Channel: Shell is coming ...
Browsing latest articles
Browse All 32 View Live


Metasploit Forensics: Recovery deleted files (NTFS)

The possibilities offered by Meterpreter when developing post-exploitation modules are practically limitless. See for example the modules Imager.rb and NBDServer.rb developed by R. Wesley McGrew and...


Where do I leave my bind shell?

While performing internal audits I have found, on several occasions, that I get a shell on machines supposedly located inside the organization's DMZ but about which I don't know their...


CrystalAEP: an alternative to EMET

One of the tools I mentioned in the Software Exploitation report, and one I hardly ever hear about when protection tools (specifically anti-exploitation ones) are referenced, is...


Metasploit: Man in the Middle through PPTP tunnel

Recently I made a small post-exploitation module to take advantage of the rasdial Windows client. The idea is to create an outbound VPN connection (PPTP) from the "victim" machine to a VPN server...


TOR + 2nd VPN: An additional layer of anonymity

Without going into the reasons why one wants to remain anonymous (personally I have some good reasons, and they are growing every day), I would like to comment on how to add an additional layer of anonymity...


Metasploit: Getting Ingress firewall rules

This week Rapid7 announced the addition of Metamodules in Metasploit Pro v4.7. One of these modules, "Egress Firewall Testing", allows you to deduce outbound filtering rules from firewalls/routers. No...


Metasploit: Chain of proxies with PortProxy module

Portfwd is a well-known feature that allows us to do port forwarding from our Meterpreter session. I think the possibilities it provides go without saying. However, since this feature is part of...


Passive DNS with Tshark

Passive DNS is a nice monitoring technique to get the relationships of domains and IP addresses. With this information we can identify fast-flux botnets that constantly update DNS with very low TTL...


Network Forensics with Tshark: Psexec intrusion

I love Tshark for network forensics; I think the command-line version of Wireshark can be really efficient, if it is used wisely, at detecting a large number of anomalies/attacks in our network. Let's see the...


Metasploit: Controlling Internet Explorer user traffic through a proxy PAC file

We have several alternatives from our shell if we want to play with the DNS to control the victim traffic. A common method is to modify the file C:\WINDOWS\system32\drivers\etc\hosts to add fake...


Loading a kernel driver from Meterpreter

Since life in kernel space is more stealthy, you may want to load your own rootkit kernel driver to hide your shell, some process or connection, etc. and thus make your post-exploitation work more...


Don't touch my shell: ACL Bind Shellcode

How many times have you used a bind shell as a persistence method? And how many of those times have you been restless, thinking that someone could steal your shellcode? Personally, most of the times...


Hidden Bind Shell: Keep your shellcode hidden from scans

Many organizations use tools like Nexpose, Nessus or Nmap to perform periodic scans of their networks and to look for new/unidentified open ports. In this kind of environment it’s difficult that our...


IP-Knock Shellcode: Spoofed IP as authentication method

Let's keep playing around with more shellcodes. In recent posts we have seen two alternatives to the classic bind shell. First we saw how you can add firewall capabilities to your shellcode so that...


Metasploit: Getting outbound filtering rules by tracerouting

Deciding between a bind or reverse shell depends greatly on the network environment in which we find ourselves. For example, in the case of choosing a bind shell we have to know in advance if your...


reflectPatcher.py: python script to patch your reflective DLL

Here I share a tiny Python script to "patch" a reflective DLL with the bootstrap needed for it to be executed by the respective stager. Its use is simple: just give it the DLL you want to patch and the...


TLS Injector: running shellcodes through TLS callbacks

I would like to share a Python script that lets you inject a shellcode into a binary to be executed through a TLS callback. If you don't know what I'm talking about, I recommend that you read this post and...


Pazuzu: reflective DLL to run binaries from memory

Most of the time I use Meterpreter in my pentests, but sometimes I miss the ability to run my own binaries from memory to carry out very specific tasks. In this type of scenario I needed a way to...


Modbus Stager: Using PLCs as a payload/shellcode distribution system

This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the...


Post-exploitation: Mounting vmdk files from Meterpreter

Whenever I get a shell on a Windows system with VMware installed I feel a certain frustration at not being able to access the filesystem of the available virtual machines. Although it would be possible...


DoublePulsar SMB implant detection from Volatility

In recent months there have been various groups of attackers, as well as script kiddies, using the FuzzBunch Framework to compromise systems. In a recent incident, while I was analyzing a...


Windows reuse shellcode based on socket's lifetime

I've always been a big fan of the old socket reuse techniques: findtag, findport, etc., each with its advantages and disadvantages. This type of shellcode usually imposes multiple requirements. The...


DNS Polygraph: a tool designed to make it easier to identify techniques...

Some time ago I had to research an alleged case of DNS Interception in a somewhat hostile Windows environment. Part of the job was to sniff all DNS responses from the corresponding resolver with tools...


One-Way Shellcode for firewall evasion using Out Of Band data

In a recent post I was talking about a shellcode technique to bypass firewalls based on the socket's lifetime which could be useful for very specific exploits. Continuing with this type of shellcodes...


Retro shellcoding for current threats: rebinding sockets in Windows

In previous posts we saw two techniques to bypass firewalls through custom stagers to locate and reuse the connection socket; on the one hand, taking advantage of socket's lifetime and on the other,...
