recentpopularlog in

whip_lash : pentest   278

« earlier  
WSH Injection: A Case Study – Posts By SpecterOps Team Members
Some environments use whitelisting to prevent unsigned Windows Scripting Host (WSH) files from running, especially with the rise of malicious .js or .vbs files. However, by “injecting” our malicious code into a Microsoft signed WSH script, we can bypass such a restriction.
whitelist  pentest 
3 days ago by whip_lash
How to Bypass Application Whitelisting & AV - Black Hills Information Security
Here, we will show you one method of bypassing some application whitelisting products.
3 days ago by whip_lash
Gambler - Hacking and other stuffs
Recently I posted how to get ssh password using strace, but it’s no 100% effective, because the strace output changes on different distros, so searching for another approach I found this site ChokePoint where they show how to create a PAM module using python to log failed attempts on ssh, now all I have to do, was change where they log the password.
ssh  pentest 
3 days ago by whip_lash
cloudtracer/paskto: Paskto - Passive Web Scanner
Paskto will passively scan the web using the Common Crawl internet index either by downloading the indexes on request or parsing data from your local system. URLs are then processed through Nikto and known URL lists to identify interesting content.
webapp  pentest 
5 days ago by whip_lash
Replicator helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file which contains the findings in the report. Each finding includes a request, associated session rules or macros, and logic to detect presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable.
burp  webapp  pentest  report 
5 days ago by whip_lash
If you haven't already killed Lotus Notes, IBM just gave you the perfect reason to do it now, fast • The Register
All that's needed to reproduce the bug, Borup wrote, is to compile his proof-of-concept code and give it a static link as MSIMG32.dll; copy that file to C:\windows\temp; and run sc control lnsusvc 136 at the command line.
ibm  lotusnotes  security  pentest 
5 days ago by whip_lash
VENOM 1.0.15 - Metasploit Shellcode Generator/Compiler/Listener - KitPloit - PenTest Tools for your Security Arsenal ☣
The script will use msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll | msi | hta-psh ) injects the shellcode generated into one template (example: python) "the python funtion will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file, also starts a multi-handler to recive the remote connection (shell or meterpreter session).
malware  pentest 
6 days ago by whip_lash
Feature, not bug: DNSAdmin to DC compromise in one line
We will shallowly delve into the protocol’s implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin.
dns  domain  activedirectory  exploit  privesc  pentest  security 
6 days ago by whip_lash
SSH Hijacking for lateral movement | xorl %eax, %eax
By setting MaxSessions to 1 you can disable ControlMaster/session multiplexing and each new session will require a complete new connection that includes the authentication step. However, if you don’t, then regardless of how strong authentication method you are employing for your users, an attacker only has to get code execution to one of your user’s endpoints and wait for that user to SSH somewhere. The attacker can look for the open connections by inspecting the directory specified by ControlPath directive on the client’s side or just using common tools like netstat. Then, if the attacker attempts to open an SSH session to a host that it is already in the ControlMaster, it will require no authentication or establishing a new connection as it is re-using the existing one.
pentest  ssh  security 
12 days ago by whip_lash
Public Release of Hate_Crack - Automated Hash Cracking Techniques with HashCat - TrustedSec
Martin Bos covered several of these attacks in a previous post, describing his methodology for cracking the LinkedIn hash dump of 2012. If you don’t know Martin (formerly known as pure_hate), he is a long-standing member of Team Hashcat, has competed in several hash cracking contests, and has an unhealthy obsession with cracking hashes. The sharing of his methodology inspired the creation of this script, so that our team could up their hash cracking game.
hash  hashcat  hashes  pentest 
15 days ago by whip_lash
Enumdb - MySQL and MSSQL Brute Force And Post Exploitation Tool To Search Through Databases And Extract Sensitive Information - KitPloit - PenTest Tools for your Security Arsenal ☣
Enumdb is brute force and post exploitation tool for MySQL and MSSQL databases. When provided a list of usernames and/or passwords, it will cycle through each looking for valid credentials.
database  sql  MySQL  bruteforce  pentest 
25 days ago by whip_lash
CNIT 127: Exploit Development -- Sam Bowne
Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; essential skills for advanced penetration testers and software security professionals.
Advisory: CS 110A or equivalent familiarity with programming
pentest  exploit  development  programming  security  learning  class 
26 days ago by whip_lash
smb2-vuln-uptime NSE Script
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.

Remember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime, no additional probes are sent.
smb  pentest  nmap  nse  vulnerability  scanner 
4 weeks ago by whip_lash
http-form-brute NSE Script
Performs brute force password auditing against http form-based authentication.
namp  nse  pentest  webapp  bruteforce 
4 weeks ago by whip_lash
GitHub - dzonerzy/winescalation: Python based module to find common vulnerabilities which lead to Windows privilege escalation
This is a Python based module for fast checking of common vulnerabilities affecting windows which lead to privilege escalation
python  windows  privilegeescalation  privesc  pentest  security 
4 weeks ago by whip_lash
evilsocket/bettercap: A complete, modular, portable and easily extensible MITM framework.
bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
github  security  pentest  mitm 
4 weeks ago by whip_lash
mitm6 – compromising IPv4 networks via IPv6 | Fox-IT International blog
Running the attack itself is quite straightforward. First we start mitm6, which will start replying to DHCPv6 requests and afterwards to DNS queries requesting names in the internal network. For the second part of our attack, we use our favorite relaying tool, ntlmrelayx. This tool is part of the impacket Python library by Core Security and is an improvement on the well-known smbrelayx tool, supporting several protocols to relay to. Core Security and Fox-IT recently worked together on improving ntlmrelayx, adding several new features which (among others) enable it to relay via IPv6, serve the WPAD file, automatically detect proxy requests and prompt the victim for the correct authentication. If you want to check out some of the new features, have a look at the relay-experimental branch.

To serve the WPAD file, all we need to add to the command prompt is the host is the -wh parameter and with it specify the host that the WPAD file resides on. Since mitm6 gives us control over the DNS, any non-existing hostname in the victim network will do. To make sure ntlmrelayx listens on both IPv4 and IPv6, use the -6 parameter. The screenshots below show both tools in action, mitm6 selectively spoofing DNS replies and ntlmrelayx serving the WPAD file and then relaying authentication to other servers in the network.

hash  relay  ipv6  mitm  pentest  security 
5 weeks ago by whip_lash
10 common mistakes aspiring/new pentesters make – PentesterLab
Reversing and writing exploits are amazing things to do and you should definitely look into these two domains. However, if you want to break into infosec and score your first job, you need to be good at web (and mobile and network to a lesser extend) security. Most pentesting companies have a lot of their workload composed of web testing and this is not going to change in the next few months. Furthermore, they also have seniors people who are dying to do more research and will probably have priority on all the reversing/exploit writing jobs. So if you want to increase your likelihood of getting hired, you need to become a gun at web pentesting.

pentest  jobs  career 
5 weeks ago by whip_lash
Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
The attackers arsenal consisted of modified publicly-available tools as well as six undocumented custom-built tools, which Cybereason considers the threat actor’s signature tools. Among these tools are two backdoors that exploited DLL sideloading attack in Microsoft, Google and Kaspersky applications. In addition, they developed a novel and stealthy backdoor that targets Microsoft Outlook for command-and-control channel and data exfiltration.

apt  security  pentest 
5 weeks ago by whip_lash
Who can add workstation to the domain – Dubai Security Blog
So taking into consideration above 2 items, by default any authenticated user can join up to 10 machines to the domain.
activedirectory  security  pentest 
5 weeks ago by whip_lash
Web Application Firewall (WAF) Evasion Techniques – secjuice™ – Medium
Why using ? instead of *? Because the asterisk (*) is widely used for comment syntax (something like /* hey I’m a comment */) and many WAF blocks it in order to avoid SQL Injection… something like UNION+SELECT+1,2,3/*
waf  hacking  pentest  security 
5 weeks ago by whip_lash
Top 32 Nmap Command Examples For Sys/Network Admins - nixCraft
The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:
nmap  pentest 
6 weeks ago by whip_lash
Abusing Microsoft Word Features for Phishing: “subDoc” - Rhino Security Labs
In the above configuration, we’re telling Word to open a sub-document over the network using a UNC path which points external to their network. The destination IP address, in this case, is a VM instance that we control, hosted by a cloud provider which allows incoming SMB requests.

At this point, we’re able to load which allows us to listen for incoming SMB requests and collect the respective NTLMv2 hashes.
hashes  Microsoft  office  vulnerability  pentest  responder  security 
6 weeks ago by whip_lash
Cracking Encrypted PDFs – Part 1 | Didier Stevens
In this series of blog posts, I’ll explain how I decrypted the encrypted PDFs shared by John August (John wanted to know how easy it is to crack encrypted PDFs, and started a challenge).

Here is how I decrypted the “easy” PDF (encryption_test).
pdf  hacking  pentest  security 
6 weeks ago by whip_lash
Relayer - SMB Relay Attack Script - KitPloit - PenTest Tools for your Security Arsenal ☣
Relayer is an SMB relay Attack Script that automates all the necessary steps to scan for systems with SMB signing disabled and relaying authentication request to these systems with the objective of gaining a shell. Great when performing Penetration testing.
smb  pentest  windows 
7 weeks ago by whip_lash
Responder -> MultiRelay -> Mimikatz -> Crackmapexec ->Windows PWNage - GameOfPWNZ
For this post, we’re going to do a scenario-based usage of the following tools: responder,, mimikatz, and crackmapexec.
windows  pentest 
8 weeks ago by whip_lash
GOWPT - Go Web Application Penetration Test - KitPloit - PenTest Tools for your Security Arsenal ☣
GOWPT is the younger brother of wfuzz a swiss army knife of WAPT, it allow pentester to perform huge activity with no stress at all, just configure it and it's just a matter of clicks.
webapp  pentest 
8 weeks ago by whip_lash
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
tl;dr Evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect. Merlin is post-exploitation tool that is easily cross-compiled to run on any platform to achieve command and control of a host.
pentest  security  c2  c&c 
8 weeks ago by whip_lash
Hacking the Hackers: Leveraging an SSRF in HackerTarget
I created another PHP file on my server that would redirect the API to the internal SMTP server and issue the valid SMTP commands!
ssrf  hacking  pentest 
8 weeks ago by whip_lash
This is a compressed, really SHORT guide to assist you in navigating your way through the SANS Holiday Hack CTF based on their past challenges and my observations over time. Whether or not you are successful (completing all the challs) is not the point of this exercise. The idea is to have fun, hopefully learn new techniques and grow as a security researcher, pentester, hacker, whatever you identify as.  
holidayhackchallenge  sans  ctf  pentest 
9 weeks ago by whip_lash
net-creds - Sniff Passwords From Interface or PCAP File
net-creds is a Python-based tool for sniffing plaintext passwords and hashes from a network interface or PCAP file – it doesn’t rely on port numbers for service identification and can concatenate fragmented packets.
pcap  pentest 
9 weeks ago by whip_lash
XPN InfoSec Blog
For many pentesters, Meterpreter's getsystem command has become the default method of gaining SYSTEM account privileges, but have you ever have wondered just how this works behind the scenes?

In this post I will show the details of how this technique works, and explore a couple of methods which are not quite as popular, but may help evade detection on those tricky redteam engagements.
pentest  security  privesc  privilegeescalation 
12 weeks ago by whip_lash
Application Threat Modeling using DREAD and STRIDE
DREAD Risk = (Damage + Reproduciblity + Exploitability + Affected Users + Discoverability) / 5. Calculation always produces a number between 10. Higher the number means more serious the risk is.
risk  webapp  pentest  report 
november 2017 by whip_lash
« earlier      
per page:    204080120160

Copy this bookmark:

to read