Clik here to view.
Cyber Pickpocketing
Drink!! So I’ve been working on a training package that takes a bit of a different approach than what I’ve normally done. The training breaks down like this: Day 1: Local LAN based exploit (Windows)...
View ArticleClik here to view.
Intro to White Chapel
I made a slide deck to kind of explain my latest project. Basically I got fed up with having dictionaries, passwords, and cracking tools but no way to really do better collaboration in a team format as...
View ArticleClik here to view.
Metasploit Mastery meets CanSecWest
In 2012 @egypt and I taught Metasploit Mastery for a day and a half @DerbyCon . This was a lot of fun but we had to cram a TON of slides into that short period of time. PLUS we had a CTF at the end...
View ArticleClik here to view.
ShmooCon 2013 Streaming
Thanks to @spatial_d for the tweet here: https://twitter.com/spatial_d/status/302253050725298176 I’m capturing it here more of a bookmark for myself: Build It:...
View ArticleClik here to view.
Compile NFSShell on Ubuntu
This is here because I always forget how to do it sudo apt-get install libtirpc-dev libncurses-dev wget http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz tar zxvf nfsshell.tar.gz cd nfs ln -s...
View ArticleClik here to view.
Blocking Java Exploits, Malicious Signed Applets, and 0days
The following has been a concept for me for a long time and recently I tweeted the idea which really put me under the fire to prove it. (re: justanidea hashtag) And a few people came up with some very...
View ArticleClik here to view.
Suggestions on what to do when a service you use gets compromised
It seems like every week there is a new compromise of some service or another. But as a user what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about...
View ArticleClik here to view.
Mounting NFS shares through Meterpreter with NfSpy
You’ve found an NFS share on a pentest, it’s sharing out your target’s home directories (/home) and some SAN with all of the Windows AD users “home” directories under /volumes/users/. You only have a...
View ArticleClik here to view.
Length Sorting Wordlists
This is one of those stupid simple things that are easy to forget so I’m posting it here. Wordlists and dictionaries are awesome for cracking password hashes, and although, thanks to things like...
View ArticleClik here to view.
Metasploit Mastery @BlackHatEvents USA 2013
Just a quick post to say that egypt and I will be giving Metasploit Mastery twice (2 x 2 day sessions) at BlackHat USA 2013. Come out and get your Metasploit on in Vegas w/ us Linky:...
View ArticleClik here to view.
Sessiondump Meterpreter Extension
Mimikatz is awesome right, so is WCE. But both have one fatal flaw, even though you can execute them in memory {link} - you still have to have the binaries, remember the command to execute it in...
View ArticleClik here to view.
Query all windows services config from the command line
This is how I did it: for /f "tokens=5 delims=" %A in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do sc qc %A Let me know if you know of a better way. If you don’t know why this could be...
View ArticleClik here to view.
Using Mimikatz Alpha or Getting Clear Text Passwords with a Microsoft Tool
Mimikatz is now built into Metasploit’s meterpreter, you can do load mimikatz from the meterpreter prompt, but if you don’t want to go through the hassle of dealing with AV, reverse or bind payloads,...
View ArticleClik here to view.
Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1
This and part 2 are mostly just an update to http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html but without the need for VSSOwn, that and we are doing it remotely without the need for...
View ArticleClik here to view.
Volume Shadow Copy NTDS.DIT Domain Hashes Remotely - Part 2
Part 2, we have the NTDS.dit file and the SYSTEM.hive file. First we need a few tools: From: http://www.ntdsxtract.com/ Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip wget...
View ArticleClik here to view.
Problems with blogging software
Problems are that everyone does this whole blogging thing in so many different ways. Me, personally? I like to have a client that I can save drafts it, work on things a little bit here and there and...
View ArticleClik here to view.
Unkillable Processes
Saw this post about a kernel bug in 64 bit Windows that is a DoS, it can also create an unkillable process: Blog post: http://waleedassar.blogspot.com/2013/02/kernel-bug-1-processiopriority.html...
View ArticleClik here to view.
Changing proxychains hardcoded DNS server
If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting for 4.2.2.2, if the org that you are going after doesn’t allow this...
View ArticleClik here to view.
Stealing passwords every time they change
Password Filters [0].aspx”) are a way for organizations and governments to enforce stricter password requirements on Windows Accounts than those available by default in Active Directory Group Policy....
View ArticleClik here to view.
AD Zone Transfers as a user
cross posted from: http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html The tired and true method for Zone Transfers are using either nslookup: nslookup ls -d domain.com.local...
View Article