Resources
Latest External Testing Resources
Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI
One of the needs during CVE-2024-3400 testing was the ability to test against a live non-production vulnerable instance. We opted for the Palo Alto NGFW AWS Marketplace AMI.
Read more
From Twitter to Exploit: The Sprocket Security Lifecycle of Exploitation
Our approach to mass exploitation of the latest and greatest vulnerability. On the chopping block, this time around: CVE-2024-3400. read more →
Introduction to the Ticketing SaaS Landscape
The shift to remote work has led to significant changes in organizational dynamics and technology infrastructure, particularly in ticketing, help desk, and management platforms. Sprocket pentesters focus on evaluating… read more →
Subdomain Takeovers - It’s Always DNS
In this article, we will look at a few different takeover methods, detail how we find them, show how they are exploited, and the easy solution to fixing this potentially severe vulnerability. read more →
Password Spraying Self-Hosted Microsoft Services
Self-hosted Microsoft services, such as Exchange and Skype for Business, are ideal targets for password spraying attacks. Learn more about how these threats work and how to protect your business. read more →
Tools for Evading External Network Security Controls
Offensive operations require evasion techniques to bypass security controls. Testers will often find that their attacks against web applications, Office 365, and other external endpoints are quickly blocked. Read our… read more →
Why no Workstation Needs Inbound SMB
Know the risks and attack vectors associated with allowing inbound SMB port connectivity to workstations with an emphasis on lateral movement tools and techniques. See how Continuous Penetration Testing is highly useful… read more →
Password spraying and MFA bypasses in the modern security landscape
Any offensive security operator will tell you that guessing employee credentials is key to compromising your customer’s network – and therefore highlighting vulnerabilities – during a cyber-security engagement. The… read more →
Crossing the Log4j Horizon - A Vulnerability With No Return
A vulnerability was recently disclosed for the Java logging library, Log4j. The vulnerability is wide-reaching and affects both open-source projects and enterprise software. VMWare announced shortly after the release of… read more →
Leading and Empowering Your Team During Log4j
The Log4j vulnerability has created havoc. The effects are serious. As we navigate the immediate and residual fall out, two important questions for non-security leaders to ask themselves are: Will an event like this… read more →
Reliable Username Enumeration: A step-by-step guide
Collecting and validating an organization’s employee base is critical for any successful offensive information security operation. read more →
Launching a pentest: How to discover related DNS records
When starting a penetration test, we first try to discover domains associated with our target apex domain. To help you navigate this part of the process, we’re going to detail it, highlighting tips and tricks for… read more →
Continuous Human & Automated Security
The Expert-Driven Offensive
Security Platform
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.
Expert-Driven Offensive Security Platform
- Attack Surface Management
- Continuous Penetration Testing
- Adversary Simulations