Cracking the Perimeter (CTP) and OSCE review
Exactly a year ago I went through the Offensive Security Certified Professional (OSCP) exam, the 24 hour capstone to the comprehensive and awesome Pentesting with Backtrack (now Pentesting with Kali...
PowerUp
On a recent assessment we ran into a situation where we needed to escalate privileges on a fairly locked down workstation. Kernel exploits (kitrap0d) wouldn’t work, so we fell back to an old classic,...
PowerUp v1.1 – Beyond Service Abuse
Edit: I gave a short firetalk on PowerUp at BSidesBoston 2014- the slides are posted here. The public reaction for PowerUp has been awesome and unexpected. I wanted to expand the script to move beyond...
Pwnstaller 1.0
Edit: a presentation on Pwnstaller 1.0 was given at BSides Boston ’14- the slides are posted here and the video of the talk is here. This topic was also cross-posted on the official Veris Group blog....
File Server Triage on Red Team Engagements
Note: this topic was cross-posted on the official Veris Group blog. One common activity performed during red team assessments is data pilfering of compromised servers, particularly file servers. These...
PowerUp: A Usage Guide
Note: this topic was cross-posted on the official Veris Group blog. PowerUp is the result of wanting a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes...
Veil-PowerView: A Usage Guide
[Note: this topic was cross-posted on the Veil-Framework site] Veil-PowerView is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *”...
A Brave New World: Malleable C2
Last week, Raphael Mudge released an awesome update to Cobalt Strike’s asynchronous agent, Beacon, in the form of new fully customizable/malleable command and control communications. Beacon’s initial...
Pass-the-Hash is Dead: Long Live Pass-the-Hash
[Edit] – @mubix alerted me to some additional functionality with WinRM/psremoting and Metasploit that I updated about 1/4 of the way through the post. You may have heard the word recently about how a...
Finding Local Admin with the Veil-Framework
Back in 2012 @zeknox wrote a great post on “Finding Local Admin with Metasploit” which I highly recommend everyone read. My team consistently runs into situations similar to what he describes, where...
Trusts You Might Have Missed
How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even know it. Abusing...
Derbycon + PowerShell Weaponization
Derbycon Wrapup: This past Friday, my boss (@davidpmcguire) and I had the awesome experience of speaking at Derbycon 4.0. Our talk was titled “Passing the Torch: Old School Red Teaming, New School...
PowerShell and Win32 API Access
Several functions in PowerView are dependent on the lower-level Windows API. Specifically, Get-NetSessions utilizes the NetSessionEnum call, Get-NetShare utilizes the NetShareEnum call, Get-NetLoggedOn...
The Case of a Stubborn ntds.dit
The awesomesauce of the Kerberos Golden Ticket (based on the spoofed-PAC whitepaper from BlackHat 2012) has started to change how I operate on my engagements, especially during repeat assessments done...
Targeted Trojanation
So you’re on an engagement and everything seems pretty locked down. Group Policy Preferences doesn’t have any deployment passwords left lying around, you’re not a local administrator on the machine,...
Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2
[Note: this topic was cross-posted on the official Veris Group blog] A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords...
Mining a Domain’s Worth of Data With PowerShell
On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to...
“I Hunt Sys Admins”
[Note] This post is a companion to the Shmoocon ’15 Firetalks presentation I gave, also appropriately titled “I Hunt Sys Admins”. The slides are here and the video is up on Irongeek. Big thanks to...
Domain Trusts: Why You Should Care
Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public infosec discussions. While the community has started to talk more about...
Push it, Push it Real Good
My boss comes from a red teaming background; I do not. When I started to move beyond simple pentests and absorb his more advanced tradecraft, I was amazed that I hadn’t heard of much of it before. I...