Security Sift (https://www.securitysift.com), "Sifting through the world of Information Security, one bit at a time". Feed generated Tue, 11 Aug 2015 22:05:46 +0000.

Phishing with Macros and Powershell
https://www.securitysift.com/phishing-with-macros-and-powershell/
Fri, 22 May 2015 17:04:57 +0000

Over the past 6 months, it seems we’ve been experiencing a resurgence of macro-based malware, possibly because it’s such a simple and proven means of delivering a phishing payload to large organizations. If you’re performing a penetration test against an organization and you have reason to believe untrusted macro execution is enabled, they can also be a good means to test user awareness and gain a foothold via social engineering. Regardless of their popularity,...

The post Phishing with Macros and Powershell appeared first on Security Sift.

Offensive Security’s CTP and OSCE – My Experience
https://www.securitysift.com/offsec-ctp-osce/
Thu, 14 May 2015 01:02:24 +0000

Overview: I had been wanting to take the Cracking The Perimeter (CTP) course for some time, but my schedule was pretty hectic. I finally forced myself to start it at the beginning of the new year and I’m really glad I did. As promised, here is my review… Prerequisites: Offsec states the following: "Many pre-requisites are required, such as good familiarity with Ollydbg, and a general mastery of offensive network security techniques." Definitely sound advice....


An Analysis Of MS15-034
https://www.securitysift.com/an-analysis-of-ms15-034/
Sat, 18 Apr 2015 06:21:25 +0000

Introduction: By now you’ve undoubtedly heard about MS15-034. The following is a collection of my cursory research and thoughts on this vulnerability. In addition, here is a small list of related resources, some of which I also reference in the sections that follow:
Microsoft Security Bulletin MS15-034 (Microsoft)
The Delicate Art of Remote Checks – A Glance Into MS15-034 (Beyond Trust)
MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH...


peCloak.py – An Experiment in AV Evasion
https://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
Mon, 09 Mar 2015 23:29:11 +0000

Introduction: I just wrapped up the Offensive Security Cracking The Perimeter (CTP) course and one of the topics was AV evasion. Although I write a lot of custom scripts and tools, when it comes to AV evasion, I typically rely on the tools and methods of others (Veil, powershell, python, custom shellcode). That said, the great thing about courses like CTP is they give me an excuse to investigate a topic that I haven’t...


EggSandwich – An Egghunter with Integrity
https://www.securitysift.com/eggsandwich-egghunter-integrity/
Thu, 12 Feb 2015 22:44:11 +0000

Introduction: A while back I introduced the EggSandwich in my tutorial on Egghunting as a means to implement some basic integrity checks into the traditional Egghunter and overcome the problem of fragmented / corrupted shellcode. I recently took the opportunity to update my implementation so it could accommodate shellcode of any size. The code and a brief explanation follows. What is the EggSandwich? I ran into a situation when developing an exploit for an...


Developing a Security Assessment Program
https://www.securitysift.com/developing-a-security-assessment-program/
Fri, 19 Dec 2014 23:43:58 +0000

Introduction: Most organizations are deploying new applications and technologies at a high rate, and without a means to adequately assess them prior to implementation, it’s difficult to accurately gauge your organization’s risk. No matter what the size or industry, it’s imperative that an organization has a standardized and repeatable process for assessing the security of the IT solutions it implements. My goal with today’s post is to provide some recommendations on...


Exploiting MS14-066 / CVE-2014-6321 (aka “Winshock”)
https://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/
Sat, 29 Nov 2014 20:41:41 +0000

Introduction: I think enough time has passed now to provide a little more detail on how to exploit the MS14-066 schannel vulnerability (aka “Winshock”). In this post I won’t be providing a complete PoC exploit, but I will delve into the details on exactly how to trigger the heap overflow along with some example modifications to OpenSSL so you can replicate the issue yourself. This vulnerability was announced while I was on...


Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) – Sandworm
https://www.securitysift.com/windows-ole-rce-exploit-ms14-060/
Wed, 22 Oct 2014 20:37:26 +0000

This recent exploit (dubbed “Sandworm”) took advantage of a vulnerability in which a specially crafted OLE object could allow remote code execution. In the case of the live sample exploit PPSX file I examined, it automatically downloaded the payload from a remote SMB share. I won’t rehash much of the details that others have covered, but if you want to read more, here are some resources:
Microsoft Security Bulletin: https://technet.microsoft.com/en-us/library/security/ms14-060.aspx
Original Discovery by...


Drupal 7 SQL Injection (CVE-2014-3704)
https://www.securitysift.com/drupal-7-sqli/
Fri, 17 Oct 2014 05:39:46 +0000

Introduction: This vuln has been getting a lot of attention, and rightfully so. The good news is an update is available (and a supplemental patch has been released as well). The bad news is that it’s pre-auth SQLi. The basic problem is the way Drupal core 7.x versions prior to 7.32 construct a SQL query. Contrary to some claims, this is not a flaw in the use of prepared statements/parameterized queries, which...


Phishing for Shellshock
https://www.securitysift.com/phishing-for-shellshock/
Fri, 10 Oct 2014 05:24:25 +0000

Introduction: I thought I was done writing about Shellshock, but a recent discussion with some colleagues got me back on the topic. We were commenting about how organizations tend to react very quickly to patching external assets for a bug like Shellshock, but many probably wait to patch internal assets due to a false sense of security. It got me thinking about how an external actor could exploit a bug like...

