In our previous blog posts, we demonstrated how important it is for penetration testers to get credentials that grant administrative access over hosts within the organization to escalate their permissions. This week, we will discuss a relatively recent privilege escalation technique known as Kerberoasting, which pen testers and malicious hackers can use to crack weak network service account… Read More
Tag: infosec
Navigating Clear Text Password Vulnerabilities
Accessing Clear Text Administrative Passwords In our last blog post, we showed how pen testers can use misconfigurations within Active Directory group management to escalate privileges. However, that technique is heavily dependent on having access to privileged or misconfigured accounts in the first place. This week, we discuss another finding that we frequently take advantage of… Read More
Identifying Local Admin Misconfigurations for Domain Privilege Escalation
In our previous blog, we discussed how insufficient network segmentation can be exploited by attackers and pen testers. This week, we discuss a finding that we frequently abuse during the privilege escalation phase of our penetration testing assessments, particularly for those involving public sector clients. This phase occurs after our operators have gained a foothold and… Read More
How Insufficient Network Segmentation Increases Your Security Risk
In our previous blog, we introduced our 2016 top five penetration testing lessons learned blog series. Today, in Part II of this series, we discuss our first finding: insufficient network segmentation. The Challenges of Network Segmentation Many of the clients we conduct penetration tests for are larger organizations that have thousands of hosts on a completely flat… Read More
5 External Cyber Penetration Testing Lessons Learned From 2016 Security Assessments
Every year, Delta Risk conducts hundreds of cyber security assessments, including penetration testing, for a wide range of commercial and public sector clients. Many of these organizations share similar weaknesses in their people, processes, and technology. But each assessment also presents new technical challenges for us to solve. In this five-part blog series, we’ll discuss our findings… Read More
[Opinion] Encryption and Privacy: Why the FCC Needs to Consider Legal Reform of Wireless Policies
The opinions expressed in this blog article are those of the author alone. In our previous blog, we discussed how pagers used in medical settings present an opportunity for threat actors to intercept valuable protected health information (PHI) and disrupt encryption and privacy. For malicious hackers, radio-based communications are a potential attack vector that organizations should… Read More