October 6, 2016

Undetectable Metasploit WAR

A common attack path during a penetration test is gaining access to the administrative console of a Java application server (such as WebSphere (WAS), JBoss or Tomcat) installed on a Windows server, using default or guessable (e.g. brute-forced) administrative credentials.

The idea was to upload a Metasploit-generated WAR application in order to compromise the server, but the outcome was not the expected one...

So here it goes.
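To make the attack path concrete, here is an added example (not code from the original post or from Metasploit) that packages a JSP into the WAR layout Metasploit produces and builds the deploy request for Tomcat's Manager text interface. The JSP is a constructed placeholder, the host, credentials and context path are made up, and the request is only built, not sent:

```python
import base64
import io
import zipfile

# Constructed placeholder JSP: it only identifies where it was deployed. In
# the attack path above this would be the msfvenom-generated payload JSP; the
# WAR packaging and the deployment request are the same either way.
SAMPLE_JSP = b'<%= "deployed under " + request.getContextPath() %>\n'


def build_war(jsp_source: bytes, jsp_name: str = "index.jsp") -> bytes:
    """Package a JSP into a minimal WAR: a zip whose only required member is
    WEB-INF/web.xml. An otherwise empty descriptor is enough; the container
    compiles the JSP on first request."""
    web_xml = (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">\n'
        b'</web-app>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the members of a WAR, as the deployer will see them."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.namelist()


def tomcat_deploy_request(base_url: str, user: str, password: str,
                          context_path: str, war_bytes: bytes) -> dict:
    """Build (but do not send) the request for Tomcat's Manager text interface:
    PUT /manager/text/deploy?path=<context> with the WAR as the body and HTTP
    Basic credentials of a user holding the manager-script role (Tomcat 7+).
    Returning a dict keeps the function usable offline; feed it to
    urllib.request or requests to actually deploy."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "method": "PUT",
        "url": f"{base_url.rstrip('/')}/manager/text/deploy?path={context_path}",
        "headers": {
            "Authorization": f"Basic {token}",
            "Content-Type": "application/octet-stream",
            "Content-Length": str(len(war_bytes)),
        },
        "body": war_bytes,
    }


if __name__ == "__main__":
    war = build_war(SAMPLE_JSP)
    print(war_entries(war))
    req = tomcat_deploy_request("http://10.0.0.5:8080", "tomcat", "tomcat", "/probe", war)
    print(req["method"], req["url"], req["headers"]["Authorization"])
```

Once deployed, the application is reachable at base_url + context_path + "/index.jsp". Deployment needs a user with the manager-script role, and the pairs tomcat:tomcat and admin:admin are the classic defaults worth trying before brute-forcing; WebSphere and JBoss expose equivalent upload paths through their own consoles. The AV detection problem this post is about lies in the payload JSP itself, which this packaging does nothing to hide.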

November 1, 2015

Knock and Pass: Kerberos Exploitation

Almost a year after the critical vulnerability MS14-068 (https://technet.microsoft.com/en-us/library/security/ms14-068.aspx), many guides and tutorials have described how to trick the Domain Controller into issuing a Kerberos TGT with a forged PAC, so that a simple domain user is treated as a member of "high level" groups; the resulting ticket is often loosely called a Golden Ticket.

The purpose of this post is not to teach or to re-present how to exploit a DC in order to retrieve the Kerberos ticket, because there are hundreds of well-written posts about that specific exploitation; it is a general guide on how to configure a Linux machine so that it can obtain a valid Kerberos ticket without joining the host to the domain.
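As an added example (not from the original post) of the configuration this guide is about, the following Python renders the minimal /etc/krb5.conf a non-domain-joined Linux host needs and checks the two things that most often break ticket requests: realm case and clock skew. The domain corp.local, the DC name dc01.corp.local and the IP address are assumptions:

```python
# Kerberos rejects requests whose timestamp is further than clockskew from the
# KDC's clock (MIT krb5 default: 300 seconds). A host that is not domain-joined
# has no automatic time sync with the DC, so compare clocks first (e.g. with
# ntpdate against the DC).
MAX_CLOCK_SKEW_SECONDS = 300


def clock_skew_ok(local_epoch: float, dc_epoch: float) -> bool:
    """True if the local clock is within the KDC's tolerated skew."""
    return abs(local_epoch - dc_epoch) <= MAX_CLOCK_SKEW_SECONDS


def render_krb5_conf(domain: str, dc_fqdn: str) -> str:
    """Render a minimal /etc/krb5.conf for a Linux host that is not joined to
    the domain. The realm name must be the AD domain in upper case (Kerberos
    realms are case-sensitive); the [domain_realm] section maps the DNS domain
    and its subdomains (leading dot) to that realm, and DNS lookups are
    disabled because the host may not be using the domain's DNS servers."""
    realm = domain.upper()
    domain = domain.lower()
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_realm = false\n"
        "    dns_lookup_kdc = false\n"
        "    forwardable = true\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {dc_fqdn}\n"
        f"        admin_server = {dc_fqdn}\n"
        "    }\n"
        "\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


def hosts_entry(dc_ip: str, dc_fqdn: str) -> str:
    """/etc/hosts line so the KDC's name resolves even without domain DNS
    (assumed addresses)."""
    return f"{dc_ip}\t{dc_fqdn}\t{dc_fqdn.split('.')[0]}"


if __name__ == "__main__":
    print(render_krb5_conf("corp.local", "dc01.corp.local"))
    print(hosts_entry("10.0.0.10", "dc01.corp.local"))
```

Write the rendered text to /etc/krb5.conf, add the hosts line if the host is not using the domain's DNS, then run kinit user@CORP.LOCAL and klist to confirm a TGT was issued; tools that consume the ticket find the credential cache through KRB5CCNAME. If kinit complains that the clock skew is too great, sync time with the DC first.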

April 18, 2015

Bypass UAC and AV on Windows 7

It's been a long time since I wrote my last tutorial, so I'm coming back, folks, with a new one that uses some basic penetration-testing techniques (msfconsole) and introduces a couple of amazing tools for our purpose, such as Shellter.

A short intro to Shellter.
Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created. It can be used to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be your own or something generated through a framework such as Metasploit.
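To show what a PE infector such as Shellter has to understand before it can place shellcode inside a native application, here is an added example (mine, not Shellter's code) in Python: it parses the PE header fields that matter (bitness, entry point, section table), converts the entry-point RVA to a file offset, and looks for code caves (runs of padding inside executable sections). The sample PE is constructed inline with a fake 7-byte function so the code runs offline; the actual injection logic (patching the entry point, preserving registers, the polymorphic decoder) is out of scope:

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B          # 32-bit optional header
PE32PLUS_MAGIC = 0x20B      # 64-bit optional header
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Read the header fields a PE infector needs: machine type, bitness,
    entry point RVA, image base and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"machine": machine, "is_32bit": magic == PE32_MAGIC,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def shellter_target(pe: dict) -> bool:
    """Shellter (at the time of the post) only handles 32-bit x86 PEs."""
    return pe["is_32bit"] and pe["machine"] == IMAGE_FILE_MACHINE_I386


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA (e.g. the entry point) to its file offset via the section table."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["rawptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def find_code_caves(data: bytes, pe: dict, min_size: int = 64) -> list:
    """Return (section, file_offset, length) for every run of NUL bytes of at
    least min_size inside an executable section: space that is already mapped
    executable, where injected shellcode can live without adding a section."""
    caves = []
    for s in pe["sections"]:
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        start = None
        for i, byte in enumerate(raw + b"\x01"):       # sentinel flushes a trailing run
            if byte == 0 and start is None:
                start = i
            elif byte != 0 and start is not None:
                if i - start >= min_size:
                    caves.append((s["name"], s["rawptr"] + start, i - start))
                start = None
    return caves


def build_sample_pe32(code: bytes, padding: int) -> bytes:
    """Constructed minimal PE32 with one executable .text section holding
    `code` followed by `padding` NUL bytes. Enough header to exercise the
    parser; it is not a runnable program."""
    file_align, sect_align, opt_size, e_lfanew, raw_ptr = 0x200, 0x1000, 0xE0, 0x40, 0x200
    raw = code + b"\0" * padding
    raw_size = (len(raw) + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9, PE32_MAGIC, 14, 0, raw_size, 0, 0,
                      0x1000, 0x1000, 0x2000, 0x400000, sect_align, file_align)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(raw), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0") + sect).ljust(raw_ptr, b"\0")
    return headers + raw.ljust(raw_size, b"\0")
```

Run it against a real 32-bit binary with parse_pe(open(path, "rb").read()); the is_32bit/machine check mirrors Shellter's 32-bit-only restriction, and the cave list is where a tool has room to place code without appending a new section, which is something AV heuristics look for.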

May 26, 2014

Dump memory / Volatile memory

This tutorial describes the main options for dumping and analysing volatile memory with some basic tools. We will explain the basic operation of both DumpIt and Volatility, covering multiple ways of dumping memory locally or remotely and extracting Windows hashes, web session information and a variety of other data such as the OS version, network connections and system processes.

About DumpIt
This utility generates a physical memory dump of Windows machines. It works on both x86 (32-bit) and x64 (64-bit) machines. The raw memory dump is written to the current directory; only a confirmation question is asked before it starts. It is perfect for deploying on a USB key for quick incident-response needs.
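Once DumpIt has written the raw image, the simplest analysis is carving. The following added example (not from the post, and not Volatility, which walks the kernel's own structures instead) hashes the image for the evidence record and carves HTTP session cookies and Basic-auth credentials out of it with regular expressions. The "memory image" is a constructed byte string with a fake cookie and fake credentials embedded in it:

```python
import base64
import hashlib
import re

# Constructed stand-in for a raw memory image: slack, a browser's HTTP request
# with a session cookie, more slack, and a Basic-auth header. The cookie
# value and credentials are made up.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
      b"Cookie: PHPSESSID=9f86d081884c7d65; theme=dark\r\n\r\n"
    + b"\xff" * 16
    + b"Authorization: Basic YWRtaW46U3VtbWVyMjAxNCE=\r\n"
    + b"\x00" * 32
)


def image_digest(data: bytes) -> str:
    """SHA-256 of the acquired image. Record it right after DumpIt finishes
    so later findings can be tied to the exact bytes that were captured."""
    digest = hashlib.sha256()
    for i in range(0, len(data), 1 << 20):      # 1 MiB chunks; fine for a memory-mapped file too
        digest.update(data[i:i + (1 << 20)])
    return digest.hexdigest()


# "Cookie: " also matches inside "Set-Cookie: ", so server responses are carved as well.
COOKIE_RE = re.compile(rb"Cookie: ([^\r\n]+)")
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def carve_sessions(data: bytes) -> list:
    """Every Cookie header value still lying around in memory."""
    return [m.group(1).decode("latin-1") for m in COOKIE_RE.finditer(data)]


def carve_basic_auth(data: bytes) -> list:
    """Decoded user:password pairs from HTTP Basic authorization headers."""
    creds = []
    for m in BASIC_RE.finditer(data):
        try:
            creds.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue                               # a false positive, not real base64
    return creds


if __name__ == "__main__":
    print(image_digest(SAMPLE_DUMP))
    print(carve_sessions(SAMPLE_DUMP))
    print(carve_basic_auth(SAMPLE_DUMP))
```

Point image_digest and the carve functions at the contents of the .raw file DumpIt produced (memory-map it for large images). Windows password hashes are a different case: they live in the registry hives held in memory rather than as plain strings, which is why Volatility's hashdump plugin, not a regex, is the right tool for them.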

January 1, 2014

Multiple vulnerabilities in ZPanel 10.0.2

When I started to set up ZPanel on my private server for the first time, I was really curious how secure it is, so I started looking through the source code of ZPanel for vulnerabilities. After hours of digging through the source, I managed to find 2 security flaws.

The first one (and the most important) is an LFI (Local File Inclusion), which I found in the file getdownload.php, located in /etc/zpanel/panel/modules/backupmgr/code/.
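The post does not reproduce the vulnerable code, so here is an added example in Python (not ZPanel's PHP) of the general pattern behind a download-handler LFI and its fix: a user-supplied file name joined onto a base directory without checks, next to a version that restricts the name and verifies the resolved path stays inside the directory. The backup directory is hypothetical:

```python
import posixpath

# Hypothetical backup directory; the real location is not part of the post.
BACKUP_ROOT = "/etc/zpanel/panel/modules/backupmgr/backups"


def download_path_vulnerable(filename: str) -> str:
    """The LFI pattern: a user-controlled name is appended to a base directory
    and handed to a file read/include. Normalising afterwards (as the
    filesystem does anyway) shows where it really points: '../' sequences walk
    out of the backup directory, and an absolute name replaces it outright."""
    return posixpath.normpath(posixpath.join(BACKUP_ROOT, filename))


def download_path_safe(filename: str) -> str:
    """Hardened version: allow only a bare file name (no separators, no NUL,
    not '.' or '..'), normalise, and require the result to still be inside
    BACKUP_ROOT. The containment check is the defence that survives encoding
    tricks the name filter might miss."""
    if not filename or "/" in filename or "\\" in filename or "\0" in filename:
        raise ValueError("invalid file name")
    if filename in (".", ".."):
        raise ValueError("invalid file name")
    candidate = posixpath.normpath(posixpath.join(BACKUP_ROOT, filename))
    if posixpath.commonpath([BACKUP_ROOT, candidate]) != BACKUP_ROOT:
        raise ValueError("path escapes the backup directory")
    return candidate


def accepts(filename: str) -> bool:
    """True if the hardened check lets the name through."""
    try:
        download_path_safe(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(download_path_vulnerable("../../../../../../etc/passwd"))   # /etc/passwd
    print(accepts("../../../../../../etc/passwd"))                    # False
    print(download_path_safe("site-2014-01-01.zip"))
```

In PHP the equivalent is realpath() on the joined path followed by a check that it starts with realpath() of the base directory; on PHP older than 5.3.4 a NUL byte in the name could additionally truncate the path before the expected extension, which is why the hardened version rejects it explicitly.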

December 10, 2013

Wireshark In PenTesting

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: it uses the GTK+ widget toolkit for its user interface and pcap to capture packets, and it runs on various Unix-like operating systems, including Linux, OS X, BSD and Solaris, as well as on Microsoft Windows.

We can download Wireshark for Windows or Mac OS X from the official website. Most Linux distributions ship it in their package repositories, and penetration-testing distributions usually have it pre-installed.

July 12, 2013

Exploitation Ubuntu - Windows Services

This tutorial describes the basic principles of gathering information about and exploiting vulnerable machines such as Ubuntu Server and Windows XP. Both systems (Ubuntu and Windows) have vulnerable services installed, such as Tomcat (Java) and a Samba file server, as well as vulnerable databases: PostgreSQL on the Ubuntu machine and MySQL on the Windows machine.

February 23, 2013

Crack Hashes using Hashcat

This tutorial describes the main options of Hashcat. It explains the basic operation of using it to crack password hashes (LM, NTLM, MD5, etc.) with different attack modes such as brute-force, combinator, dictionary, hybrid and more.

About Hashcat

Hashcat is the world's fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be cut down quickly with a good dictionary and a bit of knowledge of the command switches.
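To show what those attack modes do under the hood, here is an added example (mine, not hashcat's code) that computes NTLM and MD5 the way hashcat modes 1000 and 0 expect them and generates candidates for the dictionary, combinator, mask and hybrid modes. LM is left out (it needs DES). The wordlist and target hashes in the usage are constructed; hashcat's real advantage is doing exactly this with optimised kernels over millions of hashes:

```python
import hashlib
import itertools
import struct


def _md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM is MD4 over the UTF-16LE password;
    hashlib's md4 is frequently disabled on OpenSSL 3 builds, hence this."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                    # round 1
            a = rol((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:          # hashcat -m 1000
    return _md4(password.encode("utf-16-le")).hex()


def md5_hex(password: str) -> str:       # hashcat -m 0
    return hashlib.md5(password.encode()).hexdigest()


# hashcat's built-in mask classes (the common four) plus '??' for a literal '?'
MASK_CLASSES = {"l": "abcdefghijklmnopqrstuvwxyz", "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                "d": "0123456789", "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", "?": "?"}


def mask_candidates(mask: str):
    """Expand a hashcat mask such as 'Summer?d?d' into every string it covers."""
    charsets, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            charsets.append(MASK_CLASSES[mask[i + 1]])
            i += 2
        else:
            charsets.append(mask[i])          # literal character
            i += 1
    for combo in itertools.product(*charsets):
        yield "".join(combo)


def candidates(mode: str, words, mask: str = ""):
    """Generate candidates the way the hashcat attack modes do."""
    if mode == "dictionary":                       # -a 0: each word as-is
        yield from words
    elif mode == "combinator":                     # -a 1: every word joined to every word
        for left, right in itertools.product(words, repeat=2):
            yield left + right
    elif mode == "mask":                           # -a 3: brute-force over a mask
        yield from mask_candidates(mask)
    elif mode == "hybrid":                         # -a 6: word followed by mask
        for word in words:
            for tail in mask_candidates(mask):
                yield word + tail
    else:
        raise ValueError("unknown attack mode: " + mode)


def crack(target_hashes, hash_fn, candidate_words) -> dict:
    """Hash each candidate once and match it against all targets; returns
    {hash: plaintext} for every hash recovered."""
    remaining, found = set(target_hashes), {}
    for word in candidate_words:
        if not remaining:
            break
        digest = hash_fn(word)
        if digest in remaining:
            found[digest] = word
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    words = ["admin", "summer", "password"]                       # constructed wordlist
    targets = {ntlm("password"), ntlm("summer14"), ntlm("adminsummer")}
    print(crack(targets, ntlm, candidates("dictionary", words)))
    print(crack(targets, ntlm, candidates("combinator", words)))
    print(crack(targets, ntlm, candidates("hybrid", words, "?d?d")))
```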

February 16, 2013

Create Wordlists using Crunch

This tutorial describes the main options of Crunch. We will explain the basic operation and the most important options of the Crunch tool for creating (generating) wordlists.

About Crunch
Crunch is a tool for creating brute-force wordlists which can be used to audit password strength.

The size of these wordlists is not to be underestimated; however, Crunch can make use of patterns to reduce wordlist sizes, can compress output files in various formats and (since v2.6) prints a message stating the size of the wordlist that will be created, giving you a 3-second window to stop the generation should the size be too large for your intended use.
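To see why that size warning matters, here is an added example (mine, not Crunch's code) that reproduces Crunch's arithmetic: the number of lines and bytes for a min/max length and charset, the -t pattern placeholders (@ for lower case, , for upper case, % for digits, ^ for symbols), and the generators themselves. The symbol set behind ^ is reproduced from memory of the man page and should be treated as an assumption:

```python
import itertools

# crunch -t placeholders: @ lower-case, , upper-case, % digit, ^ symbol.
# The symbol set is assumed to match crunch's default special-character set;
# check your version's man page.
PLACEHOLDERS = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}
LOWER = PLACEHOLDERS["@"]


def count_lines(min_len: int, max_len: int, charset: str = LOWER) -> int:
    """Number of words crunch emits for 'crunch <min> <max> <charset>'."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def size_bytes(min_len: int, max_len: int, charset: str = LOWER) -> int:
    """Bytes on disk: each word plus its newline. This is the figure behind
    crunch's 'will now generate the following amount of data' warning."""
    return sum((n + 1) * len(charset) ** n for n in range(min_len, max_len + 1))


def generate(min_len: int, max_len: int, charset: str = LOWER):
    """Yield every word, shortest first, in charset order (as crunch does)."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def pattern_count(pattern: str) -> int:
    """Words produced by 'crunch <len> <len> -t <pattern>': literal characters
    stay fixed, each placeholder multiplies by its set size."""
    total = 1
    for ch in pattern:
        total *= len(PLACEHOLDERS.get(ch, ch))
    return total


def generate_pattern(pattern: str):
    """Expand a -t pattern, e.g. 'Summer%%' -> Summer00 .. Summer99."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def human_size(nbytes: int) -> str:
    """Format the byte estimate the way a person reads it (KB, MB, GB, TB, PB)."""
    units = ["bytes", "KB", "MB", "GB", "TB", "PB"]
    value = float(nbytes)
    for unit in units:
        if value < 1024 or unit == units[-1]:
            return f"{nbytes} bytes" if unit == "bytes" else f"{value:.1f} {unit}"
        value /= 1024


if __name__ == "__main__":
    alnum = LOWER + PLACEHOLDERS["%"]
    print(count_lines(8, 8, alnum), "lines,", human_size(size_bytes(8, 8, alnum)))
    print(pattern_count("Summer%%"), "lines for -t Summer%%")
    print(list(generate_pattern("Summer%%"))[:3])
```

count_lines(8, 8, LOWER + "0123456789") is 36**8 = 2,821,109,907,456 words, and size_bytes for the same run is about 23 TB, which is the kind of figure Crunch's warning is there to catch; a pattern such as "Summer%%" covers the same idea of a seasonal password with 100 lines.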