Channel: Shell is coming ...
Browsing all 32 articles


Reverse Port SSH Tunneling in SET v1.3

Last Thursday, 31 March, the social engineering framework SET (Social Engineer Toolkit) released version 1.3, "Artillery Edition", providing some very interesting features. Among the most...


DNS Port Forwarding with Meterpreter

Unlike the Pro version of Metasploit, one of the limitations when "pivoting" connections from Meterpreter by means of route is the type of tools we can use through the...


Process infection on Linux with Cymothoa

These days I have been playing a bit with Cymothoa. For those who don't know it, this tool lets you inject payloads into the address space of a process, or, in other words,...


Shellcode analysis with scdbg / libemu

One of the most widely used tools for analyzing and identifying possible shellcodes is libemu. The idea behind this library, written in C and implemented in frameworks such as Dionaea, is to emulate...


Defenses against DHCP attacks

Following @chemaalonso's post about the DHCP Ack Inyector tool, I remembered my university years (back in 2005), when you went to the library, plugged in your laptop and, simply by listening...


Efficient use of Metasploit: resource scripts

When I started using Metasploit (quite a few years ago now) it was rather chaotic for me to audit a network in search of vulnerabilities or relevant information. I did not follow any particular methodology...


Rcapd start Meterpreter module

During the post-exploitation phase of an intrusion, after obtaining a shell on a machine, one of the steps to keep gaining access to other machines or networking devices is to capture...


Metasploit Forensics: Recovering deleted files (NTFS)

The possibilities offered by Meterpreter when developing post-exploitation modules are practically limitless. See for example the modules Imager.rb and NBDServer.rb developed by R. Wesley McGrew and...


Where do I leave my bind shell?

While performing internal audits I have on several occasions found myself getting a shell on machines supposedly located inside the organization's DMZ, but of which I do not know the...


CrystalAEP: an alternative to EMET

One of the tools I mentioned in the Software Exploitation report, and which I hardly ever hear about when protection tools (specifically anti-exploitation ones) are referenced, is...


Metasploit: Man in the Middle through PPTP tunnel

Recently I made a small post-exploitation module to take advantage of the rasdial Windows client. The idea is to create an outbound VPN connection (PPTP) from the "victim" machine to a VPN server...


TOR + 2nd VPN: An additional layer of anonymity

Without going into the reasons why one wants to remain anonymous (personally I have some good reasons, and they are growing every day), I would like to comment on how to add an additional layer of anonymity...


Metasploit: Getting Ingress firewall rules

This week Rapid7 announced the addition of Metamodules in Metasploit Pro v4.7. One of these modules, "Egress Firewall Testing", allows you to deduce outbound filtering rules from firewalls/routers. No...


Metasploit: Chain of proxies with PortProxy module

Portfwd is a well-known feature that allows us to do port forwarding from our Meterpreter session. I think the possibilities it provides go without saying. However, since this feature is part of...


Passive DNS with Tshark

Passive DNS is a nice monitoring technique to get the relationships of domains and IP addresses. With this information we can identify fast-flux botnets that constantly update DNS with very low TTL...


Network Forensics with Tshark: Psexec intrusion

I love Tshark for network forensics; I think the command-line version of Wireshark can be really efficient, if it is used wisely, at detecting a large number of anomalies/attacks in our network. Let's see the...


Metasploit: Controlling Internet Explorer user traffic through a proxy PAC file

We have several alternatives from our shell if we want to play with the DNS to control the victim traffic. A common method is to modify the file C:\WINDOWS\system32\drivers\etc\hosts to add fake...


Loading a kernel driver from Meterpreter

Since life in kernel space is more stealthy, you may want to load your own rootkit kernel driver to hide your shell, some process or connection, etc. and thus make your post-exploitation work more...


Don't touch my shell: ACL Bind Shellcode

How many times have you used a bind shell as a persistence method? And how many of those times have you been restless, thinking that someone could steal your shellcode? Personally, most of the time....


Hidden Bind Shell: Keep your shellcode hidden from scans

Many organizations use tools like Nexpose, Nessus or Nmap to perform periodic scans of their networks and to look for new/unidentified open ports. In this kind of environment it’s difficult that our...
