I've had several customers come to me before a pentest and say they think they're in a good shape because their vulnerability scan shows no critical vulnerabilities and that they're ready for a pentest, which then leads me to getting domain administrator in fifteen minutes by just exploiting misconfigurations in AD. One of the lapses … Continue reading Penetration Testing Active Directory, Part I
When Invoke-Obfuscation came out in late 2016, I, and I'm sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn't even there. Empire payload? Easy. Privilege escalation Powershell scripts? Not a problem. In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & … Continue reading Suck it, Windows Defender.
I take absolutely no credit for the modules used in this script. A massive thanks to Tim Medin, Kevin Robertson, Marcello Salvati, Will Schroeder and the rest of the team at Specter Ops for the modules used in this script. Finally, thanks to Daniel Bohannon for writing Invoke-Obfuscation, which was used to obfuscate all … Continue reading Active Directory Assessment and Privilege Escalation Script 2.0
Windows PrivEsc has always been difficult for me but this method is pretty straightforward and very successful. This already assumes you have a shell on the box. I start up Empire, start a listener and generate a Powershell payload Then run the payload. An agent then spawns on the target I then select the agent … Continue reading Windows Privilege Escalation via Unquoted Service Paths
My job involves lightweight pentesting and vulnerability assessment and such is the nature that clients know what I want to accomplish and will happily white-list any script I ask them to, but what's the fun in that? Researching methods to bypass AV and thinking of methods to just not write to disk, showed that AV … Continue reading AV Evasion