Simulated Password Cracking with the NTDS.DIT Export – Part 2

Now that we have a copy of the hashes, we can sling them through John. There are several approaches to this, but for the purposes of simulating an attack it’s best to use 2. They are: a default JTR crack and a company-specific wordlist crack. Basically JTR has certain options for rules. I’ve found that if you’re …

Simulated Password Cracking with the NTDS.DIT Export – Part 1

To check whether passwords can be cracked or guessed by the evil-doers, we have an advantage that we rarely use. By performing a simulated password crack on our existing AD users we can obtain the upper hand by finding the failing passwords before the bad guys do. Firstly we need to …

Creating a password list from a company website with WLGen

I recently came across CeWL as a tool for spidering websites to gather keywords into a dictionary list relevant to their fields of expertise. This can aid password attacks by having words relevant to the field of expertise that the companies have. Only issue was that CeWL can’t seem to get behind Cloudflare sites. …

Performing an Internal Phishing Audit – Metrics (Part 2 of 2)

When it comes to reporting on GoPhish metrics there’s a fair bit you can do to justify the exercise. Once you’ve exported all the CSV data from your campaign, load it up in a spreadsheet and use these as guides for metrics. Total amount of emails sent: Count all occurrences of text using =COUNTIF(A:A,"<>")-1 Total …

Bypassing Mechanical Locks With Lemon Juice

Mechanical locks normally require 4 digits and a single character in order for the lock to function. This normally excludes the “C” character as that is reserved for cancelling an input. Here’s the catch: they don’t have to be pressed in any particular order! We only need to figure out which buttons are being pressed, not …

IoT – Stopping Your Toasters Plot For World Domination

So now we don’t just have to be worried about politics and financial issues… we have to be concerned that our toaster will want to take part in world domination and that our vacuum cleaners will spy on us in an attempt to provide better advertising. So how do we control these wild little things …

Office 365 – Change Free/Busy Status On A Shared Calendar

So by default, when you create a shared mailbox within 365, the permission for authenticated users is to be able to view the Free/Busy time. Now this normally causes issues as people want to see a few more details so they can see who has booked the room or what for. So to …