Home DEP Bypass: Mini HTTPD Server 1.2

DEP Bypass: Mini HTTPD Server 1.2

Posted on 16 April, 2014 by Ignacio Sorribas No Comments ↓

In my “Writing exploit on win32 from scratch: Mini HTTPD Server 1.2” blog post, I pointed that we were working on a Windows SP SP3 box with no DEP (data execution prevention). That’s not real, Windows XP SP3 has DEP, but by default it is configured in “OptIn” that means only the processes and services on the list has DEP activated (usually OS processes). For this post we are going to change that configuration to “OptOut” that means DEP is allways On except for the processes that we put in the list. Read more ›

Posted in Exploiting, win32

From exploit to Metasploit: Mini HTTPD Sever 1.2

Posted on 6 April, 2014 by Ignacio Sorribas No Comments ↓

This post is to explain how to convert our Mini HTTPD Server 1.2 Exploit to a Metasploit module gaining a lot of flexibility to chose our payloads and targets (once defined in the module of course).

Here there is an exploit skeleton from Metasploit you can find in “Metasploit Unleashed”.

Read more ›

Posted in Exploiting, Metasploit, python, win32

Mini HTTPD 1.2 Exploit writing from scratch.

Posted on 1 April, 2014 by Ignacio Sorribas No Comments ↓

Introduction

Some time ago since I wrote my last post cause lately between work, trainings, conferences and some software development my “Free Time” suffered a “Buffer Overflow”.

But hey, now found some time and I decided to create the first entry about “Exploiting” of hardsec.net.

We will see how to develop an exploit step by step for “Mini HTTPD”. You can find it at http://www.vector.co.jp/soft/winnt/net/se275154.html or here in this post.

I’ll try to explain the process step by step, including the mistakes I’ve been making during the development, the cause of these errors and how I solved it. Read more ›

Posted in Exploiting, win32

Packet sniffing from Meterpreter

Posted on 15 January, 2014 by Ignacio Sorribas 4 Comments ↓

Following with the post chain about Meterpreter extensions, I’m going to show you how “sniffer” extension works. This module let’s you capture traffic from one network interface of the victim host and dump it to a “pcap” file on the attacker box.

The “sniffer” module can store up to 200000 packets in a ring buffer and exports them in a “pcap” file without ever touching the disk. Read more ›

Posted in Metasploit, Meterpreter, Post-Exploitation, Sniffer

Mimikatz Meterpreter extension

Posted on 9 January, 2014 by Ignacio Sorribas 2 Comments ↓

During a PenTest one of the main objectives of the PenTester when a Windows host is compromised is to obtain the user authentication hashes, to try pivot to other systems on the target network using the “Pass The Hash” attack.

This post is about how to get those credentials in clear text, using a tool named “Mimikatz”.

Mimikatz is a powerful tool developed by Benjamin Delpy (aka gentilkiwi) used to extract user credentials directly from the memory of a windows system among other things like export certificates marked as non-exportable or obtain SAM hashes. Read more ›

Posted in Metasploit, mimikatz, Post-Exploitation

Post-Exploitation with “Incognito”.

Posted on 9 January, 2014 by Ignacio Sorribas 1 Comment ↓

Incognito is a tool used to escalate privileges inside an Active Directory domain on the post exploitation phase of a PenTest.

It was born as a standalone tool, later was included in Metasploit as a module and finally it was included in Meterpreter as an extension. In this demo, we are going to use the “Incognito” extension of Meterpreter.

It is used to impersonate authentication tokens on compromised windows hosts.

Authentication tokens are like Internet Cookies, a temporal key used to access different services and files on the domain without asking for credentials all the time. Read more ›

Posted in Incognito, Metasploit, Post-Exploitation

Bypass new generation Firewalls with meterpreter and ssh tunnels

Posted on 7 January, 2014 by Ignacio Sorribas 13 Comments ↓

In this post I’m going to show the main content of an article published in  Kali Linux 2 | Pentest Extra 05/2013 by me. I hope you enjoy it.

Introduction

During a recent penetration test I found a Windows host running a web application that let me execute code via an SQL injection error. The host was a Windows 2003 Server with an SQL Server 2005. It was part of a local area network (LAN), and my intention was to use it to pivot to other hosts on the LAN, up to create me an account of “Domain Administrator” and take possession of the entire Network . Read more ›

Posted in Firewall, Metasploit, SSH

Welcome to my blog

Posted on 1 January, 2014 by Ignacio Sorribas No Comments ↓

With the new year I decided to go one step further and start posting in English as well as in Spanish.

So this post is just to welcome all the new english readers. I hope the contents of this blog likes you the same likes me to write it.

Thanks and regards.

Posted in No category