
War Room

Shells From Above


Offense

Accessing Internal Web Apps via Meterpreter on a Jumpbox

September 15, 2015 By Ken Smith

Post breach on a recent external penetration test, I wanted to do some poking around the target's intranet which required that I set up a SOCKS proxy. Given that I was using a jumpbox, I knew it was going to be necessary to set up a tunnel to get everything working properly. If you're anything like me, tunneling makes your brain hurt. Fortunately, with a little help from jagar, ... READ MORE

No RDP, No Problem!

September 2, 2015 By Jeremy

The Setup: I conducted some phishing for a pentest this past week. My ulterior motive was to have an opportunity to familiarize myself with Empire, so I decided to go with a pretext which would allow me to use the macro stager and a malicious Excel sheet attachment to drop agents onto victim boxes. After some initial hiccups, a handful of (elevated!) agents started calling ... READ MORE

Building a Vulnerable Box – HFS Revisited

August 31, 2015 By Ken Smith

A few months ago, in the Building a Vulnerable Box series, I wrote a walkthrough for putting together and compromising a Rejetto HFS server. The post had originally been intended for my security students at the time, but, to my surprise, it's become one of the War Room's most consistently visited write-ups. Just last week, a similar exploit was posted to the Exploit-DB by Naser ... READ MORE

Empire: An Elegant Weapon for a More Civilized Age

August 21, 2015 By Ken Smith

Empire, developed by @harmj0y, @sixdub, and @enigma0x3, debuted earlier this month at BSides Las Vegas. In the words of the developers, "Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all ... READ MORE

Kali 2.0: Fresh Look, Easy Updates, and Post Install Tips

August 18, 2015 By Jeremy

Kali 2.0 was released last week, which means that we get to spend some time sifting through Offensive Security's latest release looking at all the new tools and tricks. Offensive Security promised us a better, more powerful penetration testing platform, and my preliminary look at 2.0 shows that they delivered. The Look: Kali 2.0 switched over to the GNOME3 interface which ... READ MORE

Retrieving Credentials from Configuration Files

August 14, 2015 By RSM Author

“Security is not convenient.”  Though blunt, this phrase neatly captures the fundamental conflict between typical users and information security personnel.  Typical users want their workstations and networks to be configured for speed, accessibility, and convenience, whereas security professionals prioritize tight access control and monitoring.  If you believe that security is ... READ MORE

Metasploit Module of the Month – web_delivery

July 24, 2015 By RSM Author

In the second edition of this series we are going to take a look at an exploit module that doesn't get a lot of attention. I'll use "exploit" in the same context that Metasploit does, which means that upon successful completion of this module you get a shell. It doesn't mean that this module is some super 1337 browser exploit/sandbox escape 0day, which, I think, is partly ... READ MORE

How to Bypass SEP with Admin Access

July 13, 2015 By RSM Author

I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario, I am writing this. A little bit of backstory: I was able to acquire a shared local administrator's credentials during a pen test. I was using them to gain access to ... READ MORE

Pillage Exchange

June 29, 2015 By RSM Author

A while back I wrote a post detailing a technique for pillaging .pst files.  A .pst is a "personal storage folder" created by Microsoft Outlook containing email messages, contacts, appointments, and other information, and may be stored locally or on a centralized server.  The approach I detailed in that post involved dropping a small binary on the machine hosting the .pst ... READ MORE

Crouton – Chromebooks as a Pentesting Platform

June 5, 2015 By Ken Smith

I had the opportunity to pick up a Chromebook (Acer C720) on the cheap(er) this past weekend. A local high school was getting rid of those machines that had previously belonged to graduating seniors who had chosen not to buy them outright at the end of the year. I had never had much of a chance to play around in ChromeOS until now, so I was excited to get my hands dirty. I have ... READ MORE
