Press "Enter" to skip to content

harmj0y Posts

PowerShell RC4

Every language needs an RC4 implementation. Despite its insecurities, RC4 is widely used due to its simple algorithm and the minimal amount of code it takes to implement it. Some people have even tried to fit implementations into single tweets. It’s commonly used by malware due to its low overhead, and I’m actually shocked that RosettaCode doesn’t have an entry for RC4. The only PowerShell implementation I’m aware of is Remko Weijnen’s code here, and as far as I know .NET doesn’t include an RC4 implementation that we can take advantage of. This post will cover a ‘proper’-(esque) implementation of RC4, a practical ‘minimized’…

KeeThief – A Case Study in Attacking KeePass Part 2

Note: this post and code were co-written with my fellow ATD workmate Lee Christensen (@tifkin_) who developed several of the interesting components of the project. The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very…

A Case Study in Attacking KeePass

[Edit 7/1/16] I wanted to make a few clarifying notes as there have been some questions surrounding this writeup: You only need administrative rights to execute any WMI subscriptions and/or gather files from user folders NOT normally accessible from the current user context (not everything described here needs admin rights). KeePass is not “bad” or “vulnerable” – it’s a much better solution than what we see deployed in most environments. However admins/companies sometimes tend to see solutions like this as some silver bullet, so one point of this post is to show that practical attack vectors against it are not unrealistic. This writeup does not cover…

Where My Admins At? (GPO Edition)

[Edit 6/14/16] I was mistaken on a few points in the Local Account Management – Restricted Groups section, which I have now corrected. Thanks to @DougSec for the question/catch. Enumerating the membership of the Administrators local group on various computers is something we do on most of our engagements. This post will cover how to do this with Group Policy Object (GPO) correlation and without sending packets to every machine we’re enumerating these memberships for. I touched on this briefly in the Tracking Local Administrators by Group Policy Objects section of my “Local Group Enumeration” post back in March, but with a number of recent bug fixes…

Upgrading PowerUp With PSReflect

PowerUp is something that I haven’t written about much in nearly two years. It recently went through a long overdue overhaul in preparation for our “Advanced PowerShell for Offensive Operations” training class, and I wanted to document the recent changes and associated development challenges. Being one of the first PowerShell scripts I ever wrote, there was a LOT to clean up and correct (it’s come a long way since its initial commit back in 2014). The new code is in the development branch of PowerSploit and I updated the PowerUp cheat sheet to reflect the new functions and syntax. Many of these updates were only possible with @mattifestation‘s awesome PSReflect library, something we’ll be…

OS X Office Macros with EmPyre

This post is part of the ‘EmPyre Series’ with some background and an ongoing list of series posts [kept here]. One of the (many) challenges with operating in an OS X heavy environment is initial access. Without a still working exploit/0day or compromising something like JAMF to deploy out OS X agents/commands you need some way to trigger initial access on target machines. Luckily there’s a way to craft macros for OS X Office 2011 documents that trigger system commands, meaning we can weaponize documents for EmPyre just like its Windows equivalent. Note: we are not claiming that we invented macros on…

Building an EmPyre with Python

The “EmPyre Series” 5/12/16 – Building an EmPyre with Python 5/18/16 – Operating with EmPyre 5/24/16 – The Return Of the EmPyre 5/31/16 – OS X Office Macros with EmPyre Our team has increasingly started to encounter well secured environments with a large number of Mac OS X machines. We realized that while we had a fairly expansive Windows toolkit, there were very few public options available for OS X agents, and none that satisfied our particular requirements. Our group is used to operating in heavy Windows environments (hence me not shutting up about offensive PowerShell on this blog) so we felt a bit out of our element,…

Running LAPS with PowerView

A year ago, Microsoft released the Local Administrator Password Solution (LAPS) which aims to prevent the reuse of local administrator passwords by setting, “…a different, random password for the common local administrator account on every computer in the domain.” This post will cover a brief background on LAPS and how to use PowerView to perform some specific LAPS-specific enumeration. Sean Metcalf has a detailed post about LAPS here with much more information for anyone interested. Note: this functionality is in the dev branch of PowerSploit. LAPS Overview LAPS accomplishes its approach by first extending the Active Directory schema to include two new fields, ms-MCS-AdmPwd (the password itself) and ms-MCS-AdmPwdExpirationTime (when the password expires).…

Empire’s RESTful API

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. [tl;dr] The Empire RESTful API is documented here on the Empire GitHub wiki. Last week, Empire’s 1.5 release included a RESTful API implementation which I hinted about previously. This effort was inspired by a conversation with @antisnatchor from the BeEF project while at the Troopers conference this year- big shoutout to him and Carlos Perez for inspiration and feedback as the API was being developed. This post (and the code itself) wouldn’t exist if it wasn’t for both of your efforts. RESTwut REST stands for ‘REpresentational State Transfer’, and an…

Empire 1.5

Three months have elapsed since the Empire 1.4 release, and we have some awesome new features for our next release! The notes for Empire 1.5 are below, but a quick warning- this release modifies part of the backend database schema, so do not apply this update if you have existing agents on your Empire server. You will need to run ./setup/reset.sh to reinitialize the database, and will likely need to rerun setup.sh or pip install flask to install the Flask dependencies necessary for the RESTful API. New Modules The core version of PowerView was updated with the newest version from PowerSploit’s dev branch. With…