recentpopularlog in

whip_lash : windows   261

« earlier  
Penetration Testing Active Directory, Part II – root@Hausec
Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but since this is pentesting AD, we’re going to exploit some AD things in order to elevate privileges.
activedirectory  privilegeescalation  windows  pentest 
10 days ago by whip_lash
DTrace on Windows - Microsoft Tech Community - 362902
There are a lot of websites and resources from the community to learn about DTrace. One of the most comprehensive one is the Dynamic Tracing Guide html book available on dtrace.org website. This ebook describes DTrace in detail and is the authoritative guide for DTrace. We also have Windows specific examples below which will provide more info.
debugging  dtrace  windows 
11 days ago by whip_lash
GitHub - nikallass/sharesearch: Samba, NFS shares spider and grepper
Favorite tweet:

Need privilege escalation? Have access to SMB and NFS shares? Automate looking for credentials!

1) pip3 install -r requirements.txt
sudo apt-get install cifs-utils
2) git clone https://t.co/oG040moAQT
3) python3 https://t.co/PiA2r24vU4 -p all -w -v -H hosts.lst -C creds.lst pic.twitter.com/7kvsSeNs1D

— Paul Seekamp (@nullenc0de) March 2, 2019
smb  windows  pentest  shares  recon 
21 days ago by whip_lash
Tool Analysis Result Sheet
This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by the attacker that has infiltrated a network. The following logs were examined. Note that it was confirmed that traces of tool execution is most likely to be left in event logs. Accordingly, examination of event logs is the main focus here.
dfir  security  threathunting  tools  windows 
29 days ago by whip_lash
Volatility Workbench - A GUI for Volatility memory forensics
Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs in Windows. It provides a number of advantages over the command line version
volatility  dfir  windows 
4 weeks ago by whip_lash
Run any app from Ease of Access button on Windows 10 login screen
To open Command Prompt using the Ease of Access button from the Windows 10 login screen, set the Debugger value data to the following value
windows  pentest  debug  registry 
5 weeks ago by whip_lash
GitHub - FortyNorthSecurity/WMImplant: This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImpl
This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
wmi  c2  windows  pentest 
5 weeks ago by whip_lash
GitHub - secabstraction/PowerCat: A PowerShell TCP/IP swiss army knife.
Favorite tweet:

PowerCat : A PowerShell TCP/IP swiss army knife : https://t.co/xIrOZmZxER

— Binni Shah (@binitamshah) February 9, 2019
cli  netcat  powershell  windows  pentest 
5 weeks ago by whip_lash
Extended Protection for Authentication Overview | Microsoft Docs
The solution is to use a TLS-secured outer channel and a client-authenticated inner channel, and to pass a Channel Binding Token (CBT) to the server. The CBT is a property of the TLS-secured outer channel, and is used to bind the outer channel to a conversation over the client-authenticated inner channel.

In the previous scenario, the CBT of the client-attacker TLS channel is merged with the authorization information that is sent to the server. A CBT-aware server compares the CBT co...
security  microsoft  windows  authentication 
6 weeks ago by whip_lash
Abusing Exchange: One API call away from Domain Admin - dirkjanm.io
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Ex...
exchange  windows  security  pentest  activedirectory 
6 weeks ago by whip_lash
XORSearch & XORStrings | Didier Stevens
Favorite tweet:

I use @DidierStevens's XORSearch for that. https://t.co/hiw4MogEXE

— sys_kill (@sys_kill) February 4, 2019
xor  encryption  strings  windows 
6 weeks ago by whip_lash
Dr. Memory: Strace for Windows
Favorite tweet:

drstrace is strace for Windows with DynamoRio. Relatively unknown and really useful. https://t.co/cdpdagYbas

— Ben Koller (@__bkoller) February 3, 2019
strace  windows 
6 weeks ago by whip_lash
Time Travel Debugging - Overview - Windows drivers | Microsoft Docs
Time Travel Debugging, is a tool that allows you to record an execution of your process running, then replay it later both forwards and backwards. Time Travel Debugging (TTD) can help you debug issues easier by letting you "rewind" your debugger session, instead of having to reproduce the issue until you find the bug.
debugger  debugging  windows 
8 weeks ago by whip_lash
Pop Pop Ret: Playing with MOF files on Windows, for fun & profit
In this article, we will focus on a high-level Windows feature that is not so well-known, and that can be interesting from an attacker's point of view. I will share my investigation of MOF files from its use in Stuxnet - in the exploitation of a vulnerability in the Windows Printer Spooler - to some basic practical examples of what we can do with MOF files.
mof  wmi  windows 
9 weeks ago by whip_lash
GitHub - Wox-launcher/Wox: Launcher for Windows, an alternative to Alfred and Launchy.
WoX is a launcher for Windows that simply works. It's an alternative to Alfred and Launchy. You can call it Windows omni-eXecutor if you want a long name.
app  windows  tool  productivity 
10 weeks ago by whip_lash
Keypirinha — Keypirinha
A fast launcher for keyboard ninjas on Windows
apps  productivity  tools  windows 
10 weeks ago by whip_lash
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
   DCOMrade is a Powershell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is build to work with Powershell 2.0 but will work with all versions above as well.
dcom  windows  pentest  powershell  postexploitation  security 
10 weeks ago by whip_lash
Lateral Movement via DCOM: Round 2 | enigma0x3
This resulted in identifying the MMC20.Application COM object and its “ExecuteShellCommand” method, which you can read more about here. Thanks to the help of James Forshaw (@tiraniddo), we determined that the MMC20.Application object lacked explicit “LaunchPermissions”, resulting in the default permission set allowing Administrators access:
dcom  security  windows  postexploitation  pentest 
10 weeks ago by whip_lash
DropIt: Personal Assistant to Automatically Manage Your Files
When you need to organize files, DropIt can eliminate much of the drudgery of searching and manually opening folders and moving files around.
windows  apps  automation 
11 weeks ago by whip_lash
NTAPI Undocumented Functions
This is an advanced, low-level programer's guide to Windows NT Kernel, Native API and drivers.
All remarks, fixes and comments are very welcome.
api  kernel  programming  security  windows 
11 weeks ago by whip_lash
VMWARE Bridge Protocol is missing on Windows 10... |VMware Communities
After uninstalling WS again, I had to manually remove the driver netbridge.
vmware  workstation  windows 
december 2018 by whip_lash
BMC Patrol Agent - Domain User to Domain Admin – Securifera
After verifying that we could use patrolcli to connect to any other patrol agent client using a regular domain user, we pointed it to the domain controller and were able to successfully execute commands as SYSTEM on the DC.
patrol  vulnerability  windows  pentest  privilegeescalation  domain  bmc 
december 2018 by whip_lash
AppLocker CLM Bypass via COM – MDSec
I won’t cover the internals of this code here (I recommend you read through Microsoft’s post here if you are interested), but the end-result is that the DLL will load the .NET CLR, followed by a .NET assembly, and pass execution to the specified method.

With this completed, we now have access to .NET, and more importantly, .NET’s reflective capability. Next we need to figure out just where Constrained Language Mode’s on/off switch is.
applocker  postexploitation  windows  pentest 
december 2018 by whip_lash
subTee
In the example below I demonstrate the ability to load an arbitrary exe into csi.exe. This can be loaded from a basic text file. This is done on a PC running Windows Device Guard.
c#  windows  pentest  deviceguard 
december 2018 by whip_lash
Using C# for post-PowerShell attacks | Forcepoint
A blog post by Forty North Security built on Matt Graber’s research into Microsoft.Workflow.Compiler.exe and demonstrated that you can use the technique to run shellcode on a machine. In both cases the authors used a local payload file and, while it may seem a minor difference, we wanted to see if it was possible to compile and execute a file hosted remotely.
windows  pentest  c# 
december 2018 by whip_lash
Provadys Offensive Security Blog
Last May, Casey Smith pointed out on twitter and on his blog that the .NET profiler DLL loading can be abused to make a legit .NET application load a malicious DLL using environment variables.

When reading this, first thing that came to mind was "if this works with elevated .NET processes, this would make a nice UAC bypass as well". And sure enough, it does.

This issue is still unfixed as of this writing – and may remain so – but is already public since July, as it was independently discovered, reported and published on Full Disclosure by Stefan Kanthak.
hacking  uac  windows  pentest 
december 2018 by whip_lash
Home · cbucher/console Wiki · GitHub
ConsoleZ is a Windows console window enhancement. It is a fork of Console project.
windows  terminal 
december 2018 by whip_lash
VcXsrv Windows X Server download | SourceForge.net
Windows X-server based on the xorg git sources (like xming or cygwin's xwin), but compiled with Visual C++ 2012 Express Edition. Source code can also be compiled with VS2008, VS2008 Express Edition and VS2010 Express Edition, although current project and makefile are not fully compatible anymore.
xserver  windows  vcxsrv 
september 2018 by whip_lash
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
september 2018 by whip_lash
Juicy Potato (abusing the golden privileges) | juicy-potato
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
pentest  windows  privilegeescalation  security 
september 2018 by whip_lash
FuzzySecurity | Windows Userland Persistence Fundamentals
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't enter into play during a pentest (with the exception of red team engagements) as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and offensive perspective.
persistence  windows  pentest  redteam  security 
september 2018 by whip_lash
Quickpost: Compiling EXEs and Resources with MinGW on Kali | Didier Stevens
Compile for 64-bit:

x86_64-w64-mingw32-windres demo.rc demo-resource-x64.o
x86_64-w64-mingw32-gcc -o demo-x64.exe demo-resource-x64.o demo.c
Compile for 32-bit:

i686-w64-mingw32-windres demo.rc demo-resource-x86.o
i686-w64-mingw32-gcc -o demo-x86.exe demo-resource-x86.o demo.c
mingw  c  c++  windows  kali  pentest 
september 2018 by whip_lash
Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass – MDSec
By default, the Pulse client attempts to connect to the configured proxy service on port TCP port 80; supplying the configuration for a proxy server with a self-signed certificate forces the Pulse client to warn the user that the certificate is invalid but provides the option to “View” the certificate which when selected loads the standard Windows certificate wizard running as SYSTEM. From the Windows certificate wizard it is possible to select the option to export the certificate, then browse to a location where the certificate should be stored on the file system. Inevitably this provides the option to browse to cmd.exe, right click to obtain a command prompt as SYSTEM and full access to the workstation.
windows  privesc  pentest  pulsesecure 
september 2018 by whip_lash
Persistence using Universal Windows Platform apps (APPX) – Oddvar Moe's Blog
Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.
Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon:
windows  persistence  pentest 
september 2018 by whip_lash
Transferring files from Kali to Windows (post exploitation)
Often times on an engagement I find myself needing to copy a tool or a payload from my Kali linux attack box to a compromised Windows machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. It was a very limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands.

I'm putting this post together as a "cheat sheet" of sorts for my favorite ways to transfer files.
kali  windows  pentest  filesharing 
september 2018 by whip_lash
Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
august 2018 by whip_lash
JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log
LogonTracer associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
windows  forensics 
august 2018 by whip_lash
RE Corner
scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

What I wanted was a emulation version of sclog that I could be free to run without worry on my dekstop.
shellcode  windows 
august 2018 by whip_lash
exploitexcel.png (1272×694)
Which privesc exploits work on which Windows versions
Windows  exploits  pentest  privesc  privilegeescalation 
july 2018 by whip_lash
Lateral Movement Using WinRM and WMI
In this case, the Win32_Process WMI class has a “Create” method. This allows the user of WinRM to execute a process via WMI.
winrm  windows  wmi  postexploitation 
july 2018 by whip_lash
Exploit Monday: Writing Optimized Windows Shellcode in C
Now, you could say I’m a bit of a Microsoft fan boy. That said, considering the majority of the shellcode I’ve written has been for Windows, I decided to take on the challenge of using only Microsoft tools to emit position independent shellcode. The fundamental challenge however, is that the Microsoft C compiler – cl.exe does not emit position independent code (with the exception of Itanium). Ultimately, to achieve this goal, we’re going to have to rely upon some C coding tricks and some carefully crafted compiler and linker switches.
c  windows  shellcode  malware  pentest 
july 2018 by whip_lash
A Guide to Upgrading your Ubuntu App’s Release – Windows Command Line Tools For Developers
For Ubuntu, the upgrade command is ‘sudo do-release-upgrade.’ This is recommended because it has the ability to handle system configuration changes between releases.
wsl  windows 
july 2018 by whip_lash
hacksysteam/HackSysExtremeVulnerableDriver: HackSys Extreme Vulnerable Windows Driver
HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
security  windows  kernel 
july 2018 by whip_lash
Phishing tales: Microsoft Access Macro (.MAM) shortcuts
Previously, I blogged about the ability to create malicious .ACCDE Microsoft Access Database files and using them as a phishing vector. This post expands on using the ACCDE format and will be introducing Microsoft Access Macro “MAM” shortcuts to gain access via phishing.
phishing  windows  macro 
july 2018 by whip_lash
Hexacorn | Blog
If you run ‘powershell <0x2000 spaces> calc’ you will spawn Windows Calculator.

What will you see in the logs?

This:

JUST A POWERSHELL COMMANDLINE
obfuscation  logging  pentest  windows  security 
june 2018 by whip_lash
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py
This article is going to be talking about what you can do with Net-NTLM in modern windows environments.
hash  ntlm  relay  windows  pentest  security 
june 2018 by whip_lash
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI – Security Stuff
earning from these incidents, and the requirements inherent to them (ability to deploy tools and get data rapidly, use only built in tools, has to be usable and deployable by people who probably haven't slept in a week) I developed an Incident Response dashboard that I liked so much I personally used it to "hunt" on all the engagements in the later part of my Incident Response Consultant tenure. Many of the customers liked it so much that they have kept it in their environments to use for proactive threat hunting and log analysis.
defense  dfir  security  windows 
june 2018 by whip_lash
Microsoft COM for Windows - Privilege Escalation
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
 
privesc  windows  pentest  exploit  security 
june 2018 by whip_lash
Pentester's Windows NTFS Tricks Collection | SEC Consult
Moreover, it’s possible that an administrator or a program configures such permissions and assumes that users are really not allowed to create folders in it.

This ACL can be bypassed as soon as a user can create files. Adding “::$INDEX_ALLOCATION” to the end of a filename will create a folder instead of a file and Windows currently doesn’t include a check for this corner case.

As shown above, a directory was successfully created and the user can create arbitrary files or folders in this directory (which can lead to privilege escalation if an administrator/program assumes that this is not possible because of the missing permissions).
ntfs  windows  privesc  privilegeescalation  security  whitelist-evasion 
june 2018 by whip_lash
NTCore's Homepage
a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.
software  tools  windows  reverse-engineering  reverseengineering 
may 2018 by whip_lash
InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-05-07
A Job file[1] is a special XML file that contains all the details to configure a scheduled task on a Microsoft Windows host. More technical details about this file format can be found here[2].
persistence  postexploitation  windows  pentest 
may 2018 by whip_lash
0xdabbad00 - Hurdles for a beginner to exploit a simple vulnerability on modern Windows
tl;dr This is basically a guide for newbies to the world of "vulnerability research" (exploit development), and shows how hard it is to get the simple exploit samples from books and tutorials to work on modern Windows using a modern compiler. This is just for fun to show all the pain points you are likely to encounter.
exploit  windows 
may 2018 by whip_lash
Download Windows Commands Reference from Official Microsoft Download Center
A PDF containing an overview and alphabetical listing of Windows commands
reference  commandline  windows 
may 2018 by whip_lash
Download Windows XP for Free and Legally, Straight From Microsoft
Don’t give up though because I’m going to show you how to take that Windows XP Mode download, extract a file or three, and load it up in a virtual machine.
windows  xp  vm 
april 2018 by whip_lash
PDF Files Can Be Abused to Steal Windows Credentials
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
windows  pentest  hashes  ntlm  responder 
april 2018 by whip_lash
Pwned by a Shortcut – Tom Melo – Medium
I wrote a small CLI tool called lnk2pwn to make the process of generating malicious shortcuts easier and I’m going to be using this tool to prepare the attack
windows  pentest  malware 
april 2018 by whip_lash
« earlier      
per page:    204080120160

Copy this bookmark:





to read