November 1, 2015

Knock and Pass: Kerberos Exploitation

Almost a year after the critical vulnerability MS14-068 (https://technet.microsoft.com/en-us/library/security/ms14-068.aspx), many guides and tutorials have been written on how to trick the Domain Controller into issuing a Golden Ticket, impersonating a simple user as a user with "high level" privileges.

The purpose of this post is not to teach or re-present how to exploit a DC in order to retrieve the Kerberos ticket, because there are hundreds of well-written posts about that specific exploitation; it is a general guide on how to configure a Linux machine so that it can generate a valid Kerberos ticket without joining your host machine to the Domain Controller.

April 18, 2015

Bypass UAC and AV on Windows 7

It's been a long time since I wrote my last tutorial, so I'm coming back, folks, with a new one that implements some basic penetration techniques like msfconsole and introduces a couple of amazing tools for our purpose, such as Shellter.

A short intro to Shellter.
Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.

May 26, 2014

Dump memory / Volatile memory

This tutorial describes the main options for dumping volatile memory using some basic tools. We will explain the basic operation of the DumpIt and Volatility tools, analyzing multiple ways of dumping memory locally or remotely and extracting Windows hashes, web session information and a variety of other information such as the system OS and network/system processes.

About DumpIt
This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines. The raw memory dump is generated in the current directory; only a confirmation question is prompted before starting. Perfect for deploying the executable on USB keys for quick incident response needs.

January 1, 2014

Multiple vulnerabilities in ZPanel 10.0.2

When I started to set up ZPanel on my private server for the first time, I was really curious how secure it is, so I started looking through the source code of ZPanel for vulnerabilities. After hours of digging through the source, I managed to find 2 security flaws.

The first one (and the most important) is an LFI (Local File Inclusion), which I found in the file getdownload.php, located in /etc/zpanel/panel/modules/backupmgr/code/.

December 10, 2013

Wireshark In PenTesting

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets, it runs on various Unix-like operating systems including Linux, OS X, BSD, and Solaris, and on Microsoft Windows.

We can download Wireshark for Windows or Mac OS X from the official website. Most Linux systems have the Wireshark tool pre-installed.

July 12, 2013

Exploitation Ubuntu - Windows Services

This tutorial describes the basic principles of gathering information and exploiting vulnerable machines such as Ubuntu Server and Windows XP. On both systems (Ubuntu and Windows) some vulnerable services are installed, like Tomcat Java / Samba File Server, or vulnerable databases like PostgreSQL on the Ubuntu machine and MySQL on Windows respectively.

February 23, 2013

Crack Hashes using Hashcat

This tutorial describes the main options of Hashcat. It explains the basic operation of using it to crack password hashes (LM, NTLM, MD5, etc.) with different attack methods such as Brute-Force attack, Combinator attack, Dictionary attack, Hybrid attack and much more.

About Hashcat

Hashcat is the world’s fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

February 16, 2013

Create Wordlists using Crunch

In this tutorial we will describe the main options of Crunch. We will explain the basic operation and the most important options of the Crunch tool for creating and generating wordlists.

About Crunch
Crunch is a tool for creating bruteforce wordlists which can be used to audit password strength.

The size of these wordlists is not to be underestimated; however, Crunch can make use of patterns to reduce wordlist sizes, can compress output files in various formats, and (since v2.6) now includes a message advising of the size of the wordlist that will be created, giving you a 3-second window to stop the creation should the size be too large for your intended use.

January 30, 2013

Hacked

If you’re like most people, you probably manage multiple online accounts for a wide variety of uses: from multiple email addresses to online shopping accounts or online banking, the average person accesses an account containing personal information at least once a day. Whether you manage large quantities of financial information via an online account, or you simply have personal information associated with your social media accounts, chances are you would hate for that information to fall into someone else’s hands.

However, sometimes keeping your private information private isn’t as easy as it should be. 75% of Americans have fallen or will fall victim to some sort of cyber crime due to having their accounts hacked. And among larger institutions, like corporations or even universities, when data for large amounts of people is stored all in one central location, the risk for being hacked is even higher. In fact, about 90% of corporations report suffering some sort of system breach over the course of the past 12 months.