Penetration Testing Articles (49)

Identifying ARP Request Packets with Wireshark

One of the most significant abilities of penetration testers is the ability to understand and analyze network traffic. In this blog article, we will go over what an Address Resolution Protocol (ARP) is and what messages it includes. Finally, we’ll look at how to identify the ARP request message in Wireshark by performing an ARP packet analysis. First, here is a quick refresher on ARP.

Netbios Enumeration

Most of the time, security experts and penetration testers enumerate NetBIOS in the initial phase of enumeration because it extracts a large amount of sensitive information about the target network, such as users and network shares. NetBIOS, which stands for Network Basic Input/Output System, was created in 1983 by Sytek, Inc. for IBM PC networking. NetBIOS is not a networking protocol but rather another one of the creations in networking that was originally designed to make life easier for us.

SNMP Enumeration with snmp-check

Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services.

MAC flooding attack

Sniffing techniques like MAC attacks, DHCP attacks, ARP poisoning, and DNS poisoning are used by attackers to collect and modify sensitive data. These techniques are used by attackers to obtain control of a target network by reading captured data packets and then exploiting that information to break into the network.
Mark Russinovich created the PS Tools Kit, a collection of 13 tools. These utilities are command-line tools that allow you to launch processes on remote computers and redirect console application output to the local system, making it appear that the applications are running locally. All of these tools are compatible with Windows NT and later versions. Because they are console applications, these tools can be used on both a local computer and a remote host.

A General Overview of Nuclei Command Line

In this blog post, we are going to make a quick introduction to Nuclei and its powerful components. First, let’s start by explaining why we need automated tools in scanning.

Post-Exploitation: Information Collection and Persistence via Process Migration

Once we obtain the Meterpreter session, we can execute various post-exploitation commands. In this blog article, we will perform fundamental command-line actions that allow penetration testers to acquire precise information about the host and we will also learn how to migrate a process for a more reliable connection with the target system.

Common Constraints of Penetration Testing

Although penetration tests are suggested and must be performed on a routine basis, they do have some constraints. In this blog page, we will discuss the major constraints of penetration testing programs in organizations.

Kerberos Attack and Defense Techniques

Kerberos is a network authentication protocol based on client/server architecture. This protocol does not require users to provide their passwords; instead, it relies on tickets and keys for authentication. Kerberos is a commonly employed authentication protocol in Active Directory. Because of its popularity, it has drawn the attention of hackers worldwide attempting to exploit its security weaknesses and crack the protocol. This article goes over some of the most common Kerberos attacks, how to carry them out, and how to defend against them.

MAC Spoofing with MAC Changer

In this blog post, we will explain what MAC spoofing is and demonstrate how a MAC address can be spoofed using “MAC Changer”.

Exploiting EternalBlue With Metasploit

In this blog article, we will exploit and utilize a vulnerable Windows machine and perform some actions such as identifying a vulnerable SMB service port and dumping SAM file credentials using Metasploit. Before beginning our Nmap scan, let’s define what a SAM file is on Windows.

Using Metasploit to Enumerate SSH

When you find valuable information about your target machine’s SSH server, as a penetration tester you can research common vulnerabilities and exploits to compromise this service using these findings. As you might guess, today’s blog post is about SSH and how to enumerate SSH servers using Metasploit.

Password Cracking Techniques, Tools and Protection Recommendations

A password is a protected string of characters that is used to authenticate a user. Passwords are the most widely used authentication method, yet they are also the weakest. Users sometimes choose passwords that are exceedingly easy to guess or are based on personal information about the user (e.g. their birth month or the name of their pet). They may even scribble it down on a piece of paper, hide it in a location where it may be easily taken, or share it with others. Organizations that utilize passwords as the primary or one of the sources of authentication should implement proper security controls to prevent them from being compromised as it can have severe implications. This article will go over the basics of password cracking, as well as the techniques and tools used to crack passwords and password protection mechanisms.

S3 Bucket URL Enumeration

A storage service is a standard facility that cloud service providers offer to clients. Simple Storage Service (abbreviated as S3) is the name of AWS’s storage service.

A Brief Introduction to Wordlists and how to Generate them with CeWL

In this blog post, we will make an introduction to wordlists and make a quick custom word generation exercise with CeWL.

Open Redirection

Occasionally, applications must redirect visitors to a different page. The intended functionality is to redirect the user to a desired website, but this is easy for attackers to abuse when their user input can influence the redirection’s outcome. In other terms, an open redirect occurs when a website allows a redirection to an unexpected page.

Enumerating Active Directory with Powerview

In this blog post, we will practice enumerating Active Directory using the PowerShell PowerView module.

Enumerating SMTP with Metasploit

In this blog post, we are going to take a quick look at what SMTP is and how we can get information about the target system using Metasploit modules.

Broken Access Control (BAC)

Access control enforces policies so that users cannot act beyond their specified privileges. When these controls fail, the common outcomes are unauthorized disclosure of information, alteration or loss of some or all data, or execution of a business function outside the user’s bounds; these failures are what is known as Broken Access Control.

Manual and automated password acquisition

Password attack/cracking is one crucial step in the art of system hacking. When performing penetration tests, passwords can be obtained in a variety of ways. These can range from manually obtaining them from the target to using advanced automated attacks such as packet sniffing and brute force.

An introduction to web shells

A web shell is a malicious piece of code or script that is placed on a target server and written in server-side languages such as PHP, ASP, Perl, Ruby, and Python. It gives an attacker the ability to run commands on the web application’s server. The malicious script allows attackers to gain remote access to the target server’s file system as well as remote administration capabilities.

Scanning SMB, Telnet and FTP default ports

One way an attacker can obtain a better understanding of a network and its security posture is by scanning its file transfer services; this data can then be used to detect security vulnerabilities. Common protocols such as SMB (Server Message Block), FTP (File Transfer Protocol), and Telnet are frequently encountered when performing penetration testing.

Host discovery

Host discovery is the process of identifying all the devices that are connected to your network. This can be done manually, but it’s often more efficient to use a tool like Nmap. Once you know all the active hosts that are present on your network, the next phase is to begin testing them.

Directory traversal

When an attacker gains access to a web server, they often attempt to move around the server to find sensitive information. One way they can do this is by using a technique called directory traversal. Directory traversal is when an attacker uses the directory structure of a website to their advantage.

Server-side request forgery

Server-side request forgery (SSRF) attacks are a type of attack in which the attacker tricks the server into making a request to a third-party resource on behalf of the attacker. This can be done by specifying a malicious URL in the request parameters, which the server then attempts to resolve. This can lead to sensitive data being leaked, or the attacker gaining access to internal systems that are not normally accessible from the public Internet.

Insecure Direct Object References

Insecure Direct Object References (IDOR) are a type of vulnerability that occurs when an application references an object, such as a database record or a file, using an insecure method. This can allow an attacker to gain access to sensitive data or perform unauthorized actions. IDORs occur when an application uses user input to reference an object without properly validating or authorizing the input.

Evading IDS/Firewall while network scanning

A firewall is a security system that monitors and regulates network traffic based on specified security rules. An intrusion detection system (IDS) is a network security tool that monitors and analyses network traffic for suspicious activity and can send out alerts if it is found. Denial-of-service (DoS), man-in-the-middle (MiTM), and network reconnaissance attacks can all be detected by IDSs. An intrusion detection system (IDS) and a firewall are used to prevent unauthorized access to a network.

What is Privilege Escalation?

Privilege escalation is a technique used by attackers to gain elevated access to resources or data that are normally forbidden to them. By exploiting vulnerabilities or misconfigurations, an attacker can escalate their privileges and gain access to sensitive information or perform actions that would otherwise be forbidden.

Content Discovery - Part 2

There are many ways to discover hidden content on websites. In this blog post, we are going to manually find valuable information about websites with the help of:

Content Discovery - Part 1

The first stage in attacking software is obtaining and analyzing critical information about it in order to acquire a better grasp of what you’re dealing with. We can find information either manually, with the help of automated tools, or with Open-Source Intelligence (OSINT).

Understanding the different types of scan you can perform with Nmap

Port scanning is the method of enumerating open ports and services by delivering a series of messages. Port scanners identify active hosts and scan their ports by manipulating transport layer protocol flags. Administrators and users may accidentally keep unnecessary open ports on their computers. An attacker can take advantage of such open ports for malicious purposes.

Common Code Injection Vulnerabilities

Injection attacks are a type of attack that allows attackers to execute malicious code on a server by injecting it into a web application. This can be done through user input, such as via a form field or URL parameter. Once the code is injected, it can be executed by the server, resulting in the attacker gaining access to sensitive data or damaging the server. Injection attacks are a serious threat to web applications and can be difficult to prevent.

DNS enumeration using zone transfer

DNS enumeration is the process of identifying all DNS servers and records for a specific domain. This information can identify potential security flaws such as unprotected DNS servers and zone transfers. DNS enumeration can also be used to collect information about a target company, such as identifying email and web servers.

Enumerating AWS S3 Buckets

S3 buckets are one of the most important aspects of Amazon Web Services (AWS). They are used to store and retrieve data and can be accessed from anywhere in the world. S3 buckets are also used to host static websites. In this article, we will look into different techniques attackers use to identify AWS S3 Buckets.

What is OS Fingerprinting/Banner grabbing?

OS fingerprinting, also known as banner grabbing, is a technique for determining the operating system that is installed on the targeted machine. Once the operating system and its version are determined, the attacker then finds the system vulnerabilities and exploits that may work on that machine to carry out further attacks. Active and passive banner grabbing are the two types of banner grabbing.

Network Footprinting

The process of gathering information about a target network, and identifying and discovering network ranges is known as network footprinting. Network footprinting helps an attacker determine the domain’s subnet mask and trace the network path between the system and the target machine. As a result, attackers can learn how the network is built and which systems are connected and are being actively used. The network ranges also help in identifying the target network’s topology, access control devices, and operating systems.

Weaknesses in default configuration settings

Hardening your configurations is one of the most important aspects of keeping your systems secure. A configuration is a collection of files and options that govern how a system operates. When you harden a configuration, you are making changes to improve the system’s security. When hardening a configuration, there are numerous factors to consider. The principle of least privilege is one of the most important. This principle states that users should only have the permissions they require to do their jobs. By limiting permissions, you can limit the damage that an attacker can do if they gain access to a user account. Another critical factor to consider is the principle of defense in depth.

Design vulnerabilities

As technology advances, so do the ways in which criminals can exploit design vulnerabilities. Design vulnerabilities can be found in both hardware and software, and can be used to gain access to systems, data, and devices. While there are many ways to mitigate the risks posed by design vulnerabilities, it is important for organizations to be aware of these risks and take steps to protect their systems and data.

Race conditions

“Race conditions” are bugs that occur as a result of the timing or order in which multiple operations are executed. This is a fairly broad category of bugs that can manifest themselves in a variety of ways depending on the problem space. Unfortunately, race conditions are notoriously difficult to solve. Exclusive access or critical sections significantly slow down application performance. They obstruct the use of computer resources and destroy our CPU cache utilization.

XML External Entity Injection

XXE (XML External Entity Injection) is a common web-based security vulnerability that allows an attacker to interfere with a web application’s processing of XML data. XXE is a common security flaw because XML is an extremely popular format used by developers to transfer data between the web browser and the server.

SQL Injection Attacks

SQL injection (or SQLi) attacks alter SQL queries by injecting malicious code through application vulnerabilities. SQLi attacks that are successful allow attackers to modify database information, access sensitive data, perform administrative tasks on the database, and recover files from the system. In some cases, attackers have the ability to execute commands on the underlying database operating system.

A Beginner's Guide to Mimikatz

Mimikatz is a popular open-source post-exploitation tool for offensive security penetration testing. Mimikatz is a collection of modules that use privilege escalation and lateral movement techniques to assist both security testers and malicious actors in getting a foothold in the target network. This article looks at the features of Mimikatz and how you may protect your organization’s IT infrastructure from it.

Cross-Site Request Forgery

Cross-site request forgery (CSRF) is a type of attack that allows an attacker to perform unauthorized actions on behalf of a user. A CSRF attack happens when a malicious site sends a request to a victim site, causing the victim site to perform an action intended by the attacker. This can be used to steal information, such as login passwords, or to take actions on the user’s behalf, such as moving funds from their account.

A General Overview of Penetration Testing Methodologies

A pentest, or penetration test, is a method of ethically exploring and assessing the security measures that safeguard an organization’s resources. A penetration test, like an audit, requires using the same tools, procedures, and processes that a hacker or any other bad actor would use.

Using Netcat as a Reverse Shell

In this post, we will find out what a reverse shell is and look at practical implementation examples using netcat. Once we are able to execute code remotely, for example using a known RCE vulnerability, it is important to continue with more advanced post-exploitation phases.

The Reconnaissance Phase in Penetration Testing Engagements

Reconnaissance is the gathering of information about a target prior to launching an attack. Most attacks begin by gathering as much information as possible about the target. A wealth of useful information can be gathered using today’s vast array of information sources. This information may include specifics about the target’s network, systems, and users that can be used to plan an attack and assess risk. The internet is an excellent resource for locating any kind of information that can assist an attacker in planning an attack.

Mastering the Preparation Phase in penetration testing engagements

In our previous posts we discussed the overall penetration testing workflow that we follow here at Mossé Security. In this article we will look at the ‘Preparation’ phase in detail.

Introduction to the Penetration Testing Workflow

Implementing a standard workflow can help an organization become more efficient and productive. A standard workflow should be simple and easy to understand, so that it can be followed by everyone in the organization. It enables better communication and collaboration between team members. By having standardized procedures, employees are able to easily complete their tasks and know what is expected of them. Additionally, standard workflow can help to ensure that tasks are completed in a timely and accurate manner.

Example of a penetration testing report executive summary

A penetration test report executive summary is a document that states the findings of a penetration test in a clear and concise way. The purpose of this summary is to provide management with a high-level overview of the test, so they can decide whether or not to pursue further action.