SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018 Here is the problem though. Most of the tools to exploit it either catch the authentication in NTLMv2/NTLMv1 (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 thats much harder to pin down.
This is my box. There are many like it, but they are all mine. My malware is my best friend. It is my life. I must master it as I must master my life. My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me.
So there was this blog post that talking about a number of ways to dump windows credentials by @lanjelot [definitly someone to follow] - here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)“ What it boils down to is if you can position a system that can do DNS resolution to the target domain, and perform some other UDP traffic, you can fake join a samba server you control to a domain and it doesn’t require code execution in any way on the domain controller.
PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is: (Optional) Upload a service executable (PSEXECSVC.EXE in the case of SysInternal’s tool) to the ADMIN$ share Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with XARGS or PARALLEL. But one fact about wordlist brute forcing is that there is no “one list to rule them all”. But over the years of doing DNS record collection I have noticed one thing, most domains have a large number of short hostnames that are easy to remember, usually 4 characters or less.
Quick update: As @MikeDamm points out, xargs has a -P option that can do the same thing I’m using parallel for. If you have a supported version of xargs you can use -P 0 to do the same thing as -j0 with parallel, but if your version doesn’t support the 0 you can simply use the same number parallel uses ala: cat subdomains.txt | xargs -P 122 -I subdomain dig +noall subdomain.
Attacker Ghost Stories - ShmooCon 2014 from Rob Fuller
Guest post by @subTee There was a recent presentation at DerbyCon, entitled: Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation by Christopher Campbell & Matthew Graeber I highly recommend that you start with this presentation as it lays the foundation for this post. The premise is, how can we maintain persistence in a corporate environment, using tools and defaults provided by the host OS we have compromised. This is a very important concept, given the shift in many organizations to an Application Whitelisting Defense model.
Show URL: Hak5 Youtube URL: YouTube Show RSS feed: RSS
Since I’ve been gone, OJ has released the ExtAPI (Extended API) for Meterpreter. This has some pretty amazing functionality. You can find OJ’s write up on it and more amazing things he did in 3 months of meterpreter and on the Metasploit blog. Just brushing the surface and to help people see the power of this new functionality I went ahead and created a few Meterpreter scripts that can really mess with someone.