Author Archives: Pentester

29 Dec

LinEnum.sh

#!/bin/bash
#A script to enumerate local information from a Linux host
v="version 0.6"
#@rebootuser

#help function
usage () {
echo -e "\n\e[00;31m#########################################################\e[00m"
echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
echo -e "\e[00;31m#########################################################\e[00m"
echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m"
echo -e "\e[00;33m# $v\e[00m\n"
echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r […]

29 Dec

MS11-080 AfdJoinLeaf Privilege Escalation

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its […]

28 Dec

Windows privilege escalation using "bypassuac vbs" in Metasploit

Hacking any Windows system is an easy process with Metasploit. We can use many techniques to compromise Windows, either by exploiting a remote code execution flaw or through a malicious file attack. Code is often embedded in genuine applications or executed remotely in an application with limited privileges. When we use the getsystem command it will return an error "access […]

27 Dec

Windows Privilege Escalation Methods for Pentesters

Imagine that you have gotten a low-priv Meterpreter session on a Windows machine. Probably you’ll run getsystem to escalate your privileges. But what if it fails? Don’t panic. There are still some techniques you can try.

Unquoted Service Paths
Basically, it is a vulnerability that occurs if a service executable path is not enclosed with quotation marks […]

21 Dec

rpcclient – Help

NAME
rpcclient — tool for executing client side MS-RPC functions

SYNOPSIS
rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}

DESCRIPTION
This tool is part of the samba(7) suite. rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone […]

20 Dec

More with rpcclient

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]
rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

Now you would think that doing a querygroup […]

15 Dec

How to turn off gcc compiler optimization to enable buffer overflow

I’m working on a homework problem that requires disabling compiler optimization protection for it to work. I’m using gcc 4.4.1 on Ubuntu Linux, but can’t figure out which flags are the right ones. I realize it’s architecture dependent – my machine runs w/ 32-bit Intel processor. Thanks. […]
