Category Archives: Pentest

Scanning udp port 1434 SQL Browser

Objective

The service most likely listening on UDP port 1434 is the MS SQL Browser Service.
You can query it to retrieve version information and the TCP port on which the MS SQL Server service is listening.

Nmap

nmap -P0 -v -sU -sV -p 1434 <ip> --script ms-sql-info
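The Browser service answers that query with an SSRP SVR_RESP datagram, which is where nmap's ms-sql-info script gets the version and port from. The parser below is an added example (not code from this post or from nmap) that decodes such a response into version and TCP port per instance, so the output can be checked against an inventory; the response bytes are constructed, and the helper names are mine.

```python
import struct

# SSRP (SQL Server Resolution Protocol): the Browser service on UDP 1434 answers
# a one-byte CLNT_UCAST_EX request (0x02) with an SVR_RESP (0x05) datagram.
SVR_RESP = 0x05

def parse_ssrp_response(payload: bytes) -> list:
    """Decode an SVR_RESP datagram into one dict of key/value tokens per instance.

    Layout: 0x05, uint16 little-endian body length, then ASCII text of
    ';'-separated key/value tokens; each instance record ends with ';;'.
    """
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", payload, 1)
    body = payload[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated SVR_RESP body")
    instances = []
    for record in body.decode("ascii", errors="replace").split(";;"):
        tokens = record.split(";")
        # tokens alternate key, value; zip drops a dangling key if the count is odd
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        if "InstanceName" in fields:
            instances.append(fields)
    return instances

def instance_ports(payload: bytes) -> dict:
    """Map instance name -> (version string, TCP port or None if TCP is disabled)."""
    result = {}
    for fields in parse_ssrp_response(payload):
        port = int(fields["tcp"]) if fields.get("tcp", "").isdigit() else None
        result[fields["InstanceName"]] = (fields.get("Version", ""), port)
    return result

def build_svr_resp(body: bytes) -> bytes:
    """Frame a body the way the Browser service does (used to build the sample)."""
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body

# Constructed sample body, not a real capture: a default instance on 1433 and a
# named instance on a dynamic port that also advertises a named pipe.
SAMPLE_BODY = (
    b"ServerName;SQLHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;1433;;"
    b"ServerName;SQLHOST01;InstanceName;REPORTING;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;49712;"
    b"np;\\\\SQLHOST01\\pipe\\MSSQL$REPORTING\\sql\\query;;"
)
```

A named instance on a dynamic port (like REPORTING above) is exactly the case a TCP-only scan of 1433 misses, which is why the UDP 1434 query belongs in the enumeration step.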

Privilege Escalation

References

Basic Linux Privilege Escalation

Windows Privilege Escalation


No Custom Errors implemented

Often, during a penetration test on web applications, we come up against many error codes generated by applications or web servers. It is possible to cause these errors to be displayed by using particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

Continue reading

Link-Local Multicast Name Resolution (LLMNR) Detection

Nessus Output

Synopsis :

The remote device supports LLMNR.

Description :

The remote device answered to a Link-local Multicast Name Resolution
(LLMNR) request. This protocol provides a name lookup service similar
to NetBIOS or DNS. It is enabled by default on modern Windows
versions.

Reported Risk factor by Nessus: None
In my opinion the severity should be much higher.

Continue reading

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Continue reading

Pentest Methodologies

There are many Pentest Methodologies that all share the same basic approach but their phases are named differently:

  • Pre-engagement steps / Preparation / Scoping
  • Intelligence Gathering / Information Gathering / Reconnaissance (Recon) / Open source intelligence (OSINT) / Footprinting
  • Threat Modeling
  • Scanning / Mapping / Enumeration / Vulnerability Analysis / Discovery
  • Exploitation
  • Post-Exploitation / Maintaining Access / Covering Tracks
  • Reporting

Continue reading

Sort IP addresses

Bash:

sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4

Powershell:

gc .\ips.txt | sort {"{0:d3}.{1:d3}.{2:d3}.{3:d3}" -f @([int[]]$_.split('.')) }

Excel:
Use the following formula to calculate a number which we can sort on (cell A2):

=((VALUE(LEFT(B2, FIND(".", B2)-1)))*256^3)+((VALUE(MID(B2, FIND(".", B2)+1, FIND(".", B2, FIND(".", B2)+1)-FIND(".", B2)-1)))*256^2)+((VALUE(MID(B2, FIND(".", B2, FIND(".", B2)+1)+1, FIND(".", B2, FIND(".", B2, FIND(".", B2)+1)+1)-FIND(".", B2, FIND(".", B2)+1)-1)))*256)+(VALUE(RIGHT(B2, LEN(B2)-FIND(".", B2, FIND(".", B2, FIND(".", B2)+1)+1))))
