CVE-2017-9554 – Synology DSM User Enumeration – Unspecified Vector… Yea Right…

Previously this was identified by the developer, and the disclosure states that “via unspecified vectors” it is possible to enumerate usernames via forget_passwd.cgi.

I haven’t identified any other disclosures that actually identify the attack vector, so I figure it would be helpful to others.

Per the CVE:
“An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.”
Well then… Here you go, cracked the code and figured it out.
Where XXX should be your injection point for username lists.
Several usernames I’ve found are admin, administrator, root, nobody, ftp, and more. I’m unsure of whether Synology is pulling these entries from its passwd file or not, but there you go.
This is now published within ExploitDB.

Identified My First Microsoft Product Exploit! IIS UrlScan WAF Bypass

I’ve written up a short UrlScan bypass article and made some edits, but overall this bypass has helped me identify and exploit SQL injection, XSS and other URL-based attacks.

#Paper Title: Microsoft IIS UrlScan Module Bypass Exploit
#Date: 16 AUG 2017
#Software Link:
#Author: Steven Kaun (Gh0st)
#Category: WAF Bypass


Identified after coming up empty searching for help with bypassing a WAF identified as UrlScan. After identifying that a web application was filtering and essentially dropping most attacks and their associated payloads, I dug into how to bypass it. This is about as simple as bypasses can possibly get, but at the same time it is unique enough to warrant writing about.


Red Team Diaries #1 (Part 1 of 2) – Brief Synopsis? Or Obscure Dronings…

Good Morning!

So today I’ll be writing about an obscure way I managed to get Domain Admin from a pretty strange attack chain.

It was back in the winter of 2016, and here in Minnesota that was probably the coldest winter I’ve experienced in a while (to the tune of -40 degree F windchill). So there I was, working with our local news crew and fellow RedTeam members on trying to pick a client’s exterior doors… Hands completely numb, shivering so hard I felt like I might as well have been dancing… Eventually we were defeated, but nevertheless we persisted in our efforts to attack their networks and business at their request, and to showcase our talents to the local media.

We had been foiled in the physical attacks; however, what was left was social engineering the employees in person… Believe it or not, SE can quite literally give you access to almost anything if you present a valid enough claim that you are with XYZ internet service provider completing a work order to perform maintenance due to connectivity issues.

To that end, after gaining the trust of the employees, all it took was a few minutes in their server room and installing a Raspberry Pi with Linux and a few tools from Kali, with a reverse SSH connection that would phone home. Suddenly it was no longer an issue to try to phish the employees over the phone or through email attachments… We were in…

Soon after deploying the device I got to work. I started Nmap scripts, ran Responder, and began looking at Nmap’s output as Responder slowly gathered hashed NTLM credentials via SMB or NBNS spoofing and responding. Well, it turns out we didn’t need those credentials after all!

Stay tuned for Part 2! The next section will go over how a single printer gave us the “Keys to the Kingdom,” for lack of better terminology beyond getting Domain Admin.

Figure it was that time…

In other words… stay tuned for some awesome blog posts regarding my experiences and what not in the world of hacking.

Personally I’m not entirely sure how much I’ll blog, but hell, the main reason I made this was to show the world new things and release exploit development ideas and research I’ve done while I’ve been at RedTeam Security and on my own time.
Moreover, I’ll be showing some of the novel solutions to attacking things that not even my google-fu could find answers to. In that case you can expect some rather novel solutions to attacking obscure services and applications 😀