Impersonating The Domain Administrator via SQL Server

A recent presentation I gave for 7Safe. It demonstrates how it is possible to fully compromise the domain using a fully patched Microsoft SQL server that has a firewall enabled. Using the SQL server I impersonate the domain administrator account without any passwords or password hashes being known or extracted. It also demonstrates the risk […]


Top 5 Common Issues – Article

A recent article I wrote for 7Safe (November 2010). It is a management level summary of the top 5 most common ways into networks I find when conducting internal infrastructure testing. Click the image below to read the full article. Tweet


Own With An iPhone

Something a little bit different here… You expect to see all hackers with a laptop right….? Think again!. Tweet


Real World Pen Testing Demonstration

A recent hacking presentation I gave in London for 7Safe demonstrating client side exploits, pivot attacks using Metasploit. Tweet


Print Spooler Exploit – MS10-061

This is an interesting exploit. No client interaction is required. This exploits the print spooler on target systems by submitting a job into the schedule which then executes as SYSTEM. Microsoft ref MS10-061. Tweet


Client Side Adobe Acrobat PDF 9.3.4 Cooltype Exploit (0day)

The very latest Adobe Acrobat Reader 9.3.4 (as of today 10th September 2010) is vulnerable (plus earlier versions) to this cooltype sing exploit. No fix as yet. Tweet


DLL Hijacking Client Side Exploit

There has been lots of recent press relating to DLL hijacking. I have tested this out and created a video demonstration to help clear this up as slightly confusing. This is a client side exploit so the user must browse the SMB share or the HTTP server. There is no so called patch from Microsoft […]


Apple Quicktime Client Side Exploit (0day)

A nice little client side exploit here. Download the very latest Quicktime version from (3rd Sept 2010) and check for updates to ensure you have the latest version….It is fully exploitable!. Within Metasploit it creates a webserver that the client must browse to, once the client browses it exploits a vulnerability within Quicktime. […]


Token Kidnapping’s Revenge

Token kidnapping returns! You may remember back in 2009 a token kidnapping issue was discovered and exploited by Cesar Cerrudo. This allowed you to impersonate a service in use running as a higher service account (network service to system) and compromise the server. This was patched by Microsoft in April 2009 – MS09-012. Cesar is […]


Microsoft LNK Exploit – MS10-046

Great little client side exploit. It exploits a vulnerability in the LNK process and uses Webdav to run the exploit. Patch released (August 2nd 2010) MS10-046 – CVE-2010-2568 Affected Operating Systems: Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 […]