Friday, January 31, 2014

Leveraging psexec locally to execute privileged commands

Gong Xi Fa Choy to all of you. Not really a good start to the year for me, my daughter is sick. But I need to go to Jakarta next week to teach a Digital Forensics/Anti-Forensics class. Okay, anyway, this is another trick to use the Sysinternals tools in a hackish way.

Case Study

  1. In a social engineering campaign, you managed to pivot your way onto a Windows machine, but only with low-privileged (guest) access.
  2. You have an admin-privileged username and password, but RDP is impossible or runas doesn't work.
  3. Ingress/egress firewall rules kicked in, so running psexec remotely is impossible.
  4. For fun!!!!!

Suppose we backdoored a normal user's session with a bind shell on port 4444.



As you can see, adding a user is impossible with our limited privileges. Let's assume we know the password of the user admin, which is admin123. Can we use the runas command?


It seems our runas command failed because our bind-shell backdoor is not a proper interactive console: runas prompts for the password on the console, and our shell cannot supply that stdin.

All hope is lost? Nope, we can use psexec to get around this. I would say "psexec is like sudo".


Why do I like psexec? I believe the Sysinternals tools are the "universal Windows backdoor."
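The flip side of this trick, as an added example that is not part of the original post: whether PsExec is pointed at a remote host or run locally as above, it installs a temporary service (PSEXESVC by default; the -r switch renames it) and the requested program is spawned by that service binary, so both the System log (event 7045, service installed) and the Security log (event 4688, process created) carry traces of it. The Python below runs a few simple rules over constructed event records written in a key=value form; that record format, the sample values, and the %SystemRoot% heuristic for a renamed service are assumptions made for this demo.

```python
"""Flag PsExec activity (local or remote) in Windows event records.

Added example for this post, not the author's code. The records below are
constructed in a simple key=value form; a real deployment would read event
7045 from the System log and 4688 from the Security log (or use Sysmon).
"""
import re

# Constructed sample records (not a real Windows export). The password on
# the psexec command line is already redacted in this sample.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand',
    'EventID=4688 NewProcessName=C:\\tools\\PsExec.exe '
    'CommandLine="psexec -accepteula -u admin -p REDACTED cmd" '
    'ParentProcessName=C:\\Windows\\System32\\cmd.exe',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine="cmd" '
    'ParentProcessName=C:\\Windows\\PSEXESVC.exe',
    'EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe StartType=auto',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad" '
    'ParentProcessName=C:\\Windows\\explorer.exe',
    # A service renamed with "psexec -r updsvc" still drops its binary directly in %SystemRoot%.
    'EventID=7045 ServiceName=updsvc ImagePath=%SystemRoot%\\updsvc.exe StartType=demand',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PSEXEC_IMAGE_RE = re.compile(r'(^|\\)psexec(64)?\.exe$', re.IGNORECASE)
PSEXESVC_RE = re.compile(r'psexesvc', re.IGNORECASE)
# Heuristic: a demand-start service whose binary sits directly in %SystemRoot%
# (not under System32) is how PsExec's service looks after -r renames it.
ROOT_DROP_RE = re.compile(r'%SystemRoot%\\[^\\]+\.exe', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value record into a dict (quotes stripped from values)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event):
    """Return a list of alert strings for one parsed event (empty if benign)."""
    alerts = []
    eid = event.get('EventID')
    if eid == '7045':
        name = event.get('ServiceName', '')
        path = event.get('ImagePath', '')
        if PSEXESVC_RE.search(name) or PSEXESVC_RE.search(path):
            alerts.append('PsExec service installed (default name)')
        elif ROOT_DROP_RE.fullmatch(path) and event.get('StartType') == 'demand':
            alerts.append('demand-start service binary dropped in %SystemRoot% '
                          '(possible renamed PsExec service)')
    elif eid == '4688':
        proc = event.get('NewProcessName', '')
        cmd = event.get('CommandLine', '')
        parent = event.get('ParentProcessName', '')
        if PSEXEC_IMAGE_RE.search(proc):
            alert = 'psexec.exe launched'
            if re.search(r'\s-u\s', cmd):
                alert += ' with explicit credentials (-u)'
            alerts.append(alert)
        if PSEXESVC_RE.search(parent):
            alerts.append('process spawned by the PsExec service')
    return alerts


def scan(lines):
    """Run the rules over raw records; return (EventID, alert) pairs in order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for alert in classify(event):
            findings.append((event.get('EventID'), alert))
    return findings


if __name__ == '__main__':
    for eid, alert in scan(SAMPLE_EVENTS):
        print(f'[{eid}] {alert}')
```

The -u rule only fires if "Include command line in process creation events" is enabled in audit policy; without it, event 4688 carries no command line and you are left with the service-install and parent-process rules, which is why the service side is worth watching even when PsExec is used purely locally.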




Thursday, January 2, 2014

2014: The Age of Pentest Apocalypse.

Happy new year everyone.

We are entering 2014. After doing pentests for so many years, I can safely say "Penetration Testing is Dead". I am not the first person to make such a statement. Popping a remote shell and rooting has been quite challenging for the last 2 years (challenging, but not impossible).

Summary of the year 2013:

1. Secure frameworks are being deployed widely.
2. IPS/IDS are being deployed widely (Juniper/Bluecoat/etc.).
3. HIPS is becoming quite common (application whitelisting).
4. SQL injection/XSS/remote code execution still exist, but are no longer straightforward: it's quite rare to see ' or 1=1 #, but sometimes ' or RAND() > 0.5 still works; WAFs are in wide use.
5. VA (vulnerability assessment) is deadly inaccurate (it might cover most but not all).
6. Local clients are willing to sign up for a more offensive security testing approach (brute-force attacks, sniffing, etc.).
7. Weak/default credentials seem to be the weakest link of all time.

Mandatory skills required in this age:

1. The art of tunneling and pivoting... It's mandatory for getting past firewalls.
2. Bypassing antivirus/IDS/IPS... need I say more; implement your own VM....
3. Bypassing HIPS: executing unlisted/blacklisted binaries outside the whitelisted domain, usually on Windows.
4. Bypassing noexec()... knowledge of ld-based rootkits might help, usually on *nix.
5. Forensics and anti-forensics techniques.
6. Modifying PoC exploits to suit your needs... MS08-067 is just not there anymore, lolz.

Expect to see more revolution in pentesting in 2014!!!



P/S: If someone comes around and is **shitting you about great tools, tell 'em pentest is dead.