Channel: Carnal0wnage & Attack Research Blog
Browsing all 163 articles

Privilege Escalation via "Sticky" Keys

This has been documented all over, but I like things to be on the blog so I can find them... You can gain a SYSTEM shell on an application you have administrative access on, or if you have physical...

From LOW to PWNED [4] Browsable Directories

Post [4] Browsable Directories. "Index of" can be your friend, and the same with "web mirroring". Unfortunately, and also to the point of the talk/series, you have to go look at this crap. It's *usually*...

From LOW to PWNED [5] Honorable Mention: Null Sessions

Post [5] Honorable Mention: Null Sessions. Null sessions are old school. They used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all...

From LOW to PWNED [6] SharePoint

Post [6] SharePoint. Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are: user/domain enumeration; access to useful files. Regular / Auth Protected SharePoint also...

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Post [7] HTTP PUT/WebDAV/SEARCH. Man, I love mis-configured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not...

Android Emulator, Trusted CA, and Persistent Storage

UPDATE - An easier way to do this can be found on our update post here. Android periodically updates its SDK, and sometimes when this happens, old methods for importing a Trusted CA, necessary to proxy...

Update - Android & SSL Cert

Thanks to the comments left by Zach on our last Android post here, it has been brought to my attention that there is an easier way to do all of this with the latest AVD (4.0.3). After creating your AVD...

From LOW to PWNED [8] Honorable Mention: Log File Injection

Post [8] Honorable Mention: Log File Injection. So this didn't make it into the talk, but was in the hidden slides... not positive this is a "low", but a friend suggested it, so here you go. Goes like...

PowerShell, Shellcode, metasploit, x64

This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting. Two posts got me started looking at PowerShell and its ability to execute...

From LOW to PWNED [9] Apple Filing Protocol (AFP)

Post [9] Apple Filing Protocol (AFP). The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and the original Mac OS. In Mac OS X, AFP is one of several file services...

From LOW to PWNED [10] Honorable Mention: FCKeditor

Post [10] Honorable Mention: FCKeditor. FCKeditor is bundled with seemingly everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless...

From LOW to PWNED [11] Honorable Mention: Open NFS

Post [11] Honorable Mention: Open NFS. Open NFS mounts/shares are awesome. Talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an...

From LOW to PWNED [12] Trace.axd

Post [12] Trace.axd. "Trace.axd is an Http Handler for .Net that can be used to view the trace details for an application. This file resides in the application's root directory. A request to this file...

Burp Intruder and Timing Options

Quick post on timing options with Burp Intruder. Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at them too...

WebDAV Server to Download Custom Executable or MSF Generated Executables

Metasploit comes with a dllhijacker module. The current module does not allow you to download exe's; in fact, these are specifically blacklisted. This makes sense because that's not what the exploit is for....

Lotus Domino Scanner

Occasionally I run into Lotus Domino stuff on tests. William Dawson (@bill_e_ghote) did a talk at BSides LV 2012 and Skytalks on Lotus Domino hashes. Link --> http://youtu.be/vfUqZo1Hryg. It's worth a...

Article 8

Debut of Offensive Techniques: We have completely overhauled our Tactical Exploitation class for Blackhat, and are now getting ready to debut a new course at Countermeasure 2012...

Why We Created Offensive Techniques

We are going to be releasing a few blog posts on our thoughts on why we have to better communicate what works in actually securing something. This first post is on why we created our new class...

Pwn Plug Elite Action Shots

We've been able to use the Pwn Plug on a few LARES Red Team tests. We've mostly utilized the 3G out-of-band functionality; this allows us to more easily bridge the gap between physical and electronic...

Attack Research Product Launch

Attack Research, LLC is proud to announce two new products / services today:
- HERMES: Threat Intelligence, Automated Analysis, Correlation
- APTSim: Advanced Persistent Threat Simulation
We all know by...
