Channel: Lab of a Penetration Tester
Browsing all 79 articles


Poshing the hashes part 2 - Dump Windows password hashes with PowerShell

Ok, this should have been the first part. Read my previous post, Poshing the hashes: Using PowerShell to play with hashes, about what we can do _after_ dumping password hashes. I got many questions on...


Nishang 0.2.7 - Improved backdoors, keylogger and better exfiltration

I like the backdoors in Nishang. Though very basic, they could be very useful depending on the situation and permission of usage (during a pen test). Two major things that have been improved in Nishang...


(Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using...

This post is all about what I was unable to discuss during my talk at Defcon 21 "Powerpreter: Post Exploitation like a boss". In 45 minutes one can only highlight limited things, so this and some more...


Kautilya 0.4.4 - dump lsa secrets, introduce vulns, improved backdoors and more

Here comes Kautilya 0.4.4. This version adds three new payloads and improves a couple of others. Download and Execute PowerShell Script - As the name suggests, this script downloads a PowerShell script and...


Pivoting to and poking other computers using powershell - Powerpreter and...

This is the second post in the series about Powerpreter. You can read the first part here: http://www.labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html We can use Powerpreter to pivot...


Persistence - Powerpreter and Nishang 0.3.2 - Part 3

This is the third post in the series about Powerpreter and Nishang. You can read the first two parts here: (Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1...


Kautilya 0.4.5 - Reboot Persistence, DNS TXT exfiltration and more

This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories, making the menu clearer. Another...


Egress Testing using PowerShell

Imagine that you pwned a box during a pen test. You want to know if it is possible to access the internet/other network on any port. This is what egress testing is, for me. I am happy to give you...



Nishang 0.3.4 - Nishang Module, Dot Sourcing, Leaner scripts, New...

This update of Nishang makes some basic changes in how Nishang could be used. You can now use Nishang as a module. Just import Nishang.psm1 by using PS C:\nishang> Import-Module...


Introducing Antak - A webshell which utilizes powershell

During penetration tests, I always wanted to have a simple yet powerful webshell. For that, I wrote Antak last year and demonstrated it at Defcon 21, but never released it, for I was busy with other things...


Hacking Jenkins Servers With No Password - Powershell fun

This post is stolen/copied/inspired from the post by Royce Davis. He posted the awesome original post here on Pentest Geek. I am just taking the hack forward using Nishang and powershell for doing...


Kautilya 0.5.0 - Passwords in Plain, Exfiltrate SAM, Code Exec and more

Kautilya 0.5.0 is out. This version adds six more exciting payloads for Windows and supports Ruby bundler! I tried to do away with the menus and make the Kautilya UI an interactive shell, just like MSF...


Script Execution and Privilege Escalation on Jenkins Server

Disclaimer: We would use only existing features of Jenkins, no 'exploits' here. During a recent penetration test I came across a Jenkins server. Having written a blog post on it, I was really excited...


Introducing Gupt: A Backdoor which uses Wireless network names for command...

A few weeks back, I was playing with my mobile WiFi hotspot and powershell. Using powershell, I was listing the SSIDs created by the mobile hotspot, wondering if it could be exploited in some way. It turned...


(Quick Post) POODLE workaround on Windows using PowerShell

This quick blog post is for quickly applying a workaround on Windows using PowerShell for the POODLE vulnerability. It is more for my own notes, so nothing extraordinary. The Microsoft Advisory on POODLE...


Using PowerShell for Client Side Attacks

This blog post details everything I spoke about at DeepSec [slides here] plus much more. tl;dr: Try the new scripts from Nishang here. Why use Client Side Attacks with PowerShell? When I started...


Using Nishang with Cobalt Strike

This (very) quick post explains usage of Nishang with Cobalt Strike. Someone left a comment on a post asking for it, so here it is. Raphael already wrote a blog post explaining how to use PowerShell...


Fun with DNS TXT Records and PowerShell

This post discusses using DNS TXT records with PowerShell for command, script and shellcode execution. Nishang and Kautilya have two payloads and data exfiltration methods based on DNS TXT records....


Dropping infected/weaponized files using a Human Interface Device

This post discusses dropping infected/weaponized files on a target using a Human Interface Device. I am always against using mounted SD cards in a HID. In my experience, it increases the chances of...


Using Windows Screensaver as a Backdoor with PowerShell

I came across this interesting post about bypassing Windows Lock Screen via Flash Screensaver. While bypassing the lock screen is useful, the method mentioned there needs physical access to the target....
