Pentesting in the Real World: Local File Inclusion with Windows Server Files
This is the 5th in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out…
Pentesting in the Real World: Going Bananas with MongoDB
This is the 4th in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out…
Pentesting in the Real World: Group Policy Pwnage
This is the third in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out…
Pentesting in the Real World: Capturing Credentials on an Internal Network
This is the second in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out…
Pentesting in the Real World: Gathering the Right Intel
This is the first in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out…
Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues
In a fight between pirates and ninjas, who would win? I know what you are thinking. “What in the world does this have to do with security?” Read on to find out but first, make a choice: Pirates or Ninjas? Before making that choice, we…
SNMP Data Harvesting During Penetration Testing
A few months back I posted a blog entry, SNMP Best Practices, to give guidance on best methods to reduce security risks as they relate to SNMP. Now that everyone has had time to fix all those issues, I figured it's time to give some…
The path to a false sense of security: Leave your security controls enabled during testing
In my work performing vulnerability assessments and penetration tests, I'm often confronted with the dilemma of dealing with a pesky intrusion prevention system (IPS) or web application firewall (WAF). Sometimes we know they're there. Other times, they rear their ugly heads and force a days-long…
Top 3 Takeaways from the & Campfire Horror Stories: 5 Most Common Findings in Pen Tests & Webcast
Penetration Tests are a key part of assuring strong security, so naturally, security professionals are very curious about how this best practice goes down from the pen tester perspective. Jack Daniel, Director of Services at Rapid7 with 13 years of penetration testing under his belt,…
It can be dangerous assuming a vulnerability is not a vulnerability
I once worked on a project where an injection vulnerability was uncovered on a web application that allowed an attacker to create special HTTP requests that can enumerate directories and see the contents of most files on the system. Everything from autoexec.bat to digital…
Top 3 Takeaways: "7 Questions to Ask Your Penetration Testing Vendor" Webcast
Penetration testing is a security best practice for testing defenses and uncovering weaknesses in your infrastructure and applications, as well as a practice required by compliances such as PCI DSS. A penetration test doesn't stop at simply uncovering vulnerabilities: it goes the next step to…
Webcast Followup: Escalate Your Efficiency
Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have great conversation. First of all, I want to thank you folks who have…
Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast
Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7 spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood,…
Weekly Metasploit Wrapup: SQL Server Privileges, Templating New Modules
Microsoft SQL Server Pen-Tester Pro Tip This week, we've landed a trio of fun and interesting modules from long-time Metasploit community contributor Scott nullbind Sutherland which automate up a couple Pro Tips on what to do when you've scored a login on a Microsoft SQL…
PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!
This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing. Why is Pen-test needed? In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and…
