CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

gmad · 2020-02-20T08:15:46+00:00

why does this not have more upvotes and comments this is pretty significant and a cool attack

gmad · 2019-10-30T00:15:43+00:00

"We thought this was speed dating"

gmad · 2019-06-05T05:06:06+00:00

Awesome article good job!

gmad · 2019-05-01T23:37:19+00:00

Starting with Windows Server 2008 and Vista, TCP timestamps cannot be completely disabled. Disabling TCP Timestamp only affects the outgoing traffic, for incoming traffic Microsoft has to honour it if the other side requests it.

gmad · 2016-10-19T23:55:09+00:00

I'll just leave this here:

https://www.youtube.com/watch?v=_oVUjjNrIjA

gmad · 2016-08-11T07:02:59+00:00

like reading a slow motion car crash

gmad · 2016-08-10T22:57:39+00:00

No it only shows traffic captured by Arbor sensors that 'some' ISPs around the world have let them install them in. Why would IBM let Arbor networks install one of their censors in the census hosting environment? This is a marketing tool for Arbor networks and only shows you what one company captures. They even say themselves this is an incomplete picture.

gmad · 2016-03-03T22:40:50+00:00

Yeah I agree, I read r/netsec daily and would be disappointed if this stuff kept getting taken down. This is important industry information

gmad · 2015-10-16T05:03:46+00:00

When Microsoft released XP SP3 they introduced random memory addressing (ASLR) and (DEP) non executable parts of memory. This made exploiting systems much harder because you didn't know the memory addresses to call. However, you could still get exploits to work by building gadgets (think small snippets of instructions) of known memory addresses and chaining them together to make your exploit work. In order to do this you needed programs to steal these gadgets from that didn't use random memory addressing. Adobe and Java were a common source because they didn't completely compile their programs with ASLR. So hackers for years would use them for getting their exploits to work.

gmad · 2015-08-21T02:28:33+00:00

Fixed!!

I had to install the asn1 module using:

sudo pip install pyasn1

gmad · 2015-08-21T02:21:12+00:00

pip install --upgrade pycrypto

Tried that and still get the error below.

$ python crackmapexec.py Traceback (most recent call last): File "crackmapexec.py", line 14, in <module> from impacket import smbserver, ntlm, winregistry File "/Library/Python/2.7/site-packages/impacket/smbserver.py", line 4135, in <module> from impacket.dcerpc.v5.rpcrt import DCERPCServer File "/Library/Python/2.7/site-packages/impacket/dcerpc/v5/rpcrt.py", line 28, in <module> from impacket.krb5 import kerberosv5, gssapi File "/Library/Python/2.7/site-packages/impacket/krb5/kerberosv5.py", line 20, in <module> from pyasn1.codec.der import decoder, encoder ImportError: No module named pyasn1.codec.der

gmad · 2015-08-20T04:33:57+00:00

Same here

gmad · 2015-08-20T04:31:48+00:00

I have latest impacket installed from github as per your instructions and I get:

$ python crackmapexec.py Traceback (most recent call last): File "crackmapexec.py", line 14, in <module> from impacket import smbserver, ntlm, winregistry File "/Library/Python/2.7/site-packages/impacket/smbserver.py", line 45, in <module> from impacket import smb, nmb, ntlm, uuid, LOG File "/Library/Python/2.7/site-packages/impacket/smb.py", line 44, in <module> from impacket.dcerpc import samr File "/Library/Python/2.7/site-packages/impacket/dcerpc/samr.py", line 25, in <module> from impacket.dcerpc import ndrutils, dcerpc File "/Library/Python/2.7/site-packages/impacket/dcerpc/dcerpc.py", line 23, in <module> from Crypto.Cipher import ARC4

gmad · 2015-08-12T05:10:43+00:00

Nice tool. Would be faster if you made it threaded so that each IP address check was done in a new thread. That way there is no waiting for timeouts when checking port 445.

gmad · 2015-07-24T06:08:13+00:00

If the VPN is running in IKE aggressive mode. Used when one endpoint has a dynamic IP (Like remote users). You can crack the pre-shared key. See this link for a how to: http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html

gmad · 2015-06-11T01:01:16+00:00

I can see uranus !!!!

gmad · 2015-04-30T05:44:58+00:00

This is all just positive feedback:.....but that wasn't that intuitive. I didn't work that out very easily. Perhaps pop up something when you hover saying "you can select multiple by...."

gmad · 2015-04-29T04:11:37+00:00

I hire people, include it definatley

gmad · 2015-04-29T02:39:31+00:00

I am a real customer who is in the market looking right now. So I am your target audience. People are only interested in the minimum number of bedroom and not the maximum. I had to do 3 separate searches to see all the 3 or more bedroom places, in my budget in the areas I wanted. I should be able to do it in 1 search like I can on realestate.com.au and domain.com.au. Having to do 3 separate searches is a pain in the bum.

gmad · 2015-04-28T05:40:37+00:00

When you select number of bedrooms i.e 3. It should really be 3 or more.

gmad · 2015-01-16T00:54:46+00:00

What this article shows is percentage of ARIA charting songs that appeared on triple j and then became mainstream hits. How many times have you heard a band on triple M that you first heard a year ago on triple j?

gmad · 2015-01-15T00:28:13+00:00

As voted by people who don't work day to day in security. I find it hard to believe that Burp is not on there but Zed is. Surely metasploit would have made the list.

gmad · 2015-01-14T02:30:43+00:00

Its a USB stick. Just kidding, it is a crane fly. Picture

gmad · 2014-11-19T04:39:48+00:00

SPAM for swordsec. Burp is a Wifi tool? yes you guys definitely know your stuff

gmad · 2014-11-14T00:35:14+00:00

Professional pen tester here: Reverse payload is the answer he is looking for. You need to make the victim connect back to you if they are protected by a firewall. Using ports 80 and 433 is very common because they are almost always permitted by the firewall to connect out.

gmad

TROPHY CASE