Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller
Browsing all 1156 articles

Free Shells with Plink and Pageant

In his DEFCON 20 talk, Egypt mentioned the ability to jump onto a system when Pageant (PuTTY's ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here...

Old School On-target NBNS Spoofing

One of pen testers' favorite attacks is NBNS spoofing. Now Wesley, who I originally learned this attack from, traced this back to sid...

Old School On-target NBNS Spoofing - Part 2

So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP,...

Completely In-memory Mimikatz with Metasploit

Executing WCE.exe in memory, as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram, has two issues with it. 1, you leave a file...

Dirty Little Secrets They Didn't Teach You In Pentest Class - Part 2 (Video)

Meet “q” – Free Metasploit Exploit Pack

Once you're done staring at the Star Trek deity above (it's a staring contest you will lose, since you are such a simplistic race), I pull your attention to: https://github.com/mubix/q This repository /...

Lab Setup - Windows Proxy and Egress Filtering

pfSense is an excellent free way of including a firewall / IDS / proxy in your lab or VMs. It runs small and fast, but as simple as pfSense is, sometimes you need a bit less complexity and speed of...

Compiling and Release of Netview

If you haven't caught Chris Gates's (@carnal0wnage) and my talk at DerbyCon 2012: we released two tools, Netview and Ditto. Here I'll walk you through compiling Netview yourself; in the next blog post...

Compiling and Release of Ditto

If you follow the exact same steps you did for Netview (/blog/2012/10/07/compiling-and-release-of-netview/), then you already have the steps needed to create a compiled version of Ditto from the repo...

Pass the Hash without Metasploit - Part 2

I read this article a while back: http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html by @FuzzyNop. Great article showing the use of WCE's "-s" flag to Pass-The-Hash locally, and I...

UAC AlwaysNotify Bypass-ish

UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (RID 500) ACCOUNT AND PASSWORD (MY MISTAKE FOR NOT TESTING MORE). So the "-ish" is that you need to have the username and password of another account that has...

Mounting SMB shares over Meterpreter

OK, this is pretty straightforward, no magic: got a shell (it doesn't have to be SYSTEM); add a route to the internal range, or directly to the host you want, over the session you want; mosey on over to the...

Setting SYSTEM's proxy settings with Metasploit

One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls of this is that SYSTEM doesn't have proxy settings, nor do users who have never logged...

AXFR for DNSSEC: DNSSEC Walker

TL;DR: DNSSEC Walker walks a domain's DNSSEC NSEC chain to enumerate its regular DNS records, much like a zone transfer (AXFR) would. I like to go through the slides of cons I can't make it out to, and Hack in the Box (HITB) KUL (Malaysia) was...
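What "walking" a signed zone means, as an added example that is not DNSSEC Walker's own code and not part of the post: each NSEC record names the next owner name in the zone, so following the pointers from the apex until they wrap back around lists every name the zone contains. The zone data below is constructed, and `lookup_nsec` stands in for the NXDOMAIN query a real walker would send (asking for a name just past the current one and reading the NSEC in the authority section); the function names are my own.

```python
# Constructed sample zone (not real DNS data): owner name -> (NSEC "next name", types present at owner).
SAMPLE_NSEC = {
    "example.com.":      ("ftp.example.com.",  ["A", "NS", "SOA", "MX", "DNSKEY", "RRSIG", "NSEC"]),
    "ftp.example.com.":  ("mail.example.com.", ["A", "RRSIG", "NSEC"]),
    "mail.example.com.": ("www.example.com.",  ["A", "AAAA", "RRSIG", "NSEC"]),
    "www.example.com.":  ("example.com.",      ["A", "RRSIG", "NSEC"]),   # last name wraps to the apex
}

# DNSSEC housekeeping types that say nothing about the zone's "regular" content.
_DNSSEC_TYPES = {"RRSIG", "NSEC"}


def lookup_nsec(name, zone=SAMPLE_NSEC):
    """Stand-in for an NSEC query against the authoritative server.

    A real walker sends a query for a name that sorts just after `name`; the
    NXDOMAIN answer carries the NSEC record proving the gap, and that record
    exposes the next existing owner name. Here we just read the constructed map.
    """
    return zone.get(name)


def walk_nsec(apex, zone=SAMPLE_NSEC, max_steps=100000):
    """Follow the NSEC chain from `apex` until it wraps back to `apex`.

    Returns [(owner_name, [regular record types]), ...] in zone order, which is
    the same inventory an AXFR would hand you. Raises ValueError on a broken
    chain (no NSEC at a name, e.g. an NSEC3 zone) or a loop that never returns
    to the apex, so a hostile server cannot keep the walker spinning forever.
    """
    names = []
    seen = {apex}
    current = apex
    for _ in range(max_steps):
        rec = lookup_nsec(current, zone)
        if rec is None:
            raise ValueError(f"no NSEC for {current}: zone may be unsigned or use NSEC3")
        nxt, types = rec
        names.append((current, [t for t in types if t not in _DNSSEC_TYPES]))
        if nxt == apex:
            return names          # chain closed: every owner name has been seen
        if nxt in seen:
            raise ValueError(f"NSEC chain loops at {nxt} without returning to {apex}")
        seen.add(nxt)
        current = nxt
    raise ValueError("NSEC chain longer than max_steps; giving up")


if __name__ == "__main__":
    for owner, types in walk_nsec("example.com."):
        print(f"{owner:20s} {' '.join(types)}")
```

NSEC3 zones hash the owner names, so this exact walk fails there (the `ValueError` branch); that is the reason NSEC3 exists.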

lm2ntlm with John the Ripper

Since I didn't see any documentation on how to take an LM hash that you've cracked and convert it to the NTLM equivalent all in one place, and I Google how to do it almost every time, I wanted to...

BypassUAC got a facelift

Dave Kennedy and Kevin Mitnick submitted the "bypassuac" post module to Metasploit a while back (last DerbyCon?), which is awesome, and they did some fantastic work, but I had a few complaints as...

Finding Admin Access

You've got a shell and a set of credentials, but you're coming up empty on what you can do with those credentials. This is especially problematic when you can't get past UAC, as you are either in a...

Smash and Grab: Windows Dir Lists

Looking through network shares can be slow, and waiting for individual searches to finish going through the whole "drive" is redundant. It's easier to just use some Windows voodoo to get a good list to...

EXE::Custom in Metasploit's Java Exploits

Let me say first off that this isn't the most elegant way to accomplish it. It is in the "it works for me" stage. A quick primer on EXE::Custom: this is a setting, just like RHOST in Metasploit...

Delete TrustedInstaller-only Files and Folders

Not very security related, but something I don't want to forget how to do. It was a PITA. So I had an old WINDOWS directory that I needed to get rid of, and the following commands gave me the oomph...
