Penetration Testing Tutorials Archives - Page 2 of 2 - Pentest Geek

Posted In:Penetration Testing Tutorials Archives - Page 2 of 2 - Pentest Geek

standard

Scheduled tasks with S4U and on demand persistence

2013/02/11 - By 

Github module [1, 2]

I came across an interesting article by scriptjunkie (which you should really read) about running code on a machine at any time using service-for-user. By changing one line in the export XML of a scheduled task you effectively get a scheduled task that can run whether or not a user is logged in, whether or not the system reboots, whether or not you have the user’s password, run as a limited user, and doesn’t require bypassing UAC! This isn’t an interactive logon but can still be very useful in certain situations.

This works with any user with logon as batch job. While scriptjunkies blog post only showed altering a basic task scheduled to run every hour, it is possible to create more complex triggers based off a variety of things to make a more flexible trigger for your payload. Some of the triggers can even be used to replicate functionality for non-privileged accounts that are usually restricted. Some can even be used to trigger a scheduled task remotely from only your IP address.

Read More


standard

Hard coded encryption keys and more WordPress fun

2013/01/16 - By 

Metasploit modules [1, 2]

A few days ago I was chatting with pasv about a recent vulnerability he discovered. Apparently there was demand for Razer Synapse which syncs the configuration for a Razer mouse to the “cloud”. Syncing configurations to the cloud was most likely needed since some of Razer models have so many buttons the mouse has its own full blown number pad on the side. Pasv got bored and did what any good bored security professional does and reverse engineered the Razer Synapse installer. He discovered that the encryption key and IV were hard coded for the “Remember my password” feature (PoC).

The vulnerability was recently fixed before the new year (12/27/12), via an auto-update in the Razer Synapse software but we figure there are probably at least a few configuration files still sitting out there. This vulnerability was very similar to a recent metasploit module @zeknox and I released about Spark IM so it was fairly painless to write up a new module to exploit this configuration.

Read More


standard

Using Nmap to find Local Admin

2012/08/23 - By 

While conducting  penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials.  If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges.  Sure I could fire up metasploit’s msfconsole and psexec across the network.  Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network.  That’s when I started to utilize Nmap’s smb-enum-shares NSE script.  I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others.  Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do.  The syntax is pretty straightforward as seen below:Read More


standard

Using Nmap to Screenshot Web Services Troubleshooting

2012/07/11 - By 

Recently a member from the Trustwave SpiderLabs team created an nmap NSE script that could be used to take a screenshot of webpages as it scanned the network. Working for a top 10 accounting firm, I conduct a lot of internal penetration tests for clients that operate on very large networks, and sometimes I’m required to audit entire counties.  Having the ability to view all the webpages on the internal network without being required to manually type in each addresses into the browser sounded amazing.  This was very exciting news now that there was a way to automate this process and have the ability to scale.  I dove in right away to get started by installing the script based on the instructions in the link listed below:

http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

I highly suggest you look over the article above as I wrote this article in hopes that it would help assist anyone when having issues getting the http-screenshot NSE script to function properly with the latest version of nmap.

Read More


standard

Stealing Servers Through Directory Traversal

2012/01/26 - By 

Recently I was conducting an internal penetration test for a client that is part of the financial industry.  Since this client is a financial institution they are required to have an independent 3rd party company audit their security once a year per NCUA and FDIC requirements.  That’s where I come in, I get paid to hack companies like banks and credit unions.  Internal penetration testing is probably one of my favorite engagements to conduct because of the wealth of information you can obtain on an internal network.  Devices on the internal network typically do not have firewalls so you have unrestricted access to every port a network device will serve up.  There are so many devices on the internal network, and each one tells a story.

During this recent assessment I had brought out my typical attack vectors but was striking out. I typically run Nessus as my primary vulnerability scanner, but like every tool I don’t trust it to be the holy grail.  Understanding how a tool works is the best way to get a better understanding of how to find more vulnerabilities in the case that your tools don’t find anything, or malfunction.  I’ve met penetration testers that will see zero high risk findings in Nessus and throw up their hands thinking there is no way to penetrate this network.  When I see a scan that comes back clean with zero high risk findings, I get excited thinking this one’s gonna be a challenge.

Sitting on this internal network the Nessus scan had completed and came up pretty clean.  I brought out my typical arsenal of attacks including but not limited to brute forcing mssql accounts, searching for Apache Tomcat servers that had weak or easily guessable password, sending medusa after the built-in local Administrator account since I enumerated it via null sessions along with the fact this account cannot be locked out by default, nbns_spoofing harvested network hashes but the netLM was disabled leaving me only with netNTLM which is difficult to crack, numerous metasploit auxiliary modules were run along with various other scripts and tools.

Read More


standard

Using Metasm To Avoid Antivirus Detection (Ghost Writing ASM)

2012/01/25 - By 

It seems that more and more these days I find myself battling head to head against my client’s Antivirus Detection capabilities. Payloads I encoded to successfully bypass one solution get picked up by another. An executable that walked effortlessly past one AV this week gets stopped dead in its tracks by the very same software build at a different client the week later. This is a frustrating and constant problem for myself and many other Penetration Testers I am sure.

The topic of Antivirus Detection bypass is not a new one by any means. Currently there exist several methodologies that work well and I don’t think anyone (at least no one I know) can respectfully make a claim for a particular method being the De facto standard that works every time.

This article aims to provide some insight into one such method that I have become fond of and has proven quite successful in many of my recent Information Security Assessments. I first became aware of the technique by reading This Great Writeup from exploit-db. I’m not sure if the author is responsible for coining the term or not but they refer to this ancient wisdom and all of its magical powers under the alias “Ghost Writing” which I think sounds super cool!
Read More


Share This

Recent Posts

Subscribe To Our Mailing List

The Ultimate Burp Suite Training Program

Penetration Testing

Categories

Metasploit

Web Application Hacking


Copyright 2019

css.php