whip_lash : pentest   558

Confessions Of a VOIP Hacker - The Cisco Learning Network
Folks are looking for quicker ways to get the VOIP system to start paying for itself. VOIP savings are really like trying to justify the savings of being more secure. Oh sure we tech type folks know the real savings and true **** saving grace that security and in house managed VOIP provides. The problem is the Poindexter in Accounting doesn’t see it. Using the Internet as a trunk provider really provides some serious cash savings on the back end. The problem is many SIP/H323 trunks a...
voip  hacking  voice  pentest  sip 
7 days ago by whip_lash
Attacking QA platforms: Selenium Grid -
If it is possible to subscribe a new node controlled by the Red Team to the Selenium Grid, it could be used to obtain the test parameterizations. In certain cases, such as test cases where a valid session is needed, it becomes likely to obtain credentials or other authentication methods.

In a scenario in which a node instance can be set, if that node has the Google Chrome browser available, Remote Command Execution becomes trivial through its command line flags.
selenium  pentest  exploit 
11 days ago by whip_lash
GitHub - evilmog/ntlmv1-multi: NTLMv1 Multitool
NTLMv1 Multitool

This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
hash  hashcat  ntlm  cracking  pentest 
11 days ago by whip_lash
Running a .NET Assembly in Memory with Meterpreter
For this article we will attempt to execute Seatbelt on the target box to help identify various PrivEsc routes. This guide will walk through the steps necessary to execute the Seatbelt assembly in-memory with our current Meterpreter foothold, much like we would do if our C2 framework was Cobalt Strike.
dotnet  metasploit  exploit  memory  pentest  windows 
11 days ago by whip_lash
SecuritySynapse: Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-PSK
In our previous article we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network to showcase the abilities of this inexpensive and flexible setup.  In this article we will continue to test our setup by attacking our home router running WPA (Pre-Shared Key) PSK--walking you through the attack from start to finish.
cybersecurity  kali  pentest  wireless 
12 days ago by whip_lash
GitHub - Coalfire-Research/DeathMetal: Red team & penetration testing tools to exploit the capabilities of Intel AMT
dm_pickles - Duckyscript interpreter that communicates over AMT KVM (vnc) and injects keystrokes.
dm_toki - IDE-R implementation - lets you attach floppy and CD images remotely to the target computer.
dm_nathan - Is a cli that allows for configuring AMT via authenticated channel
dm_rockso - Presence and version scanner, can help you find AMT capable systems regardless of provisioning status. (works even if explicitly not-enabled)
intel  amt  scanner  pentest  hardware  bmc 
12 days ago by whip_lash
Finding Weaknesses Before the Attackers Do « Finding Weaknesses Before the Attackers Do | FireEye Inc
Mandiant consultants posed as helpdesk technicians and informed employees that their email inboxes had been migrated to a new company server. To complete the “migration,” the employee would have to log into the cloned OWA portal. To avoid suspicion, employees were immediately redirected to the legitimate OWA portal once they authenticated. Using this campaign, the red team captured credentials from eight employees which could be used to establish a foothold in the client’s internal n...
redteam  socialengineering  pentest  osint 
14 days ago by whip_lash
nmap/lu-enum.nse at master · nmap/nmap · GitHub
When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, C...
mainframe  pentest  telnet  nmap  scanner 
15 days ago by whip_lash
Windows Command Line cheatsheet (part 2): WMIC | So Long, and Thanks for All the Fish
Favorite tweet:

Windows Command Line cheatsheet (part 2): WMIC

- Bookmark this! Saved my day several times 😉#infosec #pentest #redteam https://t.co/POPWbdZqU3

— Florian Hansemann (@HanseSecure) April 6, 2019
windows  wmic  pentest 
16 days ago by whip_lash
www.nccgroup.trust
Favorite tweet:

There has been some really awesome .NET research done recently, this whitepaper is a great reference when you come across .NET deserialization bugs/when code auditing. Machines running .NET have just become so much easier to own: https://t.co/xdo5YYgYto

— shubs (@infosec_au) April 4, 2019
dotnet  webapp  pentest  deserialization 
18 days ago by whip_lash
GitHub - PaulSec/awesome-windows-domain-hardening: A curated list of awesome Security Hardening techniques for Windows.
Favorite tweet:

Awesome Windows Domain Hardening. A curated list of awesome Security Hardening techniques for Windows, by @PaulWebSec https://t.co/XLlqLjMWKV

— DirectoryRanger (@DirectoryRanger) March 28, 2019
domain  hardening  security  windows  list  pentest 
25 days ago by whip_lash
GitHub - SadProcessor/CypherDog: PoSh BloodHound Dog Whisperer
Favorite tweet:

🐶 Uploaded latest CypherDog
[BloodHound2.1+#PowerShell]
& Demo Code from @WEareTROOPERS https://t.co/cHRO0vPUqt

— Walter.Legowski (@SadProcessor) March 25, 2019
bloodhound  powershell  activedirectory  pentest 
27 days ago by whip_lash
Freevulnsearch - Free And Open NMAP NSE Script To Query Vulnerabilities Via The cve-search.org API - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
This NMAP NSE script is part of the Free OCSAF project - https://freecybersecurity.org. In conjunction with the version scan "-sV" in NMAP, the corresponding vulnerabilities are automatically assigned using CVE (Common Vulnerabilities and Exposures) and the severity of the vulnerability is assigned using CVSS (Common Vulnerability Scoring System). For more clarity, the CVSS are still assigned to the corresponding v3.0 CVSS ratings:
Critical (CVSS 9.0 - 10.0)
High (CVSS 7.0 - 8.9)
Medium (CVSS 4.0 - 6.9)
Low (CVSS 0.1 - 3.9)
None (CVSS 0.0)
nmap  scan  pentest  cve  cvss  script  lua 
29 days ago by whip_lash
Update PoC code to try /sbin/ip if /sbin/ifconfig is not available. Tested with Ubuntu 18.04, 4.8.0-34-generic #36~16.04.1-Ubuntu and Docker 18.09.3 · GitHub
// This exploit combines exploitation of two vulnerabilities:
// - CVE-2017-18344 (OOB read in proc timers)
// - CVE-2017-1000112 (OOB write due to UFO packet fragmentation management)
// Both original exploits were written by Andrey Konovalov.
linux  kernel  privesc  privilegeescalation  pentest 
5 weeks ago by whip_lash
wp_the_ropemaker_email_exploit.pdf
People commonly expect the content of Web pages to be dynamic - able to change moment-to-moment - but do not expect their email to do so as well. Email in many cases is treated more like a snail mail letter - once sent never changing - whereas Web pages are understood to be more like TV stations with a continuously changing flow of visual, audio, and text content. The techniques behind ROPEMAKER are thus another potential email-based attack vector that we expect attackers to leverage as they continually evolve from one technique to the next.
phishing  ropemaker  pentest 
5 weeks ago by whip_lash
Penetration Testing Active Directory, Part II – root@Hausec
Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but since this is pentesting AD, we’re going to exploit some AD things in order to elevate privileges.
activedirectory  privilegeescalation  windows  pentest 
5 weeks ago by whip_lash
GitHub - TH3xACE/SUDO_KILLER: Script written in bash to exploit sudo misconfigurations and vulnerabilities
Script written in bash to assist in the exploitation of sudo (Misconfiguration + Vulnerabilities)
sudo  vulnerability  pentest 
6 weeks ago by whip_lash
GitHub - stevenaldinger/decker: Declarative penetration testing orchestration framework
Decker is a penetration testing orchestration framework. It leverages HashiCorp Configuration Language 2 (the same config language as Terraform) to allow declarative penetration testing as code, so your tests can be versioned, shared, reused, and collaborated on with your team or the community.
pentest  devsecops  security  tools 
6 weeks ago by whip_lash
GitHub - nikallass/sharesearch: Samba, NFS shares spider and grepper
Favorite tweet:

Need privilege escalation? Have access to SMB and NFS shares? Automate looking for credentials!

1) pip3 install -r requirements.txt
sudo apt-get install cifs-utils
2) git clone https://t.co/oG040moAQT
3) python3 https://t.co/PiA2r24vU4 -p all -w -v -H hosts.lst -C creds.lst pic.twitter.com/7kvsSeNs1D

— Paul Seekamp (@nullenc0de) March 2, 2019
smb  windows  pentest  shares  recon 
7 weeks ago by whip_lash
data: URI image encoder
This form will allow you to generate a valid data: URI from a file on your computer or from a web site.
data  html  image  datauri  webapp  pentest 
9 weeks ago by whip_lash
GitHub - proxycannon/proxycannon-ng: A private botnet using multiple cloud environments for pentesters and red teamers. - Built by the community during a hackathon at the WWHF 2018 security conference
We've created an on-demand proxy tool that leverages cloud environments giving a user the ability to source (all) your traffic from an endless supply of cloud based IP addresses. Think of it as your own private TOR network for your redteam and pentest engagements.
proxy  pentest  cloud 
9 weeks ago by whip_lash
GitHub - sysdream/chashell
Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.
dns  shell  reverseshell  pentest 
9 weeks ago by whip_lash
Run any app from Ease of Access button on Windows 10 login screen
To open Command Prompt using the Ease of Access button from the Windows 10 login screen, set the Debugger value data to the following value
windows  pentest  debug  registry 
9 weeks ago by whip_lash
impacket/wmiexec.py at master · SecureAuthCorp/impacket · GitHub
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
# in the event log that smbexec.py does when creating a service.
wmi  psexec  pentest 
9 weeks ago by whip_lash
GitHub - FortyNorthSecurity/WMImplant: This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImpl
This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
wmi  c2  windows  pentest 
9 weeks ago by whip_lash
Hybrid Cobalt Strike Redirectors · Zach Grace
Working for an organization with a strict data security policy puts a few challenges on a Red Team, especially when it comes to building robust infrastructure. m0ther_ and I set out to build a robust, multi-redirector infrastructure similar to what Raphael Mudge described in his blog post, Cloud-based Redirectors for Distributed Hacking, except we wanted to host the team server on-prem. The post below describes two iterations of infrastructure we built to meet our needs.
cobaltstrike  c2  pentest 
10 weeks ago by whip_lash
GitHub - secabstraction/PowerCat: A PowerShell TCP/IP swiss army knife.
Favorite tweet:

PowerCat : A PowerShell TCP/IP swiss army knife : https://t.co/xIrOZmZxER

— Binni Shah (@binitamshah) February 9, 2019
cli  netcat  powershell  windows  pentest 
10 weeks ago by whip_lash
Introducing Armory: External Pentesting Like a Boss
We are introducing Armory, a tool that adds a database backend to dozens of popular external and discovery tools. This allows you to run the tools directly from Armory, automatically ingest the results back into the database and use the new data to supply targets for other tools.  
pentest  tools 
10 weeks ago by whip_lash
Abusing Exchange: One API call away from Domain Admin - dirkjanm.io
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Ex...
exchange  windows  security  pentest  activedirectory 
10 weeks ago by whip_lash
GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit tools
The default Active Directory ms-DS-MachineAccountQuota attribute setting allows all domain users to add up to 10 machine accounts to a domain. Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD.
dns  exploit  pentest  powershell  activedirectory 
10 weeks ago by whip_lash
XXE that can Bypass WAF Protection – Wallarm
Unfortunately, bypasses exist for the WAFs of both categories.

Below we show several methods the bad guys can use to fool a WAF and get XXE through.
xxe  waf  webapp  pentest 
11 weeks ago by whip_lash
Webinar #1 | GoToStage.com
Learn the basics of post-exploitation from advanced infosec professionals

Join Carlos Perez (@darkoperator) as he shares some of the post-exploitation methodology used by TrustedSec security consultants performed during actual attack simulations. Each of the four individual webinars will focus on specific aspects that will build upon each other to give a complete picture of the post-exploitation process. New tools will also be released during each individual webinar.
pentest  postexploitation  video 
11 weeks ago by whip_lash
Pentesting Cheatsheets - Red Teaming Experiments
Convenient commands for your pentesting / red-teaming engagements, OSCP and CTFs.
pentest  cheatsheets 
11 weeks ago by whip_lash
Sh00T - A Testing Environment for Manual Security Testers - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
Sh00t is a task manager to let you focus on performing security testing, provides To Do checklists of test cases, and helps to create bug reports with customizable bug templates.
pentest  security  tool  notes 
11 weeks ago by whip_lash
GitHub - TBGSecurity/splunk_shells: Weaponizing Splunk with reverse and bind shells.
This app is to help with penetration testing and Red Teaming within environments that have a Splunk deployment.

This app will allow the engineer to spawn a Reverse or Bind Shell from a Splunk server to allow the engineer to interact with the server and expand influence within the environment.
splunk  pentest 
january 2019 by whip_lash
Linux Privilege Escalation – Using apt-get/apt/dpkg to abuse sudo “NOPASSWD” misconfiguration – Logan S Diomedi – lsdsecurity
There are many well known and documented attack vectors for the sudo command that exist. Please see my Useful Resources page for the Windows & Linux Privilege Escalation piece that contains a ton of helpful knowledge in this category. Today, we’re going to be using a very poorly documented feature in apt-get when a normal user is allowed to execute apt-get as a root user. Let’s dive in!
linux  privesc  privilegeescalation  sudo  pentest  security 
january 2019 by whip_lash
us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.
templateinjection  webapp  pentest 
january 2019 by whip_lash
owasp_SSTI_final
Occurs when invalid user input is embedded into the template engine
• Often XSS attack occurs but SSTI can be missed
• Can lead to a remote code execution (RCE)
• Developer error or intentional exposure
templateinjection  webapp  pentest 
january 2019 by whip_lash
PRETty - "PRinter Exploitation Toolkit" LAN Automation Tool - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
PRETty is useful when a large number of printers are present on a network. Instead of scanning, logging, and manually running PRET against each individual printer, PRETty will automatically discover and run chosen PRET payloads against all printers on the target network. Additionally, PRETty can be used to automate command/payload delivery to any given list of printers (See the "Lists" section)
printer  pentest 
january 2019 by whip_lash
www.agarri.fr
Favorite tweet:

If you like this kind of @Burp_Suite tips, here's ~100 pages of them. That was published in 2013 but most of it is still valid. https://t.co/2UNQEtQZHV https://t.co/j1LUyEo0lD

— Nicolas Grégoire (@Agarri_FR) January 16, 2019
burp  proxy  pentest 
january 2019 by whip_lash
Kubernetes: unauth kublet API 10250 token theft & kubectl Carnal0wnage - Attack Research Blog Carnal0wnage & Attack Research Blog
do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your post request to exec within a pod so we can poke around.
kubernetes  pentest  security  vulnerability 
january 2019 by whip_lash
Kubernetes: unauth kublet API 10250 basic code exec Carnal0wnage - Attack Research Blog Carnal0wnage & Attack Research Blog
Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.
Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any command inside the container.
kubernetes  security  pentest  vulnerability 
january 2019 by whip_lash
us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf
As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.0 and Windows 95 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely.
powershell  wmi  pentest  postexploitation 
january 2019 by whip_lash
GitHub - epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool
Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.
injection  template  pentest  webapp 
january 2019 by whip_lash
GitHub - Bashfuscator/Bashfuscator: A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
Favorite tweet:

Introducing Bashfuscator : A fully configurable and extendable Bash obfuscation framework : https://t.co/vOjDFzSQmF cc @capnspacehook

— Binni Shah (@binitamshah) January 14, 2019
bash  obfuscation  pentest 
january 2019 by whip_lash
Attacking Kubernetes through Kubelet
Favorite tweet:

Attacking Kubernetes through Kubelet : https://t.co/wMmGlTJZv6 pic.twitter.com/avPhhMNXMI

— Binni Shah (@binitamshah) January 14, 2019
kubernetes  pentest  vulnerability  security 
january 2019 by whip_lash
Bypassing Crowdstrike Falcon detection, from phishing email to reverse shell - Malware - 0x00sec - The Home of the Hacker
When I say bypassing, I mean completely bypass detection, from the phishing email received by the user to the reverse shell. Something realistic, not just writing a malware and see if it gets executed.

So if we can’t use the classic techniques, about trying some new (old) trick?

Turns out, it was pretty trivial ¯\_(ツ)_/¯.
malware  pentest  antivirus 
january 2019 by whip_lash
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
DCOMrade is a Powershell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with Powershell 2.0 but will work with all versions above as well.
dcom  windows  pentest  powershell  postexploitation  security 
january 2019 by whip_lash
Lateral Movement via DCOM: Round 2 | enigma0x3
This resulted in identifying the MMC20.Application COM object and its “ExecuteShellCommand” method, which you can read more about here. Thanks to the help of James Forshaw (@tiraniddo), we determined that the MMC20.Application object lacked explicit “LaunchPermissions”, resulting in the default permission set allowing Administrators access:
dcom  security  windows  postexploitation  pentest 
january 2019 by whip_lash
Dump LAPS password in clear text – Akijosberry
By default all the Domain Admins have view access to the ms-MCS-AdmPwd attribute. Let's have a look at the following ways in which we can dump the LAPS password
account  ad  directory  pentest  postexploitation 
january 2019 by whip_lash
GitHub - malcomvetter/DnsCache
This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
github  dns  pentest  postexploitation 
december 2018 by whip_lash
flAWS2.cloud
flAWS 2 has two paths this time: Attacker and Defender! In the Attacker path, you'll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path, that target is now viewed as the victim and you'll work as an incident responder for that same app, understanding how an attack happened. You'll get access to logs of a previous successful attack. As a Defender you'll learn the power of jq in analyzing logs, and instructions on how to set up Athena in your own environment.
aws  security  pentest  pentesting  ctf  tutorial 
december 2018 by whip_lash
Laudanum download | SourceForge.net
Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found, and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.
webapp  pentest  webshell 
december 2018 by whip_lash
A common path to Domain Admin - Laconic Wolf
Many common information gathering techniques and tools require you to be a part of the domain to use them (net users, etc.), so I decided to write a few IronPython scripts (located here) to do some basic enumeration tasks. I’m not going to get into the specifics of the code, but the first two scripts I wrote were a script to get a list of users and a script to guess passwords.
ironpython  bloodhound  activedirectory  privesc  privilegeescalation  pentest  pentesting 
december 2018 by whip_lash
Inside of Danderspritz post-exploitation modules – Wojciech – Medium
Most of the scripts are in the “Ops” directory, inside the “Windows” catalog, which deserves additional attention; you can find the full list here.

How to set up a lab and run Fuzzbunch and Danderspritz: here.

Everything was said about this framework, so I will focus only on post-exploitation modules. At the end of article, I will show how to write your own plugin, so bear with me.
postexploitation  nsa  danderspritz  pentest  tools 
december 2018 by whip_lash
SharpPack: The Insider Threat Toolkit – MDSec
Most of our favourite tools in the red team arsenal are developed in DotNet or PowerShell and there exists numerous ways to execute these from memory when operating from your implant such as CobaltStrike’s powerpick and execute-assembly methods. In our use case, we were operating without an implant but still wanted to reap the benefits of GhostPack, Internal Monologue et al and therefore we had to get a little more creative with our tradecraft. As previously noted, we were operating in an environment with tight application whitelisting so recompiling and obfuscating our chosen tools was just not an option. We did however observe two notable opportunities to get code execution as the environment made heavy use of VBScript (thanks Tanium :)) and locally created Office Macro enabled documents.
dotnet  malware  pentest  vbscript 
december 2018 by whip_lash
BMC Patrol Agent - Domain User to Domain Admin – Securifera
After verifying that we could use patrolcli to connect to any other patrol agent client using a regular domain user, we pointed it to the domain controller and were able to successfully execute commands as SYSTEM on the DC.
patrol  vulnerability  windows  pentest  privilegeescalation  domain  bmc 
december 2018 by whip_lash
Punk.Py - Unix SSH Post-Exploitation Tool - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
punk.py is a post-exploitation tool meant to help network pivoting from a compromised unix box. It collects usernames, ssh keys and known hosts from a unix system, then it tries to connect via ssh to all the combinations found. punk.py is written in order to work on standard python2 and python3 installations.
ssh  postexploitation  pentest 
december 2018 by whip_lash
Windows C++ app hosts CLR 4 and invokes .NET assembly (CppHostCLR) sample in C#, C++ for Visual Studio 2010
The code sample uses the CLR 4 hosting APIs to host CLR in a native C++ project, load and invoke .NET assemblies
postexploitation  malware  pentest 
december 2018 by whip_lash
AppLocker CLM Bypass via COM – MDSec
I won’t cover the internals of this code here (I recommend you read through Microsoft’s post here if you are interested), but the end-result is that the DLL will load the .NET CLR, followed by a .NET assembly, and pass execution to the specified method.

With this completed, we now have access to .NET, and more importantly, .NET’s reflective capability. Next we need to figure out just where Constrained Language Mode’s on/off switch is.
applocker  postexploitation  windows  pentest 
december 2018 by whip_lash
Concealing Network Traffic via Google Translate | Running the Gauntlet
This translate proxying method is often used by the malware if their domain or IP is blocked. The malware uses either Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose. The malware sends HTTP GET requests using the following strings, where *URL* is the URL they wish to access
malware  pentest  proxy  google 
december 2018 by whip_lash
HTTP Proxy Authentication for Malware | Strategic Cyber LLC
The proxy username and password, when stored in the credential store, are available to any application that runs as the current user. If my target uses Internet Explorer and uses the Remember my credentials option to save retyping, then Meterpreter and Beacon get a free pass to authenticate and communicate through the configured proxy server—no code changes required. Better, these remembered credentials survive a reboot too.
proxy  pentest 
december 2018 by whip_lash
Research on CMSTP.exe – MSitPros Blog
Whenever I have a chance I use my time diving into Windows internal binaries to uncover hidden functionality. This blogpost is dedicated to things I have discovered with the CMSTP.exe binary file.
I found a UAC Bypass using sendkeys and a way to load DLL files from a Webdav server.
pentest  postexploitation  evasion  uac 
december 2018 by whip_lash
Anti-forensic and File-less Malware - Malware - 0x00sec - The Home of the Hacker
One of the most advantageous attributes for a malware to have is survival as a means to maintain persistence and to evade detection by security solutions. Since developing a full-blown piece of malware requires expensive resources, this trait becomes increasingly desirable to continuously remain unknown and undetected.
malware  pentest  tutorial 
december 2018 by whip_lash