While common issues are often leveraged, the mentality around them is still often, “These types of attacks will not happen to us; our data is not valuable enough.” Even if your organization isn’t dealing with information typically ..read more
Introducing iHide – A New Jailbreak Detection Bypass Tool
by Amanda Mates
2y ago
Today, we are releasing iHide, a new tool for bypassing jailbreak detection in iOS applications. You can install iHide by adding the repo https://repo.kc57.com in Cydia or clicking here on an iOS device with Cydia installed. Additionally, you can check out the code and build/install it yourself if you prefer. Once installed, iHide will add a new entry in the iOS settings pane that can be used to enable/disable bypassing common jailbreak detection methods. Simply enable iHide, select any applications to enable it for, and iHide will attempt to bypass common jailbreak detection techniques. This ..read more
Simple Data Exfiltration Through XSS
by Amanda Mates
2y ago
During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated data back together into documents for demonstration to the client. I saved that code snippet, hoping to come back to it someday. Fast forward to a recent engagement, and again I had an application with highly sensitive data and an XSS ..read more