From VEEAM to Domain Administrator
On a recent Internal Penetration Test engagement, I was reviewing some Nessus scan data and came across an “Microsoft Windows SMB Shares Unprivileged Access” finding. As we can see from […]
Blog
Simple Security Fails (part 2) – Improper Input Validation
Some of you may be confused why someone other than Brett is writing the Part 2 for this series (click here for Part 1). There are two reasons for this: […]
White Oak Security Welcomes Barbara Wickoren!
White Oak Security is very excited to announce the newest addition to our sales team. Barbara Wickoren has joined the company and we are very excited to have her expertise […]
Apple iOS 13 Device Setup for Penetration Testing
[HERE’S A COMPANION POST ON SETTING UP AN ANDROID DEVICE FOR PENETRATION TESTING] One of the initial challenges of performing an iOS mobile application penetration test is getting a suitable […]
Alternative Execution: A Macro Saga (part 3)
In the last few blogs in this series (part 1 & part 2) we worked through scenarios making use of the ActiveX controls InkPicture and WMPlayer to trigger macro execution. […]
Simple Security Fails (part 1) – The Directory Listing
Overview While performing security tests against web applications or network infrastructures, I often come across web servers with directory listing enabled. What is directory listing you say? “Web servers can […]
Alternative Execution: A Macro Saga (part 2)
In the previous blog in this series, we worked through a scenario making use of the ActiveX control InkPicture to trigger macro execution. Macro execution utilizing the InkPicture object can […]
Alternative Execution: A Macro Saga (part 1)
If you have been on an internal Red Team or worked as a consultant, then you’ve probably experienced delivery or execution failure with your malicious documents (maldocs) at least once. […]
DotNetToJScript – Redux
In my previous several blog posts (here, here, and here) we covered usage of a really interesting tool released about three years ago: the DotNetToJScript project (https://github.com/tyranid/DotNetToJScript). Although it’s been […]
Android 10 Device Setup for Penetration Testing
One of the initial challenges of performing an Android mobile application penetration test is getting a suitable test environment setup. One of the easiest ways to do that is to […]