Metasploit Archives - Pentest Geek

Posted In:Metasploit Archives - Pentest Geek


WordPress Pingback Portscanner – Metasploit Module

2013/01/03 - By 
Metasploit Module Wordpress Pingback Port Scanner

The latest version of WordPress, version 3.5 was recently released on December 11, 2012. This latest version of WordPress comes pre-packaged with the XML-RPC interface enabled by default. This is just the type of configuration that us pentesters love to see during an engagment. This additional attack surface may be just the little extra that a pentester needs.

Read More


Recover Spark IM Stored Passwords with Metasploit

2012/12/26 - By 

Metasploit Module [1]

I recently added a post exploit module to the metasploit framework. The module will extract and decrypt passwords that are stored by the Spark Instant Messenger client. The passwords are stored in a file on the local HDD ( using Triple DES encryption. This sounds all fine and dandy, but this all goes out the door when they hardcoded the key and made it publicly documented.

The vulnerability isn’t that new since it was documented by Adam Caudill back in July 2012 when he disclosed the details and PoC code in .net that illustrates how the attack can be completed.  Mubix recently submitted a  request to add this post exploit module into the framework. Well, SmilingRacoon and myself decided to answer the call and work up a module to accomplish this task.

Read More


NetLM Downgrade Attacks with Metasploit

2012/11/30 - By 

Metasploit Module [1]

Recently I added a post exploit module to the metasploit framework  that will help automate the NetLM Downgrade attack.  If you are not familiar with the  attack, I highly suggest you read the following article by Dave Howard before continuing.

The purpose of this article is not to describe the NetLM attack, but rather demonstrate how the post exploit module functions and how it can save  time on a pentest or even get you that next step in order to take over the network.

Read More


Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb)

2012/11/16 - By 

Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during an Information Security Assessment or Penetration Testing exercise.
The ntds_hashextract.rb script is a standalone tool that can be used to quickly and efficiently extract Active Directory domain password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky so here is a detailed tutorial covering the methodology that I use and continue to have success with.

Step 1 – Install Libesedb

Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library using the following URL
Read More


Finding Logged In Users – Metasploit Module

2012/11/05 - By 

Sometimes during an Information Security Assessment I find myself spending a fair amount of effort locating a server or workstation with a specific user logged into it. This could be because I am searching for a box with a Domain Admin, or maybe my engagement’s scope has a CTF style scope that requires me to find a single user logged into a large enterprise domain.

Whatever the reason, this processes can sometimes take a long time. Especially on a sizable network. Like most security auditors I’m not a big fan of doing the same thing over and over again so I decided to build a tool to help automate this process.

First we query HKEY_USERS to find out how many legitimate SIDs are currently logged in. We should see an output simalr to this.

Read More


Find Local Admin with Metasploit

2012/11/03 - By 

Metasploit Module [1]

When conducting email phishing engagements I often run into situations where I gain a meterpreter session on the internal network, but I don’t have local admin privileges. Often times many penetration testers give up on the assessment because they have already illustrated access to the internal network and consider that adequate on an external engagement. I like to go that extra mile and really make an impact by showing what a malicious user can do once inside.

I feel many penetration testers ignore the fact that a user executed the payload. A user that is most likely part of a domain, and may have access to many additional resources on the internal network that we wouldn’t otherwise have access to.

Read More

Share This

Recent Posts

Subscribe To Our Mailing List

The Ultimate Burp Suite Training Program

Learn Network Penetration Testing

Penetration Testing



Web Application Hacking

Brandon McCann

Copyright 2024