
EyeWitness – A Rapid Web Application Triage Tool


More than half of the assessments that my team and I go on include web applications. Even on network-level assessments, as we identify live machines within a target network, it's fairly common for us to find a large number of web applications. These web apps can be the customer's own applications or web front ends for various appliances (switches, VoIP phones, etc.). I needed a way to be able to quickly get a...


Developing a Self-Brute Forcing Payload for Veil


I've always thought the concepts that Hyperion utilizes to encrypt and hide an executable are very interesting. As a result, I thought it would be a fun exercise to try to create a Veil payload that utilizes the following concepts: encrypt the shellcode stored within the executable, store only part of the decryption key within the executable, and make the payload brute force itself to find the complete decryption key. Hopefully, it'll be...


Introduction to Hasher


On nearly every pen test I've been on, we've been able to obtain hashes of some sort. These hashes could be generated by a web application, a database, an operating system, or something else. Typically, there will come a point where I either need to generate a hash myself or compare the hashes I've obtained with their potential plaintext values. The problem that we face is that it's not operationally safe to blindly submit cleartext...


I Have the Password Hashes! Can I Pass Them?


When on a pen test, you're going to get password hashes. It's going to happen. Something that I like to see is whether the credentials we have may also be used throughout the rest of the target network. There are a couple of different tools that you can use to rapidly check system hashes across an IP range, and I try to detail some of them below. Note: THIS IS GOING TO GENERATE A LOT OF NOISE! I can't reiterate that...


Multiple Methods for Dropping Payloads with Credentials (or Hashes)


I like the cliché that "there's more than one way to skin a cat" because it's how I like to operate. I like to have a lot of different options to choose from when attempting to reach a certain goal. In my previous post, I showed how psexec_command can be used to trigger an executable once it's been placed on a machine. But this could lead to the question: how can we get our payload onto our target machines...


psexec_command – When You Can’t Trigger Your Payload


Ever been able to drop a payload on a machine but not execute it? I've had a few odd times on assessments and/or CTFs where I've been able to drop a payload onto a machine that I am targeting but haven't been able to trigger it. An example I can speak to is when I've created a custom executable, such as one generated from Veil, and used Metasploit's psexec to drop the payload on the machine (which I've...


Veil – A Payload Generator to Bypass Antivirus


NOTE: Please, be kind, and don't submit any payloads to ANY online virus scanner! Please be sure to check out https://www.veil-evasion.com, Veil's website, for the latest tutorials, updates, and repo location. Any questions on using Veil? Join us in #veil on Freenode! To learn how to effectively use Veil on assessments, and other Red Team techniques, check out our class at Black Hat USA 2014! And check out our Pen Testing...
