Penetration test: Alfa wireless card monitor mode problem

enter the description of the image hereI have a wireless card (Alfa AWUS036H) that I use for the pencil test in my test network. Due to my recent interest in network piracy, I took this card and put it in monitor mode. While it scanned the networks well and captured strong signals from neighboring networks, if I disconnected or restarted my computer the next day, I would not discover any networks using the command airodump-ng wlan0mon wlan0mon is the card interface.

For the card to work again, I would have to restart the virtual box, disconnect the device or even restart my computer several times to make it work. I don't know if it's a software problem or a hardware problem. If it were a real world situation, it would by no means be practical.

I run kali-linux 2019.1 in virtual-box 5.2. My computer works with Windows 10.

Your help would be appreciated.

penetration test – What do I do if I catch someone doing a physical pentest?

This question was mainly inspired by this (related) question, but it is the other side of the equation.

I'm a security engineer at Medium Sized Company, Inc. We recently hired John for a penetration test (without my knowing it). John successfully entered our building and reached our floor. He got someone to let him in and gained access to a relatively safe area.

Unfortunately for John, his presence in the safe area triggered an alarm that sent me to investigate. I found John in our server room, where he was about to connect something to one of our network switches.

I managed to stop him before he connected his computer to our switch, and demanded to know what he was doing there in a safe area. He presented me with a permit to attack that was not verified, followed by a real Attack permit that was confirmed with the corresponding part.

Right now, I have a hacker sitting handcuffed to a chair In the server room, I am not allowed to get out of my sight until I know what to do with them.

And that do What do I do with them? There are some options that I can think of:

  • Escort them out of the building,
  • Just politely tell them to leave the premises when the penetration test is over,
  • Let them continue to do whatever they are doing and I hope our NOC will catch them too.

My company has no policy guidelines to follow and the person on the PtA form does not know either, so I would like to know what is considered best practice in a situation like this.

Forensic analysis: what can a victim company do when it is difficult to differentiate between a physical Pentest and a criminal physical Penetration?

Hypothetical situation:

The company blue hire the company Red make a red team commitment in blue. Here, I will talk only about the physical part of the commitment, not social and cyber.

Red infiltrates successfully blue and provides detailed reports of what was done in the commitment. Example of part of the report:

In building A:

At door A101, we picked the lock. Techniques used in picking: Raking, Bump Key.
At door A102, we picked the lock. Techniques used in picking: Raking.

The report includes details of the techniques used to explode and infiltrate.

One week after the engagement, blue he is attacked by real criminals and his data was extracted from building A. They had no camera images of each exploded door. It is confirmed that the installation of the doors and locks in building A is correct and has probably been chosen. However, those doors / locks have also been reported by Red during his engagement the previous week.

The problem:

The locks being tested have been selected and exploited by both Red And the criminals. Forensic evidence would probably show traces of both or only RedThe commitment of Since the red team's commitments are to simulate real criminals as accurately as possible, it is difficult to differentiate between the evidence left by Red and those left by criminals.

blue He is very sure that those locks were chosen by the criminals, and suppose they are right about it. blue You want to investigate how exactly the criminals entered and locate those criminals. Additionally, blue He also wants to claim insurance for those locks that are being collected. (I heard that we can get insurance from the lock manufacturer if the locks are cut and we take damage from that)


How can forensic evidence be used in court locks (for insurance) and investigation? As should blue use such forensic evidence to claim your insurance and locate criminals when it is difficult to distinguish between the marks left by Red and the criminals?

penetration test: SQL injection with OR only

I am doing a practical SQL injection in a search field and I don't understand the logic of what is happening.

The following behaviors is what I noticed:

Entering ' OR '1' = '1 Show all results.

Entering ' Does not show results (sample & # 39; no results found & # 39;)

Entering test show some relevant results

Entering test' AND '1' = '1 does not show anything (not even & # 39; no results found & # 39;)

Entering test' OR '1' = '1 Show all results.

What I don't understand is that it seems that the logical OR is working but not the AND. How could this be any idea? The SQL commands I tried don't seem to work (like sleeping, etc.) and don't generate anything (not even "no results were found").

PS: When I tried a more complicated injection with UNION, WAF blocked it and omitted it with / ** / comment blocks in the statements, this is for a CTF challenge and I'm trying to learn about the injection.


Writing the results queries makes sense:

sql = "SELECT * FROM `articles` WHERE `content` LIKE '%' OR '1' = '1%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%'%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test' AND '1' = '1%'";
sql = "SELECT * FROM `articles` WHERE `content` LIKE '%test' OR '1' = '1%'";

EDIT2: I just tried:% ’and% 1%’ LiKE ‘1 results for:

sql = "SELECT * FROM `articles` WHERE `content` LIKE ‘%%’ AND ‘1%’ LiKE ‘1%'";

But it doesn't show results, which means it wasn't right and the query is probably different 🙁

penetration test – Blogs and stories about Pentesting and Red Team commitments

I am learning and thriving to be Red Teamer. I would like suggestions for stories and blogs to read about real Red / Pentest (or simply realistic) Team commitments like this.

The subject can be in any area of ​​Pentesting. However, I am mainly looking for articles on physics, web application and infiltration.

penetration test: what to do if you are trapped in a physical pentest?

This is the golden rule of Red Teaming! If you don't have your permission to attack, it's like driving without a driver's license. That said, if you get caught during a compromise, I recommend the following:

  1. Submit a counterfeit Permission to attack. This way, you can see if criminals could trick a security guard into allowing them to do their thing with a fake attack permit.
  2. Present the real Permission to attack. If a guard has not purchased your fake receipt, then it is time to deliver the actual receipt. If the guard believes you, it's time to lift and leave the perimeter. A true attacker would have been stopped at this point. If the guard did no Believe you, kindly ask them to talk to their supervisor. If they insist on not believing you and calling the police, so be it. You are not a criminal, so don't worry about that.
  3. Follow the police orders. They will take you with them to the station, where you can explain to the police that you are part of a red team commitment and that you have permission to enter the company. He will verify that twice, calling the person listed as the person who signed his Permission to Attack. In the happy case, they will pick up the phone, explain that they are really hired to do that, and may leave.

    In the case not so happy, they will not answer because it is 4 in the morning and their phone has no battery. If this happens, you will probably spend the night at the police station. Worst things have happened. Call your employer in the morning and they will contact you at the client's company.

Saying "I'm a security researcher. You've got me, so I'll leave."

It won't be very helpful. In the eyes of a security guard, you are a criminal, caught in the middle of a crime. You will not have the option to "just leave."

Run away like a criminal.

A very bad idea. Probably the worst thing you can do. If the guard calls the police (they probably will), the costs could increase a lot and he would no Make the client happy to know that he now also has to pay the police for an unnecessary hunt. However, you should include absolutely in your report if moving away from the perimeter after being caught would have been a trivial effort or not.

Contact the employer to obtain a "Continue Pass".

That would lose the point of a red team commitment. Once you have a "Just continue" step, you are not simulating how a real attacker would act. You would simply review the company's things with your permission.

penetration test – Active Directory Pentesting

Active Directory Streets such as "AD" is a directory service that Microsoft developed for the Windows domain network, using it you can control domain computers and services that run on each node of your domain.

I would like to ask what steps, methodologies and tools in Active Directory Pentesting. I used tools such as responder, powerview, pingcastle and mimikatz, but maybe there are other useful tools and methods.

Thank you,

penetration test – I have only 4 hours a month to verify the security of a cloud-based application – How to use my time?

I was commissioned to take care of an application implemented in blue. I have been assigned 4 hours a month.

Basically I have half a day of work to ensure this application / keep it safe. What is an efficient use of my time?

Should I focus on:

  • Making sure all components are up to date?
  • Checking all the records to make sure nothing looks unreliable?
  • Do I try to hack the application myself?
  • Document the system in detail from a security perspective?
  • Investigating current vulnerabilities in this / related technology?
  • Ensure that backups, etc., work correctly?
  • Disaster recovery things?
  • Create a policy about "being hacked"?
  • Audit the source code with a tool to find incorrect patterns?

Or some combination / something else?

I am looking for answers based on experience, preferably from someone who does this type of security maintenance. If there is any kind of recommended guide / practice, that would also be helpful.

The technology stack is:

  • SQL Server Database (Azure SQL)
  • C # web API
  • Angular front end

There are several additional components, but I'm not really looking for specific technology responses, plus a strategy on how to address this.

penetration test: the program cannot be run with Meterpreter on the target operating system

My apologies if the question of this nature is not allowed.

I am a university student who is taking a course on cybersecurity and what I am trying to do is just to practice.

I used the exploit eternalblue to access the victim's computer. I uploaded a simple helloworld.exe program on your desktop. Now, I am trying to run helloworld.exe on your computer using the two methods below.

meterpreter > execute -f helloworld.exe


meterpreter > shell
C:usersusernamedesktop> start helloworld.exe

None of the above methods will run the helloworld program. I don't see the helloworld.exe running in the task manager of the victim's computer. But sometimes UI0detect.exe appears and disappears in the task manager. The interactive services detection window sometimes also appears.

Note that I run helloworld.exe on the target computer at the command prompt using start helloworld.exe or in powershell using ./helloworld

penetration test: how do I sell critical vulnerability information to a private company?

Here is the story. There is a private company that has a software product that thousands of its customers use. After spending a few nights without sleeping in reverse engineering of that product, I identified a critical defect in it. The reason I explored this product was purely sporty: reverse engineering is my hobby and nothing more.

But during my exploration I identified a very serious defect that I did not expect. Exploiting it will mean extracting a lot of money from the users of that software (customers of the company).

Now I am not going to exercise that idea to steal money from other people, that is beyond my moral principles. Although someone who is not really linked to such principles could earn "much" money, permanently (for months or years), without a trace.

I think it makes sense to mention that this is the company that makes money when its customers lose money, basically. Imagine financial commerce, money loans, gambling, etc., that kind of industry. So nobody really "loves" them (including their clients), and they know it, and they agree with that.

I think it would be fair, that I could sell this vulnerability information to the company for a large sum, but I'm not sure how (if it can do so). Just revealing the feat to the public, even proving (without revealing the details) that such vulnerability exists (and has always existed!) It would be a great blow to the company, as they will likely lose a large portion of the customers. However, (and even considering that the company earns millions of dollars per year), I am almost certain that they will not be willing to pay me anything unless I present a 100% proof.

The dilemma is: how to explain the magnitude of that vulnerability, without revealing clues about where to look for it. If I disclose the software product, and what kind of action contains what kind of vulnerability, I am pretty sure that they will try to investigate the particular possibility in a particular use case, and eventually they will find the vulnerability themselves. On the other hand, if I'm going to be lazy ("I found something in one of your products, which can be used to steal money from your customers"), I'm pretty sure they won't believe and won't pay anything.

If I disclose the information without demanding anything, that is, for a good faith reward, I am sure that they will not issue any reward. They are just that kind of company: they don't care about security researchers in good faith. They will fix it even without responding with a "thank you" email.

Any kind of advice will be greatly appreciated. Isn't it fair to expect some kind of payment from the company in such a situation? I have never dealt with such a situation before (as I mentioned, RCE is just a hobby for me).