Thursday, May 17, 2018

Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 Hash and cracking it with John the Ripper. While this will not be an exhaustive list and showing all the possible examples (there are many blog posts out there that do), I will just be demonstrating how this can be done at its simplest form. It is up to you to decide how far you want to go with this information.


Wednesday, May 2, 2018

Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that required a post exploitation (already obtained administrative access to the system) of the target system and steal credentials. There are many posts online that have done this and I will be referencing them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, Lan manager hashes, Kerberos tickets and a number of other items. This post is to leverage Mimikatz, but instead of downloading the binary to the targets disk and jeopardizing AntiVirus to trip, or other host based controls stopping us, we will download the script directly in memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques that can be used with simple Linux fu to help generate this "custom" version of Mimikatz to help bypass AV. Lastly, there is another technique to help obfuscate the actual powershell command that calls the download to run the exploit.


Thursday, October 5, 2017

RickdiculouslyEasy: 1 - Walkthrough

It has been a long time since I've last posted anything off of Vulnhub. To be honest, I just haven't had too much time to dive into any of these VM's. However, g0tmi1k released a ton of new VM's so I wanted to check them out. One of which is was RickdiculouslyEasy: 1 made by Luke.

This VM is based off the tv show Rick and Morty. I, myself, am a fan of this show so I had to check it out. It turned out to be quite easy but I still had fun solving it. Below is my walkthrough on capturing all of the flags. 


Friday, June 30, 2017

Elevate from Admin to NT Authority\SYSTEM

Elevate from Admin to NT Authority\SYSTEM


The other day I gained Administrative access to a windows machine. While I was enumerating around, I had the urge to escalate to the most powerful account on a Windows local instance: NT Authority\SYSTEM.

I realized there weren't a lot of posts online about it. I figured I'd give the steps I did in order to accomplish this task.