Channel: Shell is coming ...
Browsing all 32 articles

IP-Knock Shellcode: Spoofed IP as authentication method

Let's keep playing around with more shellcodes. In recent posts we have seen two alternatives to the classic bind shell. First, we saw how you can add firewall capabilities to your shellcode so that...


Metasploit: Getting outbound filtering rules by tracerouting

Deciding between a bind and a reverse shell depends greatly on the network environment we find ourselves in. For example, if we choose a bind shell we have to know in advance whether your...


reflectPatcher.py: python script to patch your reflective DLL

Here I share a tiny Python script to "patch" a reflective DLL with the bootstrap needed for it to be executed by the corresponding stager. Its use is simple: just give it the DLL you want to patch and the...


TLS Injector: running shellcodes through TLS callbacks

I would like to share a Python script that lets you inject a shellcode into a binary so that it is executed through a TLS callback. If you don't know what I'm talking about, I recommend reading this post and...


Pazuzu: reflective DLL to run binaries from memory

Most of the time I use Meterpreter in my pentests, but sometimes I miss the possibility of running my own binaries from memory to carry out very specific tasks. In this type of scenario I needed a way to...


Modbus Stager: Using PLCs as a payload/shellcode distribution system

This weekend I have been playing around with Modbus, and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the...
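To make the retrieval side of such a stager concrete, here is an added example written for this page (not the author's assembly stager, which is not reproduced here). It builds Modbus/TCP "Read Holding Registers" (function code 3) requests, answers them from an in-process stand-in for the PLC, and reassembles the bytes across as many reads as the 125-register limit requires. The register layout (register 0 holds the payload length, the payload follows as big-endian 16-bit words), the fake PLC and the harmless sample payload are all assumptions constructed for the example.

```python
import struct

# Constructed sample "payload": a few harmless bytes, not a real shellcode.
PAYLOAD = b"\x90\x90\xcc\xc3" + b"example-payload-bytes"


def payload_to_registers(data: bytes) -> list[int]:
    """Pack a byte string into 16-bit holding registers (big-endian, zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


# Assumed register map: register 0 = payload length in bytes, registers 1.. = payload.
REGISTERS = [len(PAYLOAD)] + payload_to_registers(PAYLOAD)


def build_read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """Modbus/TCP request: 7-byte MBAP header followed by a function-code-3 PDU."""
    pdu = struct.pack(">BHH", 3, start, count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length covers unit id + PDU
    return mbap + pdu


def fake_plc_respond(request: bytes) -> bytes:
    """Stand-in for the PLC: answer function 3 from REGISTERS, else Modbus exception 02."""
    tid, _proto, _length, unit = struct.unpack(">HHHB", request[:7])
    fc, start, count = struct.unpack(">BHH", request[7:12])
    if fc != 3 or not 1 <= count <= 125 or start + count > len(REGISTERS):
        pdu = struct.pack(">BB", fc | 0x80, 2)  # exception response: illegal data address
    else:
        regs = REGISTERS[start:start + count]
        pdu = struct.pack(">BB", 3, 2 * count) + b"".join(struct.pack(">H", r) for r in regs)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_read_response(resp: bytes, expected_tid: int) -> bytes:
    """Validate the MBAP header and return the register bytes of a function-3 reply."""
    tid, proto, length, _unit = struct.unpack(">HHHB", resp[:7])
    if tid != expected_tid or proto != 0 or length != len(resp) - 6:
        raise ValueError("malformed MBAP header")
    fc = resp[7]
    if fc & 0x80:
        raise ValueError(f"Modbus exception code {resp[8]:#x}")
    byte_count = resp[8]
    data = resp[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("short response")
    return data


def fetch_payload(unit: int = 1, base: int = 0, chunk: int = 125, transport=fake_plc_respond) -> bytes:
    """Read the length register, then the payload in chunks of at most 125 registers."""
    tid = 1
    size_bytes = parse_read_response(transport(build_read_holding_registers(tid, unit, base, 1)), tid)
    size = struct.unpack(">H", size_bytes)[0]
    nregs = (size + 1) // 2
    out = bytearray()
    offset, end = base + 1, base + 1 + nregs
    while offset < end:
        count = min(chunk, end - offset)
        tid = (tid + 1) & 0xFFFF
        req = build_read_holding_registers(tid, unit, offset, count)
        out += parse_read_response(transport(req), tid)
        offset += count
    return bytes(out[:size])  # drop the padding byte, if any


if __name__ == "__main__":
    print(fetch_payload() == PAYLOAD)
```

Against a real device the `transport` callable would send each request over TCP port 502 and read the reply; the register layout and the length marker are conventions the stager and whoever wrote the registers must agree on, and a reply with the high bit set in the function code (an exception) must be treated as a failed fetch rather than as payload bytes.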


Post-exploitation: Mounting vmdk files from Meterpreter

Whenever I get a shell on a Windows system with VMware installed, I feel a certain frustration at not being able to access the filesystems of the available virtual machines. Although it would be possible...


DoublePulsar SMB implant detection from Volatility

In recent months various groups of attackers, as well as script kiddies, have been using the FuzzBunch framework to compromise systems. In a recent incident, while I was analyzing a...


Windows reuse shellcode based on socket's lifetime

I've always been a big fan of the old socket reuse techniques (findtag, findport, etc.), each with its advantages and disadvantages. This type of shellcode usually has multiple requirements. The...


DNS Polygraph: tool designed to make it easier to identify techniques...

Some time ago I had to investigate an alleged case of DNS interception in a somewhat hostile Windows environment. Part of the job was to sniff all DNS responses from the corresponding resolver with tools...


One-Way Shellcode for firewall evasion using Out Of Band data

In a recent post I was talking about a shellcode technique to bypass firewalls based on the socket's lifetime, which could be useful for very specific exploits. Continuing with this type of shellcode...


Retro shellcoding for current threats: rebinding sockets in Windows

In previous posts we saw two techniques to bypass firewalls through custom stagers that locate and reuse the connection socket: on the one hand, taking advantage of the socket's lifetime, and on the other,...
