Pen Testing

TL;DR: If you aren’t interested in the details and have always wanted to run Python on top of .NET in five lines of PowerShell or less, skip to the bottom for code snippets. If you want to understand how that is possible, read on…

I have been digging into .NET recently, trying to stretch the bounds of the .NET Framework, and have a very cool discovery to share. Anyone interested in the offensive side of security is always looking to shrink the footprint that security controls get to inspect when getting shells on boxes. This article will hopefully teach you a bit about the .NET Framework, as well as how to pull .NET assemblies over the Internet and load them into a C# application or, even more interestingly, into PowerShell. The resulting C# applications are around 6KB; the resulting PowerShell scripts are just a handful of lines of code. Imagine having all the power, benefits and extensibility of managed .NET code without the footprint. As an example, we are going to run (Iron)Python on top of .NET, over the Internet. Here is how.

Read Full Article

Intro to Mimikatz

One of the most interesting tools in a penetration tester’s arsenal is mimikatz. Mimikatz scrapes the memory of the process responsible for Windows authentication (LSASS) and reveals cleartext passwords and NTLM hashes that an attacker can use to pivot around a network. From there they escalate privilege either by authenticating with the cleartext credentials or by passing the hash. Sounds deadly, right? Most people’s reaction is “Why hasn’t Microsoft come up with a solution to this?”

If you Google the phrase “defending against mimikatz”, the information you find is a bit lackluster. The best article I have found was this one. It has a lot of good suggestions: use the “Protected Users” group (SID: S-1-5-21-<domain>-525) available in recent versions of Active Directory, limit administrator usage, and use the registry setting that stops WDigest from keeping cleartext passwords in LSASS memory. You can also limit the number of services running as SYSTEM, or remove the debug privilege (SeDebugPrivilege), so that an attacker cannot open LSASS and run mimikatz in the first place. What this and other articles lead you to believe is that you need Windows 8, 8.1 or 10 rolled out everywhere. What about the large number of Windows 7/2008 R2 machines out there? It turns out you can defend against mimikatz on these versions of Windows too. Here is how.

Read Full Article
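As an added example (my own code, not from the post or the article it links to), here is a PowerShell audit of the mitigations listed above, run elevated on the host being checked. It assumes that the registry setting the post alludes to is WDigest UseLogonCredential, which on Windows 7 / 2008 R2 only takes effect once KB2871997 is installed, and that the RSAT ActiveDirectory module is present for the Protected Users check; the function name and the -Fix switch are mine.

```powershell
# Added example, not code from the original post. Assumptions: the
# "registry setting" is WDigest UseLogonCredential (needs KB2871997 on
# Windows 7 / 2008 R2), and the ActiveDirectory RSAT module is installed
# for the Protected Users check. Run from an elevated PowerShell.
function Test-MimikatzMitigations {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix also sets UseLogonCredential to 0

    $findings = @()

    # 1. WDigest keeps a reversible copy of the logon password in LSASS
    #    unless UseLogonCredential is 0; that copy is what mimikatz reads.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $cred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $os = [Version](Get-WmiObject Win32_OperatingSystem).Version   # 6.1 = Win7/2008 R2
    if ($os -lt [Version]'6.3' -and -not (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)) {
        $findings += 'KB2871997 missing: UseLogonCredential is ignored on this build'
    }
    if ($cred -ne 0) {
        $findings += "WDigest UseLogonCredential is '$cred' (want 0)"
        if ($Fix) {
            New-ItemProperty -Path $wdigest -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
            $findings += 'Set UseLogonCredential=0 (applies to new logons only)'
        }
    }

    # 2. SeDebugPrivilege is what lets a process open LSASS; mimikatz asks
    #    for it first. Export the local user-rights policy and list holders.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line) {
        $holders = foreach ($h in (($line -split '=', 2)[1] -split ',')) {
            $h = $h.Trim()
            if ($h -like '*S-1-*') {   # secedit writes SIDs as *S-1-5-32-544
                try { (New-Object Security.Principal.SecurityIdentifier($h.TrimStart('*'))).Translate([Security.Principal.NTAccount]).Value }
                catch { $h }
            } else { $h }
        }
        $findings += "SeDebugPrivilege held by: $($holders -join ', ')"
    }

    # 3. Every service running as LocalSystem is a process an attacker who
    #    can hijack it gets SYSTEM from; fewer is better.
    $sys = @(Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' })
    $findings += "$($sys.Count) services run as LocalSystem (first few: $(($sys | Select-Object -First 5 | ForEach-Object { $_.Name }) -join ', '))"

    # 4. Protected Users (RID 525): members get no NTLM, no WDigest/CredSSP
    #    credential caching and no RC4 Kerberos, enforced by 2012 R2+ DCs.
    #    Flag Domain Admins who are not in the group.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $domainSid = (Get-ADDomain).DomainSID.Value
        $members = @(Get-ADGroupMember -Identity "$domainSid-525" -ErrorAction SilentlyContinue | ForEach-Object { $_.SamAccountName })
        $admins  = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction SilentlyContinue | ForEach-Object { $_.SamAccountName })
        $unprotected = $admins | Where-Object { $members -notcontains $_ }
        if ($unprotected) {
            $findings += "Domain Admins not in Protected Users: $($unprotected -join ', ')"
        }
    } else {
        $findings += 'ActiveDirectory module not available; Protected Users check skipped'
    }

    return $findings
}

Test-MimikatzMitigations
```

The WDigest value only affects logons that happen after it is set, so credentials already cached in LSASS stay readable until the user logs off or the box reboots; on Windows 7 / 2008 R2 the value does nothing at all without KB2871997, which is why the hotfix check comes first.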