
whip_lash : windows   293

How to Run PowerShell Commands on Remote Computers
PowerShell Remoting lets you run PowerShell commands or access full PowerShell sessions on remote Windows systems. It’s similar to SSH for accessing remote terminals on other operating systems.
powershell  remote  windows  microsoft  winrm 
21 days ago by whip_lash
Zeek Blog: Detecting CVE-2020-0601 with Zeek
In this blog post, I will provide a high-level overview of some of the basics of the exploit, and how Zeek can be used to detect it.
security  windows  zeek  dfir 
4 weeks ago by whip_lash
Mr-Un1k0d3r/PoisonHandler: lateral movement techniques that can be used during red team exercises
This technique registers a protocol handler remotely and invokes it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.

This cmdlet creates a protocol handler that will call your payload, then executes it over WMI using explorer.exe.
windows  pentest  redteam  wmi 
5 weeks ago by whip_lash
matterpreter/DefenderCheck: Identifies the bytes that Microsoft Defender flags on.
Quick tool to help make evasion work a little bit easier.

Takes a binary as input and splits it until it pinpoints the exact byte that Microsoft Defender will flag on, and then prints those offending bytes to the screen. This can be helpful when trying to identify the specific bad pieces of code in your tool/payload.
antivirus  pentest  redteam  evasion  defender  windows 
6 weeks ago by whip_lash
Reversing Windows Internals (Part 1) - Digging Into Handles, Callbacks & ObjectTypes
Welcome to the first part of a series of posts about Exploring & Reversing Windows Concepts and Internals. If you reach here then you’re probably a security researcher or a programmer and this post and similar posts can help you understand what’s going on in some parts of Windows when you use objects with different users and credentials and what you can expect from Windows and how it internally works.
windows  security  reverseengineering 
10 weeks ago by whip_lash
google/glazier: A tool for automating the installation of the Microsoft Windows operating system on various device platforms.
Glazier is a tool developed at Google for automating Windows operating system deployments.
How it works

Boots a system into the Windows Preinstallation Environment (WinPE)
Reaches out to a web server for instructions over HTTPS
Applies a base operating system
Installs applications and configurations to said operating system
automation  tools  windows  deployment  imaging  sysadmin  installation 
october 2019 by whip_lash
How to: Kerberoast like a boss | Pen Test Partners
Why write a blog post about this in 2019 then? It still works well, yet there are plenty of tips and tricks that can be useful to bypass restrictions that you come up against. That’s what this post is about.
kerberoast  pentest  windows  activedirectory 
september 2019 by whip_lash
microsoft/PowerToys: Windows system utilities to maximize productivity
Inspired by the Windows 95 era PowerToys project, this reboot provides power users with ways to squeeze more efficiency out of the Windows 10 shell and customize it for individual workflows. A great overview of the Windows 95 PowerToys can be found here.
opensource  software  tools  utilities  windows 
september 2019 by whip_lash
Making an antivirus engine : Guidelines - Adlice Software
Favorite tweet:

Making an antivirus engine : the guidelines

Very useful reference to understand basic AV internals!

— Cn33liz (@Cneelis) August 21, 2019
antivirus  c++  windows 
august 2019 by whip_lash
LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo) –
Unauthenticated attackers on a local network can force stock Windows systems to perform arbitrary HTTP GET requests, including to the target’s localhost interface. No user interaction is required. No IIS installation is required. Network Discovery must be enabled to trigger the exploit (usually on by default for private networks). The response cannot be viewed by the attacker, making this a “Blind Server-Side Request Forgery” vulnerability.
ssrf  ssdp  windows  exploit 
august 2019 by whip_lash
Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO) | Clément Notin | Blog
If you have compromised a Windows host, and cannot or do not want to dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logonpasswords, or LSASS dumping), you should check out the credential delegation settings. If enabled, they allow you to obtain clear-text passwords without touching the LSASS process or even without having administrator rights (limited to the current user’s password then)!

You have to use @gentilkiwi’s “kekeo” tool and its tsssp module! “mimikatz” is not even required here!
windows  lsass  kekeo  mimikatz  hashes  pentest 
july 2019 by whip_lash
Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched
Salsa Tools is a collection of three different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#.
windows  pentest  reverseshell  amsi  tool 
june 2019 by whip_lash
Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin -
Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain).
windows  activedirectory  domain  pentest 
june 2019 by whip_lash
Brute Forcing Local Accounts on an AD joined computer
Favorite tweet:

Some fun brute force research for me. #imfosec #security

— Mark (@_markmo_) June 7, 2019
windows  privesc 
june 2019 by whip_lash
Test Your DFIR Tools: Sysmon Edition — Daniel Bohannon
Do I still think Sysmon is really awesome? Yes, you bet! Would I make it my sole source of process execution event visibility? No, I would use Security EID 4688 or another officially supported mechanism for capturing command line arguments in real-time. But if I had to use Sysmon EID 1 until I migrated to something else (or until this bug is fixed) then I would test the tools I use to query these logs to ensure they properly parse Sysmon's unescaped percent characters so I do not miss events or write detection rules based off of this improper escaping.
sysmon  windows  dfir 
june 2019 by whip_lash
Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking – MDSec
However, without modifying the scheduled task or existing registry keys, we can hijack the search order by creating an equivalent key structure in HKCU with an InProcServer32 key pointing to a user-controlled DLL.
windows  com  persistence  pentest 
may 2019 by whip_lash
How to Manually Exploit EternalBlue on Windows Server Using MS17-010 Python Exploit « Null Byte :: WonderHowTo
In this guide, we'll tackle the manual route of exploiting EternalBlue on Windows Server. I'll be using an unpatched copy of Windows Server 2016 Datacenter as the target, and evaluation copies can be downloaded from Microsoft if you want to follow along as we perform each step below.
windows  pentest  python  exploit  ETERNALBLUE 
may 2019 by whip_lash
Hexacorn | Blog
And since this post is about TC, I must say for the millionth time that if you use Windows Explorer as your goto File Manager you are hurting yourself a lot. Once you try TC, FAR, or any type of the Orthodox File Managers, there is no way back. It’s worth every single eurocent you have to pay for it. Btw. I am not paid to endorse this software, I just love it and recommend it to anyone who wants to be more efficient.
totalcommander  windows 
may 2019 by whip_lash
How To Technically Deal With An Intrusion On A Windows System
It's late in the evening, you're getting ready to sleep when your phone rings. It's one of your relatives: "I think someone hacked into my computer, I need help". What's your next move? In this article we will discuss the best and most secure way to respond to an intrusion and remediate it on a Windows machine.
dfir  windows 
april 2019 by whip_lash
GitHub - olafhartong/sysmon-modular: A repository of sysmon configuration modules
A repository of sysmon configuration modules

windows  sysmon  monitoring  logging 
april 2019 by whip_lash
Running a .NET Assembly in Memory with Meterpreter
For this article we will attempt to execute Seatbelt on the target box to help identify various PrivEsc routes. This guide will walk through the steps necessary to execute the Seatbelt assembly in-memory with our current Meterpreter foothold, much like we would do if our C2 framework was Cobalt Strike.
dotnet  metasploit  exploit  memory  pentest  windows 
april 2019 by whip_lash
Bypassing AD account lockout for a compromised account
Favorite tweet:

I’m not sure if someone found this before but I came across this while testing net use. #infosec #security

— Mark (@_markmo_) April 10, 2019
Password  passwords  activedirectory  windows  bruteforce 
april 2019 by whip_lash
Windows Command Line cheatsheet (part 2): WMIC | So Long, and Thanks for All the Fish
Favorite tweet:

Windows Command Line cheatsheet (part 2): WMIC

- Bookmark this! Saved my day several times 😉 #infosec #pentest #redteam

— Florian Hansemann (@HanseSecure) April 6, 2019
windows  wmic  pentest 
april 2019 by whip_lash
Risk, Failure, Survival: Instrumenting OS for Per Process DNS Query Inspection
But, Process Monitor didn't show the details of the actual calls, so looked into APIMonitor:

I set the filter to just look at getaddrinfo and related requests in case I missed something.
dns  windows 
april 2019 by whip_lash
API Monitor: Spy on API Calls and COM Interfaces (Freeware 32-bit and 64-bit Versions!) |
API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
api  debugging  windows  syscall 
april 2019 by whip_lash
GitHub - PaulSec/awesome-windows-domain-hardening: A curated list of awesome Security Hardening techniques for Windows.
Favorite tweet:

Awesome Windows Domain Hardening. A curated list of awesome Security Hardening techniques for Windows, by @PaulWebSec

— DirectoryRanger (@DirectoryRanger) June 17, 2019
domain  hardening  security  windows  activedirectory 
march 2019 by whip_lash
Penetration Testing Active Directory, Part II – root@Hausec
Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but since this is pentesting AD, we’re going to exploit some AD things in order to elevate privileges.
activedirectory  privilegeescalation  windows  pentest 
march 2019 by whip_lash
DTrace on Windows - Microsoft Tech Community - 362902
There are a lot of websites and resources from the community to learn about DTrace. One of the most comprehensive is the Dynamic Tracing Guide HTML book available on the website. This ebook describes DTrace in detail and is the authoritative guide for DTrace. We also have Windows-specific examples below which will provide more info.
debugging  dtrace  windows 
march 2019 by whip_lash
GitHub - nikallass/sharesearch: Samba, NFS shares spider and grepper
Favorite tweet:

Need privilege escalation? Have access to SMB and NFS shares? Automate looking for credentials!

1) pip3 install -r requirements.txt
sudo apt-get install cifs-utils
2) git clone
3) python3 -p all -w -v -H hosts.lst -C creds.lst

— Paul Seekamp (@nullenc0de) March 2, 2019
smb  windows  pentest  shares  recon 
march 2019 by whip_lash
Tool Analysis Result Sheet
This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by an attacker that has infiltrated a network. The following logs were examined. Note that it was confirmed that traces of tool execution are most likely to be left in event logs. Accordingly, examination of event logs is the main focus here.
dfir  security  threathunting  tools  windows 
february 2019 by whip_lash
Volatility Workbench - A GUI for Volatility memory forensics
Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command-line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs on Windows. It provides a number of advantages over the command-line version.
volatility  dfir  windows 
february 2019 by whip_lash
Run any app from Ease of Access button on Windows 10 login screen
To open Command Prompt using the Ease of Access button from the Windows 10 login screen, set the Debugger value data to the following value
windows  pentest  debug  registry 
february 2019 by whip_lash
GitHub - FortyNorthSecurity/WMImplant: This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImpl
This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
wmi  c2  windows  pentest 
february 2019 by whip_lash
GitHub - secabstraction/PowerCat: A PowerShell TCP/IP swiss army knife.
Favorite tweet:

PowerCat : A PowerShell TCP/IP swiss army knife :

— Binni Shah (@binitamshah) February 9, 2019
cli  netcat  powershell  windows  pentest 
february 2019 by whip_lash
Extended Protection for Authentication Overview | Microsoft Docs
The solution is to use a TLS-secured outer channel and a client-authenticated inner channel, and to pass a Channel Binding Token (CBT) to the server. The CBT is a property of the TLS-secured outer channel, and is used to bind the outer channel to a conversation over the client-authenticated inner channel.

In the previous scenario, the CBT of the client-attacker TLS channel is merged with the authorization information that is sent to the server. A CBT-aware server compares the CBT co...
security  microsoft  windows  authentication 
february 2019 by whip_lash
Abusing Exchange: One API call away from Domain Admin -
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Ex...
exchange  windows  security  pentest  activedirectory 
february 2019 by whip_lash
XORSearch & XORStrings | Didier Stevens
Favorite tweet:

I use @DidierStevens's XORSearch for that.

— sys_kill (@sys_kill) February 4, 2019
xor  encryption  strings  windows 
february 2019 by whip_lash
Dr. Memory: Strace for Windows
Favorite tweet:

drstrace is strace for Windows with DynamoRio. Relatively unknown and really useful.

— Ben Koller (@__bkoller) February 3, 2019
strace  windows 
february 2019 by whip_lash
Time Travel Debugging - Overview - Windows drivers | Microsoft Docs
Time Travel Debugging is a tool that allows you to record an execution of your running process, then replay it later both forwards and backwards. Time Travel Debugging (TTD) can help you debug issues more easily by letting you "rewind" your debugger session, instead of having to reproduce the issue until you find the bug.
debugger  debugging  windows 
january 2019 by whip_lash
Pop Pop Ret: Playing with MOF files on Windows, for fun & profit
In this article, we will focus on a high-level Windows feature that is not so well-known, and that can be interesting from an attacker's point of view. I will share my investigation of MOF files from its use in Stuxnet - in the exploitation of a vulnerability in the Windows Printer Spooler - to some basic practical examples of what we can do with MOF files.
mof  wmi  windows 
january 2019 by whip_lash
GitHub - Wox-launcher/Wox: Launcher for Windows, an alternative to Alfred and Launchy.
WoX is a launcher for Windows that simply works. It's an alternative to Alfred and Launchy. You can call it Windows omni-eXecutor if you want a long name.
app  windows  tool  productivity 
january 2019 by whip_lash
Keypirinha — Keypirinha
A fast launcher for keyboard ninjas on Windows
apps  productivity  tools  windows 
january 2019 by whip_lash
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
DCOMrade is a PowerShell script that is able to enumerate the possibly vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with PowerShell 2.0 but will work with all versions above as well.
dcom  windows  pentest  powershell  postexploitation  security 
january 2019 by whip_lash
Lateral Movement via DCOM: Round 2 | enigma0x3
This resulted in identifying the MMC20.Application COM object and its “ExecuteShellCommand” method, which you can read more about here. Thanks to the help of James Forshaw (@tiraniddo), we determined that the MMC20.Application object lacked explicit “LaunchPermissions”, resulting in the default permission set allowing Administrators access:
dcom  security  windows  postexploitation  pentest 
january 2019 by whip_lash
DropIt: Personal Assistant to Automatically Manage Your Files
When you need to organize files, DropIt can eliminate much of the drudgery of searching and manually opening folders and moving files around.
windows  apps  automation 
january 2019 by whip_lash
NTAPI Undocumented Functions
This is an advanced, low-level programmer's guide to the Windows NT Kernel, Native API and drivers.
All remarks, fixes and comments are very welcome.
api  kernel  programming  security  windows 
december 2018 by whip_lash
VMWARE Bridge Protocol is missing on Windows 10... |VMware Communities
After uninstalling WS again, I had to manually remove the driver netbridge.
vmware  workstation  windows 
december 2018 by whip_lash
BMC Patrol Agent - Domain User to Domain Admin – Securifera
After verifying that we could use patrolcli to connect to any other patrol agent client using a regular domain user, we pointed it to the domain controller and were able to successfully execute commands as SYSTEM on the DC.
patrol  vulnerability  windows  pentest  privilegeescalation  domain  bmc 
december 2018 by whip_lash
AppLocker CLM Bypass via COM – MDSec
I won’t cover the internals of this code here (I recommend you read through Microsoft’s post here if you are interested), but the end-result is that the DLL will load the .NET CLR, followed by a .NET assembly, and pass execution to the specified method.

With this completed, we now have access to .NET, and more importantly, .NET’s reflective capability. Next we need to figure out just where Constrained Language Mode’s on/off switch is.
applocker  postexploitation  windows  pentest 
december 2018 by whip_lash
In the example below I demonstrate the ability to load an arbitrary exe into csi.exe. This can be loaded from a basic text file. This is done on a PC running Windows Device Guard.
c#  windows  pentest  deviceguard 
december 2018 by whip_lash
Using C# for post-PowerShell attacks | Forcepoint
A blog post by Forty North Security built on Matt Graeber’s research into Microsoft.Workflow.Compiler.exe and demonstrated that you can use the technique to run shellcode on a machine. In both cases the authors used a local payload file and, while it may seem a minor difference, we wanted to see if it was possible to compile and execute a file hosted remotely.
windows  pentest  c# 
december 2018 by whip_lash
Provadys Offensive Security Blog
Last May, Casey Smith pointed out on twitter and on his blog that the .NET profiler DLL loading can be abused to make a legit .NET application load a malicious DLL using environment variables.

When reading this, the first thing that came to mind was "if this works with elevated .NET processes, this would make a nice UAC bypass as well". And sure enough, it does.

This issue is still unfixed as of this writing – and may remain so – but is already public since July, as it was independently discovered, reported and published on Full Disclosure by Stefan Kanthak.
hacking  uac  windows  pentest 
december 2018 by whip_lash
Home · cbucher/console Wiki · GitHub
ConsoleZ is a Windows console window enhancement. It is a fork of Console project.
windows  terminal 
december 2018 by whip_lash
VcXsrv Windows X Server download |
Windows X-server based on the xorg git sources (like xming or cygwin's xwin), but compiled with Visual C++ 2012 Express Edition. Source code can also be compiled with VS2008, VS2008 Express Edition and VS2010 Express Edition, although current project and makefile are not fully compatible anymore.
xserver  windows  vcxsrv 
september 2018 by whip_lash
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
september 2018 by whip_lash
Juicy Potato (abusing the golden privileges) | juicy-potato
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
pentest  windows  privilegeescalation  security 
september 2018 by whip_lash
FuzzySecurity | Windows Userland Persistence Fundamentals
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't enter into play during a pentest (with the exception of red team engagements) as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and offensive perspective.
persistence  windows  pentest  redteam  security 
september 2018 by whip_lash
Quickpost: Compiling EXEs and Resources with MinGW on Kali | Didier Stevens
Compile for 64-bit:

x86_64-w64-mingw32-windres demo.rc demo-resource-x64.o
x86_64-w64-mingw32-gcc -o demo-x64.exe demo-resource-x64.o demo.c
Compile for 32-bit:

i686-w64-mingw32-windres demo.rc demo-resource-x86.o
i686-w64-mingw32-gcc -o demo-x86.exe demo-resource-x86.o demo.c
mingw  c  c++  windows  kali  pentest 
september 2018 by whip_lash
Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass – MDSec
By default, the Pulse client attempts to connect to the configured proxy service on TCP port 80; supplying the configuration for a proxy server with a self-signed certificate forces the Pulse client to warn the user that the certificate is invalid but provides the option to “View” the certificate which, when selected, loads the standard Windows certificate wizard running as SYSTEM. From the Windows certificate wizard it is possible to select the option to export the certificate, then browse to a location where the certificate should be stored on the file system. Inevitably this provides the option to browse to cmd.exe, right-click to obtain a command prompt as SYSTEM and full access to the workstation.
windows  privesc  pentest  pulsesecure 
september 2018 by whip_lash
Persistence using Universal Windows Platform apps (APPX) – Oddvar Moe's Blog
Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible in Autoruns.
Two different approaches exist (registry keys). Listed below are the two techniques for two different apps that start at logon:
windows  persistence  pentest 
september 2018 by whip_lash
Transferring files from Kali to Windows (post exploitation)
Oftentimes on an engagement I find myself needing to copy a tool or a payload from my Kali Linux attack box to a compromised Windows machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. It was a very limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands.

I'm putting this post together as a "cheat sheet" of sorts for my favorite ways to transfer files.
kali  windows  pentest  filesharing 
september 2018 by whip_lash