Everything posted by pentestgeek

  1. I've exploited/verified Struts using Burp Suite. Simply injecting a Java sleep with a 20 second delay versus a 1 second delay will show a PoC. If you want to go full compromise you can use Java System calls to execute a reverse shell.
  2. You are trying to connect a USB card not a virtual network interface. From VirtualBox you should be able to tell the card to connect to your VM and not your host operating system.
  3. cURL is what you want. What do you mean by "not implemented"?
  4. I'm sorry to be blunt here, but you are chasing ghosts. There is nothing there. You have two iPhones, both with the same port open, "62078". That's it. One of your iPhones has some additional firewall or IDS system which is blocking Nmap from probing some of the ports in its default range, so therefore the result is "filtered". Read this for additional understanding: https://nmap.org/book/man.html
  5. Again, since this is in fact your router as you say and you know the password, you can find out if sessionkey is required or not. Simply replay the POST with only the "inputUserName" and "inputPassword" parameters and see if you get a successful response.
  6. There is no difference. 1 port is open on both devices.
  7. In this instance the attack vector would not be on the specific /login.php page but instead on the user trying to access it. An attacker could potentially forge a request from the victim trying to log in and instead have their request diverted to a page that they control, thereby harvesting that user's credentials. More info on the subject: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
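The standard defence against the login CSRF described in this reply is to issue a pre-login session cookie before the form is shown, bind a token to it, and reject login POSTs whose token or Origin does not match. This is an added example, not code from the forum or from pentestgeek; the secret, the site origin and the form field names are assumed (inputUserName/inputPassword are the router form fields mentioned elsewhere in this thread).

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the example: a server-side secret and the site's own origin.
SECRET_KEY = b"replace-with-a-random-server-secret"
SITE_ORIGIN = "https://router.example"


def new_pre_login_session() -> str:
    """Random pre-login session id, set as a cookie before the login form is rendered."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id: str) -> str:
    """Form token derived from the pre-login session id; an off-site page cannot compute it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login_request_is_genuine(headers: dict, cookies: dict, form: dict) -> bool:
    """True only if the POST carries the token bound to its cookie and came from our own origin."""
    session_id = cookies.get("pre_session")
    token = form.get("csrf_token")
    if not session_id or not token:
        return False
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    # Browsers attach Origin (or at least Referer) to cross-site form posts; a forged
    # login request from an attacker-controlled page will fail this check.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


if __name__ == "__main__":
    sid = new_pre_login_session()
    form = {"csrf_token": csrf_token_for(sid), "inputUserName": "admin", "inputPassword": "x"}
    print(login_request_is_genuine({"Origin": SITE_ORIGIN}, {"pre_session": sid}, form))
```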
  8. For brute forcing web applications I recommend using Burp Suite. You would simply capture an attempt to log in with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab. Highlight the password field and then import your password list as the payload injections. Since this is your router I'm assuming you already know the password and are simply trying this as an exercise. You could log in with the correct password and use Burp to tell you what a correct response looks like. Then you can tailor your Intruder advanced options to check specifically for the correct response. Hope that helps.
  9. This is an extremely common request among companies who hire a third party penetration tester. What they are asking for is called a Letter of Attestation, also sometimes referred to as a customer summary letter. It is usually no more than a one page document on the letterhead of the company or individual performing the penetration testing. It usually says something like:
     ----------------
     Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance. Our testing activities were conducted between date 1 and date 2 blah blah blah... We adhered to the following approved testing methodology: hyperlink to some pentest standard and/or framework. During the testing Organization Y concluded that company XYZ has implemented adequate security controls to protect against commonly exploited vulnerabilities including:
     * bullet list of OWASP Top 10 or something...
     ----------------
     You get the idea; it's just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest. Hope that helps.
  10. Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1 page document describing the pentest methodology.
  11. That is a good card, but consider now that Wireless AC is becoming more and more popular. You might want to invest in a beefier Alfa card like the AC1200.
  12. I wouldn't personally waste my time trying to get the password.
      1. Boot the PC into a Kali thumbdrive.
      2. Mount the Windows partition.
      3. CD into the System32 directory on the Windows partition and create a backup of sethc.exe.
      4. Copy cmd.exe into sethc.exe.
      5. Reboot the PC and at the login prompt hit the shift key a bunch of times until your SYSTEM command prompt comes up.
      6. Now you can create a new user or simply change the password of an existing user.
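From the defender's side, the sethc.exe swap in the reply above leaves an obvious trace: the accessibility binary becomes byte-identical to cmd.exe, and the backup copy usually stays beside it. The following check is an added example, not code from the forum or from pentestgeek; it is meant to run against a mounted Windows partition (the System32 path is an assumed argument) and builds a constructed sample directory for demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: Path, names=("sethc.exe",)) -> list[str]:
    """Return the accessibility binaries under system32 whose content equals cmd.exe."""
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        return []
    cmd_hash = sha256_of(cmd)
    return [n for n in names if (system32 / n).is_file() and sha256_of(system32 / n) == cmd_hash]


def leftover_backups(system32: Path, name: str = "sethc.exe") -> list[str]:
    """Files such as sethc.exe.bak left next to the original are a common trace of the swap."""
    stem = name.rsplit(".", 1)[0]
    return sorted(p.name for p in system32.glob(f"{stem}*") if p.name.lower() != name)


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a temporary 'System32' where sethc.exe was overwritten with cmd.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp)
        (s32 / "cmd.exe").write_bytes(b"MZ constructed fake cmd.exe")
        (s32 / "sethc.exe.bak").write_bytes(b"MZ constructed fake sethc.exe")
        (s32 / "sethc.exe").write_bytes(b"MZ constructed fake cmd.exe")  # the swapped binary
        return find_swapped_binaries(s32), leftover_backups(s32)


if __name__ == "__main__":
    # On a real mount this would be e.g. Path("/mnt/windows/Windows/System32") (assumed path).
    print(demo())
```

A clean system yields two empty lists; anything else merits a closer look at the logon screen accessibility binaries.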
  13. I agree, and I would never open up port 445 to the internet. My post was simply in response to the OP's question: "Hello, can someone tell me if possible to run PSEXEC on WAN?"
  14. If you want to get around any antivirus you simply need to identify which part of the file contains a malicious signature and alter the signature. In the method described here (https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm), you disassemble a binary file into raw ASM, manually obfuscate each section of the code until all existing signatures have been changed, then repackage the binary. You could call this the point and spray machine gun method. A more surgical method would be to take each individual chunk of ASM and create individual compiled binaries off of them. Point the AV you wish to bypass at the smaller chunks and see which one triggers the malicious signature. Then you can take the original binary and simply obfuscate that code section. Hope that helps!
  15. psexec requires only an IP address to a server that has SMB listening on port 445. It then binds to ADMIN$ or C$ and makes a bunch of RPC calls to the "Service Control Manager" (SCM). It does not care if you are targeting LAN or WAN, and port forwarding works just fine provided you set it up correctly. If you want to know if psexec will work on IP address x.x.x.x, simply open up a Windows Explorer window and navigate to \\x.x.x.x\blah. If you get prompted for credentials, psexec will work. If not, the system is not broadcasting SMB (at least as far as you are concerned). Additionally you could try 'smbclient -L \\x.x.x.x -U ""' from a *nix machine to see if it's broadcasting any SMB shares. Have a look at these slides for additional information: http://www.slideshare.net/RoyceDavis1/owning-computers-without-shell-access-dark
  16. What is the output of the following commands?
      # airmon-ng
      # airmon-ng start [interface]
      # rfkill list
  17. Let me see if I understand your question. You want to do pentesting by carrying a small device with you when you travel, such as a BeagleBone. You show up at your client site, remote into your home network from the device and then leverage tools on your home server to conduct your assessment. Is that correct?