When running phishing campaigns, I use a number of tools.  For the mass, quarterly, security awareness training, I use the platform in Proofpoint.  For a more dynamic situation, I might use GoPhish.  For something quick and dirty for snagging credentials, I might use Evilginx2.  

From their Github:  "Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection."

The terms vulnerability assessment and penetration test are often used synonymously but they are not the same thing.  This post is a perfect example of something that would not get identified during a vulnerability assessment and showcases the difference between it and a penetration test.  

During a recent penetration test, I discovered a Microsoft SQL Server.  

There's a function in Windows, Accessibility Options, which is available for the visually impaired.  Basically, at the login prompt, we can hit the Shift key five times and that will activate sethc.exe.  But let's say we want to abuse this prelogin function, we could copy cmd.exe in its place which would launch a command prompt, as SYSTEM, prior to login.  From there, we would create an account or perform any other privilege command prompt function.