Psychological Warfare with NirCMD
One of the best ways to throw blue teamers off the scent of another host getting owned, which also has the added effect of stressing them out, is a batch script that runs through some of the more...
Metasploit VNC Password Extraction
Chris Gates wrote a blog post about the ‘getvncpw’ meterpreter script. I ran into the same issue on Penetration Tests in the past but didn’t know much about the wacked out version of DES that RFB (the...
IPv6 Attacks
This is probably the most practical and applicable IPv6 talk I’ve ever seen. Amazing job. Rick Hayes - Assessing and Pen-Testing IPv6 Networks from Adrian Crenshaw on Vimeo.
Exploitable Mobile App Challenge
Original Post: http://blog.nvisiumsecurity.com/2011/04/exploitable-mobile-app-challenge-now.html You can read the details on the above link, but it boils down to you make an application for iPhone or...
Dumping Hashes on Win2k8 R2 x64 with Metasploit
When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the “The parameter is incorrect” error in meterpreter. So I’ve had to fall back on dropping binaries which I...
Remote DLL Injection with Meterpreter
Recently Didier Stevens wrote ‘Suspender.dll’ which is a DLL that will suspend a process and all of its child processes after a delay. 60 seconds is its default but you can rename the DLL to add a...
Remotely Suspend All Threads with Meterpreter
Just a follow up to my previous post. One of the things that sets that method apart is the fact that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all...
Metasploit Payloads Explained - Part 1
Payload selection is something that rarely gets talked about in detail. Most PoCs just use calc.exe, netcat, or some kind of socket. The vast majority of Metasploit tutorials, videos and documentation...
Metasploit Payloads Explained - Part 1a
In Part 1 I gave an example I used at CCDC with the single ‘windows/download_exec’. One of the down sides of that payload is you need to host the binary, giving up an IP/host that can be blocked. Well,...
fxsst.dll persistence: the evil fax machine
Nick Harbour wrote a post on Mandiant's blog about some Malware that was using a dll called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a Fax...
NoVA Hackers - 3 years old and still going strong
I missed the 3 year anniversary of NoVA Hackers but I did want to make a post about it since we are still going strong and are now at ~150 active members. Chris Gates and I started this thing together...
GPU Cracking Complaints
I’ve been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my Go-to for allowing me to visualize the process and do some basic...
Metasploit Payloads Explained - Part 1b
This series was interrupted a bit by the new Metasploit HTTP/HTTPS payloads (more info). Definitely not complaining though as the new features (as will be discussed in part 2) are some epic new...
Minimum Password Length of 15 or more via GPO
Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM...
Railgun Error Checking
One important thing to note about Railgun is that you are querying the API and just as if you were using C++ the API you are calling just might not be there on the system you are trying to call it on....
IP Resolution Using Meterpreter’s Railgun
I saw a post back in June and it just recently came up again: http://www.securityartwork.es/2011/06/01/dns-port-forwarding-con-meterpreter/ It looked like a lot of hard work to set that up and I’m...
Populating Your Virtual Victim Domain
Update 1: No this doesn’t need to be in memory since you control the system but it was a fun challenge Update 2: The info from the ‘adduser’ payload says ‘Create a new user and add them to local...
IIS Search Verb Directory Listing
This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts, this is an old vuln) and is very useful: Send this: SEARCH / HTTP/1.1 Host: target Content-Type: text/xml Content-Length:...
Wim Remes (@wimremes) for (ISC)2 Board of Directors
I am way late to the game on this, but if you have a blog, a twitter handle, or even better (in this specific case) a CISSP, please support Wim Remes (@wimremes), as he has submitted to become a member...