Penetration

How to use Responder to capture NetNTLM and grab a shell

NTLMv2

Responder: The Ultimate Tool for Samba Server Hijack and NetNTLM Hash Theft
In the vast arsenal of cybersecurity tools, Responder stands out for its unique capability to masquerade as a rogue Samba server, opening up avenues to pilfer NetNTLM hashes with finesse. Here’s a deep dive into harnessing this tool …


Remotely Capture Traffic from a Domain Controller and Analyze It Locally

This blog post will walk you through the steps of remotely capturing traffic from a domain controller and then analyzing it locally. This can be useful for troubleshooting network issues or investigating security incidents.
Requirements: a Windows computer with PowerShell; the NetEventPacketCapture PowerShell module; the etl2pcapng PowerShell module; a domain …


Very simple modifications to a Meterpreter shellcode dropper can be sufficient to bypass modern EDRs

Introduction
When I talk about EDRs in this article, I mean a combination of endpoint protection (EPP) and endpoint detection and response (EDR). I also want to define the term “evasion” in the context of EDRs and malware. When I talk about the fact that it is or has been …


Inspect RDP traffic in Wireshark

Wireshark RDP resources
Looking for a way to capture and inspect RDP traffic in Wireshark? You’ve come to the right place!
SSLKEYLOGFILE
Many applications, including browsers, support the SSLKEYLOGFILE environment variable with a path to a text file where TLS pre-master secrets are dumped. This format is supported by Wireshark …


NTLMRelay2Self over HTTP (Webdav)

Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring …


Cobalt Strike Defense Guide – 2

Our previous report on Cobalt Strike focused on the most frequently used capabilities that we observed. In this report, we will focus on the network traffic it produces, and provide some easy wins defenders can be on the lookout for to detect beaconing activity. We cover topics such as domain fronting, …


How To Attack Kerberos

Kerberos Fundamentals
Kerberos is a network authentication protocol that works on the principle of issuing tickets to nodes to allow access to services/resources based on privilege level. Kerberos is widely used throughout Active Directory and sometimes Linux, but truthfully mainly in Active Directory environments. TLDR: https://www.roguelynn.com/words/explain-like-im-5-kerberos/ I am aiming to approach …


Active Directory Penetration Mind Map

Scan Network
cme smb # enumerate smb hosts
nmap -sP -p # ping scan
nmap -PN -sV --top-ports 50 --open # quick scan
nmap -PN --script smb-vuln* -p139,445 # search smb vuln
nmap -PN -sC -sV # classic scan
nmap -PN -sC -sV -p- # …


Check if your Active Directory passwords are compromised in a data breach

To compare Active Directory accounts against breached passwords you need access to your Active Directory with a specific privileged account, a password list with NTLM hashes and some PowerShell commands. But why should you do this? Password hashes of Domain accounts can be dumped locally from SAM, memory, remotely and …


Utilizing a Common Windows Binary to Escalate to System Privileges

Windows pwnage courtesy of trusted Windows binaries
Introduction
If you’ve ever tried to run a command prompt as administrator on your Windows OS before, you’ve seen a harmless popup appear. This is Windows User Account Control, or UAC. According to Microsoft, UAC “is a fundamental component of Microsoft’s overall security …
