post exploitation: finding passwords in haystacks

Often while conducting an internal pentest you gain access to a user machine through some vulnerability or, more commonly, via social engineering. Let’s say you pop an unprivileged shell and incognito only finds unprivileged domain tokens. You could move on to another target, or you can try some post-exploitation reconnaissance. A commonly overlooked source of sensitive information is the documents stored on the company servers, along with the shares created by staff who think they know enough to share a folder with their peers and end up sharing the root of ‘C:’. These can be a fantastic source of juicy info if you know how to index and then search through them effectively.
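One way to do that indexing and searching, as an added example that is not code from the original post: walk the share once into an index, then grep the indexed files for credential-looking strings, reading Office documents through their zip container and decoding the UTF-16 text that Windows tools often write. The share, file names and "credentials" below are constructed sample data living in a temporary directory; nothing here touches a real server.

```python
"""Added example, not code from the original post: index a file share once,
then search it for credential-looking strings. The share here is a
constructed temporary directory standing in for a mis-shared C: drive."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# What to grep for first: connection strings with inline passwords, plain
# credential assignments, and private-key headers. All case-insensitive.
CRED_PATTERNS = [
    re.compile(r'\b(?:user\s*id|uid)=[^;]+;\s*(?:password|pwd)=[^;"]+', re.I),
    re.compile(r"\b(?:password|passwd|pwd|pass)\s*[:=]\s*\S+", re.I),
    re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
]
# File names worth reading first on a slow SMB mount.
INTERESTING_NAMES = re.compile(
    r"pass|cred|secret|login|unattend|\.config$|\.ini$|\.kdbx$", re.I)
SKIP_EXT = {".exe", ".dll", ".msi", ".iso", ".jpg", ".png", ".mp4"}
MAX_BYTES = 5 * 1024 * 1024       # do not slurp multi-gigabyte files


def build_index(root):
    """Walk the tree once and record each candidate with size, mtime and a
    name-based priority, so repeated searches do not re-walk the share."""
    index = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in SKIP_EXT:
                continue
            try:
                st = path.stat()
            except OSError:          # unreadable entries are common on shares
                continue
            index.append({"path": path, "size": st.st_size, "mtime": st.st_mtime,
                          "priority": bool(INTERESTING_NAMES.search(name))})
    return index


def decode_text(raw):
    """Windows tools often write UTF-16; decoding that as UTF-8 yields
    NUL-separated characters no regex will match, so check the BOM first."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", "ignore")
    return raw.decode("utf-8", "ignore")


def extract_text(path):
    """Return searchable text. Office Open XML documents are zip containers,
    so a raw grep misses them: read the XML parts and strip the tags."""
    if path.suffix.lower() in {".docx", ".xlsx", ".pptx"}:
        try:
            with zipfile.ZipFile(path) as z:
                xml = " ".join(z.read(n).decode("utf-8", "ignore")
                               for n in z.namelist() if n.endswith(".xml"))
        except zipfile.BadZipFile:
            return ""
        return re.sub(r"<[^>]+>", " ", xml)
    with open(path, "rb") as fh:
        return decode_text(fh.read(MAX_BYTES))


def search_index(index, root):
    """Scan highest-priority files first; return (relative path, line, match)."""
    hits = []
    for entry in sorted(index, key=lambda e: not e["priority"]):
        text = extract_text(entry["path"])
        for lineno, line in enumerate(text.splitlines(), 1):
            for pat in CRED_PATTERNS:
                m = pat.search(line)
                if m:
                    rel = entry["path"].relative_to(root).as_posix()
                    hits.append((rel, lineno, m.group(0)[:80]))
                    break
    return hits


def make_sample_share(root):
    """Constructed sample data (not real credentials) standing in for a share."""
    (root / "IT").mkdir()
    (root / "IT" / "new_starter_setup.txt").write_text(
        "Default login for new staff\nusername: newuser\npassword: Welcome123!\n")
    (root / "IT" / "sql_notes.txt").write_bytes(          # UTF-16 with BOM
        "sa pwd=Passw0rd on db01\r\n".encode("utf-16"))
    (root / "inetpub").mkdir()
    (root / "inetpub" / "web.config").write_text(
        '<add connectionString="Server=db01;User Id=sa;Password=Sup3rS3cret;"/>')
    with zipfile.ZipFile(root / "vpn_guide.docx", "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>VPN password: Autumn2012</w:t>"
                   "</w:p></w:body></w:document>")
    (root / "holiday.jpg").write_bytes(b"\xff\xd8password=notreallytext")


def demo():
    """Build the sample share in a temp dir, index it, and search it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_share(root)
        return search_index(build_index(root), root)


if __name__ == "__main__":
    for rel, lineno, match in demo():
        print(f"{rel}:{lineno}: {match}")
```

Point `build_index` at a mounted share instead of the temp directory to use it for real; the index is cheap to keep and lets you re-run new patterns without walking the share again. The binary extension skip list and the size cap are there because a single ISO or mailbox file on a mis-shared drive can otherwise eat the whole engagement window.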

using ~ to enumerate directories on IIS 6.0

Recently I was running a web application assessment for a client whose system was running IIS 6.0 on Windows 2003 Server. Much foosball and coffee had already gone into this assessment, yet I still didn’t have the “Oh shit, how did you find that?” discovery that makes developers curl up in a ball and rock themselves to sleep. These developers were smarter than most, and this was not their first assessment either. They had learned from previous tests to be vigilant about input sanitisation and the usual bag of tricks.

I was pretty much ready to swap my Nerf gun for Microsoft Word and start typing up my findings when I saw this article by Soroush Dalili about using a 17-year-old technique to enumerate directories on IIS < 7.0 using the good old “~1” from the 8dot3 days of Windows.

A bit of history for you kids and nostalgia for us old-timers about the 8dot3 days of Windows was that in older versions of …