Finding Admin Access
You've got shell, and a set of credentials but you're coming up empty on what you can do with those credentials. This is especially problematic when you can't get past UAC as you are either in a...

Smash and Grab: Windows Dir Lists
Looking through network shares can be slow, and waiting for individual searches to finish looking through the whole “drive” is redundant. Easier to just use some Windows voodoo to get a good list to...

EXE::Custom in Metasploit's Java Exploits
Let me say first off that this isn't the most elegant of ways to accomplish it. It is in the "it works for me" stage. A quick primer on EXE::Custom: This is a setting just like RHOST in Metasploit...

Delete TrustedInstaller-only Files and Folders
Not very security related, but something I don't want to forget how to do. It was a PITA. So I had an old WINDOWS directory that I needed to get rid of. And the following commands gave me the ooomph...

Cyber Pickpocketing
Drink!! So I've been working on a training package that takes a bit of a different approach than what I've normally done. The training breaks down like this: Day 1: Local LAN based exploit (Windows) Day...

Intro to White Chapel
I made a slide deck to kind of explain my latest project. Basically I got fed up with having dictionaries, passwords, and cracking tools but no way to really do better collaboration in a team format as...

Metasploit Mastery meets CanSecWest
In 2012 egypt and I taught Metasploit Mastery for a day and a half @DerbyCon. This was a lot of fun but we had to cram a TON of slides into that short period of time. PLUS we had a CTF at the end...

ShmooCon 2013 Streaming
Thanks to @spatial_d for the tweet here: https://twitter.com/spatial_d/status/302253050725298176 I'm capturing it here more of a bookmark for myself: Build It:...

Compile NFSShell on Ubuntu
This is here because I always forget how to do it:
sudo apt-get install libtirpc-dev libncurses-dev
wget http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
tar zxvf nfsshell.tar.gz
cd nfs
ln -s...

Blocking Java Exploits, Malicious Signed Applets, and 0days
The following has been a concept for me for a long time and recently I tweeted the idea which really put me under the fire to prove it. (re: justanidea hashtag) And a few people came up with some very...

Suggestions on what to do when a service you use gets compromised
It seems like every week there is a new compromise of some service or another. But as a user what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about...

Mounting NFS shares through Meterpreter with NfSpy
You've found an NFS share on a pentest, it's sharing out your target's home directories (/home) and some SAN with all of the Windows AD users "home" directories under /volumes/users/. You only have a...

Length Sorting Wordlists
This is one of those stupid simple things that are easy to forget so I'm posting it here. Wordlists and dictionaries are awesome for cracking password hashes, and although, thanks to things like...

Metasploit Mastery @BlackHatEvents USA 2013
Just a quick post to say that egypt and I will be giving Metasploit Mastery twice (2 x 2 day sessions) at BlackHat USA 2013. Come out and get your Metasploit on in Vegas w/ us. Linky:...

Sessiondump Meterpreter Extension
Mimikatz is awesome right, so is WCE. But both have one fatal flaw, even though you can execute them in memory {link} - you still have to have the binaries, remember the command to execute it in...

Query all windows services config from the command line
This is how I did it:
for /f "tokens=5 delims=\" %A in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do sc qc %A
Let me know if you know of a better way. If you don't know why this could be...

Using Mimikatz Alpha or Getting Clear Text Passwords with a Microsoft Tool
Mimikatz is now built into Metasploit's meterpreter, you can do load mimikatz from the meterpreter prompt, but if you don't want to go through the hassle of dealing with AV, reverse or bind payloads,...

Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part1
This and part 2 are mostly just an update to http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html but without the need for VSSOwn, that and we are doing it remotely without the need for...

Volume Shadow Copy NTDS.DIT Domain Hashes Remotely - Part 2
Part 2, we have the NTDS.dit file and the SYSTEM.hive file. First we need a few tools:
From: http://www.ntdsxtract.com/
Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget...

Dead Blog... for now
As you might have noticed, my blogging has all but stopped. I've become pretty fed up with the SquareSpace platform. It seems a lot more kludgy now that they are at version 6. I'm sure they will...