Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller
Browsing all 1156 articles

phDays in Moscow

A friend of mine is presenting at phDays in Moscow at the end of May. If you are in the area, or can be, I would highly recommend you attend, and in particular his talk. His blog is here:...

Jasager - Past, Present and Future

If you haven’t heard already about Jasager.. well you probably don’t read this blog, but for those who want to know a bit more about the history of Jasager - Karma on the Fon, where the project is now,...

DerbyCon Training (Sep 27-28 2012)

@egypt and I have teamed up this year to teach at DerbyCon at the end of September. Here is the very basic outline of the class and subject to change: (Sign up here:...

Sticky Keys and Utilman against NLA

At CCDC, Sticky Keys via RDP was a very successful re-entry point for the Red Team. You can read more about how this works here:...

Post Exploitation with PhantomJS

If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it’s a “Full Web Stack with No Browser Required”, basically it’s a GUI-less browser. One of the magical “example” files that it has...

SUDOERS Commented Includes used for Evil

I found a number of things interesting when reading the following post: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/ Too bad that nmap’s interactive mode was taken out, but...

Integration of Mimikatz into Metasploit Stage1

One of the powers of Metasploit is its ability to stay memory resident. Through the use of reflective DLL injection even keeping new functionality the attack loads from ever touching disk. Well, the...

Companies that give back with free tools

Penetration Testing / Red Teaming requires the use of a lot of tools. I don’t mind getting called a “script kiddie” because I can accomplish more and faster when I don’t have to code every single task...

Evidence of Compromise - Metasploit's PSEXEC

Was messing with the Windows service binaries in Metasploit today and I noticed something unique I hadn’t noticed before. For the PSEXEC module, the service name (actually just the display name,...

Netstat Post Module for Meterpreter

Submitted it to MSF via pull request here: https://github.com/rapid7/metasploit-framework/pull/538 Added to trunk:...

Presence, Persistence, and Pivoting

Everyone does things differently, and explaining what goes through an attacker’s head when they get a shell is virtually impossible and even more so to generalize into a methodology, but I’ve tried to...

Bypassing Trend Micro's Service Protection

@jabjorkhaug posed the following question on Twitter today: I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as: The service binary that is used as...

Cross-Protocol Chained Pass the Hash for Metasploit

Every so often someone writes a Metasploit Module that is pretty epic. Today is one such day: Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536 Which has a link to here:...

Raising Zombies in Windows: Part 1 - Passwords

With the use of Mimikatz and WCE, clear text passwords are much more common. What isn’t always there is the user. They take lunches, go home at a reasonable time and generally aren’t really...

Free Ticket Contest - Metasploit Mastery at DerbyCon

Egypt and I have decided to give away a spot in our training event at DerbyCon. This won’t come easy though, you have to submit an essay to us with one of the following topics: Essay Topic Options: 1....

LetMeOutOfYour.NET – Intro

Something that is often useful is a known-good. Something out of the control of your adversary or outside modifiers. But back to that in a sec, egress ‘busting’ or getting your...

LetMeOutOfYour.NET – Server Build

In the previous post: http://www.room362.com/blog/2012/8/11/let-me-out-of-your-net-workndashintro.html I told you about letmeoutofyour.net, but how does it work? Things we need to accomplish on the...

Post Exploitation Command Lists - Request to Edit

The post exploitation command lists: Linux/Unix/BSD Post Exploitation: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit Windows Post Exploitation:...

Free Shells with Plink and Pageant

Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump on a system when pageant (PuTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here...

Old School On-target NBNS Spoofing

One of pen testers’ favorite attacks is NBNS spoofing. Now Wesley who I originally learned this attack from, traced this back to sid...
