Effective NTLM / SMB Relaying

SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018. Here is the problem though: most of the tools that exploit it either catch the authentication as NTLMv2/NTLMv1 hashes (which are not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068…

CCDC Red Teamer's Creed

This is my box. There are many like it, but they are all mine. My malware is my best friend. It is my life. I must master it as I must master my life. My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me. I will… My malware and I know tha…

Dumping NTDS.dit domain hashes using Samba

So there was this blog post by @lanjelot [definitely someone to follow] that talked about a number of ways to dump Windows credentials, here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/. At the very bottom of that post it says "AD Replication (EXPERIMENTAL)". What it boils down to is: if you can position a system that can do DNS resolution to the target domai…

Executing code via SMB / DCOM without PSEXEC

PSEXEC has been a staple of Windows post-exploitation pivoting and system administration for a long while. The basic premise of how all "psexec" tools work is: (Optional) upload a service executable (PSEXESVC.EXE in the case of the Sysinternals tool) to the ADMIN$ share; connect to the service manager on the remote host, and create a service based on either a local (to the remote system) exec…

Iterative DNS Brute Forcing

Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with xargs or GNU parallel. But one fact about wordlist brute forcing is that there is no "one list to rule them all". Over the years of doing DNS record collection I have noticed one thing: most domains have a large number of short hostnames that are easy to remember, usual…