Press "Enter" to skip to content

Author: harmj0y

Finding Local Admin with the Veil-Framework

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-FindLocalAdminAccess  ->  Find-LocalAdminAccess Additionally, the -Ping command for Invoke-ShareFinder is no longer needed Back in 2012 @zeknox wrote a great post on “Finding Local Admin with Metasploit” which I highly recommend everyone read. My team consistently runs into situations similar to what he describes, where the current user context we’re operating under doesn’t have local administrator privileges on the machine where we have our shell. This was actually one of the motivations for PowerUp (which you can read more about here). zeknox then details the Metasploit module…

Pass-the-Hash is Dead: Long Live Pass-the-Hash

[Edit 3/16/17] Many elements of this post, specifically the ones concerning KB2871997, are incorrect. I have an updated post titled “Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy” that contains the most up-to-date and accurate information.   [Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Get-NetLocalGroups  ->  Get-NetLocalGroup -ListGroups You may have heard the word recently about how a recent Microsoft patch has put all of us pentesters out of a job. Pass-the-hash is dead, attackers can no longer spread laterally, and Microsoft has finally secured its authentication mechanisms. Oh wait: This is…

A Brave New World: Malleable C2

Last week, Raphael Mudge released an awesome update to Cobalt Strike’s asynchronous agent, Beacon, in the form of new fully customizable/malleable command and control communications. Beacon’s initial communications channel with its C2 server was with HTTP, with a DNS control channel added soon after. This allowed Beacon to behave similarly to most documented crimeware strains. The ability to communicate using SMB pipes was added at the end of last year, enabling the emulation of like some of the more advanced APT agents like Red October and Duqu. However, there still wasn’t a way to make the network traffic really look like the specific C2 for any of these samples. With this update, communication profiles for Beacon can…

Veil-PowerView: A Usage Guide

[Edit 8/13/15] – Many of the cmdlets listed here have changed. Check out the PowerView 2.0 post to see the new updates. [Note: this topic was cross-posted on the Veil-Framework site] Veil-PowerView is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure Powershell replacements to easily bypass this protection, I began to explore what else could be done with Powershell from a domain and network situational awareness perspective. Being inspired by my boss @davidpmcguire, and drawing on existing work from @mubix, the offensive Powershell community (@obscuresec, @mattifestation, and DarkOperator), and the authors…

PowerUp: A Usage Guide

Note: this topic was cross-posted on the official Veris Group blog. PowerUp is the result of wanting a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. We’ve gotten the chance to test PowerUp in multiple environments, as well integrate public feedback, so I wanted to put together a quick usage guide for those wanting to check it out. To load up PowerUp, first download the raw script to a local location, and then launch Powershell: C:>…

File Server Triage on Red Team Engagements

Note: this topic was cross-posted on the official Veris Group blog One common activity performed during red team assessments is data pilfering of compromised servers, particularly file servers. These systems can host an incredible amount of useful information and often the target data you’re after. However, the triage of a machine with literally millions of files can be an incredibly time consuming process. Examining the innumerable number of files, folders, and shares is how some red teams break their new members over a span of days, weeks, and months. This post will cover a few techniques to hopefully help you find what you’re looking for when…

Pwnstaller 1.0

Edit: a presentation on Pwnstaller 1.0 was given BSides Boston ’14- the slides are posted here and the video of the talk is here. This topic was also cross-posted on the official Veris Group blog. Pyinstaller, for those of you who aren’t aware, is a useful program that “converts (packages) Python programs into stand-alone executables”. This is great for the distribution of Python-based projects, as a developer doesn’t have to rely on Python already being installed on a user’s system. A few years ago, the security community started to realize that Pyinstaller could be repurposed to distribute malicious binaries during pentests. Debasish Mandal’s post describes how…

PowerUp v1.1 – Beyond Service Abuse

Edit: I gave a short firetalk on PowerUp at BSidesBoston 2014– the slides are posted here. The public reaction for PowerUp has been awesome and unexpected. I wanted to expand the script to move beyond just vulnerable service abuse, and include several other Windows privilege escalation vectors. There is a ton of great information out there on a variety of privesc techniques, and I drew from what I could find to implement the new functionality in PowerUp. I highly recommend checking out FuzzySecurity’s awesome post on the subject, as well as checking out @mubix‘s and @carnal0wnage‘s presentation “AT is the new Black”.…

PowerUp

On a recent assessment we ran into a situation where we needed to escalate privileges on a fairly locked down workstation. Kernel exploits (kitrap0d) wouldn’t work, so we fell back to an old classic, vulnerable windows services. While we couldn’t manipulate services directly, a custom system service purposely left its binary privileges open for compatibility purposes. tldr; replacing the service binary path with a custom binary (that created a user and added them to the local administrators) and then rebooting the box did the job nicely. Our process was more or less manual: reviewing all currently running Windows services and…

Cracking the Perimeter (CTP) and OSCE review

Exactly a year ago I went through the Offensive Security Certified Professional (OSCP) exam, the 24 hour capstone to the comprehensive and awesome Penetesting with Backtrack (now Pentesting with Kali Linux) training offered by the guys Offensive Security. I can’t say enough good things about that set of training and the exam itself; it’s a de facto requirement at my company that technical testers get their OSCP. A few months ago, I completed the follow-up training course, Cracking the Perimeter, and just finished the exam this past weekend. The OSCE functions as an ‘intermediate’ certification in between the OSCP and…