Hack the Box "Zephyr is an intermediate-level red team simulation environment, designed to be attacked as a means of learning and honing your engagement skills and improving your active directory enumeration and exploitation skills. Zephyr includes a wide range of essential Active Directory flaws and misconfigurations to allow players to get a foothold in corporate environments."

When running phishing campaigns, I use a number of tools.  For the mass, quarterly, security awareness training, I use the platform in Proofpoint.  For a more dynamic situation, I might use GoPhish.  For something quick and dirty for snagging credentials, I might use Evilginx2.  

From their Github:  "Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection."

The terms vulnerability assessment and penetration test are often used synonymously but they are not the same thing.  This post is a perfect example of something that would not get identified during a vulnerability assessment and showcases the difference between it and a penetration test.  

During a recent penetration test, I discovered a Microsoft SQL Server.