recentpopularlog in

whip_lash : dotnet   9

.NET Internals Cookbook Part 0 — Table of contents – Random IT Utensils
In this series I answer various .NET questions. Some of them are asked during interviews, some of them I see on the internet, some of them are completely made up. The goal is to provide short answer with links to references if needed. This is by no means a .NET tutorial or experts reference, this is just a bunch of useful answers to refresh your knowledge.
4 weeks ago by whip_lash
Running a .NET Assembly in Memory with Meterpreter
For this article we will attempt to execute Seatbelt on the target box to help identify various PrivEsc routes. This guide will walk through the steps necessary to execute the Seatbelt assembly in-memory with our current Meterpreter foothold, much like we would do if our C2 framework was Cobalt Strike.
dotnet  metasploit  exploit  memory  pentest  windows 
6 weeks ago by whip_lash
Favorite tweet:

There has been some really awesome .NET research done recently, this whitepaper is a great reference when you come across .NET deserialization bugs/when code auditing. Machines running .NET have just become so much easier to own:

— shubs (@infosec_au) April 4, 2019
dotnet  webapp  pentest  deserialization 
7 weeks ago by whip_lash
SharpPack: The Insider Threat Toolkit – MDSec
Most of our favourite tools in the red team arsenal are developed in DotNet or PowerShell and there exists numerous ways to execute these from memory when operating from your implant such as CobaltStrike’s powerpick and execute-assembly methods. In our use case, we were operating without an implant but still wanted to reap the benefits of GhostPack, Internal Monologue et al and therefore we had to get a little more creative with our tradecraft. As previously noted, we were operating in an environment with tight application whitelisting so recompiling and obfuscating our chosen tools was just not an option. We did however observe two notable opportunities to get code execution as the environment made heavy use of VBScript (thanks Tanium :)) and locally created Office Macro enabled documents.
dotnet  malware  pentest  vbscript 
december 2018 by whip_lash
Injecting .Net Assemblies Into Unmanaged Processes - CodeProject
.Net is a powerful language for developing software quickly and reliably. However, there are certain tasks for which .net is unfit. This paper highlights one particular case, DLL injection. A .net DLL (aka managed DLL) cannot be injected inside a remote process in which the .net runtime has not been loaded. Furthermore, even if the .net runtime is loaded in a process one would like to inject, how can methods within the .net DLL be invoked? What about architecture? Does a 64 bit process require different attention than a 32 bit process? The goal of this paper is to show how to perform all of these tasks using documented APIs.
dotnet  exploit  programming 
september 2018 by whip_lash
0xd4d/dnSpy: .NET debugger and assembly editor
dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.
debugging  decompiler  dotnet  tools 
january 2018 by whip_lash
ILSpy is the open-source .NET assembly browser and decompiler.
dotnet  tools  decompiler  assembly 
august 2017 by whip_lash

Copy this bookmark:

to read