Sans Core Netwars Tournament of Champions Europe

Sans Core Netwars Tournament of Champions Europe

By Red Siege | August 9, 2021

From Justin Palk, Security Consultant: I’ll be honest, it feels good to win. Popping a shell sends a shiver down my spine. But getting into a duel with another team […]

Learn More
Sans Core Netwars Tournament of Champions Europe

User Enumeration Part 3 – Windows

By Mike Saunders | April 16, 2020

This is the third installment in a series of blogs on user enumeration. In Part 1 – Building Name Lists, I talked about ways of building usernames from OSINT and […]

Learn More
User Enumeration Part 3 – Windows

User Enumeration Part 2 – Microsoft Office 365

By Mike Saunders | March 10, 2020

It’s not uncommon on external pen tests and red team engagements to find very little attack surface on the customer’s internet-facing networks. Customers have started shifting services to cloud providers, […]

Learn More
User Enumeration Part 2 – Microsoft Office 365

User Enumeration Part 1 – Building Name Lists

By Mike Saunders | January 30, 2020

A common part of pen tests – both network and web app – is password spraying. In order to do that, you need usernames. But how do you find out […]

Learn More
User Enumeration Part 1 – Building Name Lists

Finding the silver lining in getting your teeth kicked in

By Mike Saunders | March 27, 2019

Lots of pen test and red team blogs follow the same model: we came, we saw, we conquered, blue team tears flowed. This is not one of those blogs. TL/DR; […]

Learn More
Finding the silver lining in getting your teeth kicked in

SQLi Data Exfiltration via DNS

By Mike Saunders | November 30, 2018

Did you know you can use DNS queries to exfiltrate data from a database via SQLi? No? Then continue reading! I’ll walk through some techniques you can use to enumerate […]

Learn More
SQLi Data Exfiltration via DNS

Capturing SQL Server User Hash with SQLi

By Mike Saunders | September 5, 2018

On a recent external web app pen test, I found a possible SQL injection vulnerability using the Burp Scanner. One of the tests triggered an A record lookup for the […]

Learn More
Capturing SQL Server User Hash with SQLi