This blog post is mainly aimed to be a very 'cut & dry' practical guide to help clear up any confusion regarding NTLM relaying. Talking to pentesters I've noticed that there seems to be a lot of general confusion regarding what you can do with those pesky hashes you get with …
Ever since Empire and BloodHound, pentesting Active Directory has become pretty straight forward for 95% of the environments I get dropped in.
I find myself doing the same things over and over again, and when that happens it's time to automate! After all a 'fire and forget' script that automatically …
Edit 06/02/2017 - CrackMapExec v4 has been released and the CLI commands have changed, see the wiki here for the most up to date tool docs
In Part 1 we went over the basics such as:
Part 2 will …
Edit 06/02/2017 - CrackMapExec v4 has been released and the CLI commands have changed, see the wiki here for the most up to date tool docs
This is going to be a multipost series going over a lot of the functionality of CrackMapExec. Although there is some documentation already …
I'm an Arch linux fan and I've been using Empire on a lot of pentests recently. Problem is Empire requires Swig2 and Arch had only Swig3 in it's repos.
Today I just noticed that the Arch AUR has a functional Swig2 package, and I finally got Empire running! W00t!
So …
I've been using Scapy for years and one thing that's always bothered me was it's performace, especially when it comes to sending packets, to give you an idea:
from scapy.all import *
for i in range(0, 10):
send(ARP(pdst='192.168.1.88',
psrc='192.168.1.11 …
This is basically a reminder for me but could be useful for anyone. I keep forgetting how to convert commands to a Powershell compatible encoded string:
From the command line:
echo "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0
For Python:
from base64 import b64encode
b64encode('iex(command)'.encode('UTF-16LE …
While I was re-writing the Spoof plugin for MITMf I came across the "pythonic" way of using Nfqueue with python.
Previously the plugin was using code from dnspoof.py for DNS tampering, which used the nfqueue-bindings python library from here.
Problem was that it was a pain to setup: you …
When I successfully extract a file system from the firmware of an embedded system, the first thing that I do is run grep or strings looking for low hanging fruit or even potential command injection vulns.
What I wanted though is something that recursively checked all files of a directory …
Now I'm pretty sure there was a talk at BlackHat a couple of years ago about doing this, so this might not be anything new but I'll write about it anyway.
This is a great way to exfiltrate data from a network: it's stealthy (who looks at traffic going to …